{"id":871,"date":"2025-03-04T17:37:16","date_gmt":"2025-03-04T22:37:16","guid":{"rendered":"https:\/\/carleton.ca\/cipser\/?p=871"},"modified":"2025-07-30T15:45:00","modified_gmt":"2025-07-30T19:45:00","slug":"standardized-risk-assessment-for-critical-infrastructure-in-canada","status":"publish","type":"post","link":"https:\/\/carleton.ca\/cipser\/2025\/standardized-risk-assessment-for-critical-infrastructure-in-canada\/","title":{"rendered":"Unraveling the Complexity: How Canada Can Build a Clearer, Stronger Approach to Critical Infrastructure Risk Assessment"},"content":{"rendered":"\n<section class=\"w-screen px-6 cu-section cu-section--white ml-offset-center md:px-8 lg:px-14\">\n    <div class=\"space-y-6 cu-max-w-child-5xl  md:space-y-10 cu-prose-first-last\">\n\n            <div class=\"cu-textmedia flex flex-col lg:flex-row mx-auto gap-6 md:gap-10 my-6 md:my-12 first:mt-0 max-w-5xl\">\n        <div class=\"justify-start cu-textmedia-content cu-prose-first-last\" style=\"flex: 0 0 100%;\">\n            <header class=\"font-light prose-xl cu-pageheader md:prose-2xl cu-component-updated cu-prose-first-last\">\n                                    <h1 class=\"cu-prose-first-last font-semibold !mt-2 mb-4 md:mb-6 relative after:absolute after:h-px after:bottom-0 after:bg-cu-red after:left-px text-3xl md:text-4xl lg:text-5xl lg:leading-[3.5rem] pb-5 after:w-10 text-cu-black-700 not-prose\">\n                        Unraveling the Complexity: How Canada Can Build a Clearer, Stronger Approach to Critical Infrastructure Risk Assessment\n                    <\/h1>\n                \n                                \n                            <\/header>\n\n                    <\/div>\n\n            <\/div>\n\n    <\/div>\n<\/section>\n\n\n\n<h3 id=\"\" class=\"wp-block-heading\"><strong data-start=\"70\" data-end=\"193\"><figure><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-874 aligncenter\" src=\"https:\/\/carleton.ca\/cipser\/wp-content\/uploads\/sites\/127\/Risk-Assessment-Standards-Canada-2-240x240.jpg\" alt=\"\" width=\"240\" height=\"240\" srcset=\"https:\/\/carleton.ca\/cipser\/wp-content\/uploads\/sites\/127\/Risk-Assessment-Standards-Canada-2-240x240.jpg 240w, https:\/\/carleton.ca\/cipser\/wp-content\/uploads\/sites\/127\/Risk-Assessment-Standards-Canada-2-160x160.jpg 160w, https:\/\/carleton.ca\/cipser\/wp-content\/uploads\/sites\/127\/Risk-Assessment-Standards-Canada-2-200x200.jpg 200w, https:\/\/carleton.ca\/cipser\/wp-content\/uploads\/sites\/127\/Risk-Assessment-Standards-Canada-2.jpg 330w\" sizes=\"auto, (max-width: 240px) 100vw, 240px\" \/><\/figure><\/strong><\/h3>\n\n\n\n<h2 id=\"unraveling-the-complexity-how-canada-can-build-a-clearer-stronger-approach-to-critical-infrastructure-risk-assessment\" class=\"wp-block-heading\"><strong data-start=\"70\" data-end=\"193\">Unraveling the Complexity: How Canada Can Build a Clearer, Stronger Approach to Critical Infrastructure Risk Assessment<\/strong><\/h2>\n\n\n\n<p>By Perry Steckly<\/p>\n\n\n\n<p>This is simply a conversation starter.<\/p>\n\n\n\n<p>At NC-CIPSeR, a question we often hear is: \u201cDoes Canada have a standard way to assess risk?\u201d The answer, like the risks themselves, is far from simple. With so many risk assessment tools and frameworks in use across the country, determining the most effective methodology becomes part of the challenge.<\/p>\n\n\n\n<h3 id=\"the-current-reality-a-patchwork-system\" class=\"wp-block-heading\"><strong data-start=\"515\" data-end=\"558\">The Current Reality: A Patchwork System<\/strong><\/h3>\n\n\n\n<p>Canada has built a solid foundation for managing risk to critical infrastructure and communities \u2014 but it remains a patchwork of tools, frameworks, and strategies, each operating in isolation or for sector-specific purposes.<\/p>\n\n\n\n<p>Key elements of Canada\u2019s current risk management framework include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Canada\u2019s <strong data-start=\"878\" data-end=\"916\">All-Hazards Risk Assessment (AHRA)<\/strong> process and <strong data-start=\"929\" data-end=\"977\">Harmonized Threat and Risk Assessment (HTRA)<\/strong> process, which consider all types of risks \u2014 natural, technological, and human-caused (Public Safety Canada, 2018).<\/li>\n\n\n\n<li>The <strong data-start=\"1100\" data-end=\"1148\">Sendai Framework for Disaster Risk Reduction<\/strong>, which Canada has embraced as part of its international disaster risk reduction commitments (United Nations Office for Disaster Risk Reduction, 2015).<\/li>\n\n\n\n<li>The <strong data-start=\"1306\" data-end=\"1375\">Emergency Management Strategy for Canada: Toward a Resilient 2030<\/strong>, which aligns federal, provincial, and territorial efforts (Public Safety Canada, 2018).<\/li>\n\n\n\n<li><strong data-start=\"1467\" data-end=\"1480\">ISO 31000<\/strong>, adopted as Canada\u2019s national risk management standard, which offers principles and guidelines for organizational risk management (BSI Group, n.d.) and approved by the Standards Council of Canada.<\/li>\n<\/ul>\n\n\n\n<p>On paper, this is an impressive set of tools \u2014 but in practice, there is no single, unifying approach that brings all of these frameworks together into a coherent, consistent method to assess, compare, and communicate risk across the country. &nbsp;Provinces struggle with the same challenge.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 id=\"why-this-matters-and-where-the-gaps-are\" class=\"wp-block-heading\"><strong data-start=\"1892\" data-end=\"1937\">Why This Matters \u2014 And Where the Gaps Are<\/strong><\/h3>\n\n\n\n<p>The <strong>2023 National Risk Profile (NRP)<\/strong> highlighted the evolving risks Canada faces \u2014 from wildfires to cyber-attacks to pandemics (Public Safety Canada, 2023). It also emphasized the importance of evidence-based, whole-of-society risk assessments. However, the NRP is not a standardized risk methodology itself \u2014 it\u2019s more of a snapshot in time, shaped by the tools, data, and processes currently in use across provinces, territories, and sectors.<\/p>\n\n\n\n<p>This fragmentation leads to several challenges:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong data-start=\"2453\" data-end=\"2475\">Inconsistent Data:<\/strong> Different jurisdictions and sectors assess risk differently, making national comparisons difficult.<\/li>\n\n\n\n<li><strong data-start=\"2578\" data-end=\"2599\">Siloed Knowledge:<\/strong> There is limited integration between sectors \u2014 meaning the energy, transportation, and health sectors may assess risks independently, without seeing potential cascading interdependencies.<\/li>\n\n\n\n<li><strong data-start=\"2794\" data-end=\"2832\">Difficulty Prioritizing Resources:<\/strong> Without a nationally comparable risk picture, it\u2019s hard to ensure that investments, programs, and policy decisions are targeting the right vulnerabilities.<\/li>\n<\/ul>\n\n\n\n<p>How can Canada leverage the thousands of risk assessments happening across the country whether they are in the critical infrastructure sectors, municipal hazard assessments, corporate enterprise risk programs, or sector-specific regulatory filings? Canada needs a clear roadmap that moves from fragmented, isolated assessments toward a nationally harmonized, analyzable and comparable system allowing for both local customization and provincial and national-level measurement.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 id=\"can-we-learn-from-others-absolutely\" class=\"wp-block-heading\"><strong data-start=\"3003\" data-end=\"3044\">Can We Learn from Others? Absolutely.<\/strong><\/h3>\n\n\n\n<p>Countries like the United Kingdom, Australia, and the United States have each taken steps toward national standardization of risk assessment, with varying degrees of success.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>UK National Risk Register<\/strong> uses a common risk methodology across government departments, ensuring national comparability (Cabinet Office, 2023).<\/li>\n\n\n\n<li><strong>Australia\u2019s National Emergency Risk Assessment Guidelines (NERAG) <\/strong>provide a flexible but consistent process that has been adopted across most states and territories (Australian Institute for Disaster Resilience, 2020).<\/li>\n\n\n\n<li>The <strong>U.S. National Institute of Standards and Technology (NIST)<\/strong> has become a global leader in setting technical standards, including frameworks for cybersecurity risk management (NIST, 2018).<\/li>\n<\/ul>\n\n\n\n<p>The common thread? These countries all have some form of a centralized body responsible for developing, maintaining, and updating risk assessment methodologies, ensuring cross-jurisdictional and cross-sector consistency.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 id=\"a-path-forward-for-canada-and-a-role-for-nc-cipser\" class=\"wp-block-heading\"><strong data-start=\"4070\" data-end=\"4126\">A Path Forward for Canada \u2014 And a Role for NC-CIPSeR<\/strong><\/h3>\n\n\n\n<p>Canada already has the building blocks \u2014 from the National Risk Profile to the Sendai Framework to ISO 31000. What we lack is a central, science-driven entity responsible for weaving these elements together into a coherent, adaptable, and widely adopted national risk assessment standard.<\/p>\n\n\n\n<p>The National Bureau of Standards (NBS) was established in the United States on March 3, 1901, to address the growing need for consistent standards and measurements to support industrial growth, scientific progress, and public safety. As the U.S. economy became more complex, inconsistent measurements and technical standards were creating barriers to trade, innovation, and infrastructure development. NBS provided a trusted, central authority for establishing reliable standards across industries, ensuring fairness in commerce, enhancing product safety, and fostering innovation. In 1988, NBS was renamed the National Institute of Standards and Technology (NIST), reflecting its expanded role in advancing technology, cybersecurity, and critical infrastructure protection (NIST, 2021).<\/p>\n\n\n\n<p>The National Bureau of Standards was charged with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Developing and maintaining national standards of measurement.<\/strong><\/li>\n\n\n\n<li><strong>Providing calibration services to industry and government.<\/strong><\/li>\n\n\n\n<li><strong>Conducting scientific research to improve measurement science.<\/strong><\/li>\n\n\n\n<li><strong>Supporting industry and government agencies with standard reference materials (SRMs) and technical expertise.<\/strong><\/li>\n<\/ul>\n\n\n\n<p>This is where NC-CIPSeR could play a leadership role. &nbsp;Consider the above but directly related to critical infrastructure risk assessments.<\/p>\n\n\n\n<p>We propose the creation of a \u201cNIST for Risk\u201d in Canada \u2014 a <strong>Centre of Excellence<\/strong>, a national platform for developing, evolving, and promoting standardized risk assessment methodologies tailored to Canada\u2019s critical infrastructure and emergency management needs. Our foundational focus on research, innovation, collaboration and education is a strong start.<\/p>\n\n\n\n<p>This would:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ensure consistent data collection and risk analysis across sectors and jurisdictions.<\/strong><\/li>\n\n\n\n<li><strong>Support evidence-based decision-making, both for routine planning and emergency response.<\/strong><\/li>\n\n\n\n<li><strong>Identify and assess cross-sector interdependencies, ensuring cascading risks are properly understood.<\/strong><\/li>\n\n\n\n<li><strong>Provide a trusted, neutral space where government, industry, academia, and Indigenous communities can collaborate on risk data and best practices.<\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 id=\"moving-from-fragmentation-to-integration\" class=\"wp-block-heading\"><strong data-start=\"5217\" data-end=\"5261\">Moving from Fragmentation to Integration<\/strong><\/h3>\n\n\n\n<p>NC-CIPSeR\u2019s work, including Project CANVAS, is already focused on collecting, visualizing, and analyzing threat and hazard data across Canada (We&#8217;re just starting). Or our Intelligence Hub (repository) a curated and evolving knowledge center designed to support decision-makers, researchers, and industry leaders working to protect Canada\u2019s critical infrastructure. By bringing together national strategies, threat assessments, sector-specific reports, and historical insights, the Hub serves as both a reference library and a real-time intelligence platform, helping users navigate emerging risks and uncover solutions.<\/p>\n\n\n\n<p>But tools, documents and information aren\u2019t enough \u2014 what\u2019s needed is a cultural shift toward standardized, collaborative risk assessment at all levels. &nbsp;Canadians should talk about critical infrastructure, risk assessments and national security in a common, well-understood, consistent language.<\/p>\n\n\n\n<p>We invite our partners across sectors, government, and academia to join us in shaping this conversation. Together, we can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong data-start=\"5681\" data-end=\"5754\">Define core risk assessment principles and minimum data requirements.<\/strong><\/li>\n\n\n\n<li><strong data-start=\"5757\" data-end=\"5845\">Pilot integrated risk assessments that cross sectoral and jurisdictional boundaries.<\/strong><\/li>\n\n\n\n<li><strong data-start=\"5848\" data-end=\"5923\">Continue research into the efficacy of risk assessments across hazards.<\/strong><\/li>\n\n\n\n<li><strong data-start=\"5926\" data-end=\"5983\">Standardize data collection and management processes.<\/strong><\/li>\n\n\n\n<li><strong data-start=\"5986\" data-end=\"6087\">Develop training and knowledge-sharing programs to build a consistent risk culture across Canada.<\/strong><\/li>\n\n\n\n<li>Modern Knowledge translation<\/li>\n<\/ul>\n\n\n\n<p>The time to move from fragmented risk management to a truly national, integrated risk approach is now.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.linkedin.com\/posts\/national-centre-for-critical-infrastructure-protection-security-and-resilience_criticalinfrastructure-riskassessment-emergencymanagement-activity-7302824698512359425-7XSt?utm_source=share&amp;utm_medium=member_ios&amp;rcm=ACoAAAZmZC8Bk1xolzbqNOPTNti79Y9kvUBLlSo\">See LinkedIn Post to see what others are saying:<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 id=\"references\" class=\"wp-block-heading\"><strong data-start=\"6206\" data-end=\"6228\">References&nbsp;<\/strong><\/h3>\n\n\n\n<p>Australian Institute for Disaster Resilience. (2020). <em data-start=\"6284\" data-end=\"6339\">National Emergency Risk Assessment Guidelines (NERAG)<\/em>. Retrieved from <a href=\"https:\/\/knowledge.aidr.org.au\/resources\/handbook-nerag-national-emergency-risk-assessment-guidelines\/\">National Emergency Risk Assessment Guidelines (NERAG) Handbook<\/a><\/p>\n\n\n\n<p>BSI Group. (n.d.). <em data-start=\"6428\" data-end=\"6471\">ISO 31000:2018 risk management guidelines<\/em>. Retrieved from <a href=\"https:\/\/www.bsigroup.com\/en-CA\/ISO-31000-Risk-Management\/\" target=\"_new\" rel=\"noopener\" data-start=\"6488\" data-end=\"6545\">https:\/\/www.bsigroup.com\/en-CA\/ISO-31000-Risk-Management\/<\/a><\/p>\n\n\n\n<p>Cabinet Office. (2023). <em data-start=\"6571\" data-end=\"6600\">National risk register 2023<\/em>. Government of the United Kingdom. Retrieved from <a href=\"https:\/\/www.gov.uk\/government\/publications\/national-risk-register-2023\" target=\"_new\" rel=\"noopener\" data-start=\"6651\" data-end=\"6721\">https:\/\/www.gov.uk\/government\/publications\/national-risk-register-2023<\/a><\/p>\n\n\n\n<p>National Institute of Standards and Technology. (2018). <em data-start=\"6779\" data-end=\"6842\">Framework for improving critical infrastructure cybersecurity<\/em>. Retrieved from <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/CSWP\/NIST.CSWP.04162018.pdf\" target=\"_new\" rel=\"noopener\" data-start=\"6859\" data-end=\"6920\">https:\/\/nvlpubs.nist.gov\/nistpubs\/CSWP\/NIST.CSWP.04162018.pdf<\/a><\/p>\n\n\n\n<p>National Institute of Standards and Technology. (2021). <em data-start=\"6978\" data-end=\"7003\">ÐÓ°ÉÔ­´´ NIST: Our history<\/em>. Retrieved from <a href=\"https:\/\/www.nist.gov\/about-nist\" target=\"_new\" rel=\"noopener\" data-start=\"7020\" data-end=\"7063\">https:\/\/www.nist.gov\/about-nist<\/a><\/p>\n\n\n\n<p>Public Safety Canada. (2018). <em data-start=\"7095\" data-end=\"7162\">Emergency management strategy for Canada: Toward a resilient 2030<\/em>. Retrieved from<a href=\"https:\/\/www.publicsafety.gc.ca\/cnt\/rsrcs\/pblctns\/mrgncy-mngmnt-strtgy\/index-en.aspx\"> https:\/\/www.publicsafety.gc.ca\/cnt\/rsrcs\/pblctns\/mrgnc-mngmnt-strtgy\/index-en.aspx<\/a><\/p>\n\n\n\n<p>Public Safety Canada. (2023). <em data-start=\"7293\" data-end=\"7330\">National risk profile &#8211; Canada 2023<\/em>. Retrieved from <a href=\"https:\/\/www.publicsafety.gc.ca\/cnt\/rsrcs\/pblctns\/2023-nrp-pnr\/index-en.aspx\" target=\"_new\" rel=\"noopener\" data-start=\"7347\" data-end=\"7422\">https:\/\/www.publicsafety.gc.ca\/cnt\/rsrcs\/pblctns\/2023-nrp-pnr\/index-en.aspx<\/a><\/p>\n\n\n\n<p>United Nations Office for Disaster Risk Reduction. (2015). <em data-start=\"7483\" data-end=\"7539\">Sendai framework for disaster risk reduction 2015-2030<\/em>. Retrieved from <a href=\"https:\/\/www.undrr.org\/implementing-sendai-framework\/what-sendai-framework\" target=\"_new\" rel=\"noopener\" data-start=\"7556\" data-end=\"7629\">https:\/\/www.undrr.org\/implementing-sendai-framework\/what-sendai-framework<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 id=\"further-reading\" class=\"wp-block-heading\">Further Reading<\/h3>\n\n\n\n<p>For those interested in a deeper dive into the challenges and opportunities associated with standardizing risk assessment methodologies for critical infrastructure, several academic and institutional studies offer valuable insights.<\/p>\n\n\n\n<p>The <strong>European Commission\u2019s Joint Research Centre (2015)<\/strong> proposed a comprehensive risk assessment process tailored specifically for critical infrastructure protection across EU member states, emphasizing the need for harmonized methodologies to improve cross-border resilience. Similarly, <strong>Linkov et al. (2014) <\/strong>introduced the concept of resilience metrics in critical infrastructure protection, advocating for frameworks that integrate risk, resilience, and adaptive capacity into a unified decision-making process.<\/p>\n\n\n\n<p><strong>Aven (2016) <\/strong>explored the foundations and practicalities of risk assessments for critical infrastructures, focusing on how uncertainty, complexity, and interdependencies challenge standardization efforts. <strong>Giannopoulos et al. (2012) <\/strong>examined the influence of transnational challenges and cognitive biases on the adoption of risk assessment methodologies in critical infrastructure sectors, highlighting the socio-technical barriers to harmonization.<\/p>\n\n\n\n<p>In the cyber domain, <strong>Kure, Islam, &amp; Mouratidis (2020)<\/strong> reviewed cyber resilience risk assessment methods, identifying gaps between traditional risk assessments and the evolving cyber threat landscape.<\/p>\n\n\n\n<p>Additionally, <strong>Oughton, Tyler, &amp; Ingirige (2019) <\/strong>reviewed critical infrastructure protection approaches and emphasized the importance of responsiveness to rapidly evolving modeling landscapes, a key consideration when designing dynamic and adaptive risk frameworks. Meanwhile, the <strong>United Nations Security Council Counter-Terrorism Committee (2021) <\/strong>compiled a compendium of good practices for protecting critical infrastructure from terrorist attacks, reinforcing the need for consistent, threat-informed, and adaptable risk assessment methodologies in high-threat environments.<\/p>\n\n\n\n<p>Collectively, these works highlight both the necessity and complexity of developing unified risk assessment standards for critical infrastructure. They emphasize that such standards must balance consistency and flexibility, allowing organizations to adapt to emerging threats and sector-specific risks while ensuring national comparability and effective decision-making.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unraveling the Complexity: How Canada Can Build a Clearer, Stronger Approach to Critical Infrastructure Risk Assessment By Perry Steckly This is simply a conversation starter. At NC-CIPSeR, a question we often hear is: \u201cDoes Canada have a standard way to assess risk?\u201d The answer, like the risks themselves, is far from simple. With so many [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":874,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[24],"tags":[],"class_list":["post-871","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-nc-cipser"],"acf":{"cu_post_thumbnail":""},"_links":{"self":[{"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/posts\/871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/comments?post=871"}],"version-history":[{"count":4,"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/posts\/871\/revisions"}],"predecessor-version":[{"id":1373,"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/posts\/871\/revisions\/1373"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/media\/874"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/media?parent=871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/categories?post=871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/carleton.ca\/cipser\/wp-json\/wp\/v2\/tags?post=871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}