When extreme wind gusts from the Tapani storm hit the western shore of Finland in December 2011, the resulting cascade of critical infrastructure failures throughout the country was alarming. Sixty thousand faults in the electricity grid disconnected 570,000 customers—one of every six households nationally—with consequences to the heating systems, hospitals and water distribution and wastewater treatment and an interruption of unpowered telecommunication services.

As a consequence, remote access to electricity substations was lost, the Finnish authorities’ communication network broke down and electricity service restoration took a long time, up to 15 days during the harsh Scandinavian winter.

This widespread electricity disruption generated hundreds of millions of euros in losses and was a turning point for Finland to rethink its critical infrastructure resilience policy. A cooperative framework between governments and electricity operators was set up together with a regulation to incentivize investments in distribution network resilience. A 10 billion euro ($11 billion) investment plan is underway as a result.

The OECD High-Level Risk Forum report on Good Governance for Critical Infrastructure Resilience documented Finland’s recent experience and highlights effective policy tools to foster investments in resilience.

What Are the Policy Options?

In today’s hyper-connected world, disruptions of critical infrastructure and essential services is a key concern for risk managers, both in governments and the private sector.

Natural hazards and malicious attacks against critical infrastructure pose grave risks to societies and economies. Recent shock events—such as the Great East Japan Earthquake, Hurricane Harvey in the United States, the cyberattacks on the Ukrainian electricity grid or the Morandi Bridge collapse in Italy—show how disruptions to critical infrastructure and essential services can result in substantial economic damage and social hardship.

The interconnectedness of supply chains and technological and financial systems in the global economy increases the exposure and vulnerability of critical infrastructure. At the same time, the global increase in infrastructure investment and the digital transformation of infrastructure services provide opportunities to review and invest in critical infrastructure resilience.

Since the mid 2000s, 85 percent of OECD governments have formulated strategies to protect lifeline infrastructure, most often with a security focus in the aftermath of 9/11.

Generally, they have identified critical infrastructure sectors—energy, telecommunications, transport, water, health and finance are the most common—developed an inventory of critical assets and adopted regulations, national programs or incentives to strengthen the resilience of these assets.

Focusing on Resilience, Not Protection

The OECD report cites a need to shift from asset-protection to system-resilience to better account for interdependencies and uncertainties that characterize today’s highly complex risk landscape.

The idea is to focus efforts on the continuity of the most critical functions and services against multiple hazards and threats and to build in resilience measures across the infrastructure life cycle—from design and planning to operations and retrofitting. The report highlights the governance challenges to enhancing investments in those resilience measures.

The Mix of Public and Private Responsibilities

Infrastructure owners and operators bear the primary responsibility to protect their assets and maintain service continuity. But governments have a pivotal role to play: They are responsible for regulations, public safety, and infrastructure delivery and oversight and have expectations for continuity of their own operations, too.

Building trust between government and operators from the public and private sectors becomes essential. Cooperative partnerships need to be established, as all can benefit from an increased level of resilience of their service providers.

Agreeing on resilience target levels is a good approach. In the case of Finland, it was decided—and consequently enshrined in regulation—that there would be no more cuts longer than six hours in urban areas and 36 hours in rural areas after the Tapani storm.

Data Is Paramount to Prioritizing Resilience Investments  

Understanding risks and vulnerabilities requires access to data and information owned by multiple stakeholders, and this is where trust and cooperation becomes tricky. As a business, would you want to share information on your vulnerabilities with the government, especially in competitive sectors?

On the other side, operators might need information from governments, for instance, when it comes to cyber threats or other security risks.

The OECD report identifies a series of information-sharing mechanisms that governments can set up to ensure security and confidentiality of information shared with clear rules of access. For instance, Australia’s Trusted Information-Sharing Network encompasses hundreds of infrastructure stakeholders across the country’s eight designated critical infrastructure sectors.   

Contingency Testing

The good news is that infrastructure dependencies modeling has made tremendous progress. In the United States, Argonne National Laboratory has conducted research to help identify high-consequence failure points and prioritize mitigation investments in complex networks.

Applied to electricity or road networks, the algorithm can find which substations are most critical to the stability of the entire electricity network or identify the best ways to recover transport function after a disruptive earthquake. The insights obtained from such tools help guide resilience policies for both ex ante investments and ex post recovery.

In the United Kingdom, the recently established Data and Analytics Facility for National Infrastructure provides data and tools for infrastructure stakeholders to map interdependencies and assess resilience with advanced computing power. Using these tools more broadly should be a priority; a survey of OECD countries indicates that only about a third of them conducts some type of interdependency mapping.

Who Bears the Cost?

Resilience leads to greater reliability of essential services, but it comes at a cost. A key question is: How can business models integrate those costs up front, while limiting repercussions on costs to customers on the back end?

The OECD report identifies 23 policy instruments that governments could use to support their critical infrastructure resilience policy. As the graph shows, there is a preference toward voluntary frameworks across OECD countries. This is consistent with the aim of government risk managers to engage infrastructure partners more broadly in joint resilience efforts, rather than imposing regulations that are too strict.

The OECD provides a Policy Toolkit that governments can use to support their reforms toward improved resilience of critical infrastructure. Its guidance consists of seven steps and good practices to forge effective partnerships with infrastructure operators and share responsibilities for resilience.

Going forward, the OECD High-Level Risk Forum will work with countries and operators to benchmark their use of such effective governance practices in this area and monitor what works well to enhance resilience of critical infrastructure for the benefit of businesses and communities.