SOCI risk management program rules - questions for directors

by Joanne Peulen, board and governance specialist

After extensive consultation by the Australian Department of Home Affairs during late 2022, the Security of Critical Infrastructure (SOCI) Risk Management Program Rules commenced on 17 February 2023, imposing new annual board-level federal reporting obligations on particular industry sectors.

In our article ‘New level of risk management transparency’ (November 2022) we discussed our key takeaways from that consultation process, including most notably:

“Responsible Entities[1] with existing fit-for-purpose risk management frameworks and effective board risk oversight processes will be best placed to respond to the requirements.”

Well-informed directors of responsible entities will have heard the starting gun in the race to respond. But now, three months along, how prepared is your organisation to clear the first hurdle? 

The initial compliance deadline, the requirement for Responsible Entities to have developed and implemented a Critical Infrastructure Risk Management Program (CIRMP) by 18 August 2023, is fast approaching. Directors and executives should keep in mind that these Rules are not seeking a reinvention of the wheel.

The intention of the Rules is to ‘centrally map’ largely existing but typically disparate elements of an organisation’s policy, procedural and system controls that help minimise the likelihood and impact of critical infrastructure incidents.

While there are certain content requirements stipulated for a CIRMP[2], it is principally a means of evidencing that the organisation has:

  • undertaken a thorough ‘risk management health check’ in respect to its critical infrastructure
  • remedied any gaps or weaknesses in existing risk management controls or processes identified by that health check
  • developed and implemented new control measures or incident response plans for any new or emerging hazards for its own critical infrastructure or that owned and managed by a third-party whose operation the organisation is dependent on, and
  • formally committed to both an ongoing SOCI risk assessment, monitoring and board reporting process and undertaking scheduled reviews of that process.

In parallel, prudent organisations will start planning how they will achieve compliance with one of the external cyber frameworks specified in the Rules or assess the suitability of utilising their existing cyber framework by 18 August 2024.

With these looming requirements in mind, here are some questions all directors and executives should be asking right now.

Do the SOCI Risk Management Program Rules apply to our organisation?

And if so…

  • Do we have an overarching implementation plan that identifies key tasks, accountable officers and deadlines?
  • Has responsibility for managing the execution of this plan been assigned to a person empowered to operate across the entire organisation? Given the tight timelines, could a cross-departmental working group assist in streamlining delivery?
  • Does this plan prioritise avoiding process duplication and not blurring the lines of operational responsibility?
  • Are we responding to these new legislative requirements in a cost-efficient manner that adds value to our business?
  • What information will routinely be provided to the board to support effective oversight of our risk management program, including our external reporting obligations?

We all know that the establishment of ‘best fit’ risk management program documentation underpins good governance practice. But what is often lost in the rush to meet the next compliance deadline is that the extent to which staff engage with and see value in the risk management process ultimately determines its effectiveness. This applies to any business, large or small, regardless of whether you own or operate critical infrastructure.

Reach out to Directors Australia’s risk specialists Joanne Peulen and Katie Simpson if you are interested in discussing best fit and cost-effective ways of extracting greater business value from your existing risk management framework.


[1] A Responsible Entity being an owner or operator of a critical infrastructure asset.

[2] We recommend referring to the Rules and Explanatory Statement, or the Department of Home Affairs, Cyber and Infrastructure Security Centre’s Critical Infrastructure Risk Management Program factsheet.
