Unraveling the Complexity: How Canada Can Build a Clearer, Stronger Approach to Critical Infrastructure Risk Assessment
This is simply a conversation starter.
At NC-CIPSeR, a question we often hear is: “Does Canada have a standard way to assess risk?” The answer, like the risks themselves, is far from simple. With so many risk assessment tools and frameworks in use across the country, determining the most effective methodology becomes part of the challenge.
The Current Reality: A Patchwork System
Canada has built a solid foundation for managing risk to critical infrastructure and communities — but it remains a patchwork of tools, frameworks, and strategies, each operating in isolation or for sector-specific purposes.
Key elements of Canada’s current risk management framework include:
- Canada’s All-Hazards Risk Assessment (AHRA) process and Harmonized Threat and Risk Assessment (HTRA) process, which consider all types of risks — natural, technological, and human-caused (Public Safety Canada, 2018).
- The Sendai Framework for Disaster Risk Reduction, which Canada has embraced as part of its international disaster risk reduction commitments (United Nations Office for Disaster Risk Reduction, 2015).
- The Emergency Management Strategy for Canada: Toward a Resilient 2030, which aligns federal, provincial, and territorial efforts (Public Safety Canada, 2018).
- ISO 31000, adopted as Canada’s national risk management standard and approved by the Standards Council of Canada, which offers principles and guidelines for organizational risk management (BSI Group, n.d.).
On paper, this is an impressive set of tools — but in practice, there is no single, unifying approach that brings all of these frameworks together into a coherent, consistent method to assess, compare, and communicate risk across the country. Provinces struggle with the same challenge.
Why This Matters — And Where the Gaps Are
The 2023 National Risk Profile (NRP) highlighted the evolving risks Canada faces — from wildfires to cyber-attacks to pandemics (Public Safety Canada, 2023). It also emphasized the importance of evidence-based, whole-of-society risk assessments. However, the NRP is not a standardized risk methodology itself — it’s more of a snapshot in time, shaped by the tools, data, and processes currently in use across provinces, territories, and sectors.
This fragmentation leads to several challenges:
- Inconsistent Data: Different jurisdictions and sectors assess risk differently, making national comparisons difficult.
- Siloed Knowledge: There is limited integration between sectors — meaning the energy, transportation, and health sectors may assess risks independently, without seeing potential cascading interdependencies.
- Difficulty Prioritizing Resources: Without a nationally comparable risk picture, it’s hard to ensure that investments, programs, and policy decisions are targeting the right vulnerabilities.
How can Canada leverage the thousands of risk assessments happening across the country, whether they are critical infrastructure sector assessments, municipal hazard assessments, corporate enterprise risk programs, or sector-specific regulatory filings? Canada needs a clear roadmap that moves from fragmented, isolated assessments toward a nationally harmonized, analyzable, and comparable system that allows for both local customization and provincial and national-level measurement.
Can We Learn from Others? Absolutely.
Countries like the United Kingdom, Australia, and the United States have each taken steps toward national standardization of risk assessment, with varying degrees of success.
- The UK National Risk Register uses a common risk methodology across government departments, ensuring national comparability (Cabinet Office, 2023).
- Australia’s National Emergency Risk Assessment Guidelines (NERAG) provide a flexible but consistent process that has been adopted across most states and territories (Australian Institute for Disaster Resilience, 2020).
- The U.S. National Institute of Standards and Technology (NIST) has become a global leader in setting technical standards, including frameworks for cybersecurity risk management (NIST, 2018).
The common thread? These countries all have some form of a centralized body responsible for developing, maintaining, and updating risk assessment methodologies, ensuring cross-jurisdictional and cross-sector consistency.
A Path Forward for Canada — And a Role for NC-CIPSeR
Canada already has the building blocks — from the National Risk Profile to the Sendai Framework to ISO 31000. What we lack is a central, science-driven entity responsible for weaving these elements together into a coherent, adaptable, and widely adopted national risk assessment standard.
The National Bureau of Standards (NBS) was established in the United States on March 3, 1901, to address the growing need for consistent standards and measurements to support industrial growth, scientific progress, and public safety. As the U.S. economy became more complex, inconsistent measurements and technical standards were creating barriers to trade, innovation, and infrastructure development. NBS provided a trusted, central authority for establishing reliable standards across industries, ensuring fairness in commerce, enhancing product safety, and fostering innovation. In 1988, NBS was renamed the National Institute of Standards and Technology (NIST), reflecting its expanded role in advancing technology, cybersecurity, and critical infrastructure protection (NIST, 2021).
The National Bureau of Standards was charged with:
- Developing and maintaining national standards of measurement.
- Providing calibration services to industry and government.
- Conducting scientific research to improve measurement science.
- Supporting industry and government agencies with standard reference materials (SRMs) and technical expertise.
This is where NC-CIPSeR could play a leadership role. Consider the same functions, applied directly to critical infrastructure risk assessments.
We propose the creation of a “NIST for Risk” in Canada — a Centre of Excellence, a national platform for developing, evolving, and promoting standardized risk assessment methodologies tailored to Canada’s critical infrastructure and emergency management needs. Our foundational focus on research, innovation, collaboration and education is a strong start.
This would:
- Ensure consistent data collection and risk analysis across sectors and jurisdictions.
- Support evidence-based decision-making, both for routine planning and emergency response.
- Identify and assess cross-sector interdependencies, ensuring cascading risks are properly understood.
- Provide a trusted, neutral space where government, industry, academia, and Indigenous communities can collaborate on risk data and best practices.
Moving from Fragmentation to Integration
NC-CIPSeR’s work, including Project CANVAS, is already focused on collecting, visualizing, and analyzing threat and hazard data across Canada (we’re just starting). Our Intelligence Hub (repository) is a curated and evolving knowledge center designed to support decision-makers, researchers, and industry leaders working to protect Canada’s critical infrastructure. By bringing together national strategies, threat assessments, sector-specific reports, and historical insights, the Hub serves as both a reference library and a real-time intelligence platform, helping users navigate emerging risks and uncover solutions.
But tools, documents and information aren’t enough — what’s needed is a cultural shift toward standardized, collaborative risk assessment at all levels. Canadians should talk about critical infrastructure, risk assessments and national security in a common, well-understood, consistent language.
We invite our partners across sectors, government, and academia to join us in shaping this conversation. Together, we can:
- Define core risk assessment principles and minimum data requirements.
- Pilot integrated risk assessments that cross sectoral and jurisdictional boundaries.
- Continue research into the efficacy of risk assessments across hazards.
- Standardize data collection and management processes.
- Develop training and knowledge-sharing programs to build a consistent risk culture across Canada.
- Modern knowledge translation.
The time to move from fragmented risk management to a truly national, integrated risk approach is now.
References
Australian Institute for Disaster Resilience. (2020). National Emergency Risk Assessment Guidelines (NERAG). Retrieved from the National Emergency Risk Assessment Guidelines (NERAG) Handbook.
BSI Group. (n.d.). ISO 31000:2018 risk management guidelines. Retrieved from https://www.bsigroup.com/en-CA/ISO-31000-Risk-Management/
Cabinet Office. (2023). National risk register 2023. Government of the United Kingdom. Retrieved from https://www.gov.uk/government/publications/national-risk-register-2023
National Institute of Standards and Technology. (2018). Framework for improving critical infrastructure cybersecurity. Retrieved from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
National Institute of Standards and Technology. (2021). About NIST: Our history. Retrieved from https://www.nist.gov/about-nist
Public Safety Canada. (2018). Emergency management strategy for Canada: Toward a resilient 2030. Retrieved from https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/mrgnc-mngmnt-strtgy/index-en.aspx
Public Safety Canada. (2023). National risk profile – Canada 2023. Retrieved from https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2023-nrp-pnr/index-en.aspx
United Nations Office for Disaster Risk Reduction. (2015). Sendai framework for disaster risk reduction 2015-2030. Retrieved from https://www.undrr.org/implementing-sendai-framework/what-sendai-framework
Further Reading
For those interested in a deeper dive into the challenges and opportunities associated with standardizing risk assessment methodologies for critical infrastructure, several academic and institutional studies offer valuable insights.
The European Commission’s Joint Research Centre (2015) proposed a comprehensive risk assessment process tailored specifically for critical infrastructure protection across EU member states, emphasizing the need for harmonized methodologies to improve cross-border resilience. Similarly, Linkov et al. (2014) introduced the concept of resilience metrics in critical infrastructure protection, advocating for frameworks that integrate risk, resilience, and adaptive capacity into a unified decision-making process.
Aven (2016) explored the foundations and practicalities of risk assessments for critical infrastructures, focusing on how uncertainty, complexity, and interdependencies challenge standardization efforts. Giannopoulos et al. (2012) examined the influence of transnational challenges and cognitive biases on the adoption of risk assessment methodologies in critical infrastructure sectors, highlighting the socio-technical barriers to harmonization.
In the cyber domain, Kure, Islam, & Mouratidis (2020) reviewed cyber resilience risk assessment methods, identifying gaps between traditional risk assessments and the evolving cyber threat landscape.
Additionally, Oughton, Tyler, & Ingirige (2019) reviewed critical infrastructure protection approaches and emphasized the importance of responsiveness to rapidly evolving modeling landscapes, a key consideration when designing dynamic and adaptive risk frameworks. Meanwhile, the United Nations Security Council Counter-Terrorism Committee (2021) compiled a compendium of good practices for protecting critical infrastructure from terrorist attacks, reinforcing the need for consistent, threat-informed, and adaptable risk assessment methodologies in high-threat environments.
Collectively, these works highlight both the necessity and complexity of developing unified risk assessment standards for critical infrastructure. They emphasize that such standards must balance consistency and flexibility, allowing organizations to adapt to emerging threats and sector-specific risks while ensuring national comparability and effective decision-making.
References
Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1-13. https://doi.org/10.1016/j.ejor.2015.12.023
European Commission Joint Research Centre. (2015). Risk assessment methodologies for critical infrastructure protection: Part I – A state of the art. Retrieved from https://publications.jrc.ec.europa.eu/repository/handle/JRC96623
Giannopoulos, G., Filippini, R., & Schimmer, M. (2012). Risk assessment methodologies for critical infrastructure protection: Part II – A new approach. European Commission Joint Research Centre. Retrieved from https://publications.jrc.ec.europa.eu/repository/handle/JRC71049
Kure, H., Islam, S., & Mouratidis, H. (2020). A review of risk assessment methods in the context of the cyber-physical systems (CPS). Sustainability, 12(10), 4487. https://doi.org/10.3390/su12104487
Linkov, I., & Palma-Oliveira, J. M. (Eds.). (2014). Resilience and risk: Methods and application in environment, cyber and social domains. Springer.
Oughton, E. J., Tyler, P., & Ingirige, B. (2019). A review of critical infrastructure protection approaches: Improving security through responsiveness to the dynamic modelling landscape. University of Kent. Retrieved from https://kar.kent.ac.uk/73330/
United Nations Security Council Counter-Terrorism Committee. (2021). Protection of critical infrastructure against terrorist attacks: Compendium of good practices. Retrieved from https://www.un.org/securitycouncil/ctc/files/files/documentcompendium_of_good_practices_eng.pdfs/2021/Jan/compendium_of_good_practices_eng.pdf