Utilities do a great job of gathering evidence and preparing for an audit. Audit recommendations are thoroughly followed, whether calling for minor changes or full-scale mitigation plans. When the process is complete, regular responsibilities are promptly returned to until the next audit cycle begins.

However, there are some concerns with this approach. The resiliency of internal processes and controls shows minimal improvement between cycles. Until another audit cycle begins, the status quo reigns. Another problem rests in the difference between compliance and security. Achieving one does not necessarily produce the other.

A different, more holistic approach to governance risk management may work better – one that keeps pace with evolving cyber risks by identifying the security gaps and adapting to fill them. Step by step, utilities can transition to this Compliance Maturity Model. The model is set up in a series of phases to achieve risk management.

Phase One: Compliance

One of the most common risk models for water utilities to use, the compliance model is reactive with utilities simply following the letter of the law on security compliance when needed. For example, if regulations require system passwords to be changed annually that is precisely when a utility will make any updates.  

Phase Two: Assurance

The limitations of the compliance model become clear when a utility system experiences a security breach. If a system is hacked two months after a password change, the utility faces increased risk of additional hacks for the next 10 months until a new password change is required.

The Assurance Model is more proactive. This risk model involves creating workflows and processes that measure when, where, why and how risk management efforts are working. In the event that a system is compromised, efforts can then be made to retool the process and increase staff training and response. Returning to the password example, instead of waiting months between password changes, the Assurance Model might call for a more robust solution that mandates complex passwords changed monthly. Security solutions, in other words, are driven by real-world needs, rather than regulatory requirements.

Phase Three: Integration

In the next phase, utilities transition from manual to automated processes. A utility can more efficiently and accurately manage thousands of assets, for example, when technology and automated workflows replace manual checks and spreadsheets. Automated systems can be more proactive in identifying intrusions and abnormal activities, making it possible for staff to monitor everything from a central command center. The integration model not only removes human error from threat detection, it also enables staff to refocus their time and energy on addressing critical needs.

Phase Four: Innovation

When entering this phase, a utility transforms its risk management approach to a full Compliance Maturity Model. Using machine learning, artificial intelligence and other innovations, utilities move beyond tracking assets to driving effective change management throughout the organization. This can include identifying changes needed in security technology products at the vendor level.

Innovation and continuous improvement — rather than prescriptive regulations — will drive utilities’ risk management efforts and critical water infrastructure will be safer as a result.


AWIA sets into motion a timeline for risk and resiliency compliance requirements for community water systems. A cohesive, comprehensive approach that incorporates best practices for infrastructure resiliency, physical security and cybersecurity can keep you ahead of fast-approaching compliance deadlines.

Read the White Paper

Jerome Farquharson is managing director of the governance, risk, cybersecurity and compliance group at Burns & McDonnell. With a multidisciplined 25-year background in physical and cybersecurity, information systems and business advisory consulting, Jerome has worked on projects ranging from compliance, network design and implementation to risk assessment, program management and strategic planning.