Risk, resilience, and readiness methodology
Risk and resilience work must match how critical infrastructure actually operates. Systems Risk Advisory helps utilities and infrastructure organizations connect cybersecurity, physical security, OT/ICS operations, emergency planning, leadership decisions, and recovery actions.
Systems Risk Advisory uses a practical, mission-focused approach to help critical infrastructure organizations understand risk, set priorities, and prepare for incidents that can affect essential services.
Our work starts with the service you must keep operating. We then examine the people, facilities, networks, control systems, vendors, procedures, and decisions that support that service. The result is a clear view of what matters most and what can be improved first.
Cybersecurity, physical security, and emergency readiness cannot be treated as separate paperwork exercises. They affect pumps, treatment processes, substations, field sites, operators, dispatch, leadership decisions, and public confidence.
We begin by understanding the mission, the consequences of disruption, and the constraints under which the organization operates.
Systems Risk Advisory uses a principal-led model. Senior judgment guides the scope, analysis, findings, and recommendations.
When an engagement requires added depth, we coordinate specialized support in technical, operational, physical security, emergency management, planning, or training roles. Clients receive focused leadership with the right expertise for the assignment.
We identify the services, assets, processes, facilities, and decisions that matter most. This includes what must keep operating, what could create public health or safety consequences, and what would affect continuity of service.
We review how people, facilities, IT systems, OT/ICS, SCADA, vendors, field sites, remote access, communications, and procedures connect in practice.
We examine access paths, control points, single points of failure, cyber-physical dependencies, vendor reliance, emergency communications, and recovery limits.
We assess whether leadership, operators, IT staff, emergency managers, public information staff, and external partners know who decides, who acts, and how issues escalate.
We separate urgent exposure from long-term improvement work. Recommendations are grouped by consequence, likelihood, ownership, cost awareness, operational impact, and realistic sequence.
We help clients turn findings into plan updates, task lists, tabletop exercises, workshops, briefings, and implementation roadmaps that can be used after the report is delivered.
Systems Risk Advisory is built for organizations that need clear decisions, not generic advice. Our approach is designed around the realities of small, mid-sized, and complex infrastructure organizations.
Every engagement is scoped to the client need. Typical work products may include:
Clear findings, practical priorities, and recommended next steps for leadership and technical staff.
Prioritized items that identify ownership, urgency, dependencies, and suggested sequence.
Plain-language briefings for boards, councils, executives, and senior leaders.
Emergency response plans, incident response plans, ransomware readiness materials, and recovery procedures.
Tabletop scenarios, injects, facilitator guides, participant materials, hotwash notes, and improvement items.
Focused training for staff, managers, executives, operators, and cross-functional response teams.
Systems Risk Advisory has a strong focus on water and wastewater utilities. This includes AWIA Risk and Resilience Assessments, Emergency Response Plan updates, SCADA and OT security, remote access review, ransomware readiness, physical security, and tabletop exercises.
The approach works for utilities of different sizes, from small systems with limited staff to larger utilities with complex IT, OT, SCADA, vendor, and emergency management environments.
The same method applies to electric power, local government, public works, and other infrastructure organizations that rely on control systems, field operations, facilities, contractors, and continuity of service.
We focus on practical improvements that help organizations keep essential services running, communicate under pressure, and recover safely.
Confirm the organization, services, facilities, systems, priorities, schedule, and expected deliverables.
Review plans, diagrams, policies, procedures, inventories, prior reports, access paths, and operational context.
Meet with leadership, operations, IT, engineering, emergency management, security, and other stakeholders. Use onsite review when needed.
Develop findings, test assumptions, identify dependencies, and group recommendations by risk and practicality.
Provide draft findings, leadership briefings, final reports, plan updates, exercise materials, or other agreed deliverables.
Support training, tabletop exercises, plan revisions, implementation planning, and future updates when requested.
Assess exposure, controls, policies, access paths, and priority risks.
Review remote access, segmentation, vendor paths, and operational risk.
Update plans so people know what to do under pressure.
Test decisions, coordination, continuity, and recovery before an incident.
Systems Risk Advisory helps clients move from risk concerns to usable plans, trained people, practical priorities, and practiced response.