Risk & Resilience Assessments

Identify what could disrupt essential service.

Systems Risk Advisory helps water, wastewater, electric utility, local government, and industrial organizations assess cyber, physical, OT/ICS, and operational risks, then turn findings into practical resilience priorities.

  • 30+ years: Cybersecurity, physical security, OT/ICS, power, and critical infrastructure experience
  • Nationwide scope: Cyber and physical security assessment experience across U.S. critical infrastructure sectors and territories
  • Engineering informed: Recommendations grounded in how infrastructure systems operate and recover
  • Water sector focus: AWIA, RRA, ERP, SCADA, ransomware readiness, and utility resilience support

Why it matters

Risk changes. Assessments should too.

Many organizations have risk assessments that no longer match how they operate. Facilities change. Staff change. Vendors change. Remote access changes. SCADA and control networks change. Emergency contacts change. Threats change.

A Risk and Resilience Assessment should help leadership answer a direct question: what could interrupt service, and what should we do first to reduce that risk?

The best assessments do more than document hazards. They connect risk to operations, response, recovery, budget decisions, and leadership priorities.

Assessment output should support action

A useful assessment should produce practical findings, clear priorities, and a path for follow-up. That may include emergency response plan updates, tabletop exercises, capital planning, grant discussions, training, and implementation tracking.

AWIA RRA support

AWIA-aligned support for water systems.

For covered community drinking water systems, America's Water Infrastructure Act requires Risk and Resilience Assessments and Emergency Response Plans. Systems Risk Advisory supports utilities preparing for AWIA RRA updates, ERP alignment, and internal readiness reviews.

Current risk picture

Review facilities, SCADA, remote access, vendors, power, communications, chemicals, staffing, and response assumptions.

ERP alignment

Connect RRA findings to roles, communication paths, continuity actions, recovery priorities, and tabletop exercise needs.

Leadership-ready output

Summarize priorities in language useful for managers, boards, councils, capital planning, and budget discussions.

What we assess

Four connected areas of risk.

Every assessment is tailored to the organization. Most projects examine cyber, physical, operational, and emergency response dependencies together.

Cyber

Remote access, MFA, accounts, vendor access, backups, logging, policy, incident readiness, and business system dependencies.

Physical

Facilities, doors, locks, gates, cameras, alarms, lighting, chemical areas, critical assets, field sites, and response coordination.

OT/ICS

SCADA, control networks, HMIs, engineering workstations, network segmentation, exposure paths, vendor access, and manual fallback.

Operational

Power, communications, chemicals, staffing, suppliers, mutual aid, continuity options, emergency roles, and recovery sequence.

Approach

A practical assessment process.

The goal is to understand how the organization actually operates, identify the risks that matter most, and produce recommendations that can be acted on.

Prepare

Review existing assessments, plans, policies, maps, system descriptions, vendor lists, and recent incidents.

Validate

Meet with leadership, operations, maintenance, IT, OT, emergency management, and other key personnel.

Assess

Review cyber, physical, OT/ICS, operational, and response risks across facilities, access paths, and dependencies.

Prioritize

Convert findings into recommendations based on likelihood, consequence, operational impact, cost, complexity, and urgency.

Support action

Provide outputs that support ERP updates, capital planning, grant applications, board briefings, and exercises.

Deliverables

Clear outputs for action and decision-making.

  • Risk and resilience assessment report
  • Prioritized findings and recommendations
  • Cyber, physical, OT/ICS, and operational risk summary
  • AWIA-focused RRA update support, when applicable
  • ERP alignment recommendations
  • Executive briefing for leadership, board, council, or management team
  • Optional tabletop exercise scenario based on assessment findings
  • Optional implementation roadmap with near-term, mid-term, and longer-term actions

Who this is for

Built for organizations that operate essential services.

  • Community drinking water systems preparing for AWIA RRA updates
  • Water and wastewater utilities that need a current view of risk
  • Public works departments and local governments responsible for essential services
  • Electric utility and industrial organizations with OT, SCADA, or control system dependencies
  • Organizations preparing for tabletop exercises, grant applications, capital planning, or board-level risk discussions

Why Systems Risk Advisory

Infrastructure experience changes the assessment.

Systems Risk Advisory brings experience across cybersecurity, physical security, OT/ICS, electrical power systems, emergency response, and critical infrastructure resilience. Our work is informed by infrastructure operations, not only by IT security frameworks.

That matters because risk does not stay in one lane. A cyber incident can become an operational incident. A physical security gap can create a cyber exposure. A power failure can affect treatment, pumping, communications, and recovery. A weak response plan can turn a manageable event into a larger public concern.

We help clients understand those connections and decide what to fix first.

Is your risk assessment still current?

If your operations have changed, your AWIA update cycle is approaching, or leadership needs a clearer view of risk, now is the time to review your readiness.

Discuss Your RRA Readiness