Q&A: Risk, Resilience and Response

Shawn Corrigan, Vice President, Risk and Resilience Principal, Carollo, chats with WF&M


This past June at AWWA’s Annual Conference and Exposition (ACE23) in Toronto, we caught up with Shawn Corrigan, CEM, vice president and risk and resilience principal at Carollo. Corrigan walked us though some trends in how utilities are approaching risk assessment, resilience planning and emergency response to combat some of the most pressing challenges facing water system operations and security. We touch on adapting business continuity plans to account for emergencies, cybersecurity risks, customer communication and disaster recovery.

Water Finance & Management: America’s Water Infrastructure Act (AWIA) of 2018 required water utilities to assess vulnerabilities and develop risk and resilience assessments and emergency response plans. Has AWIA impacted how utilities approach resilience and preparedness?

Shawn Corrigan: I think it has, and a lot of that started with risk management. The overall intent is to build a consistent approach to emergency management for all utilities in America. So in response to AWIA, utilities had to rewrite or revise their emergency response plans to a certain standard. The first task for any emergency program is to understand what your risk exposure is, taking into account natural hazards, physical security and cybersecurity. A piece of that includes looking closely at business continuity plans and how that can impact the flow of the business side as opposed to just the crisis management side. Now when people are talking about business continuity plans, they’re now thinking about cyber breaches, security vulnerabilities, potential media/social media backlash and trust issues. I think more utilities are realizing that the managerial skills required for those areas are a big piece of this.

WF&M: Even though emergency planning and risk and resilience initiatives vary by region, are there any common threads you’re seeing as far as challenges or things water systems could do better?

Corrigan: The one thing I would say utilities could do more of is training their staff to execute the plan. I see a lot of systems write an emergency response or security plan and they put it on the shelf and when it’s time to use it, they’re like, “What page is this on?” Different sectors and different industries are required to do a lot of full-scale validation of plan exercises to show regulators they can respond beyond just having it written down. There are definitely these types of exercises happening for water, don’t get me wrong. But trying to get [utilities] a little more sophisticated and trying to get more of a culture of preparedness within the organization is where I see operational resilience moving in the water sector.

WF&M: Are there any other problems you think utilities could improve in their planning process?

Corrigan: One thing I might recommend for the industry is making sure each person involved in executing all elements of the plan clearly understands their specific role and responsibilities. For example, if I’m an operator at a particular asset, it’s critical that I’m clear about what I need to know in a given situation and how I might need to interact in a real-world scenario. I don’t need to know what the command structure is, how they’re tracking situational awareness, I don’t need to know response times. I need to know, if there’s an emergency, what my specific role is. 

There’s a lot of room for utility systems to embrace emergency preparedness. You’re only as strong as your weakest link. So, having a certain level of innate resilience allows these organizations to strengthen their whole system.

WF&M: What about dealing with emergency situations in real time?

Corrigan: I am seeing a lot of systems, particularly in the Northwest, developing emergency drinking water plans aimed at determining what to do when water is out of service during a crisis and how to distribute emergency drinking water to the public if a system is down for days or weeks. Carollo is working with clients to conceive emergency supply plans that are multi-jurisdictional. For example, providing emergency water is more than just providing safe sources of water – it’s providing sites and properly coordinating and communicating with the public. In that sense, the water utility isn’t acting and can’t act alone – these types of responses require coordination between multiple groups and units.

WF&M: In terms of risk and preparedness, are you seeing a need on the wastewater side in addition to drinking water?

Corrigan: AWIA was focused exclusively on drinking water, and certainly I think a lot of good work has been done with AWIA to bring a higher standard of emergency preparedness. I would love to see that move more into the wastewater side and I would advocate for building those plans out. For systems that handle both water and wastewater, we are seeing some clients working both sides of that equation as far as emergency response.

Thinking about what the message is that needs to go out, the means for transmitting it and how it will be received by the target audience, these are all things that can be planned for and also practiced.

WF&M: Let’s talk cybersecurity. In the United States, the U.S. EPA is trying to require cyber audits as part of utility sanitary surveys, a move that was recently paused by a U.S. circuit court while it is determined if such a rule would be legally valid.

Corrigan: As far as adding cybersecurity to sanitary surveys, some people think it’s a good idea, others not so much. It seems like that’s the direction the regulators are moving toward, though. I’ve always advocated for an all-hazards approach to crisis or business continuity management where you don’t have these siloed plans. The goal is to have a consistent management structure that can deal with a any type of incident, whether it’s a cyber incident, natural hazard or, something human-induced. If I were running crisis management, I want my technical experts at the utility system trained on emergency management and organized in such a way that the system is more flexible and can adapt in the event of a cyber incident.

WF&M: Do utilities have a high level of vulnerability when it comes to potential cyber attacks?

Corrigan: I wouldn’t say that. But there’s a high level of awareness and people are very sensitive to this issue. Sometimes these attacks are just an accident – somebody clicks on the wrong thing in an email and a hack occurs. But there’s a level of awareness around things like that.

WF&M: What lessons learned from the COVID-19 pandemic come to mind as far as emergency or crisis management?

Corrigan: This I think COVID was managed as a public health event as opposed to an emergency. There were a lot of reasons for that, but I think a well-built business continuity plan should include illnesses, disease, or other reasons people can’t be in the office. From a business sense, it was an emergency, and it changed the way the world works. All of a sudden everyone was doing virtual meetings, for instance, and so people found ways to adapt. I think it’s changed the way utility systems plan for emergencies, as well. We have a different level of awareness about how to adapt. In many ways disaster is an agent of change, and COVID was a disaster and has changed the way we manage things.

WF&M: Are there any other water quality issues that can be improved with better business continuity   and crisis management plans?

Corrigan: There are several ways water quality can be impacted. One utility I worked with had a source water issue at a surface water facility that had debris clogging the intake after flooding. They had water coming into the facility from the intake, but not as much as they wanted. This system had not written well-crafted crisis communication messaging. They had typical boil water advisory-type messages that they tried to adjust to communicate reduced usage to the public, and it caused confusion. So, thinking through messages like that, whether water use, lead and copper issues or whatever, is very important. Thinking about what the message is that needs to go out, the means for transmitting it and how it will be received by the target audience, these are all things that can be planned for and also practiced.

WF&M: What else are you and Carollo working on to help change the business model for utilities?

Corrigan: I would note that a big piece of crisis or emergency management is the recovery process – the idea being that if there were some sort of calamity and you return everything to the state it was in prior, you’re still exposed to the same risks. If a utility system has had some sort of incident and then does an after-action analysis and goes through the proper recovery phase, it really should then be looking at the management structure, the financial structure and how the business of the utility can be changed and create a more streamlined approach. With AWIA, it was “Let’s build an emergency response plan.” We’re now seeing clients come to us looking for a disaster response plan.

Leave a Reply

Your email address will not be published. Required fields are marked *