risk management continued
Areas of Focus We continue to focus on maturing and developing our risk management practices to deliver tangible benefits to the business and address emerging risk areas. Over the past year, enhancements have included: • A refresh of Vector’s risk appetite, as expressed through the • The establishment of a formal supplier risk management approach to identify, manage and mitigate risks arising from across our supply network (in conjunction with Group Procurement). • A review of Vector’s risk management software Active Risks Manager (ARM) to improve its ability to support and drive data analysis, risk reporting and control assurance activities. • The introduction of a new risk leadership measure for internal audit engagements, designed to influence positive change in management’s philosophy and operating style in relation to audits and fostering greater ownership of findings and actions. • The creation of an Information Governance Council to provide strategic direction on data governance reflecting the heightened focus on how organisations access, manage, utilise, protect and create value from data. • Ongoing improvements to our crisis management and business continuity practices through training, support tool development, and industry benchmarking. • The formation of a cross-functional project team and corporate partnerships to consider the impacts and benefits of AI, automation and robotics on Vector’s future workforce. In addition, deep dives into targeted risk areas have been undertaken and presented at governance forums to promote awareness and discussion. Most notably, EY were commissioned to undertake an in-depth look at the (i) potential physical impacts of climate change on Vector’s network (refer Case Study: Battling the elements on page 39), and (ii) likely implications of a transition to a net zero emissions economy. Cyber Security With increasing evidence of targeted attacks on the energy sector, coupled with Vector being at the forefront of deploying new technologies (such as DERMs) to improve management of the network and provide innovative energy solutions to our customers, the threat of a significant cyber security breach remains a key risk for the business. Vector obviously takes this threat extremely seriously and in 2017 increased its investment in technology solutions and resources in the form of a dedicated team of security experts. Over the course of the year, our key areas of focus included: • improving our threat intelligence capability to detect and respond to potential security events Group Risk Assessment Matrix, to capture broader reputational aspects and encompass sustainability considerations.
• user education and awareness • new tools to help detect and prevent potential attacks on the core control systems that manage the distribution network and improve the security of our network perimeter (refer Case Study: Protecting the crown jewels – on page 39) • partnering with a recognised global security firm for security testing and design • improving incident response capabilities and processes The threat to the broader energy sector has also seen us work more closely with industry peers through our membership of the Control Systems Security Information Exchange (CSSIE). CSSIE is managed by the National Cyber Security Centre (NCSC). Through CSSIE we have helped facilitate the development of frameworks to improve collaboration and sharing of information relating to threats and security incidents, and updated industry security standards. Despite this work, we must remain vigilant to the ever-growing threat. In April 2018 the Vector Outage App was hacked by an unknown person, accessing the contact details of some users of the app. Vector took immediate steps to contain the incident, protect the app and customer data, contact impacted customers, inform privacy authorities, remediate and re-test our cyber controls and recover the customer data. The incident and changing threat landscape are constant reminders of the need to continue to invest in improving our cyber security resilience to ensure we are able to respond quickly to threats, and minimise any potential damage and disruption. n
126
Vector://AR 18
Made with FlippingBook flipbook maker