The Austrian Strategy for the Resilience of Critical Institutions, including the national risk analysis, published in mid-January 2026, provides information on how the national view of the hazard situation and cross-sectoral risks is being implemented. On this basis, critical institutions are obliged to carry out their own risk analyses and implement resilience measures.
Companies have nine months after the decision is issued to carry out these risk analyses for the first time and ten months to define resilience measures for the first time. The CER describes the need for critical infrastructures to assess risks that may disrupt the provision of their essential services.
The CER defines risks as all relevant natural and man-made risks, including accidents, natural disasters, hostile threats and public health emergencies, such as pandemics (all-hazard approach). Resilience measures that must be taken for the physical protection of the critical facility are technical, security and organisational measures, the preparation of a resilience plan and the appointment of a liaison officer.
BC Consulting has been helping companies to become more resilient and carry out risk analyses for several years. The innovative bcNAVIGATOR software has also been developed for this purpose, which significantly simplifies this process and saves resources. The following procedure shows how the required risk analysis is carried out step by step in the bcRISK module.
Digital implementation of the RKEG
bcRISK, a module of bcNAVIGATOR, maps the complete catalogue of hazards according to the CER, divided into natural, intentional, anthropogenic and technical hazards (all-hazard approach). Each critical facility can adapt and configure the hazard catalog individually to its own needs. Scenarios can be uploaded quickly and easily using import files or interfaces, or created manually.
Once the hazard catalog has been defined, the individual scenarios can be described and specified in detail. The fields displayed are freely configurable and can be provided with filters, among other things. As can be seen in the screenshot below, you can specify within the scenario filter whether it is a natural, intentional, anthropogenic or technical scenario.
After the scenario description, the scenario analysis follows. Here, too, it is freely configurable in which impact classes the risk is to be assessed. According to the CER, the impact on the availability (including the threshold values) of the essential service is predetermined. Other impact categories would be, for example, the impact on life and limb, impact on the environment, financial impact or impact on image. In addition to the impact, the scenario must also be assessed with a probability of occurrence. Here, too, the threshold values are specified according to CER and already integrated into the software.
The next step is the allocation of impaired resources or affected processes that would be affected by a scenario entry. In addition, risk treatment (e.g. according to the TARA principle) can be carried out, where the further procedure for dealing with the respective risk scenarios is described.
Once the scenario has been assessed with probability of occurrence and impact and the risk treatment has been determined, the localization of the scenario is displayed in a risk matrix. In the case of the risk matrix, the axes, scaling and color schemes can be individually adjusted.
Finally, an automated risk report can be created for each scenario, but also as a management summary, with all information from the software. The risk report can be configured either as a Word or PowerPoint template with various text modules and contains all relevant information for the risk analysis (lists of top dangers, measures for the respective risk scenarios, etc.). Once created, the design of the report can be customized and tailored to your organization.
Result
In order to meet regulatory requirements, critical infrastructure companies are confronted with a large number of different risk scenarios, which means that the assessment of the respective scenarios with different perspectives can very quickly become very complex.
Our innovative solution in bcRISK delivers a structured, standard-compliant and CER-compliant approach that supports companies in going through the entire process and creating a risk report at the push of a button, which can be structured both in a way that is suitable for management and can be structured in detail. The necessary risk scenarios and the methodology from the CER are already available in bcRISK.
