A record 28 “billion-dollar” weather and climate disasters struck the U.S. in 2023, according to the National Oceanic and Atmospheric Administration (NOAA), causing an estimated $92.9 billion in damages. The year was not an outlier but part of a rising trend in disruptive natural disasters increasing in intensity, frequency, and resulting cost. Such extreme events – compounded by aging infrastructure, changing demand patterns, supply chain issues, and workforce changes – can be expected to continue, endangering the critical energy, water, and communications infrastructure that drives business and underpins our quality of life. It’s putting utilities under increasing pressure to actively manage their risks and increase their resilience.
Water Sector: Time to Prep for Required Updates
Water utilities have a mechanism to address the pressure. The America's Water Infrastructure Act of 2018 (AWIA) was passed into law in October 2018 and, through amendments to the Safe Drinking Water Act, introduced a new requirement for water systems serving more than 3,300 people to conduct a Risk and Resilience Assessment (RRA) and prepare an Emergency Response Plan (ERP) that incorporates the findings of the RRA. Both elements need to be reviewed and updated every five years and certified by the utilities to the U.S. Environmental Protection Agency (USEPA).
With the first round of certifications completed during the 2020-2021 timeframe, water utilities are coming up on the next round. They must re-certify to USEPA that they have conducted, reviewed, or updated their RRAs and ERPs by the following dates.
Taking a Consistent Approach to Risk and Resilience Assessments
Although USEPA does not require the use of specific standards, methods, or tools for completing RRAs, it has recommended the use of available standards and tools from the Agency and the American Water Works Association (AWWA). These standards and tools include the AWWA J100-21 Standard for Risk and Resilience Management of Water and Wastewater Systems, and the EPA’s Vulnerability Self-Assessment Tool (VSAT). The J100 methodology is based on a 7-step process to assess risk and resilience and develop options for long-term resilience management.
7-Step Risk, Resilience Management Process
Black & Veatch has synthesized the spectrum of available tools and processes and developed a practical, spreadsheet-based tool to assist in the completion of an RRA. Our in-house team of experts has assisted water utilities of all sizes across the U.S. in their initial certifications, providing them with a repeatable and structured process based on the AWWA J100 standard for completing their RRA and ERP development and updates. AWIA tools developed by Black & Veatch use the J100 methodology as a general framework and are further strengthened by VSAT tool features, a suite of cybersecurity assessment tools, lessons learned from numerous AWIA assessments, and the multitude of AWIA guidance documents provided by the USEPA over the initial AWIA certification period.
Implementing a Successful Resilience Program
In the annual surveys that inform Black Veatch’s Strategic Directions Reports for the water sector, resilience has been consistently ranked within the top three challenges utilities are facing. The good news: studies show every $1 spent on risk mitigation reduces future disaster costs by $4-6. A range of solutions are available through Black & Veatch for different scales, complexities, and maturities of organizations, to help utilities define their resilience “stance,” assess their current maturity, and invest in practical, actionable improvement plans to meet their resilience goals cost-effectively.
In 2023, The Water Research Foundation published a first-of-its-kind framework to guide the planning and implementation of resilient water infrastructure. Led by Black & Veatch, the Practical Framework for Water Infrastructure Resilience (WRF-5014) helps utilities of all sizes readily identify strategies, actions, and resources to enhance their infrastructure resilience.
Learn moreKey Factors utilities should consider when outlining their vision toward a successful resilience program include the following.
Consider your full portfolio of operations. The AWIA requirements address drinking water systems, but the process is readily applicable to other utility services. Consider including wastewater, reuse, stormwater, and power generation to improve overall resilience of your organization and shared capabilities.
Meeting the intent of AWIA. Don’t let the RRA become a check-the-box exercise. It takes resources to understand the AWIA requirements and the intent behind them, then develop a structured approach. The goal should be to create a repeatable and sustainable process to risk and resilience management that will provide long-term value. Look for opportunities to integrate with other risk assessments and asset management and planning processes – and not let your RRA to become an isolated document updated once every five years.
Stay on track with the 4Rs. Resistance, Reliability, Redundancy, and Response/Recovery all contribute to overall infrastructure resilience. Use your AWIA assessment to understand where the gaps and opportunities for risk mitigation are. Mitigation strategies and activities can improve resilience, reduce dependency on emergency response, and quickly return the utility to normal operations after an event. Some of the mitigation strategies are physical improvements to infrastructure and equipment, and some are operational activities that occur when an event is anticipated.
Explore funding sources. Consider where funding could come from for resilience initiatives and align planning criteria to maximize funding eligibility. There are multiple funding sources available through FEMA (Federal Emergency Management Agency), USEPA, HUD, and others, and synergizing your AWIA assessment with similar initiatives can open doors to these sources.
Cybersecurity is not one size fits all. There are many widely accepted cybersecurity guidance and assessment tools including the NIST Cybersecurity Framework (CSF), AWWA Cybersecurity Risk Management Tool, EPA’s Water Cybersecurity Assessment Tool (WCAT), NIST SP800-82 Guide to Operational Technology (OT) Security, and NIST SP800-53 Security and Privacy Controls for Information Systems and Organizations. Tailor these resources to align with your utility’s unique needs and guide its cybersecurity risk mitigation efforts.
Expand the ERP across the utility. At a minimum, develop your ERP to include strategies, resources, plans and procedures, risk mitigation strategies, and detection strategies. These items are required by AWIA for drinking water systems but applying them to the rest of the utility will improve resilience across the organization.
Do not stop at documentation. To adequately prepare for events, review the ERP regularly and train with response staff to help responders know what needs to occur. Tabletop exercises and field exercises work together to help responders prepare for future events. During emergencies, the ERP document should grow into a reference for when detailed information is needed.
No dust here. The products of the AWIA assessment should be updated regularly and as needed, not just when the EPA requires it. Familiarity of staff with the RRA and ERP helps keep your utility on its path to long-term resilience.