Water utilities: What you need to know about risk and resilience assessments

The challenges facing water utilities are greater today than ever before. Fortunately, the technical resources to meet these obstacles are continuing to improve. The innovative applications behind the delivery of drinking water to citizens we have today are impressive. However, managing a water utility business remains largely focused on understanding and managing risks with some degree of uncertainty.

Recognizing that concern, U.S. Congress has mandated that all community water systems serving more than 3,300 people must perform a risk and resilience assessment and submit a certification to the Environmental Protection Agency (EPA) by deadlines based on population served. The assessment needs to address both malevolent acts and natural hazards, the physical security of several listed categories of critical assets, and cybersecurity and monitoring practices and policies.  

In the past 20 years, several trends have emerged and evolved, and with those changes the tools and best practices to conduct a risk assessment have improved. Hurricanes, droughts, wildfires, and other natural events have reminded us that we face a broad array of hazards. The explosion of the internet and cellular technologies gives utilities more data resources, but ransomware and other threats remind us that cybersecurity is a greater concern than ever before. After the terrorist attacks on September 11, 2001, what was called a “vulnerability assessment” focused largely on terrorism, and now a more mature “risk and resilience assessment” focused on all hazards and major risks that utilities may face. An “all hazards” approach to conducting assessments, coupled with improved EPA data on the likelihood of an occurrence of various types of threats, provides the tools for a more balanced risk program against which to apply limited utility resources. A new Cyber Security Tool through the American Water Works Association enables a more comprehensive and more easily understood approach to today’s cyber threats.

Pennoni has invested in thoroughly understanding the tools of conducting a water utility risk and resilience assessment. We can assist clients at all levels in order to fulfill the legal requirement and build a more resilient utility organization, from physical hardening to security processes to organization cultural shifts.

Thomas Frederick

Tom serves as Associate Vice President, Director Water/Wastewater Practice for Pennoni and is responsible for the overall coordination of the company’s engineering services to clients within the drinking water and wastewater industry, including reuse water and water resources.

For more information, please contact Tom at


Get in touch with our Smart Solutions experts today!