
Strengthening GRC in UK Critical National Infrastructure: Lessons from Failures

News and information from the Advent IM team.

Governance, Risk, and Compliance (GRC) has become an indispensable pillar of resilience in the face of modern threats. Nowhere is this truer than within the United Kingdom’s Critical National Infrastructure (CNI), where vulnerabilities can have cascading effects on public safety, economic stability, and national security.

However, despite advances in cybersecurity and risk management, the UK’s CNI remains susceptible to systemic weaknesses in GRC implementation. Recent years have exposed a series of failings that reveal not just technical shortcomings, but broader issues of accountability, cultural inertia, and fragmented oversight. If left unresolved, these gaps threaten to undermine the trust placed in the systems that underpin daily life.

Understanding GRC in the CNI Context

At its core, GRC in CNI involves:

  • Governance: Establishing the right leadership, policies, and oversight structures.
  • Risk Management: Identifying, evaluating, and mitigating risks across physical, cyber, and operational domains.
  • Compliance: Adhering to regulatory standards such as NIS Regulations, ISO/IEC 27001, and sector-specific requirements.

Given the interconnected nature of CNI sectors – including energy, water, transport, health, and communications – a failure in one domain can quickly ripple into others. This interdependency amplifies the consequences of weak GRC.

Notable Failings

  1. Outdated Risk Assessments and Inadequate Threat Modelling

In several sectors, risk assessments have failed to keep pace with the evolving threat landscape. For example, the 2022 cyberattack on a major UK water supplier revealed that some legacy systems had not been accounted for in recent threat models. The incident exposed poor asset visibility and a lack of scenario-based planning.

Correction: Risk assessments must be living documents. Organisations should invest in threat intelligence integration, real-time risk monitoring, and red team exercises to simulate modern attack vectors.

  2. Fragmented Governance Across Supply Chains

Outsourcing and complex supply chains are now integral to CNI operation, yet governance often stops at the organisational boundary. The SolarWinds compromise, disclosed in December 2020 and not UK-specific, served as a wake-up call for the risks posed by third-party software and services: a trojanised, vendor-signed software update reached customers through the normal release channel, bypassing controls that assumed a trusted supplier. UK organisations have been slow to establish end-to-end visibility across supply networks.

Correction: CNI operators should enforce stricter supply chain due diligence, including mandatory security audits, contractual GRC clauses, and coordinated response protocols with third-party vendors.

  3. Ineffective Regulatory Enforcement

While frameworks like the NIS Regulations have created a baseline for cybersecurity, enforcement has been inconsistent. The lack of significant penalties for non-compliance has weakened their deterrent effect. Several operators have managed to delay compliance timelines without consequence.

Correction: Regulators must be empowered with greater resources and authority to enforce standards. Introducing tiered penalties for negligence and repeated failures, alongside public reporting, would improve transparency and accountability.

  4. Cultural Resistance to Risk Ownership

In some CNI sectors, there is a tendency to treat security and compliance as IT or legal functions, rather than board-level responsibilities. This siloed mindset inhibits effective cross-functional collaboration and weakens organisational resilience.

Correction: Risk ownership must be embedded at the executive level. Boards should be required to undertake annual GRC training, supported by independent audits of leadership engagement in risk management.

  5. Lack of Incident Transparency

Finally, many incidents involving CNI remain undisclosed to the public or are shared only in highly redacted form. This limits collective learning and slows sector-wide improvements.

Correction: The UK should consider a standardised incident disclosure regime for CNI-related events. Similar to aviation safety reporting, anonymised yet detailed reporting can improve sector-wide situational awareness.

A Path Forward

To safeguard the UK’s CNI in the face of increasingly sophisticated and persistent threats, GRC must evolve beyond compliance checklists. It must become a dynamic, proactive function embedded at every level of decision-making. This requires:

  • A unified, national GRC strategy for CNI operators.
  • Real-time, data-driven risk intelligence capabilities.
  • Cross-sector collaboration and transparent reporting.
  • Stronger public-private partnerships to align incentives and share resources.

The stakes are too high for complacency. The UK’s ability to maintain a secure, resilient, and trusted infrastructure depends on confronting these failings head-on—and building a GRC culture fit for the digital age.


Written by Ellie Hurst, Commercial Director.
