As emerging technologies pose new attack vectors to critical infrastructure, including nuclear facilities, the nuclear sector must navigate a business environment that is growing heavily tech-dependent while maintaining the security of highly sensitive information and materials. In particular, operators must cultivate a sense of trust with key stakeholders – shareholders, regulators, the public – by demonstrating transparency and building a reputation as nuclear security champions. Nuclear facilities are required to meet an estimated range of adversary characteristics that are established by each State in accordance with the State’s Design Basis Threat (DBT). While a proven degree of strong protection measures is required to license a facility, it is another matter to cultivate an approach to good governance that also demonstrates due diligence and management accountability. Good governance includes a broader, enterprise-wide assessment of security risk that balances economic tradeoffs with increasing security costs and profitability. Facilities must support a workplace culture (beliefs, values, and attitudes) that impresses upon stakeholders the credibility of security threats and the role of all involved in the enterprise to remain vigilant.
Stimson’s Organizational Governance Template for Nuclear Security is a resource that offers a series of questions for executive managers and senior leadership in nuclear facilities to describe their process of building and sustaining a proactive security governance approach and a robust security culture that is responsive to emerging challenges. Answering these questions is an opportunity for an organization to review its organizational decision-making process on security-related matters and how it ultimately impacts the beliefs and attitudes of the operational-level workforce tasked as responsible stewards of nuclear materials and technologies. The governance template process not only captures the core nuclear security culture, but more importantly, the governance and decision-making process of an organization. Stimson is currently working with one of the world’s largest nuclear operators to prototype and customize the governance template to the needs and requirements of their organization in a way that protects proprietary information, enhances transparency, and integrates the outcomes and recommendations into existing workflows. The governance template helps improve security processes and policies by cultivating a model of good organizational governance. This model also informs and shapes nuclear security culture into a narrative that is understood and meaningful to core stakeholders – shareholders, regulators, and the public.
This paper will present the findings from Stimson’s prototype and consultative process with a nuclear operator in the fall of 2019. By the end of the consultation, we will have produced a snapshot of the operator’s nuclear security governance framework and associated culture and developed recommendations with the operator for further implementation of its customized nuclear security governance template. The long-term goal is for industry to utilize the governance template to evaluate and enhance nuclear security governance at their facilities and socialize the template’s benefits with other industry stakeholders. Thus, the template could serve as an internal risk assessment/gap analysis tool for the nuclear sector to determine whether senior leadership has a consistent understanding of, and commitment to, security by way of policy and practice. Furthermore, continued industry input will allow the governance template to be a flexible tool that can be adapted and modified for the broader nuclear/radiological sectors in different regions of the world.