Implementing the CER All-Hazard Approach in Practice - A Structured Method for Risk Analysis
The resilience of critical infrastructure has become a key regulatory objective within the European Union. With the introduction of the Critical Entities Resilience Directive (CER), operators of essential services are required to systematically identify, assess and manage risks that could disrupt the provision of their services.
At national level, these requirements are translated into concrete implementation strategies. In Austria, the Strategy for the Resilience of Critical Institutions, including the national risk analysis published in 01/2026, defines the national hazard landscape and provides guidance for organizations designated as critical entities.
Based on this framework, operators of critical infrastructures must conduct their own risk analyses and define appropriate resilience measures. Companies are required to perform their initial risk analysis. This regulatory framework requires organizations to establish structured and transparent risk management processes.
A CER-compliant methodology with country- specific hazard catalogues
BC Consulting supports organizations in implementing the regulatory requirements of the CER directive through structured resilience and risk management approaches. To support this process, bcNAVIGATOR was developed, including bcRISK for risk analysis.
The core concept of bcRISK is the combination of a standardised CER-compliant methodology with a flexible hazard catalogue that can be adapted to national risk environments.
The analytical methodology implemented in the software follows the CER requirements. Because the methodology remains consistent, organizations can perform risk analyses in a transparent and comparable way across sectors and locations.
At the same time, the underlying hazard catalogue can be adapted to reflect country-specific risk landscapes, such as national risk analyses or sectoral threat assessments. This allows organizations to implement the all-hazard approach required by CER while ensuring that the risk scenarios remain relevant to their operational environment.
Structured risk analysis with bcRISK
In bcRISK, hazards are structured according to the CER classification into natural, intentional, anthropogenic and technical hazards. Organizations can configure and extend this catalogue based on their national or sector-specific requirements.
Risk scenarios can be created manually or imported via interfaces and structured data imports. Each scenario can then be described in detail using configurable fields and categorised according to the relevant hazard type. The next step is the scenario analysis, which includes an assessment of both the potential impact and the probability of occurrence. In accordance with CER requirements, the impact on the availability of the essential service must always be evaluated using predefined thresholds.
Additional impact categories such as impacts on life and health, environmental damage, financial losses or reputational effects can be included depending on the organization’s needs.
The system also allows organizations to link scenarios to affected resources or operational processes, enabling a clearer understanding of potential operational disruptions.
For each scenario, organizations can define risk treatment strategies.
Risk visualisation and reporting
Once probability and impact have been evaluated, scenarios are automatically positioned in a risk matrix. This visualisation helps decision makers identify the most critical scenarios and prioritise mitigation measures.
The configuration of the risk matrix can be adjusted according to internal governance requirements.
bcRISK enables the automated generation of risk reports. These reports can be created as detailed scenario reports or as management summaries and can be exported using configurable Word or PowerPoint templates. This significantly reduces the effort required for regulatory documentation.
Conclusion
The CER directive requires operators of critical infrastructures to assess a wide range of potential disruptions using a structured and transparent methodology. Implementing the required all-hazard approach can become complex when organizations must simultaneously reflect national risk environments. bcRISK, part of bcNAVIGATOR, addresses this challenge by combining a standardized CER-compliant methodology with a flexible, country-specific hazard catalogue.
This approach enables organizations to perform risk analyses that are methodologically consistent, regulatorily compliant and operationally relevant, while significantly simplifying the documentation and reporting process.
