Everything You Need to Know About AWIA Compliance
Federal legislation requires water systems to address issues of risk and resilience proactively, and that’s a good thing: the risks from malevolent acts and natural hazards are very real but building resilience to these threats and hazards doesn’t have to be complex or expensive.
America’s Water Infrastructure Act of 2018 (AWIA) requires drinking water utilities serving populations greater than 3,300 people to be prepared for a wide range of risks and plan accordingly. But with deadlines that vary based on population size, and significant latitude granted regarding development of the final documents, meeting the AWIA’s risk and resilience requirements might leave you wondering where to begin. Fortunately, we’ve come up with a proven approach.
According to U.S. EPA, utilities must complete and submit a Risk and Resilience Assessment (RRA), evaluating threats that may include, but aren’t limited to:
If you’ve yet to consider how these threats could pose a risk to your utility’s operations—much less develop a plan to respond to them—then AWIA compliance represents an opportunity to build preparedness and the ability to reduce these risks. In addition completing an RRA, you’ll need to develop a corresponding Emergency Response Plan (ERP). ERPs need to be more than an assessment: they must include risk mitigation strategies and actions.
Taking it step by step
Creating resilience is part of our culture at CDM Smith, which is why many of the larger water systems we serve have turned to us to develop AWIA-compliant risk and resilience assessments. Based on our experience working on these projects for large water systems, we suggest that you follow the subsequent steps to achieve a successful and impactful result.
Step 1: Assess what you have
Before creating a plan, start by evaluating project goals, key stakeholders, and your current practices toward managing risk and building resilience. GIS data, as-built drawings, descriptions of your assets, any past risk assessments or resilience efforts—all this information is valuable as you begin to build your assessment and response plan and should be gathered.
For clients we work with, we develop “threat-asset pair” matrices that identify threats to the water system and their potential impact on critical assets like water production & distribution, SCADA systems and finance/accounting systems. We use EPA guidance and regionally-specific information to assess the potential for malevolent acts and natural hazards to pose a risk to your community and operations. By gathering all this information up front, we’re well-prepared to consider all the possibilities that present risk or offer opportunities for greater resilience.
Step 2: Bring the team together for a workshop
Compliance with AWIA is required by law, but it’s also a valuable opportunity to bring your organization together around the goal of building resilience. We encourage using an intensive, facilitated workshop that will allow your organization to identify the vulnerabilities, consequences, and possible solutions for the top threats to your critical assets. Each team within your organization has access to distinct information, and each offers a unique perspective that will benefit the effort.
Relegating AWIA compliance to a desktop exercise does a disservice to the very real challenges that your organization faces. A facilitated workshop allows your organization to engage leaders, department heads and other decision-makers in a meaningful way. It’s an efficient way to develop and prioritize actions to improve resilience in a collaborative, dynamic format.
Even when circumstances don't allow you to convene your team in person, developing an RRA with a collaborative focus is preferable to delegating it to a small team or outsourcing it completely to a consultant.
Step 3: Risk and resilience assessment
After gathering all the necessary information in step one and collaborating in step two, it’s time to create the RRA.
A successful RRA should encompass elements such as the following:
- Analysis of high-criticality assets and high-risk threats
- Incorporates the American Water Works Association’s RAMCAP method
- An assessment of vulnerability that considers advanced preparation, immediate response and long-term recovery
- Evaluation of the likelihood of various threats, using the EPA Baseline Information on Malevolent Acts for Community Water Systems as a guide
Prior to certifying the RRA completion with EPA, the RRA should be evaluated and refined by your leadership team. We generally deliver RRAs in two related deliverables: a spreadsheet analysis that meets the requirements of AWIA, and a written document that captures the methodology, considerations and results. Future AWIA compliance follow-up is required every 5 years, so any tools or spreadsheet models that will allow your team to make updates in the intervening time should be in your hands at the conclusion of the process.
Step 4: Emergency response plan
No later than six months after certification of the RRA, your utility must create an ERP for the required facilities.
The ERP must include the following items to enable the utility to both respond to and proactively prepare for threats, including:
- Strategies and resources to improve resilience, including physical security and cybersecurity
- Plans, procedures, and equipment for threat response
- Actions, procedures, and equipment to lessen the impact of a malevolent act or natural hazard
- Strategies to detect malevolent acts or natural hazards
An effective ERP will serve as a plan to take proactive resilience steps to reduce risk and a playbook for response when the inevitable occurs and your organization is forced to deal with a threat.
Getting it right
To effectively manage risk and build resilience, set a high standard for your RRA and ERP. You have the freedom to carry out this process in any way you see fit, so long as the final product can be certified based on EPA’s standard, but with big issues and large fines at play, mid-sized water systems should start working on their assessments and plans immediately and small systems should be planning and setting aside budget now.