Implementing the governance template can address the concerns and needs of a range of external and internal stakeholders.
- Public Confidence
- Internal Assessment
- Flexible Implementation
Increase Public Confidence
The governance template provides leaders a framework to transform data-driven security process and policy into a narrative that is approachable and meaningful to the public and policymakers.
Narratives are an important part of effective communication; stories help people better understand the human impact of data. When the community of people who work at a nuclear facility shows a commitment to good governance, it enhances “public confidence in the peaceful use of nuclear applications.”[3]
[3] At the 2020 International Atomic Energy Agency Nuclear Security Ministerial, dozens of states endorsed a declaration emphasizing the importance of nuclear security in enhancing “public confidence in the peaceful use of nuclear applications.”
Improve Internal Assessments
The governance template serves as an internal assessment and gap analysis tool for nuclear facilities, particularly in determining whether senior leadership has a consistent understanding of, and commitment to, security culture, both in policy and in practice.
Highlighting areas where an organization is doing well offers an opportunity to reward good behaviors that might otherwise not be recognized. Understanding an organization’s culture builds common language and intent across a diverse workforce and offers snapshots of nuclear security improvement over time.
Customize a Flexible Implementation
The template is designed to be tailored to each nuclear facility as part of a full implementation plan and can be used by a variety of actors, such as Chief Operating Officers, Chief Security/Nuclear Officers, and Site Managers.
The Governance Template contains a survey that can be used to provide guidance, recommendations, and feedback to nuclear facilities and their leadership. The goals and best practices in the template are an indicative resource to help nuclear operators illustrate how security considerations are decided, implemented, and internalized by the entire organization. Facilities can build upon good practices and ensure that they fit their unique needs and requirements to strengthen their security culture.
From the Governance Template Survey
The survey portion of the Governance Template contains questions focused on “challenge areas” and can be used to provide guidance, recommendations, and feedback to nuclear facilities and their leadership.[4]
[4] The good practices and associated questions on the survey are based on existing guidance documents from the International Atomic Energy Agency, including NSS 7 on Nuclear Security Culture; NSS 13 on Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities; and NSS 28-T on Self-Assessment of Nuclear Security Culture in Facilities and Activities, among others. The survey also utilizes guidance from the World Institute for Nuclear Security Best Practice Guide on Security Governance and incorporates insights from the World Association of Nuclear Operators (WANO) and the U.S.-based Institute of Nuclear Power Operators (INPO) industry guidance for safety.
- Sections based on Governance Template objectives
- Good Practices linking nuclear security goals to documented actions
- Question Sets that help decisionmakers understand the state of their organization
Leadership and Oversight
Gaining insight into the decision-making processes
The board should play an active role to ensure good governance and oversight of the organization’s security program.
Developing organizations with a strong commitment to nuclear security requires active engagement at every level, from the security guards to the senior leadership. In privately owned organizations, this includes participation from a board of directors. Board members should have a process for understanding their organization’s approach to security, including relevant legal frameworks, regulatory and legal requirements, and their organization’s process for responding to evolving threats.
What is the Board’s review process of risks, security policy and performance?
Executives should show commitment to the organization’s nuclear security program.
Executives can demonstrate their commitment to nuclear security by communicating and demonstrating the importance of nuclear security, ensuring that decisions are based on systematic, rigorous, and thorough analysis, and building trust through transparency with internal and external stakeholders.
Are managerial accountabilities for nuclear security clearly defined; what are the mechanisms in place to implement security policies?
Nuclear Security Risk Assessment
Gaining insight into how an organization assesses the threat and adopts a risk-informed approach
The organization should have a methodology for defining acceptable risk.
An effective corporate governance framework includes the execution and evaluation of systems for risk management. Board members and executive managers should understand organizational risks and the cost-benefit analysis used to decide whether to remediate or accept the risk.
How does your organization assess risk?
The organization should take measures to ensure proper coordination among safety, security, and emergency response arrangements, and should adopt an all-hazards approach to risk management.
Organizations should develop plans for maintaining security during events whose effects are common to multiple hazards, rather than developing individual plans for each hazard. These plans should identify common tasks to be performed, assign responsibility for executing these tasks, and include procedures for carrying out critical tasks. They should prioritize maintaining security throughout a crisis, including maintaining lines of communication, site access control, and physical protection systems.
Does your organization implement an integrated risk management approach to identify and manage risks?
Shared Understanding of Nuclear Security
Gaining insight into how leadership communicates and encourages security practices at every level of the workforce
The organization should have a published policy for nuclear security.
A nuclear security policy should include the goal of strong and sustainable nuclear security capable of protecting against all possible threats. This should include, at a minimum, protecting against a well-placed insider; a modest group of well-trained and well-armed outsiders, capable of operating as more than one team; and both an insider and the outsiders working together. The policy should also recommend that countries require protection against evolving threats such as cyber and unmanned aerial vehicles.
How do you socialize this policy to the workforce?
Management should work to ensure that significant security-related decisions make sense to stakeholders and will sensibly reinforce good behaviors throughout the organization.
Management should convey to stakeholders how physical protection systems are tied to timely and continuous assessment of threats. It should also encourage behavior throughout the organization that rewards focus on continuous nuclear security improvement.
What are the various methods used to communicate the importance of security throughout the organization and among its stakeholders, including the importance of confidentiality?
Organizations should identify supply chain vulnerabilities and should communicate the importance of supply chain security throughout the workforce.
In a world where digital technology is increasingly common and threats are rapidly evolving, organizations must ensure that their supply chains are not producing technologies vulnerable to cyber attacks. Emphasizing the security of supply chains should be part of any targeted security culture program. This means that all staff, from management to security guards, need to be aware of the importance of supply chain security.
How do you evaluate supply chain security within contracting entities?
Management should ensure there are processes and mechanisms in place for leadership and workforce to continually challenge and test basic assumptions about security (and safety).
Management should encourage the development of “red teams” that look for security system weaknesses and how to fix them. These teams should be motivated and incentivized to defeat security systems.
Are there instances in which employee feedback has been used to improve security?
Evaluation and Continuous Learning
Gaining insight into how all staff members are evaluated in their security proficiency and the opportunities provided for improvement
The organization’s nuclear security program should have benchmarks and targets to understand and improve performance.
Is your nuclear security assessment program performance-based?
Management should regularly assess the effectiveness of the organization’s nuclear security.
Performance testing is a critical component in evaluating the quality of a physical protection system. Performance testing must be capable of assessing how effectively a protection system responds to changing threats rather than only testing compliance against design and performance requirements. Performance tests, like force-on-force exercises, should be conducted regularly and based on realistic scenarios.
What, if any, peer or other third-party reviews or audits have been completed or planned?
In general, the organization should have tools and resources available to assess security performance and implement improvements.
What types of other resources would be useful that the organization may not necessarily have access to at this time?
Personnel throughout the facility should be appropriately screened and trained in security.
Background checks and ongoing personnel reliability programs are a critical element of ensuring the trustworthiness of organizational staff. Appropriate standards for selection, training, and certification should be developed to ensure that managers and personnel with accountabilities for nuclear security are demonstrably competent.
How is human reliability ascertained, tested and demonstrated, and how regularly do reviews take place?
Stimson offers a full suite of consultation services to help facilities and other stakeholders implement the governance template.
Support is available for:
- Workshop Development,
- Facility-specific security culture training, and
- Implementation planning.
Organizations interested in additional information, or wishing to request an implementation quote, should submit their information below.