Critical Worker Identification And Risk Management Framework


Course Information

Estimated Time: 4 hours

Difficulty: Intermediate

Course Overview

This course introduces participants to Pentagram Advisory’s Critical Worker Identification and Risk Management Framework – a structured, practical framework aligned with the Security of Critical Infrastructure (SOCI) Act 2018, the Security of Critical Infrastructure (Critical Infrastructure Risk Management Program) Rules 2023 (CIRMP Rules), and the Security of Critical Infrastructure (Telecommunications Security and Risk Management Program) Rules 2025 (TSRMP Rules).

People are complex and dynamic — their roles, behaviours, and influence can evolve over time. This makes them both an organisation’s greatest strength and its most challenging area of risk to manage. The identification of critical workers is therefore a fundamental element of enterprise risk management. By focusing on the roles that are truly critical, organisations can direct resources where they are needed most, strengthen resilience, and build assurance around the people who matter most to the continuity of critical assets and operations.

Designed for professionals in security, risk management, HR, IT/OT, procurement, and governance, the course provides a hands-on guide to identifying critical workers, assessing personnel risk, and embedding proportionate screening and assurance measures into business-as-usual processes.

Participants will gain access to a suite of editable templates enabling them to operationalise requirements, demonstrate compliance, and uplift organisational resilience.

Learning Objectives

By the end of this course, participants will be able to:

1. Understand legislative anchors: Explain how the SOCI Act, CIRMP Rules, and TSRMP Rules require critical workers to be identified, listed, and managed.

2. Apply operational requirements thinking: Use the Operational Requirements (OR) process to link critical assets, functions, and components to specific roles.

3. Use structured criteria for identification: Apply Pentagram’s seven criticality criteria to determine which roles qualify as critical workers, including “soft power” roles such as executives, HR, and procurement.

4. Develop a Critical Worker Register: Record critical workers in a structured, auditable register with screening, review, and accountability fields.

5. Embed proportionate screening and assurance: Match screening and monitoring to the risk level and role sensitivity, including suppliers and managed service providers.

6. Implement reviews and triggers: Establish routine reviews and event-driven triggers to ensure the register remains accurate and defensible.

7. Assess organisational maturity: Use the Critical Worker Framework Maturity Checklist to benchmark current capability and prioritise uplift.

Learning Outcomes

After completing this course, participants will be able to:

1. Explain the principles of critical worker risk management: Demonstrate how structured frameworks strengthen resilience and support regulatory compliance.

2. Map roles to critical assets and functions: Conduct mapping exercises using OR methodology and apply criteria to identify critical workers.

3. Document and maintain a Critical Worker Register: Populate, classify, and update the register as part of the CIRMP.

4. Apply proportionate controls: Design and implement screening, monitoring, and assurance measures that reflect the risk posed by each role.

5. Integrate into business-as-usual: Align HR, IAM, procurement, and governance processes to automatically capture, screen, and offboard critical workers.

6. Evaluate and uplift maturity: Self-assess against the maturity model, identify gaps, and plan improvements with clear, governance-ready outputs.

Welcome
