Burns and McDonnell

Risk Management & Compliance


Service Offerings

  • Asset management
  • Maturity assessments
  • Program development, review and management
  • Regulatory compliance
  • Risk assessment
  • Supply chain risk management
  • Third-party risk management

Successful application of risk management and compliance practices means integrating critical models into all facets of your organization, from building out new facilities to planning asset inventory and management to developing new programs or processes. Proper risk management and compliance programs implemented upfront help you avoid costly change within your organization.

We combine our vast risk management knowledge with critical design thinking — as well as industry-proven standards, toolsets and methodologies — to deliver an integrated risk and compliance program. We examine the risks you face and the compliance cycle for your industry, identifying where you can grow and automate your compliance programs.

Safety and reliable operations are the cornerstones of risk management and resiliency for critical infrastructure environments. Our goal is delivering the people, process and technology that support greater risk visibility and opportunities to automate.

Mind the Gap: Resilience Goes Beyond Compliance

Critical infrastructure industries are implementing connectivity and data systems that open them up to new threats that require cybersecurity mitigations.

Achieving Compliance Across Your Organization

By leveraging the maturity, integration and stakeholder engagement models we’ve developed, we gain an understanding of the risks associated with your business and assets. We implement a collaborative risk model that is built, adapted and managed within your organization. Our team helps you recognize and counter risks from broken systems and bulky manual processes. We identify and break down siloed operations through integration, controls and automation.

We partner with you to nurture and expand your risk operations and advance your program management, giving your team the edge it needs to deliver on compliance, risk and board commitments.

The Ticking Clock for AWIA Compliance on Risk Assessment and Emergency Response Plans

America’s Water Infrastructure Act (AWIA) sets into motion a timeline for risk and resiliency compliance requirements for community water systems. A cohesive, comprehensive approach that incorporates best practices for infrastructure resiliency, physical security and cybersecurity can keep you ahead of fast-approaching compliance deadlines.

Compliance With America’s Water Infrastructure Act (AWIA)

As we help the operators of community drinking water systems meet AWIA requirements associated with risk and resilience assessments (RRAs), we leverage our cybersecurity capabilities to identify and mitigate malevolent and natural threats. Our holistic approach supports AWIA compliance, risk assessment, resilience, monitoring systems, financial infrastructure, chemical handling, and operations and maintenance.

Cybersecurity Maturity Model Certification (CMMC) for the Defense Industrial Base


Our team has extensive experience safeguarding Department of Defense classified information. We are leveraging that knowledge to help protect the DoD critical supply chain. Our unique perspective helps you meet the maturity baselines required to pursue defense contracts and implement a holistic approach to cybersecurity.

Government regulations define baseline cybersecurity controls for DoD contracts. With the implementation of the CMMC, companies will need to demonstrate cybersecurity practices and processes to a third-party assessor. As a CMMC Registered Provider Organization (RPO), we will help you determine your appropriate scope and maturity level, based on the type of information you exchange or possess on behalf of the DoD. We will then perform a gap analysis to develop a tailored road map to reach your desired CMMC maturity level. Once the gaps are identified, we work as your active partner to help you address challenges and implement remedies — technological, procedural or physical.

Navigating the Practicality of Cybersecurity Investment Incentives

Proposed rules on cybersecurity investment incentives from FERC are a starting point but may need further practical development to increase adoption.

White Paper
Executive Order Adds Momentum to Mitigation of Cyberthreats to U.S. Power Industry

In the face of increasingly sophisticated cyberattacks in recent years, the U.S. utility industry has responded with an array of strategies designed to reduce and eliminate vulnerabilities to increasingly digitized systems. Now, with the recent issuance of an executive order from President Donald Trump, utilities will expand this effort to other assets touching the bulk electric system.

Case Study
Asset Protection and NERC CIP Compliance

A major North American electric utility holding company needed assistance with cybersecurity, regulatory compliance and risk management for its critical assets, including wind, solar and all other generation assets.

Plugging Cybersecurity Leaks

As utilities try to mitigate evolving cyber risks, the plan starts with a comprehensive maturity assessment and gap analysis of IT and OT systems.

Choosing a Framework for Optimal Risk Management

Choosing the right framework is key in the assessment and management of risk. A framework can help organizations go beyond meeting compliance standards.

Chris Underwood, 1898 & Co.
Matt Morris
Managing Director
