Publications - Article

Information/ICT Security Risk Assessment of Operational IT Systems at Electric Power Utilities

Related tags

#Electric grid #Security

Giovanna Dondossola*, Marc Tritschler**

CIGRE SC D2 Meeting and Colloquium 2009, Fukuoka, Japan, 21-22 October 2009

* ERSE SpA
** KEMA

Risk Assessment is an integral part of the Risk Management process employed by Electric Power Utilities (EPUs). The objective of Risk Management is to ensure that all risks faced by the EPU are appropriately identified, understood and treated. The decision-making process for the treatment of risks relies on information about the threats and vulnerabilities that contribute to the likelihood of the risk occurring and the impact of its occurrence, compared with the cost of mitigating the risk and the risk appetite of the EPU. Thus, risk treatment options range from mitigation to acceptance for any given risk.

Formal Risk Management has become an accepted part of corporate governance for EPUs, and in order to cover all necessary aspects it needs to operate within a framework which facilitates the inclusion of Risk Assessment information from all parts of the EPU. In the context of this paper, this must include Risk Assessment information concerning EPU physical operations, and within physical operations Risk Assessment must include information security/Information and Communications Technology (ICT) security Risk Assessment for operational ICT systems such as SCADA/EMS and power plant process control systems. It is believed that improvements need to be made in this area in order to improve the consideration of these risks within the context of enterprise-wide Risk Management.

Definitions of risk and Risk Management are provided, based on the ISO 31000 Risk Management standard currently under development, and relevant to EPUs. Further to this, a Risk Management framework for EPUs is proposed, particularly to facilitate the incorporation of information/ICT security Risk Assessment for operational ICT systems into the overall, enterprise-wide Risk Management process.

The proposed framework and methods are aligned with already published Risk Management methodologies specific to SCADA systems. Of critical importance in the framework is the recognition of both potential ICT consequences and power consequences due to the occurrence of risks arising from the existence of threats and vulnerabilities. The framework addresses the relationship between ICT consequences and power consequences, and their impact on the EPUs, and proposes a method for assessing these risks and reporting on them against Risk Acceptance Criteria set at appropriate levels within the EPU. This provides an approach which permits the appropriate integration of these risks into an enterprise-wide Risk Management process.
