RRA–ERP Compliance Review & Alignment™ — Direnzic
AWIA Compliance · Water Utilities

Your ERP will be reviewed. The question is whether it will hold up.

The June 30, 2026 ERP certification deadline is approaching, and the RRA-ERP compliance review has become the most efficient way for water utilities to confirm their documentation is defensible before they certify. Many utilities will discover, too late, that the risks documented in their Risk & Resilience Assessment are not fully reflected in their Emergency Response Plan. Direnzic conducts an independent alignment review before certification, so the gap surfaces in our review rather than during inspection, audit, or insurance reconciliation after an incident.

Book a 30-Minute Readiness Call No cost · No obligation · 30 minutes
What's Actually At Stake

A misaligned ERP is not a paperwork problem. It creates three different exposures waiting for a trigger.

Exposure 01

Regulatory & Certification Risk

Certifying an ERP that does not reflect documented RRA risks creates a written record of misalignment. EPA, state primacy agencies, and AWIA reviewers can request both documents at any time. The gap between them is not a footnote. It is the finding.

Exposure 02

Insurance & Coverage Defensibility

Cyber and general liability carriers increasingly request ERP documentation during renewal and post-incident reconciliation. An ERP that omits risks your own assessment identified weakens the defensibility of every coverage claim that follows.

Exposure 03

Post-Incident Litigation Posture

If an incident occurs and the documented response procedures fail to address a risk your RRA explicitly named, the question shifts from what happened to what your own records said you knew. That is a posture no leadership team wants to defend.

The Deadline Reframe

June 30, 2026 is not a submission deadline. It is an exposure deadline.

The Engagement

The RRA-ERP Compliance Review: an independent documentation alignment review for utilities preparing to certify under AWIA.

The RRA–ERP Compliance Review & Alignment™ is a focused consulting engagement designed to determine whether your Emergency Response Plan accurately reflects the risks identified in your Risk & Resilience Assessment.

Direnzic conducts the review independently. We do not rewrite your ERP. We do not compete with your internal team. We do not disturb the operational work already underway. We review what your documents say, where they diverge, and what leadership needs to know before certification.

The deliverable is an executive-ready report package your leadership team can act on, your legal team can reference, and your compliance reviewer can defend.

Best Suited For

Utilities completing AWIA certification in the 2024–2026 cycle.

  • Community water systems Serving 3,300+ population, subject to AWIA Section 1433.
  • Utilities completing the RRA cycle Completed RRA work in 2024 or 2025 and now finalizing ERP documentation.
  • Multi-team documentation RRA and ERP prepared by different teams, consultants, or under accelerated timelines.
  • Accountable leadership Leadership teams that want an independent set of eyes on the documentation before certification.

Why Utilities Are Reviewing Now
The gap most often surfaces after certification.

Three patterns appear repeatedly across utilities preparing for the June 30, 2026 deadline. Each is correctable when caught before submission. Each becomes a documented liability after.

Pattern 01

Different teams. Different timelines. Different documents.

RRA work is often performed by one consultant, vendor, or internal team. ERP work is performed by another, sometimes years apart. Without a structured alignment step between them, risks identified in the RRA do not consistently translate into procedures in the ERP.

Pattern 02

Cybersecurity risks named, but not procedurally addressed.

Most RRAs now include cyber and SCADA-related risks. Most ERPs were built around physical and natural-event response. The translation step, turning a documented cyber risk into a documented response procedure, is the single most common gap we find.

Pattern 03

Compliance deadlines compressed late-stage decisions.

Utilities working toward the June 30, 2026 deadline are completing ERP documentation under timeline pressure. Late-stage decisions, copy-forward language from prior plans, and unresolved internal review comments are the conditions in which alignment gaps go undetected.

What's Included
What's Included in the RRA-ERP Compliance Review

Every engagement produces an executive-ready report package designed to be read by your leadership team, referenced by counsel, and defensible under regulatory or insurance review.

01 / Deliverable

Independent RRA Risk Review

Structured review of your completed Risk & Resilience Assessment to confirm the documented risks Direnzic will measure your ERP against.

02 / Deliverable

ERP Alignment Evaluation

Section-by-section evaluation of your Emergency Response Plan against the risks documented in your RRA. What is addressed, what is missing, what is misaligned.

03 / Deliverable

RRA-to-ERP Mapping Matrix

The core analytical artifact. A documented crosswalk between every RRA risk and the corresponding ERP procedure, or absence of one.

04 / Deliverable

Compliance Risk Heat Map

Visual prioritization of identified gaps by exposure severity, so your leadership team knows what to address first, what to address next, and what is acceptable risk.

05 / Deliverable

Executive Defensibility Memo

A concise, leadership-ready summary written for the GM, board, council, or commission. The document your team can put in front of decision-makers without translation.

06 / Deliverable

90-Minute Leadership Debrief

A working session with your leadership team to walk through findings, prioritization, and recommended next steps before certification.

The Direnzic Process

Four steps. Fourteen days. One defensible answer.

01
Step One

Readiness Call

A 30-minute conversation to review your RRA completion timeline, ERP preparation approach, and certification window. You leave the call knowing whether the engagement is right for your organization.

02
Step Two

Engagement Activation

If the engagement is a fit, you receive a formal scope and project outline within 24 hours. Engagements are confirmed in the order received, since capacity is limited around the deadline.

03
Step Three

Secure Document Submission

You submit your current RRA and ERP through a secure channel. Direnzic begins the structured alignment review on receipt, with no internal staffing burden on your team during analysis.

04
Step Four

Findings & Debrief

The full report package is delivered within 14 business days, followed by the 90-minute leadership debrief. Your team leaves with a clear, prioritized path to a defensible certification.

Is This The Right Engagement?
A clear yes. A clear no. A useful filter.

We would rather you self-select out than book a call we both leave wishing we had not. Here is exactly who this engagement is, and is not, built for.

Built For

This is for utilities that have completed the RRA, are preparing the ERP, and want one independent reviewer in the loop before certification.

  • Community water systems serving 3,300+ population under AWIA Section 1433.
  • Utilities that completed their RRA in 2024 or 2025.
  • ERP work prepared by a different team, consultant, or under timeline pressure.
  • Leadership teams accountable for the certification signature.
  • Utilities working toward the June 30, 2026 deadline.
Not Built For

This is not the right engagement if any of the following apply.

  • You have not completed your RRA yet. You need an RRA engagement first.
  • You need someone to write or rewrite your ERP from scratch.
  • You have already certified and are looking for retroactive validation.
  • Your utility is below the AWIA Section 1433 population threshold.
  • You need general cybersecurity advisory unrelated to AWIA documentation.
Investment

Scoped to the engagement. Discussed transparently on the readiness call, before any commitment is requested.

Timeline
14 business days from secure documentation receipt to delivery of the full report package.
Deliverables
Mapping matrix, risk heat map, executive defensibility memo, RRA review summary, ERP alignment evaluation, and a 90-minute leadership debrief.
Format
Independent, non-disruptive, document-based review. Your internal team is not pulled into analysis work during the engagement.
Capacity
A limited number of reviews are conducted in any given window to preserve depth. Engagements close to the deadline are confirmed first-come, first-served.
About Direnzic

Cybersecurity governance built for the systems communities depend on.

Direnzic Technology Consulting Group provides governance-level cybersecurity strategy for water utilities, public agencies, and critical infrastructure operators. We translate complex regulatory requirements into clear, defensible practices leadership teams can act on.

This review is conducted by cybersecurity leaders with direct experience in water sector compliance, executive-level risk communication, and infrastructure protection. Not generalists adapting unrelated frameworks.

Experience
20+ years protecting critical infrastructure
Sector Focus
Water utilities · Public agencies · ICS/SCADA
Certifications
WBENC · WOSB · LaGov ERP · LED Hudson
Affiliations
InfraGard · Goldman Sachs 10KSB · SBA
After June 30, 2026, every gap becomes a documented liability.

Find the gap in our review.
Not in theirs.

A 30-minute readiness call is the only step required to determine whether this engagement fits your utility. No cost. No obligation. No pitch. Just a working conversation about where you are, where you need to be, and whether we are the right reviewer.

Book a 30-Minute Readiness Call
>