LOCAL GOVERNMENT SECURITY RISK MANAGEMENT > TOOLKIT AUSTRALIAN LOCAL GOVERNMENT ASSOCIATION

AUSTRALIAN LOCAL GOVERNMENT ASSOCIATION

Australian Local Government Association 2007 ISBN 978-1-1876114-08-4 This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Australian Local Government Association. Requests and inquiries concerning reproduction and rights should be addressed to: Australian Local Government Association 8 Geils Court Deakin ACT 2600 Phone (02) 6122 9420 Disclaimer The Australian Local Government Association, Emergency Management Australia and the Australian Government make no representations about the suitability of the information contained in this document or any material related to this document for any purpose. The document is provided as is without warranty of any kind to the extent permitted by law. The Australian Local Government Association, Emergency Management Australia and the Australian Government hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for particular purpose, title and non-infringement. In no event shall the Australian Local Government Association, Emergency Management Australia or the Australian Government be liable for any special, indirect or consequential damages or any damages whatsoever resulting from the loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of information available in this document. The document or material related to this document could include technical inaccuracies or typographical errors. PAGE ii

Foreword The Local Government Security Risk Management Toolkit is a practical guide to help local government address counter-terrorism considerations, by building from existing emergency/disaster management arrangements. The Toolkit will enable local government to prepare a Security Risk Management Action Plan which will augment existing arrangements with strategies to address significant security risks. Local government can play a key role in managing the consequences of terrorist attacks, as was demonstrated in New York City in the aftermath of the events of September 11, 2001. Further, local government is in place before, during and after terrorist acts or other adverse events, and thus has significant responsibility to plan and prepare for such incidents. This national Toolkit has been prepared from the Local government counter-terrorism risk management kit published by the Queensland Government and the Local Government Association of Queensland in 2004. Its preparation has been funded by a grant from the Australian Government under the Working Together to Manage Emergencies initiative administered by Emergency Management Australia. The applicability of the Toolkit will vary across jurisdictions; users should consult closely with relevant agencies before and during the planning process to ensure that the process and resultant Action Plans comply with and do not duplicate current jurisdictional requirements. The Toolkit supports sound and effective risk management planning and practice, through a systematic process of identifying requirements for additional security risk management activities in light of existing emergency/disaster and security management arrangements. It will be a valuable tool for local government emergency/disaster and security management decision makers and planners throughout Australia. Effective risk management requires collaboration between local government, state and territory governments, the Australian Government, the private sector and the wider community. I encourage you to work closely with all organisations relevant to your local government area to develop appropriate and effective security risk management arrangements. Australia s ability to prevent, respond to and recover from risks and threats, such as those due to terrorism, is strengthened by a high level of security preparedness and strong cooperative, consultative relationships. Cr. Paul Bell AM President of the Australian Local Government Association PAGE iii

PAGE iv

Contents Foreword......................................................................... iii Executive Summary................................................................ vii Glossary.......................................................................... ix WORKBOOK..................................................................... 1 Overview of the Workbook........................................................... 1 Aim............................................................................ 1 Key stakeholders................................................................. 2 Resources and references......................................................... 2 Using this Workbook.............................................................. 2 Phase 1 Establish the context....................................................... 5 Step 1. Describe the community context............................................. 7 Step 2. Describe the legislative context.............................................. 9 Step 3. Establish an emergency/disaster risk profile.................................. 11 Step 4. Review existing emergency/disaster and security management arrangements...... 13 Step 5. Determine evaluation criteria for security risk treatment options................. 19 Phase 2 Conduct a security risk review.............................................. 21 Step 6. Develop a security risk profile............................................... 23 Step 7. Examine community consequences and local government responsibilities.......... 27 Step 8. Evaluate risk treatment options............................................. 33 Phase 3 Plan for action........................................................... 39 Step 9. Develop the high priority risk treatment options................................ 41 Step 10. Develop a Security Risk Management Action Plan............................. 43 Step 11. Monitor and review the Action Plan......................................... 47 Worksheets...................................................................... 53 Emergency/disaster risk profile - Step 3............................................ 54 Comparing emergency/disaster and security management arrangements Step 4......... 55 Evaluation criteria for security risk treatment options - Step 5.......................... 56 Security risk profile Step 6...................................................... 57 Analysing possible security incidents Step 7........................................ 58 Community consequences and local government responsibilities Step 7................ 59 Evaluating risk treatment options Step 8.......................................... 60 Summarising risk treatment options Step 8........................................ 61 Developing the high priority risk treatment options - Step 9............................ 62 Security Risk Management Action Plan Step 10..................................... 63 Monitoring and reviewing implementation of the Security Risk Management.............. 64 Action Plan Step 11 Monitoring and reviewing the currency of the Security Risk Management Action........... 65 Plan Step 11 TRAINING MATERIAL......................................................... 67 Training delivery................................................................... 67 Notes for facilitators............................................................... 67 PowerPoint presentation............................................................ 69 PAGE v

Bibliography...................................................................... 73 Australian Government........................................................... 73 New South Wales............................................................... 77 Northern Territory............................................................... 79 Queensland.................................................................... 80 South Australia................................................................. 82 Tasmania...................................................................... 83 Victoria........................................................................ 85 Western Australia............................................................... 87 Acknowledgements................................................................ 89 List of Tables Table 1: Likelihood of the event occurring............................................. 10 Table 2: Consequences if the event were to occur...................................... 10 Table 3: Resultant risk rating....................................................... 10 Table 4: Risk ratings and recommended action levels................................... 10 Table 5: Emergency/disaster risk profile Green Hills Shire............................. 11 Table 6: Comparing existing emergency/disaster and security management............... 13 arrangements Green Hills Shire Table 7: A rating scale for cost...................................................... 18 Table 8: Evaluation criteria for security risk treatment options Green Hills Shire........... 19 Table 9: Security risk profile Green Hills Shire....................................... 23 Table 10: Categories of preparedness................................................. 26 Table 11: Analysing possible security incidents Green Hills Shire......................... 27 Table 12: Community consequences and local government responsibilities Green.......... 29 Hills Shire Table 13: Evaluating risk treatment options Green Hills Shire............................ 35 Table 14: Summarising risk treatment options Green Hills Shire......................... 37 Table 15: Developing the high priority risk treatment options Green Hills Shire............. 41 Table 16: Security Risk Management Action Plan - Green Hills Shire - searching............ 45 all vehicles entering Port Mary Table 17: Monitoring and reviewing implementation of the Security Risk.................... 47 Management Action Plan - Green Hills Shire Table 18: Monitoring and reviewing the currency of the Security Risk Management........... 49 Action Plan - Green Hills Shire List of Figures Figure 1: Overview of the process..................................................... 3 Figure 2: Phase 1 Establish the context............................................... 5 Figure 3: Comparing emergency/disaster and security risk management arrangements....... 12 Figure 4: Phase 2 Conduct a security risk review...................................... 21 Figure 5: Phase 3 Plan for action................................................... 39 PAGE vi

Executive Summary The Local Government Security Risk Management Toolkit has been developed from the Local government counter-terrorism risk management kit published by the Queensland Government and Local Government Association of Queensland in 2004. The Toolkit is a practical guide intended for Australia-wide use. 1 It is designed to develop and support local government capacity to undertake counter-terrorism and security risk management assessments, and to build from existing emergency/disaster 2 management arrangements to address counter-terrorism considerations. The Toolkit should be used by local government agencies, with input from key stakeholders including relevant state or territory government bodies, major industries and peak bodies, owners and/or operators 3 of critical infrastructure and mass gathering venues, and major event organisers. The systematic process used in this Toolkit is based on the risk management framework detailed in the Australian/New Zealand Standard AS/NZS 4360:2004, Risk Management. The Toolkit focuses at a strategic overview level and applies the judgments and experience of users with broad local knowledge. Users do not need counter-terrorism expertise to complete the steps in this Toolkit. Information about the current security situation and security management arrangements in Australia is available from a number of the publications and websites listed in the Bibliography. The situation and /or management arrangements may change rapidly and Toolkit users should ensure they use current information. The Toolkit is made up of two principal sections a Workbook and training material. The Workbook is the key section of the Toolkit, and details three analytical phases. The first phase describes analysis of the community context for security risk assessment, and includes consideration of the community and legislative contexts, establishment of an emergency/disaster risk profile, review of existing emergency/disaster and security management arrangements, and establishment of criteria to evaluate security risk treatment options. Much of the information needed in this phase will already be available in many local government areas. Sources of such information include existing emergency/disaster management planning guidelines and similar documents. Details of relevant additional sources of information to guide work in this phase are contained in an extensive Bibliography later in the Toolkit. The second phase of the Workbook focuses on identification of potential security targets and development of a security risk profile for the local government area. It guides assessment of a local council s responsibilities and preparedness to manage the potential community consequences of a security-related incident. Possible treatment options for plausible security incidents are evaluated in this phase. 1 The Toolkit has been developed as a resource for use throughout Australia, and consequently it is general in tone. Users should consult closely with relevant state or territory agencies, to ensure the planning process and resultant Action Plans accord with current jurisdictional legislation, policies, plans and procedures, and do not duplicate current jurisdictional requirements. Victorian users, in particular, are urged to note that state s all hazards approach to emergency risk management, and the consequent inclusion of security risk management in current emergency planning processes. 2 The terms emergency and disaster are used with various closely related meanings in different specialist fields, and in different states and territories, in Australia. A discussion of the distinction between the terms is in Commonwealth of Australia (1998b). In this Toolkit, the two terms are most commonly used conjointly, to encompass all relevant events. 3 The term owners and/or operators is used in this Toolkit to encompass all agencies and authorities which bear some responsibility for such infrastructure. PAGE vii

The third phase of the Workbook further analyses the high priority risk treatment options identified for the local government area. This phase then covers development of a Security Risk Management Action Plan that builds from existing emergency/disaster and security management arrangements and is designed to ensure closure of any gaps in existing plans. This phase also includes establishment of arrangements to monitor, review and update the Security Risk Management Action Plan. Worksheets are provided to capture the information generated from the three phases of the Workbook. An extensive Bibliography lists some relevant references. Finally, training material is provided to support introduction of local government officers and key stakeholders to the Toolkit and its application. PAGE viii

Glossary This Glossary is derived from a range of Australian Government and other documents relating to emergency/disaster management and response. Jurisdiction-specific definitions should be checked against relevant sources, including those listed in the Bibliography. All hazards approach. The all hazards approach recognises that emergency management arrangements and programs need to be able to deal with the wide variety and scale of hazards that may affect Australian communities, whether these originate from natural, technological, biological or social agents or result from an interaction between agents in any of these fields. (Commonwealth of Australia 2004a) Consequence. The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an incident. (Standards Australia/Standards New Zealand 2004) Consequence management. Measures to protect public health and safety, restore essential government services, and provide emergency relief and recovery to business and individuals affected by disasters. (Commonwealth of Australia 2005a) Critical infrastructure. Critical infrastructure is defined as those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia s ability to conduct national defence and ensure national security. (Trusted Information Sharing Network for Critical Infrastructure Protection 2004) Disaster. A condition or situation of significant destruction, disruption and/or distress to a community. (Commonwealth of Australia 2004a) Emergency. An event, actual or imminent, which endangers or threatens to endanger life, property or the environment, and which requires a significant and coordinated response. (Commonwealth of Australia 2004a) Emergency management. A range of measures to manage risks to communities and the environment. (Commonwealth of Australia 2004a) Emergency risk management. A systematic process that produces a range of measures which contribute to the wellbeing of communities and the environment. (Commonwealth of Australia 2004a) Likelihood. A quantitative or qualitative description of probability or frequency. (Standards Australia/Standards New Zealand 2004) Local government. Any type of legally constituted local authority functioning in any state or territory of Australia. Risk. The chance of something happening that will have an impact on objectives. It is measured in terms of a combination of the consequences of an event and their likelihood. (Standards Australia/Standards New Zealand 2004) Risk analysis. A systematic process to understand the nature of, and to deduce the level of, risk; it provides the basis for risk evaluation and decisions about risk treatment. (Standards Australia/Standards New Zealand 2004) Risk assessment. The overall process of risk identification, risk analysis and risk evaluation. (Standards Australia/Standards New Zealand 2004) PAGE ix

Risk evaluation. The process of comparing the level of risk against risk criteria; risk evaluation assists in decisions about risk treatment. (Standards Australia/Standards New Zealand 2004) Risk identification. The process of determining what, where, when, why and how something could happen. (Standards Australia/Standards New Zealand 2004) Risk management. The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects. (Standards Australia/Standards New Zealand 2004) Risk management process. The systemic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk. (Standards Australia/Standards New Zealand 2004) Risk reduction. Actions taken to lessen the likelihood, negative consequences, or both, associated with a risk. (Standards Australia/Standards New Zealand 2004) Risk treatment. The process of selection and implementation of measures to modify risk. (Standards Australia/Standards New Zealand 2004) Terrorist act means an action or threat of action where: (a) the action falls within subsection (2) and does not fall within subsection (2A); and (b) the action is done or the threat is made with the intention of advancing a political, religious or ideological cause; and (c) the action is done or the threat is made with the intention of: (i) coercing, or influencing by intimidation, the government of the Commonwealth or a State, Territory or foreign country, or of part of a State, Territory or foreign country; or (ii) intimidating the public or a section of the public. (2) Action falls within this subsection if it: (a) causes serious harm that is physical harm to a person; or (b) causes serious damage to property; or (ba) causes a person s death; or (c) endangers a person s life; other than the life of the person taking the action; or (d) creates a serious risk to the health or safety of the public or a section of the public; or (e) seriously interferes with, seriously disrupts, or destroys, an electronic system including, but not limited to: (i) an information system; or (ii) a telecommunications system; or (iii) a financial system; or (iv) a system used for the delivery of essential government services; or (v) a system used for, or by, an essential public utility; or (vi) a system used for, or by, a transport system. (2A) Action falls within this subsection if it: (a) is advocacy, protest, dissent or industrial action; and (b) is not intended: (i) to cause serious harm that is physical harm to a person; or (ii) to cause a person s death; or (iii) to endanger the life of a person, other than the person taking the action; or (iv) to create a serious risk to the health or safety of the public or section of the public. (Extract from the Security Legislation Amendment (Terrorism) Act 2002, Part 5.3) PAGE x

WORKBOOK LOCAL GOVERNMENT OVERVIEW > WORKBOOK Overview of the Workbook The Workbook is not a prescriptive template, but a guide to help you plan. The Workbook will guide you through three phases: establishing the local context, conducting a security risk review and developing a Security Risk Management Action Plan. Each phase includes several steps. When using the Workbook you may: skip any steps that do not apply to the circumstances in your local government area go directly to the primary output for each step and complete the details without working through the questions/activities. You should consult closely with relevant state or territory agencies during the planning process, to ensure the process and resultant Action Plans accord with current jurisdictional requirements, and do not duplicate or conflict with current jurisdictional requirements. Further, in consultation with those agencies, you need to consider the issue of security of and access to the Action Plan itself. You should note that security classification restrictions may apply to some of the information you have used or developed. You should consult closely with relevant state or territory, and Australian Government, agencies to ensure that security requirements are met at all times. Aim This Workbook outlines a systematic approach to developing a security risk profile and identifying the security risk management arrangements you can use to build from your existing emergency/disaster and security management activities where appropriate. The Workbook and worksheets have been designed so you can use them in a workshop setting, but this is not essential. The Workbook is intended to be used by local government agencies, with input from key stakeholders including relevant state or territory government bodies, major industries and peak bodies, owners and/or operators of critical infrastructure and mass gathering venues, and major event organisers. PAGE 1

WORKBOOK OVERVIEW Key stakeholders Consider using the people who are members of your emergency/disaster management team at local government and regional levels, plus representatives of major industries/peak bodies in the area, owners and/or operators of major infrastructure in the area, and representatives of other levels of government and/or neighbouring authorities. It is essential also that you work closely with your local police and emergency service representatives. Their experience, knowledge and responsibilities make them invaluable in applying the Workbook. Resources and references Assemble basic references relevant to emergency/disaster management and security management in your local government area. You will need any relevant documents that relate specifically to your local government area and district, and documents that are relevant at a national, and state or territory, level. At the local level, essential material will include emergency/disaster management plans and maps of the area. You should also be familiar with your state or territory emergency/disaster management legislation. The Bibliography in this Toolkit will help you identify some of the material you will need. Users may also wish to consult the recently published handbook on security risk management (Standards Australia/Standards New Zealand 2006), which provides some guidance on planning at a more detailed level. Using this Workbook This Workbook is designed so the right-hand (odd numbered) pages set out the process you need to follow, while the left-hand (even) pages provide notes to help you understand the process. Where there is no need for comment on the left-hand page, it has been annotated as intentionally blank. Your deliberations should be at a strategic/overview level and be based on the judgment and experience of key stakeholders. You do not need a security expert to complete the steps in the Workbook. You are aiming to design a practical Action Plan that can be readily applied to your local government area. PAGE 2

WORKBOOK LOCAL GOVERNMENT OVERVIEW FIGURE 1 Overview of the process PHASE 1 Establish the context STEP OUTPUT > Step 1 Describe community context > Community environmental scan > Step 2 Describe legislative context > List of relevant laws and policies > Step 3 Establish emergency/disaster > Emergency/disaster risk profile risk profile > Step 4 Review emergency/disaster > Assessment of current and security management emergency/disaster and security arrangements management arrangements > Step 5 Determine evaluation criteria for > Evaluation criteria for security security risk treatment options risk treatment options PHASE 2 Conduct a security risk review STEP OUTPUT > Step 6 Develop security risk profile > Security risk profile > Step 7 Examine community consequences > Table of consequences and and local government responsibilities responsibilities > Step 8 Evaluate risk treatment options > Additional risk treatment strategies PHASE 3 Plan for action STEP OUTPUT > Step 9 Develop the high priority risk > Table of overlaps and gaps treatment options > Step 10 Develop a Security Risk > Action Plan Management Action Plan > Step 11 Monitor and review Action Plan > Action Plan PAGE 3

WORKBOOK PHASE 1 The first phase is concerned with establishing the context for your local government area, to prepare for later phases. The steps identified will help you document an agreed context for your local council to manage security risks. In many local government areas, much of the information will already be available. For example, some resources may have been generated as a result of developing emergency or disaster management plans and procedures. In such cases, you should gather and review existing material before starting this step. PAGE 4

WORKBOOK LOCAL GOVERNMENT PHASE 1 > PHASE 1 Establish the context This phase sets the context for the remaining two phases. It includes five steps (see Figure 2). Each step will produce a specific output, which you will use as you prepare a Security Risk Management Action Plan for your local government area. FIGURE 2 Phase 1 Establish the context PHASE 1 Establish the context STEP OUTPUT > Step 1 Describe community context > Community environmental scan > Step 2 Describe legislative context > List of relevant laws and policies > Step 3 Establish emergency/disaster > Emergency/disaster risk profile risk profile > Step 4 Review emergency/disaster > Assessment of current and security management emergency/disaster and security arrangements management arrangements > Step 5 Determine evaluation criteria for > Evaluation criteria for security risk security risk treatment options treatment options PAGE 5

WORKBOOK PHASE 1 An environmental scan is a review of the broad context to determine the major factors, trends, opportunities and threats that may influence your local government area now and in the foreseeable future. The combined experience and local knowledge of key stakeholders should provide a suitable level of information to conduct the scan effectively. You need to use annotated maps as the focal point for the scan. Some of these maps may document and illustrate: topographical features GIS digital terrain elevation models land use local government planning scheme/s population distribution bushfire risk/hazard flood information, including riparian and overland flow storm surge information landslip plans infrastructure types and locations. Hazardous materials If you identify sites where significant quantities of hazardous materials are produced, used, stored and/or processed, or that pose a potential threat to the community or environment for some other reason, or routes through which significant shipments of hazardous materials pass, you should also identify the legislation that relates to managing those materials and shipments. PAGE 6

WORKBOOK LOCAL GOVERNMENT PHASE 1 > STEP 1 Describe the community context In this step you will document an environmental scan of the main features of your local government area, to develop a brief condensed overview. Use the combined experience of key stakeholders to obtain all the relevant information about your local government area and, where relevant, about the district. A list of suggested activities to help you obtain the necessary information and materials is below. Activities Obtain maps of your local government and immediately surrounding areas (the word district is used in this Workbook to cover the geographic area around your local government area). Make a note of the features listed below and briefly describe each one. You may find it necessary to produce several map overlays. Geography Confirm the size, boundaries, major geographic features, vegetation cover and general land use patterns of your local government area. Climate and weather Describe the climate and seasonal weather patterns in the district, such as flood and storm surge levels. Population Note the size, distribution, demographics and population movements within your district. Show the relative size of cities and towns. Utilities Identify the main power, water and sewerage, gas and telecommunications facilities and networks within your district. Built infrastructure Mark the ports, airports, rail, roads, pipelines and other major infrastructure in your district. Industry/economics Describe the major primary, secondary, and tertiary industries in your district. Note any significant installations associated with each. Note the major economic activities and/or factors in your district. Government facilities Note the major government facilities (Australian Government, state or territory, and local government). Identify the key emergency services sites and major health facilities. Note foreign missions and diplomatic offices or residences, if applicable. Public buildings and spaces Identify any iconic structures, and major tourist facilities, transport hubs, malls and shopping precincts, major sporting and entertainment venues in your local government area. Educational institutions Identify any major primary, secondary, and tertiary educational institutions and schools in your local government area. Events List any recurring events that attract large numbers of people, such as picnic races, agricultural or music festivals, and trade fairs in your local government area. Hazardous sites/routes Identify any sites where significant quantities of hazardous materials are produced, used, stored and/or processed, or that pose a potential threat to the community or environment for some other reason in your local government area. Identify any routes used to transport significant shipments of such materials through or around your local government area. Historical experience Make note of any history of emergencies and/or disasters in the district, either natural (e.g. floods, bushfires) or man-made (e.g. oil spills, chemical releases). PAGE 7

WORKBOOK PHASE 1 On this page make notes about the legislation that relates to: the legal basis of your local council s authority local government s roles and responsibilities in emergencies and/or disasters in your state or territory local government s roles and responsibilities in a security incident or a counterterrorism situation in your state or territory PAGE 8

WORKBOOK LOCAL GOVERNMENT PHASE 1 > STEP 2 Describe the legislative context In this step you will document relevant aspects of the legal and regulatory framework for your local council, with a particular focus on those aspects relating to emergency/disaster and security management. The Bibliography lists some relevant material and you should consult with key stakeholders to ensure you identify all relevant information. Legislative framework Identify the Australian Government legislation that is relevant to your local council in this context. Identify the state or territory legislation that is relevant to your local council in this context. Identify any regulations, and any protocols, plans, policies or procedures pursuant to that legislation that are relevant to your local council in this context. PAGE 9

WORKBOOK PHASE 1 The risk analysis method you will use in this Workbook is based on that outlined in the Australian/New Zealand Standard AS/NZS 4360:2004, Risk Management, and the associated Risk Management Guidelines Companion to AS/NZS 4360:2004 (Standards Australia/Standards New Zealand 2004). To help you develop a disaster risk profile for your local government area, some examples of likelihood terms and their descriptors are presented in Table 1. Table 2 gives a list of possible consequence terms and descriptors, Table 3 shows a resultant risk rating matrix that maps likelihood against consequences, and Table 4 provides examples of recommended levels of action for each resultant risk rating. You can use the terms and descriptors presented in Tables 1 to 4 for your local government area. Alternatively, you could work with key stakeholders to establish standard sets of likelihood terms, consequence terms, risk ratings and recommended levels of action for specific use in your local government area, with clear descriptors. Either way, you should use the same terms and descriptors to assess each risk. The Risk Management Guidelines contain additional information on developing rating scales. Table 1 Likelihood of the event occurring A Almost certain The event is expected to occur B Likely The event will probably occur C Possible The event should occur at some time D Unlikely The event could occur at some time E Rare The event may occur only in exceptional circumstances Table 2 Consequences if the event were to occur 1 Insignificant Little disruption to the community 2 Minor Minor disruption to community 3 Moderate Some inconvenience to the community 4 Major Noticeable impact on community, some services unavailable 5 Catastrophic Community unable to function without significant support Table 3 Resultant risk rating Likelihood Consequences 1 Insignificant 2 Minor 3 Moderate 4 Major 5 Catastrophic A Almost Certain Medium High High Very high Very high B Likely Medium Medium High High Very high C Possible Low Medium High High High D Unlikely Low Low Medium Medium High E Rare Low Low Low Medium High Table 4 Risk ratings and recommended action levels Ratings Recommended action levels VH Very high risk Immediate action necessary, continuous monitoring and response arrangements must be in place and tested monthly H High risk Monitoring regime and response plan must be in place and tested annually M Medium risk Management responsibility must be specified L Low risk Manage using routine procedures PAGE 10

WORKBOOK LOCAL GOVERNMENT PHASE 1 > STEP 3 Establish an emergency/disaster risk profile In this step you will develop an emergency/disaster risk profile for your local government area. It will serve: as a basis for the next step, in which you will explore the existing emergency/disaster arrangements for your local government area as an example of the risk analysis method you will use in Step 7 when you examine the community consequences of plausible security incidents. If you and the key stakeholders share a sound understanding of the existing emergency/disaster arrangements, and are confident in applying the risk analysis method, you may wish to proceed directly to Step 4. Using the combined experience of key stakeholders, conduct a high-level risk assessment for your local government area. Work through the activities below to complete a table similar to Table 5 below. (This step may not be necessary if an emergency/disaster risk profile already exists.) There is a blank copy of the relevant form in the worksheets at the end of the Workbook. The examples in Tables 1 to 4 will help you complete the emergency/disaster risk profile for your local government area, or you may prepare specific rating scales for your local government area. TABLE 5 Emergency/disaster risk profile Green Hills Shire Hazard Likelihood Consequences Resultant Comments risk rating Natural disasters Severe storm A 2 High Bushfire B 3 High Especially around Rusty Ranges River flood C 4 High Landslip B 2 Medium Mt Lookout area only Man-made disasters* Oil spill B 3 High Threat-specific plan exists Major ground C 3 High transport accident Major industrial C 2 Medium accident * Do not include security events at this stage. These will be covered later. Activities List the natural disasters and man-made hazards or incidents that might occur in your local government area in a given year, in order of probability. Rate the likelihood of each hazard or incident, using the scale in Table 1. 4 Consider the consequences of each hazard from a whole-of-community point of view. Use the rating scale in Table 2. 5 Given the likelihood and consequences for each hazard, read the overall risk rating from Table 3. Enter it into your version of Table 5. 4 Alternatively, you may use a similar scale you have developed for your local government area. 5 Alternatively, you may use a similar scale you have developed for your local government area. PAGE 11

WORKBOOK PHASE 1 Figure 3 Comparing emergency/disaster and security risk management arrangements Security management arrangements Emergency/disaster management arrangements Aspects unique to security management (additional arrangements needed for security management) Areas of overlap (integrate emergency/disaster and security management) Aspects unique to emergency/ disaster management (arrangements do not apply to security management) Examples Areas of overlap response and evacuation plans Aspects unique to emergency/disaster management hazard-specific plans Aspects unique to security management additional (heightened) security measures reporting chains may be different Note that some of the aspects unique to security management may already be addressed under existing security management arrangements, and some may require additional action. These additional aspects will be included in the Security Risk Management Action Plan you are developing. When considering areas of overlap, you should identify existing arrangements that could apply to, or could be readily adapted to manage, a security incident. These could include: organisational structures plans, policies, procedures response capability other arrangements. When considering arrangements that are unique to existing emergency/disaster management, you should identify current emergency/disaster management arrangements that do not apply to a security incident. These could include: organisational structures plans, policies, procedures response capability other arrangements. When considering arrangements that are unique to managing a security incident, you should identify the additional arrangements you would need to manage a security incident. These could include: organisational structures plans, policies, procedures response capability other arrangements. PAGE 12

WORKBOOK LOCAL GOVERNMENT PHASE 1 > STEP 4 Review existing emergency/disaster and security management arrangements In this step you will analyse and compare emergency/disaster and security management arrangements for your local government area, at a strategic or overview level. 6 Figure 3 illustrates the probable relationship between existing emergency/disaster and security management arrangements for your local government area. Use the combined experience of key stakeholders and, in particular, that of relevant state or territory, and Australian Government, officers (such as police) to complete a table similar to the example shown in Table 6 for Green Hills Shire, by working through the questions/activities below. There is a blank copy of the relevant form in the worksheets at the end of the Workbook. The table will identify: areas of overlap security arrangements can be or are integrated with emergency/disaster arrangements aspects unique to emergency/disaster management existing emergency/disaster management arrangements that do not apply to security management aspects unique to security management additional measures that exist or may be needed to address gaps in security management arrangements. TABLE 6 Comparing existing emergency/disaster and security management arrangements Green Hills Shire Type of arrangement Areas of overlap Aspects unique to Aspects unique to emergency/disaster security management management (for flood, as an example) Organisational Role of Council s Council Flood Council structures CEO in Council s Management Counter-Terrorism decision-making Taskforce Response Group structure Plans, policies, Council procedures Council policy: Land Council policy on procedures for evacuation from Use Planning for Flood security risk key commercial hubs Mitigation in Green management Hills Shire Response capability Some Council staff Equipment: portable Senior Council staff trained in roles pumps and flood member identified as under the Australian barriers Counter-Terrorism Incident Management Community Liaison System Officer Other arrangements Emergency Additional garbage Capacity to close airport accommodation disposal facility above and all roads into the arrangements flood plain Shire during a security incident 6 Note that, in some jurisdictions, security management arrangements may fall under emergency/disaster management arrangements and hence the comparison detailed in this step may not apply. In those cases, you should still analyse the existing arrangements using the questions/activities below, in order to prepare for subsequent steps in the action planning process. PAGE 13

WORKBOOK PHASE 1 THIS PAGE INTENTIONALLY LEFT BLANK PAGE 14

WORKBOOK LOCAL GOVERNMENT PHASE 1 Questions/activities The specific questions/activities below will help you assess the emergency/disaster management arrangements in your local government area. You should develop similar questions/activities to explore the current security management arrangements. They will enable you to complete the necessary table. Three particular areas you need to examine in relation to emergency/disaster management are the: Local Emergency/Disaster Management Group/Committee operations Local Emergency/Disaster Management Plans Emergency/Disaster Response Capability. Local Emergency/Disaster Management Group/Committee Which Group or Committee coordinates your local government area response to an emergency and/or disaster? What is the composition of your Group or Committee? Who is the chairperson of your Group or Committee? Does your Group or Committee meet periodically or only when an incident occurs? When was the last meeting? When is the next scheduled meeting? Local Emergency/Disaster Management Plans (and policies and procedures) Do Local Emergency/Disaster Management Plans exist? Has the senior Emergency/Disaster Management Group/Committee approved the plans? Are the plans available for inspection by the public? Have copies of the plans been forwarded to the next level of coordination (e.g. the district, zone, regional, or state or territory)? Are the plans consistent with higher level (district/regional/state/territory) plans? How extensive/comprehensive are the plans? Which threat-specific plans, if any, have been developed? When were the plans last reviewed? When were the plans last exercised? Emergency/Disaster Response Capability Do you have trained people and equipment earmarked to deploy if an emergency or a disaster occurs? Do you have established and practised procedures for standby and activation? Do you have an operations centre staffed by trained people with a set of agreed procedures for managing an emergency or a disaster? What arrangements are in place for communication with key stakeholders, such as other councils, state or territory government and Australian Government authorities and community-based organisations? PAGE 15

WORKBOOK PHASE 1 THIS PAGE INTENTIONALLY LEFT BLANK PAGE 16

WORKBOOK LOCAL GOVERNMENT PHASE 1 What arrangements are in place to ensure your community is aware of ways to mitigate the adverse effects of an incident, and to prepare for, respond to and recover from an emergency or disaster? Do you have a public information strategy or plan to keep the community informed if an emergency or a disaster occurs? Other arrangements Are there other arrangements in place in your local government area which are relevant in this context? Overall assessment Overall, how well developed is your emergency/disaster management capability? How often is your emergency/disaster management capability formally reviewed and tested? When was your emergency/disaster management capability last activated: for a real incident? for an exercise? PAGE 17

WORKBOOK PHASE 1 Rating scales for evaluation criteria Rating scales used to evaluate security risk treatment options may be in absolute or relative terms. An example of ratings for cost is in Table 7. Table 7 A rating scale for cost Rating scale type Option 1 Option 2 Option 3 Relative Cheapest Mid-range Most expensive Absolute $22 000 $65 000 $85 000 $375 000 PAGE 18

WORKBOOK LOCAL GOVERNMENT PHASE 1 > STEP 5 Determine evaluation criteria for security risk treatment options In this step you will set criteria to evaluate possible security risk treatment options. The criteria can then be used later in the process to identify appropriate treatment options. Using the combined experience of key stakeholders, answer the questions below for your local government area, to help you prepare a table similar to the Green Hills Shire example in Table 8. There is a blank copy of the relevant form in the worksheets at the end of the Workbook. TABLE 8 Evaluation criteria for security risk treatment options Green Hills Shire Criterion Rating Rating measure Rating categories Comments scale type Cost Absolute $ Capital and recurrent Exclude if cost exceeds $0.3m per year Practicality Relative The degree to which Low medium high the treatment options can be (i) implemented using existing resources and (ii) would be accepted by the community Compatibility Relative The degree to which Low medium high with existing measures the treatment options are compatible with existing arrangements Impact on Relative The degree to which Low medium high security risk the treatment options profile alter the security risk profile Local Relative The degree to which Low medium high government the treatment options responsibility fall within existing local government responsibilities Questions What criteria will you use to decide whether or not to adopt a specific risk treatment option in your local government area? What rating scale type, measure and categories will you use for each criterion? PAGE 19

WORKBOOK PHASE 2 THIS PAGE INTENTIONALLY LEFT BLANK PAGE 20

WORKBOOK LOCAL GOVERNMENT PHASE 2 > PHASE 2 Conduct a security risk review This phase documents development of a security risk profile, analysis of the community consequences of an incident and of applicable local government responsibilities, and evaluation of potential options to reduce security risk through reduction in either the likelihood or the consequences of an incident. The three steps in this phase, and the associated outputs, are set out in Figure 4. FIGURE 4 Phase 2 Conduct a security risk review PHASE 2 Conduct a security risk review STEP OUTPUT > Step 6 Develop security risk profile > Security risk profile > Step 7 Examine community consequences > Table of consequences and and local government responsibilities responsibilities > Step 8 Evaluate risk treatment options > Additional risk treatment strategies PAGE 21

WORKBOOK PHASE 2 In preparing a list of possible targets, you should note that security classification restrictions may apply to some of the information. You should consult closely with relevant state or territory, and Australian Government, agencies to ensure that security requirements are met at all times. Critical infrastructure refers to those physical facilities, supply chains, information technologies and communication networks that, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia s ability to conduct national defence and ensure national security (www.tisn.gov.au). The owners and/or operators of critical infrastructure will best understand their businesses, their vulnerabilities and how to protect them, and they have a responsibility to: protect and secure their assets (including having a security plan aligned to the current terrorism alert level) actively plan in accordance with risk management principles (in the counterterrorism environment, this would include risk analysis, emergency/disaster response planning and business continuity planning) exercise and review plans on a regular basis report incidents or suspicious activity to the state or territory police. Further information on the potential roles of local government in the protection of critical infrastructure is contained in the Critical Infrastructure Protection National Strategy (Trusted Information Sharing Network 2004). Mass gathering locations or events are characterised by the concentration of people on a predictable basis, in venues or precincts that are open or enclosed. They may include but are not limited to: sporting venues particularly those that attract national and international media exposure and large numbers of people, due to the nature of events hosted shopping complexes/open air markets particularly large multi-tenanted shopping complexes which attract significant numbers of people business precincts tourism and entertainment venues/attractions including high profile entertainment centres, parks and malls, casinos, theme parks, and major nightclub/licensed venue precincts which attract large numbers of people, including tourists cultural facilities hotels and convention centres public transport hubs and precincts major transport centres which attract significant pedestrian traffic major planned events. They may also include: educational institutions and schools local government precincts major local government precincts which attract large volumes of pedestrian traffic and national/international exposure due to significant tourist interest. Councils should also consider hazardous sites and routes within their local government areas, and facilities and/or installations close to their boundaries, damage to which could pose significant community consequences. PAGE 22