LOCAL GOVERNMENT SECURITY RISK MANAGEMENT > TOOLKIT AUSTRALIAN LOCAL GOVERNMENT ASSOCIATION

(1)

A U S T R A L I A N L O C A L

(2)

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Australian Local Government Association. Requests and inquiries concerning reproduction and rights should be addressed to:

Australian Local Government Association 8 Geils Court

Deakin ACT 2600 Phone (02) 6122 9420

Disclaimer

The Australian Local Government Association, Emergency Management Australia and the Australian Government make no representations about the suitability of the

information contained in this document or any material related to this document for any purpose. The document is provided as is without warranty of any kind to the extent permitted by law. The Australian Local Government Association, Emergency

Management Australia and the Australian Government hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for particular purpose, title and non-infringement. In no event shall the Australian Local Government Association, Emergency

Management Australia or the Australian Government be liable for any special, indirect or consequential damages or any damages whatsoever resulting from the loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of information available in this document. The document or material related to this document could include technical

inaccuracies or typographical errors.

(3)

Foreword

The Local Government Security Risk Management Toolkitis a practical guide to help local government address counter-terrorism considerations, by building from existing emergency/disaster management arrangements. The Toolkit will enable local government to prepare a Security Risk Management Action Plan which will augment existing arrangements with strategies to address significant security risks.

Local government can play a key role in managing the consequences of terrorist attacks, as was demonstrated in New York City in the aftermath of the events of September 11, 2001. Further, local government is in place before, during and after terrorist acts or other adverse events, and thus has significant responsibility to plan and prepare for such incidents.

This national Toolkit has been prepared from the Local government counter-terrorism risk management kitpublished by the Queensland Government and the Local

Government Association of Queensland in 2004. Its preparation has been funded by a grant from the Australian Government under the Working Together to Manage

Emergenciesinitiative administered by Emergency Management Australia. The applicability of the Toolkit will vary across jurisdictions; users should consult closely with relevant agencies before and during the planning process to ensure that the process and resultant Action Plans comply with and do not duplicate current jurisdictional requirements.

The Toolkit supports sound and effective risk management planning and practice, through a systematic process of identifying requirements for additional security risk management activities in light of existing emergency/disaster and security

management arrangements. It will be a valuable tool for local government emergency/disaster and security management decision makers and planners throughout Australia.

Effective risk management requires collaboration between local government, state and territory governments, the Australian Government, the private sector and the wider community. I encourage you to work closely with all organisations relevant to your local government area to develop appropriate and effective security risk management arrangements.

Australia’s ability to prevent, respond to and recover from risks and threats, such as those due to terrorism, is strengthened by a high level of security preparedness and strong cooperative, consultative relationships.

Cr. Paul Bell AM

(4)

(5)

Executive Summary

The Local Government Security Risk Management Toolkithas been developed from the Local government counter-terrorism risk management kitpublished by the Queensland Government and Local Government Association of Queensland in 2004.

The Toolkit is a practical guide intended for Australia-wide use.1_{It is designed to}

develop and support local government capacity to undertake counter-terrorism and security risk management assessments, and to build from existing emergency/disaster2

management arrangements to address counter-terrorism considerations. The Toolkit should be used by local government agencies, with input from key

stakeholders including relevant state or territory government bodies, major industries and peak bodies, owners and/or operators3_{of critical infrastructure and mass}

gathering venues, and major event organisers.

The systematic process used in this Toolkit is based on the risk management framework detailed in the Australian/New Zealand Standard AS/NZS 4360:2004, Risk Management. The Toolkit focuses at a strategic overview level and applies the judgments and experience of users with broad local knowledge. Users do not need counter-terrorism expertise to complete the steps in this Toolkit.

Information about the current security situation and security management

arrangements in Australia is available from a number of the publications and websites listed in the Bibliography. The situation and /or management arrangements may change rapidly and Toolkit users should ensure they use current information. The Toolkit is made up of two principal sections – a Workbook and training material. The Workbook is the key section of the Toolkit, and details three analytical phases. The first phase describes analysis of the community context for security risk assessment, and includes consideration of the community and legislative contexts, establishment of an emergency/disaster risk profile, review of existing emergency/disaster and security management arrangements, and establishment of criteria to evaluate security risk treatment options. Much of the information needed in this phase will already be available in many local government areas. Sources of such information include existing emergency/disaster management planning guidelines and similar documents. Details of relevant additional sources of information to guide work in this phase are contained in an extensive Bibliography later in the Toolkit.

The second phase of the Workbook focuses on identification of potential security targets and development of a security risk profile for the local government area. It guides assessment of a local council’s responsibilities and preparedness to manage the potential community consequences of a security-related incident. Possible treatment options for plausible security incidents are evaluated in this phase.

1 The Toolkit has been developed as a resource for use throughout Australia, and consequently it is general in tone. Users should consult closely with relevant state or territory agencies, to ensure the planning process and resultant Action Plans accord with current jurisdictional legislation, policies, plans and procedures, and do not duplicate current jurisdictional requirements. Victorian users, in particular, are urged to note that state’s all hazardsapproach to emergency risk management, and the consequent inclusion of security risk management in current emergency planning processes. 2 The terms emergencyand disasterare used with various closely related meanings in different specialist fields, and in different

states and territories, in Australia. A discussion of the distinction between the terms is in Commonwealth of Australia (1998b). In this Toolkit, the two terms are most commonly used conjointly, to encompass all relevant events.

(8)

The third phase of the Workbook further analyses the high priority risk treatment options identified for the local government area. This phase then covers development of a Security Risk Management Action Plan that builds from existing emergency/disaster and security management arrangements and is designed to ensure closure of any gaps in existing plans. This phase also includes establishment of arrangements to monitor, review and update the Security Risk Management Action Plan.

Worksheets are provided to capture the information generated from the three phases of the Workbook. An extensive Bibliography lists some relevant references. Finally, training material is provided to support introduction of local government officers and key stakeholders to the Toolkit and its application.

(9)

Glossary

This Glossary is derived from a range of Australian Government and other documents relating to emergency/disaster management and response. Jurisdiction-specific definitions should be checked against relevant sources, including those listed in the Bibliography.

All hazards approach. The all hazards approach recognises that emergency

management arrangements and programs need to be able to deal with the wide variety and scale of hazards that may affect Australian communities, whether these originate from natural, technological, biological or social agents or result from an interaction between agents in any of these fields. (Commonwealth of Australia 2004a)

Consequence. The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes

associated with an incident. (Standards Australia/Standards New Zealand 2004)

Consequence management. Measures to protect public health and safety, restore essential government services, and provide emergency relief and recovery to business and individuals affected by disasters. (Commonwealth of Australia 2005a)

Critical infrastructure. Critical infrastructure is defined as those physical facilities, supply chains, information technologies and communication networks which, if

destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia’s ability to conduct national defence and ensure national security. (Trusted Information Sharing Network for Critical Infrastructure Protection 2004)

Disaster. A condition or situation of significant destruction, disruption and/or distress to a community. (Commonwealth of Australia 2004a)

Emergency. An event, actual or imminent, which endangers or threatens to endanger life, property or the environment, and which requires a significant and coordinated response. (Commonwealth of Australia 2004a)

Emergency management. A range of measures to manage risks to communities and the environment. (Commonwealth of Australia 2004a)

Emergency risk management. A systematic process that produces a range of measures which contribute to the wellbeing of communities and the environment. (Commonwealth of Australia 2004a)

Likelihood. A quantitative or qualitative description of probability or frequency. (Standards Australia/Standards New Zealand 2004)

Local government. Any type of legally constituted local authority functioning in any state or territory of Australia.

Risk. The chance of something happening that will have an impact on objectives. It is measured in terms of a combination of the consequences of an event and their likelihood. (Standards Australia/Standards New Zealand 2004)

Risk analysis. A systematic process to understand the nature of, and to deduce the level of, risk; it provides the basis for risk evaluation and decisions about risk treatment. (Standards Australia/Standards New Zealand 2004)

Risk assessment. The overall process of risk identification, risk analysis and risk evaluation. (Standards Australia/Standards New Zealand 2004)

(10)

Risk evaluation. The process of comparing the level of risk against risk criteria; risk evaluation assists in decisions about risk treatment. (Standards Australia/Standards New Zealand 2004)

Risk identification. The process of determining what, where, when, why and how something could happen. (Standards Australia/Standards New Zealand 2004)

Risk management. The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects. (Standards Australia/Standards New Zealand 2004)

Risk management process. The systemic application of management policies, procedures and practices to the tasks of communicating, establishing the context, identifying, analysing, evaluating, treating, monitoring and reviewing risk. (Standards Australia/Standards New Zealand 2004)

Risk reduction. Actions taken to lessen the likelihood, negative consequences, or both, associated with a risk. (Standards Australia/Standards New Zealand 2004)

Risk treatment. The process of selection and implementation of measures to modify risk. (Standards Australia/Standards New Zealand 2004)

Terrorist actmeans an action or threat of action where:

(a) the action falls within subsection (2) and does not fall within subsection (2A); and (b) the action is done or the threat is made with the intention of advancing a political,

religious or ideological cause; and

(c) the action is done or the threat is made with the intention of: (i) coercing, or influencing by intimidation, the government of the

Commonwealth or a State, Territory or foreign country, or of part of a State, Territory or foreign country; or

(ii) intimidating the public or a section of the public. (2) Action falls within this subsection if it:

(a) causes serious harm that is physical harm to a person; or (b) causes serious damage to property; or

(ba) causes a person’s death; or

(c) endangers a person’s life; other than the life of the person taking the action; or (d) creates a serious risk to the health or safety of the public or a section of the public; or (e) seriously interferes with, seriously disrupts, or destroys, an electronic system

including, but not limited to: (i) an information system; or (ii) a telecommunications system; or (iii) a financial system; or

(iv) a system used for the delivery of essential government services; or (v) a system used for, or by, an essential public utility; or

(vi) a system used for, or by, a transport system. (2A) Action falls within this subsection if it:

(a) is advocacy, protest, dissent or industrial action; and (b) is not intended:

(i) to cause serious harm that is physical harm to a person; or (ii) to cause a person’s death; or

(iii) to endanger the life of a person, other than the person taking the action; or (iv) to create a serious risk to the health or safety of the public or section of the

public.

(Extract from the Security Legislation Amendment (Terrorism) Act 2002, Part 5.3) P A G E x

(11)

> W O R K B O O K

Overview of the Workbook

The Workbook is not a prescriptive template, but a guide to help you plan. The Workbook will guide you through three phases: establishing the local context, conducting a security risk review and developing a Security Risk Management Action Plan. Each phase includes several steps. When using the Workbook you may:

• skip any steps that do not apply to the circumstances in your local government area • go directly to the primary output for each step and complete the details without

working through the questions/activities.

You should consult closely with relevant state or territory agencies during the planning process, to ensure the process and resultant Action Plans accord with current

jurisdictional requirements, and do not duplicate or conflict with current jurisdictional requirements. Further, in consultation with those agencies, you need to consider the issue of security of and access to the Action Plan itself. You should note that security classification restrictions may apply to some of the information you have used or developed. You should consult closely with relevant state or territory, and Australian Government, agencies to ensure that security requirements are met at all times.

Aim

This Workbook outlines a systematic approach to developing a security risk profile and identifying the security risk management arrangements you can use to build from your existing emergency/disaster and security management activities where appropriate. The Workbook and worksheets have been designed so you can use them in a workshop setting, but this is not essential.

The Workbook is intended to be used by local government agencies, with input from key stakeholders including relevant state or territory government bodies, major industries and peak bodies, owners and/or operators of critical infrastructure and mass gathering venues, and major event organisers.

(12)

Key stakeholders

Consider using the people who are members of your emergency/disaster management team at local government and regional levels, plus representatives of major

industries/peak bodies in the area, owners and/or operators of major infrastructure in the area, and representatives of other levels of government and/or neighbouring authorities. It is essential also that you work closely with your local police and emergency service representatives. Their experience, knowledge and responsibilities make them invaluable in applying the Workbook.

Resources and references

Assemble basic references relevant to emergency/disaster management and security management in your local government area. You will need any relevant documents that relate specifically to your local government area and district, and documents that are relevant at a national, and state or territory, level.

At the local level, essential material will include emergency/disaster management plans and maps of the area. You should also be familiar with your state or territory emergency/disaster management legislation. The Bibliography in this Toolkit will help you identify some of the material you will need.

Users may also wish to consult the recently published handbook on security risk management (Standards Australia/Standards New Zealand 2006), which provides some guidance on planning at a more detailed level.

Using this Workbook

This Workbook is designed so the right-hand (odd numbered) pages set out the process you need to follow, while the left-hand (even) pages provide notes to help you

understand the process. Where there is no need for comment on the left-hand page, it has been annotated as ‘intentionally blank’.

Your deliberations should be at a strategic/overview level and be based on the judgment and experience of key stakeholders. You do not need a security expert to complete the steps in the Workbook. You are aiming to design a practical Action Plan that can be readily applied to your local government area.

(13)

P H A S E 1 Establish the context

S T E P O U T P U T

> Step 1 Describe community context > Community environmental scan > Step 2 Describe legislative context > List of relevant laws and policies > Step 3 Establish emergency/disaster > Emergency/disaster risk profile

risk profile

> Step 4 Review emergency/disaster > Assessment of current

and security management emergency/disaster and security

arrangements management arrangements

> Step 5 Determine evaluation criteria for > Evaluation criteria for security security risk treatment options risk treatment options

P H A S E 2 Conduct a security risk review

S T E P O U T P U T

> Step 6 Develop security risk profile > Security risk profile > Step 7 Examine community consequences > Table of consequences and

and local government responsibilities responsibilities

> Step 8 Evaluate risk treatment options > Additional risk treatment strategies

P H A S E 3 Plan for action

S T E P O U T P U T

> Step 9 Develop the high priority risk > Table of overlaps and gaps treatment options

> Step 10 Develop a Security Risk > Action Plan Management Action Plan

> Step 11 Monitor and review Action Plan > Action Plan F I G U R E 1 Overview of the process

(14)

The first phase is concerned with establishing the context for your local government area, to prepare for later phases.

The steps identified will help you document an agreed context for your local council to manage security risks.

In many local government areas, much of the information will already be available. For example, some resources may have been generated as a result of developing emergency or disaster management plans and procedures. In such cases, you should gather and review existing material before starting this step.

(15)

P H A S E 1 Establish the context

S T E P O U T P U T

> Step 1 Describe community context > Community environmental scan > Step 2 Describe legislative context > List of relevant laws and policies > Step 3 Establish emergency/disaster > Emergency/disaster risk profile

risk profile

> Step 4 Review emergency/disaster > Assessment of current

and security management emergency/disaster and security

arrangements management arrangements

> Step 5 Determine evaluation criteria for > Evaluation criteria for security risk security risk treatment options treatment options

>

P H A S E 1

Establish the context

This phase sets the context for the remaining two phases. It includes five steps (see Figure 2). Each step will produce a specific output, which you will use as you prepare a Security Risk Management Action Plan for your local government area.

(16)

An environmental scan is a review of the broad context to determine the major factors, trends, opportunities and threats that may influence your local government area now and in the foreseeable future.

The combined experience and local knowledge of key stakeholders should provide a suitable level of information to conduct the scan effectively.

You need to use annotated maps as the focal point for the scan. Some of these maps may document and illustrate:

• topographical features

• GIS digital terrain elevation models • land use

• local government planning scheme/s • population distribution

• bushfire risk/hazard

• flood information, including riparian and overland flow • storm surge information

• landslip plans

• infrastructure types and locations.

P A G E 6

Hazardous materials

If you identify sites where significant quantities of hazardous materials are produced, used, stored and/or processed, or that pose a potential threat to the community or environment for some other reason, or routes through which significant shipments of hazardous materials pass, you should also identify the legislation that relates to managing those materials and shipments.

(17)

>

S T E P 1

Describe the community context

In this step you will document an environmental scan of the main features of your local government area, to develop a brief condensed overview.

Use the combined experience of key stakeholders to obtain all the relevant information about your local government area and, where relevant, about the district. A list of suggested activities to help you obtain the necessary information and materials is below.

Activities

Obtain maps of your local government and immediately surrounding areas (the word district is used in this Workbook to cover the geographic area around your local government area). Make a note of the features listed below and briefly describe each one. You may find it necessary to produce several map overlays.

Geography– Confirm the size, boundaries, major geographic features, vegetation cover and general land use patterns of your local government area.

Climate and weather – Describe the climate and seasonal weather patterns in the district, such as flood and storm surge levels.

Population– Note the size, distribution, demographics and population movements within your district. Show the relative size of cities and towns.

Utilities– Identify the main power, water and sewerage, gas and telecommunications facilities and networks within your district.

Built infrastructure– Mark the ports, airports, rail, roads, pipelines and other major infrastructure in your district.

Industry/economics– Describe the major primary, secondary, and tertiary industries in your district. Note any significant installations associated with each. Note the major economic activities and/or factors in your district.

Government facilities– Note the major government facilities (Australian Government, state or territory, and local government). Identify the key emergency services sites and major health facilities. Note foreign missions and diplomatic offices or residences, if applicable.

Public buildings and spaces– Identify any iconic structures, and major tourist facilities, transport hubs, malls and shopping precincts, major sporting and entertainment venues in your local government area.

Educational institutions– Identify any major primary, secondary, and tertiary educational institutions and schools in your local government area.

Events– List any recurring events that attract large numbers of people, such as picnic races, agricultural or music festivals, and trade fairs in your local government area.

Hazardous sites/routes– Identify any sites where significant quantities of hazardous materials are produced, used, stored and/or processed, or that pose a potential threat to the community or environment for some other reason in your local government area. Identify any routes used to transport significant shipments of such materials through or around your local government area.

Historical experience– Make note of any history of emergencies and/or disasters in the district, either natural (e.g. floods, bushfires) or man-made (e.g. oil spills, chemical releases).

(18)

On this page make notes about the legislation that relates to: • the legal basis of your local council’s authority

• local government’s roles and responsibilities in emergencies and/or disasters in your state or territory

• local government’s roles and responsibilities in a security incident or a counter-terrorism situation in your state or territory

(19)

>

S T E P 2

Describe the legislative context

In this step you will document relevant aspects of the legal and regulatory framework for your local council, with a particular focus on those aspects relating to

emergency/disaster and security management. The Bibliography lists some relevant material and you should consult with key stakeholders to ensure you identify all relevant information.

Legislative framework

Identify the Australian Government legislation that is relevant to your local council in this context.

Identify the state or territory legislation that is relevant to your local council in this context.

Identify any regulations, and any protocols, plans, policies or procedures pursuant to that legislation that are relevant to your local council in this context.

(20)

The risk analysis method you will use in this Workbook is based on that outlined in the Australian/New Zealand Standard AS/NZS 4360:2004, Risk Management, and the associated Risk Management Guidelines – Companion to AS/NZS 4360:2004 (Standards Australia/Standards New Zealand 2004).

To help you develop a disaster risk profile for your local government area, some examples of likelihood terms and their descriptors are presented in Table 1. Table 2 gives a list of possible consequence terms and descriptors, Table 3 shows a resultant risk rating matrix that maps likelihood against consequences, and Table 4 provides examples of recommended levels of action for each resultant risk rating.

You can use the terms and descriptors presented in Tables 1 to 4 for your local government area. Alternatively, you could work with key stakeholders to establish standard sets of likelihood terms, consequence terms, risk ratings and

recommended levels of action for specific use in your local government area, with clear descriptors. Either way, you should use the same terms and descriptors to assess each risk. The Risk Management Guidelinescontain additional information on developing rating scales.

Table 1 Likelihood of the event occurring

A Almost certain The event is expected to occur B Likely The event will probably occur C Possible The event should occur at some time D Unlikely The event could occur at some time

E Rare The event may occur only in exceptional circumstances Table 2 Consequences if the event were to occur

1 Insignificant Little disruption to the community 2 Minor Minor disruption to community 3 Moderate Some inconvenience to the community

4 Major Noticeable impact on community, some services unavailable 5 Catastrophic Community unable to function without significant support Table 3 Resultant risk rating

Likelihood Consequences

1 Insignificant 2 Minor 3 Moderate 4 Major 5 Catastrophic A Almost Certain Medium High High Very high Very high

B Likely Medium Medium High High Very high

C Possible Low Medium High High High

D Unlikely Low Low Medium Medium High

E Rare Low Low Low Medium High

Table 4 Risk ratings and recommended action levels Ratings Recommended action levels

VH Very high risk Immediate action necessary, continuous monitoring and response arrangements must be in place and tested monthly

H High risk Monitoring regime and response plan must be in place and tested annually

M Medium risk Management responsibility must be specified L Low risk Manage using routine procedures

(21)

>

S T E P 3

Establish an emergency/disaster risk profile

In this step you will develop an emergency/disaster risk profile for your local government area. It will serve:

• as a basis for the next step, in which you will explore the existing emergency/disaster arrangements for your local government area

• as an example of the risk analysis method you will use in Step 7 when you examine the community consequences of plausible security incidents.

If you and the key stakeholders share a sound understanding of the existing emergency/disaster arrangements, and are confident in applying the risk analysis method, you may wish to proceed directly to Step 4.

Using the combined experience of key stakeholders, conduct a high-level risk assessment for your local government area. Work through the activities below to complete a table similar to Table 5 below. (This step may not be necessary if an emergency/disaster risk profile already exists.) There is a blank copy of the relevant form in the worksheets at the end of the Workbook. The examples in Tables 1 to 4 will help you complete the emergency/disaster risk profile for your local government area, or you may prepare specific rating scales for your local government area.

T A B L E 5 Emergency/disaster risk profile – Green Hills Shire Hazard Likelihood Consequences Resultant Comments

risk rating Natural disasters

Severe storm A 2 High

Bushfire B 3 High Especially around

Rusty Ranges

River flood C 4 High

Landslip B 2 Medium Mt Lookout area only

Man-made disasters*

Oil spill B 3 High Threat-specific

plan exists

Major ground C 3 High

transport accident

Major industrial C 2 Medium

accident

* Do not include security events at this stage. These will be covered later.

Activities

List the natural disasters and man-made hazards or incidents that might occur in your local government area in a given year, in order of probability.

Rate the likelihood of each hazard or incident, using the scale in Table 1.4

Consider the consequences of each hazard from a whole-of-community point of view. Use the rating scale in Table 2.5

Given the likelihood and consequences for each hazard, read the overall risk rating from Table 3. Enter it into your version of Table 5.

(22)

Figure 3 Comparing emergency/disaster and security risk management arrangements

Examples

Areas of overlap

• response and evacuation plans

Aspects unique to emergency/disaster management • hazard-specific plans

Aspects unique to security management • additional (heightened) security measures • reporting chains may be different

Notethat some of the aspects unique to security management may already be addressed under existing security management arrangements, and some may require additional action. These additional aspects will be included in the Security Risk Management Action Plan you are developing.

When considering areas of overlap, you should identify existing arrangements that could apply to, or could be readily adapted to manage, a security incident. These could include:

• organisational structures • plans, policies, procedures • response capability • other arrangements.

When considering arrangements that are unique to existing emergency/disaster management, you should identify current emergency/disaster management arrangements that do not apply to a security incident. These could include: • organisational structures

• plans, policies, procedures • response capability • other arrangements.

When considering arrangements that are unique to managing a security incident, you should identify the additional arrangements you would need to manage a security incident. These could include:

• organisational structures • plans, policies, procedures • response capability • other arrangements. P A G E 1 2 Emergency/disaster management arrangements Security management arrangements

Aspects unique to security management (additional arrangements needed for security management) Areas of overlap (integrate emergency/disaster and security management) Aspects unique to emergency/ disaster management (arrangements do not apply to security management)

(23)

>

S T E P 4

Review existing emergency/disaster and security

management arrangements

In this step you will analyse and compare emergency/disaster and security management arrangements for your local government area, at a strategic or overview level.6_{Figure 3}

illustrates the probable relationship between existing emergency/disaster and security management arrangements for your local government area.

Use the combined experience of key stakeholders and, in particular, that of relevant state or territory, and Australian Government, officers (such as police) to complete a table similar to the example shown in Table 6 for Green Hills Shire, by working through the questions/activities below. There is a blank copy of the relevant form in the

worksheets at the end of the Workbook. The table will identify:

• areas of overlap – security arrangements can be or are integrated with emergency/disaster arrangements

• aspects unique to emergency/disaster management – existing emergency/disaster management arrangements that do not apply to security management

• aspects unique to security management – additional measures that exist or may be needed to address gaps in security management arrangements.

T A B L E 6 Comparing existing emergency/disaster and security management arrangements – Green Hills Shire

Type of arrangement Areas of overlap Aspects unique to Aspects unique to emergency/disaster security management management (for

flood, as an example)

Organisational Role of Council’s Council Flood Council

structures CEO in Council’s Management Counter-Terrorism decision-making Taskforce Response Group structure

Plans, policies, Council procedures Council policy: Land Council policy on procedures for evacuation from Use Planning for Flood security risk

key commercial hubs Mitigation in Green management Hills Shire

Response capability Some Council staff Equipment: portable Senior Council staff trained in roles pumps and flood member identified as under the Australian barriers Counter-Terrorism Incident Management Community Liaison

System Officer

Other arrangements Emergency Additional garbage Capacity to close airport accommodation disposal facility above and all roads into the arrangements flood plain Shire during a security

(24)

P A G E 1 4

T H I S P A G E I N T E N T I O N A L LY L E F T B L A N K

(25)

Questions/activities

The specific questions/activities below will help you assess the emergency/disaster management arrangements in your local government area. You should develop similar questions/activities to explore the current security management arrangements. They will enable you to complete the necessary table.

Three particular areas you need to examine in relation to emergency/disaster management are the:

• Local Emergency/Disaster Management Group/Committee operations • Local Emergency/Disaster Management Plans

• Emergency/Disaster Response Capability.

Local Emergency/Disaster Management Group/Committee

Which Group or Committee coordinates your local government area response to an emergency and/or disaster?

What is the composition of your Group or Committee? Who is the chairperson of your Group or Committee?

Does your Group or Committee meet periodically or only when an incident occurs? When was the last meeting?

When is the next scheduled meeting?

Local Emergency/Disaster Management Plans (and policies and procedures)

Do Local Emergency/Disaster Management Plans exist?

Has the senior Emergency/Disaster Management Group/Committee approved the plans? Are the plans available for inspection by the public?

Have copies of the plans been forwarded to the next level of coordination (e.g. the district, zone, regional, or state or territory)?

Are the plans consistent with higher level (district/regional/state/territory) plans? How extensive/comprehensive are the plans?

Which threat-specific plans, if any, have been developed? When were the plans last reviewed?

When were the plans last exercised?

Emergency/Disaster Response Capability

Do you have trained people and equipment earmarked to deploy if an emergency or a disaster occurs?

Do you have established and practised procedures for standby and activation? Do you have an operations centre staffed by trained people with a set of agreed procedures for managing an emergency or a disaster?

What arrangements are in place for communication with key stakeholders, such as other councils, state or territory government and Australian Government authorities and community-based organisations?

(26)

P A G E 1 6

(27)

What arrangements are in place to ensure your community is aware of ways to mitigate the adverse effects of an incident, and to prepare for, respond to and recover from an emergency or disaster?

Do you have a public information strategy or plan to keep the community informed if an emergency or a disaster occurs?

Other arrangements

Are there other arrangements in place in your local government area which are relevant in this context?

Overall assessment

Overall, how well developed is your emergency/disaster management capability? How often is your emergency/disaster management capability formally reviewed and tested?

When was your emergency/disaster management capability last activated: • for a real incident?

(28)

Rating scales for evaluation criteria

Rating scales used to evaluate security risk treatment options may be in absolute or relative terms. An example of ratings for cost is in Table 7.

Table 7 A rating scale for cost

Rating scale type Option 1 Option 2 Option 3

Relative Cheapest Mid-range Most expensive

Absolute $22 000 $65 000 – $85 000 $375 000

(29)

>

S T E P 5

Determine evaluation criteria for security

risk treatment options

In this step you will set criteria to evaluate possible security risk treatment options. The criteria can then be used later in the process to identify appropriate treatment options. Using the combined experience of key stakeholders, answer the questions below for your local government area, to help you prepare a table similar to the Green Hills Shire example in Table 8. There is a blank copy of the relevant form in the worksheets at the end of the Workbook.

T A B L E 8 Evaluation criteria for security risk treatment options – Green Hills Shire Criterion Rating Rating measure Rating categories Comments

scale type

Cost Absolute $ Capital and

recurrent Exclude if cost exceeds $0.3m per year Practicality Relative The degree to which Low – medium – high

the treatment options can be

(i) implemented using existing resources and (ii) would be accepted by the community

Compatibility Relative The degree to which Low – medium – high with existing the treatment options

measures are compatible with existing arrangements

Impact on Relative The degree to which Low – medium – high security risk the treatment options

profile alter the security risk profile

Local Relative The degree to which Low – medium – high government the treatment options

responsibility fall within existing local government responsibilities

Questions

What criteria will you use to decide whether or not to adopt a specific risk treatment option in your local government area?

(30)

P A G E 2 0

(31)

>

P H A S E 2

Conduct a security risk review

This phase documents development of a security risk profile, analysis of the community consequences of an incident and of applicable local government responsibilities, and evaluation of potential options to reduce security risk through reduction in either the likelihood or the consequences of an incident.

The three steps in this phase, and the associated outputs, are set out in Figure 4.

P H A S E 2 Conduct a security risk review

S T E P O U T P U T

> Step 6 Develop security risk profile > Security risk profile > Step 7 Examine community consequences > Table of consequences and

and local government responsibilities responsibilities

> Step 8 Evaluate risk treatment options > Additional risk treatment strategies

(32)

In preparing a list of possible targets, you should note that security classification restrictions may apply to some of the information. You should consult closely with relevant state or territory, and Australian Government, agencies to ensure that security requirements are met at all times.

Critical infrastructurerefers to those physical facilities, supply chains, information technologies and communication networks that, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security (www.tisn.gov.au).

The owners and/or operators of critical infrastructure will best understand their businesses, their vulnerabilities and how to protect them, and they have a responsibility to:

• protect and secure their assets (including having a security plan aligned to the current terrorism alert level)

• actively plan in accordance with risk management principles (in the counter-terrorism environment, this would include risk analysis, emergency/disaster response planning and business continuity planning)

• exercise and review plans on a regular basis

• report incidents or suspicious activity to the state or territory police.

Further information on the potential roles of local government in the protection of critical infrastructure is contained in the Critical Infrastructure Protection National Strategy(Trusted Information Sharing Network 2004).

Mass gathering locations or eventsare characterised by the concentration of people on a predictable basis, in venues or precincts that are open or enclosed. They may include but are not limited to:

• sporting venues – particularly those that attract national and international media exposure and large numbers of people, due to the nature of events hosted

• shopping complexes/open air markets – particularly large multi-tenanted shopping complexes which attract significant numbers of people

• business precincts

• tourism and entertainment venues/attractions – including high profile entertainment centres, parks and malls, casinos, theme parks, and major

nightclub/licensed venue precincts which attract large numbers of people, including tourists

• cultural facilities

• hotels and convention centres

• public transport hubs and precincts – major transport centres which attract significant pedestrian traffic

• major planned events. They may also include:

• educational institutions and schools

• local government precincts – major local government precincts which attract large volumes of pedestrian traffic and national/international exposure due to significant tourist interest.

Councils should also consider hazardous sites and routeswithin their local

government areas, and facilities and/or installations close to their boundaries, damage to which could pose significant community consequences.

(33)

>

S T E P 6

Develop a security risk profile

In this step you will identify the potential security targets within your local government area, and the current security arrangements. You will build from the information you documented in Step 1.

To aid your analysis, you may categorise possible targets. Suitable categories include but are not limited to: critical infrastructure, mass gathering locations and/or events, and hazardous sites/routes. These are illustrative examples; you may add or delete categories to suit the circumstances in your local government area.

Using the combined experience of key stakeholders, conduct a high-level scan to identify possible targets within your local government area. Work through the questions/activities to complete a table similar to the example in Table 9. There is a blank copy of the relevant form in the worksheets at the end of the Workbook.

T A B L E 9 Security risk profile – Green Hills Shire

Possible target Owner and/or Security arrangements Comments of terrorist attack operator (plans, policies,

procedures, etc.) Critical infrastructure

Port Mary Green Hills Shire Daytime access controlled Security guard at night Fire and evacuation plans Ulm Airport Federal Airport Daytime access controlled

Corporation Security guard at night Fire and evacuation plans

Green Hills Reservoir Green Hills Shire Staffed in daylight hours Wholly owned and Pump Station Water Board Physical perimeter subsidiary of GHS P/L

security only Campfire Creek Northern Electricity Physical perimeter Electricity Station security only Mass gathering locations

JJ King Stadium JJ King Cooperative Emergency procedures Capacity 19 700 and evacuation plans

Central Shopping Mall Mr Ted Norton Emergency procedures Usage varies widely and evacuation plans over time

Events

Green Hills Music Stockyard 23 000 attendees

and Folk Festival Promotions National press

coverage Hazardous sites/routes

Fastnet Fertiliser Fastnet Chemicals Conforms with legislation

Plant and guidelines – security

audit conducted monthly

N OT E S

(i) for major facilities, it may be useful to document key components or vulnerable points (e.g. for Ulm Airport: fuel storage and navigation aids)

(34)

P A G E 2 4

(35)

Questions/activities

Assume that a terrorist group is planning an incident in your local government area. What are the potential targets? Note that the environmental scan you conducted in Step 1 will provide the basis for this analysis.

List the items of critical infrastructure in (or immediately adjacent to) your local government boundaries.

List the mass gathering locations and/or events within your local government area. Identify any hazardous sites, or routes used to transport significant quantities of hazardous materials within your local government area.

For each entry above:

• identify the owner and/or operator

• note the existing arrangements to manage an emergency, disaster or a security incident

• identify who holds maps or floor plans for these sites • find out if there are any copies off-site

• find out if local police have been consulted about major event planning and public safety

• find out if plans allow for security measures to be adjusted if the national counter-terrorism alert level changes

• ask the question ‘How will this business change depending on the level of threat?’ The following specific questions will help critical infrastructure owners and/or operators determine the potential terrorism threat to their organisations: • Have terrorist activities overseas targeted this form of industry or interest? • Does this organisation/agency involve any form of critical infrastructure?

• Does this organisation manufacture or store explosives or chemicals/products that could potentially be used in weapons?

• Does this business involve event management, or venues that attract large numbers of people (e.g. sporting venues, airports, shopping centres)?

• Does this organisation have an overseas presence that is easily identified as Australian?

(36)

The term community consequencesdescribes the impact of an incident on community health, safety and welfare. Such impacts may include the community’s ability to access basic services (such as potable water) and may extend to non-essential services (such as recreation areas).

Local government responsibilities

Local government responsibilities vary depending on the jurisdiction. They may include: • activating the emergency/disaster response arrangements

• deploying and coordinating emergency/disaster response capability • implementing public information plans

• organising and licensing mass gatherings • maintaining a register of hazardous sites/routes

• gathering and disseminating information/intelligence on the incident • assisting with evacuating and/or relocating the population

• managing emergency human services

• managing and/or contributing to community recovery (e.g. community engagement, financial assistance)

• managing and/or/contributing to infrastructure recovery (e.g. restoration of water and sanitation, clearing roads)

• managing and/or/contributing to economic recovery (e.g. tourism, land management)

Local government preparedness

You need to consider your council’s preparedness to deal with the security incident, in the context of both community consequences and local government responsibilities. Table 10 shows some categories of preparedness and what they mean for councils. You may use these categories or develop a set of categories specifically for your local government area.

Table 10 Categories of preparedness

Category Meaning Comment

Well prepared Existing plans would cater for the Note minor amendments or that community consequences of this no further action is required type of incident with little or no

modification

Partially prepared Existing plans cater for some Identify additional measures aspects of the community Determine which ones can be consequences but some integrated with existing

additional measures need emergency/disaster management to be implemented arrangements and which cannot Unprepared Existing plans are unsuitable Arrangements must be developed

for this type of incident Possible incidents

The possible incident types relevant to your local government area could include:

• hoax • violent demonstration

• sabotage or wilful disruption • cyber attack

• arson • kidnap

• siege or hostage incident • assassination or shooting • bombing or conventional explosives • chemical attack

• radiological attack • biological attack.

(37)

>

S T E P 7

Examine community consequences and local

government responsibilities

In this step you will build from the security risk profile you established in Step 6, by identifying plausible incidents affecting the possible targets, their community consequences, and associated local government responsibilities.

To do this, you will first use the risk analysis framework detailed in Step 3. You will estimate the likelihood and consequences of possible incidents, and their resultant risk rating. Using the combined experience of key stakeholders, work through the Activities to complete a table similar to the example in Table 11. There is a blank copy of the relevant form in the worksheets at the end of the Workbook.

Activities

Referring to the list of possible incidents on the opposite page, list the possible forms of terrorist attack for each potential target you have documented in Step 6.

For each possible security incident:

• estimate the likelihood of a successful terrorist attack • estimate the likely community consequences

• determine the resultant risk rating for the incident

using the process you used to analyse emergency/disaster risk in Step 3.

T A B L E 1 1 Analysing possible security incidents – Green Hills Shire Possible Possible Likelihood Community Resultant Comments

target incidents consequences risk rating

Port Mary Terrorist Rare Moderate Low Wharf of limited

seizure long-term

of wharf strategic value

to terrorists Sabotage Possible Moderate High

wharf facilities

Sink a ship Unlikely Moderate Medium Green Hills Sabotage pumps Possible Moderate High Reservoir and _{Contaminate Unlikely} _Major _Medium Pump Station _{water supply}

JJ King Detonate an Unlikely Major Medium Stadium explosive device

Release a Unlikely Moderate Medium contaminant

or disease agent

Fastnet Arson/explosive Unlikely Moderate Medium Fertiliser device

Plant _{Theft of stockpiled Possible} _Minor _Medium materials

Contaminate Rare Moderate Low Impact readily

raw materials countered

(38)

Prioritising risks

It is unlikely that your council will be able to treat or manage all security risks which might occur in your local government area. Therefore, you will need to establish some thresholds below which you will not plan to treat particular risks. For example, you could decide:

• to only treat risks associated with possible incidents you consider plausible– i.e. those with a likelihood rating above a pre-specified level (e.g. possible)

• to only treat risks which could produce community consequences you rate above a certain level (e.g. moderate)

• to only treat risks for which the resultant risk rating exceeds a certain level (e.g. medium)

(39)

The first type of threshold has been used in the Green Hills Shire (GHS) example in Table 12. Only incidents with a likelihood of possible, likelyor almost certainhave been considered plausible and will be considered further in the development of the Shire’s Action Plan.

Once you have decided which risks you will address in the Action Plan for your local government area, you can proceed with more detailed planning, as follows.

Using the information you identified on the legislative context and existing emergency/disaster and security management arrangements in Steps 2 and 4

respectively, you will identify your council’s specific responsibilities and assess its level of preparedness to deal with the consequences of the plausible incidents. Work through the activities below to complete a table similar to the example in Table 12. There is a blank copy of the relevant form in the worksheets at the end of the Workbook.

T A B L E 1 2 Community consequences and local government responsibilities – Green Hills Shire (GHS)

Possible target Plausible Community Specific local How well prepared of terrorist incidents* consequences* government is local government

attack responsibilities to deal with

responsibilities? (see opposite) Critical infrastructure

Port Mary Sabotage wharf Moderate Maintenance of Unprepared

facilities wharf in good

working order

Sink a ship Moderate Maintenance of Unprepared wharf in good

working order

Green Hills Sabotage pumps Moderate Maintenance of Partially

Reservoir and reservoir and pump prepared

Pump Station station in good

working order

Contaminate Major No direct GHS Unprepared water supply responsibility for

water quality Mass gathering locations

JJ King Detonate an Major No direct GHS Unprepared Stadium explosive device responsibility for

the stadium

Release a Moderate No direct GHS Unprepared contaminant or responsibility for

disease agent the stadium

Hazardous sites/routes

Fastnet Arson/explosive Moderate No direct GHS Unprepared Fertiliser Plant device responsibility for

the plant

Theft of Minor No direct GHS Unprepared

stockpiled responsibility for

materials the plant

(40)

You need to consider each possible risk treatment option using three measures. These are:

• the national counter-terrorism alert levels

• the evaluation criteria for security risk treatment options identified in Step 5 • the existing emergency/disaster and security management arrangements. The first aspect is considered twice, in Steps 7 and 10. The second and third assessments occur in Steps 8 and 9 respectively.

National counter-terrorism alert levels

Australia has four levels of national counter-terrorism alert. They are: • low – terrorist attack is not expected

• medium – terrorist attack could occur • high – terrorist attack is likely

• extreme – terrorist attack is imminent or has occurred.

Further information is available from the Australian National Security web site at http://www.nationalsecurity.gov.au.

(41)

Activities

For each plausible incident:

• document the responsibilities of your council

• rate your council’s preparedness to manage its responsibilities, using the categories in Table 10 or a similar set of categories you have developed for your local

government area.

This should be done even if your council does not own or operate the possible target, because there may still be community consequences of an incident which your council will need to address.

Note the gaps in your local council’s capability.

In addition, using the national counter-terrorism alert levels, note:

• the base counter-terrorism alert level you adopted when you analysed the possible security incidents

• how the likelihood, consequences and resultant risk rating may alter for each incident, if the national counter-terrorism alert level or local circumstances changed.

(42)

N OT Ethat you can evaluate risk treatment options against multiple criteria,

including cost, practicality, impact on security profile, etc. However, the end result should be a single overall rating. You will need to decide how you will weight the results from each of the evaluation criteria you use, so that you can develop this single rating. For example, you may decide to weight all criteria equally.

Alternatively, you may decide that for some criteria there are ratings boundaries outside which you will not accept a risk treatment option (e.g. if the cost is more than $200 000 per annum, or the practicality is rated as low) and that any risk treatment options which fall outside those boundaries will be rated as do not implement.

Your sound knowledge of your local government area, and the knowledge and experience of key stakeholders, will enable you to establish an effective method to evaluate the risk treatment options for your local government area.

(43)

>

S T E P 8

Evaluate risk treatment options

In this step you will identify and examine possible risk treatment options to lessen your local government area’s exposure to security threats (likelihood) and to reduce the severity of the potential impact on your community (consequences). To do this, you will build from the information on possible security targets and plausible incidents, and the potential community consequences of such incidents, that you identified in Steps 6 and 7. You will then evaluate these risk treatment options, using the criteria you established in Step 5.

The output from this step will be a set of high priority options that will form the security risk treatment strategies you can implement within your local government area. Using the combined experience of key stakeholders, examine the possible risk

treatment options for your local government area, for each possible target and plausible incident identified in Step 7. Work through the questions/activities to complete a table similar to the example in Table 13. There are blank copies of the relevant form in the worksheets at the end of the Workbook.

Include all possible risk treatment options in your analysis – even those that you think may be covered under existing emergency/disaster or security management

arrangements, or those which may not be considered high priority at this stage. This is because:

• you will need to check that those strategies continue to be implemented in the future, under those other emergency/disaster or security management arrangements

• the evaluation of those options may change with time, if circumstances alter. The risk treatment options listed will include some to reduce the likelihood and some to reduce the community consequences of an incident.

The high priority risk treatment options (the must implementand should implement options) will be identified using the evaluation criteria that were established in Step 5 and doing an analysis like that in Table 13, to develop an overall rating for each risk treatment option.

(44)

P A G E 3 4

(45)

T A B L E 1 3 Evaluating risk treatment options – Green Hills Shire

Possible Plausible Risk Criteria Rating Comments

target incident treatment option

Port Mary Sabotage Search all vehicles Cost Year 1: $130 000 Will require construction of wharf entering wharf area Years 2+: $80 000 checkpoint and purchase of

facilities per year equipment

Practicality High Access control simple

Overall rating: Cost acceptable, practicality high should implement

Cease all bulk fertiliser Cost High Detailed cost-benefit analysis unloading at the wharf needed for accurate estimation

Practicality Low Would require all Fastnet fertiliser to leave the local government area and district by road or rail

Would increase costs Overall rating: Detailed cost-benefit analysis could implement needed prior to decision Establish secondary Cost Year 1: $10m Cost exceeds Council resources wharf facilities Years 2 +: $250 000 No funds available from

at Port William per year other sources

Practicality Low Area not under Council control Overall rating: do

not implement

Sink a ship Establish 0.5 nautical Cost Year 1: $120 000 Would require installation of marker mile exclusion zone Years 2+: $70 000 buoys and stringent enforcement around wharf, for all per year

vessels bar those in

transit to or from Practicality Medium Access control simple, but strongly

the wharf adverse reaction expected from

recreational fishers Overall rating: Would require community

could implement acceptance prior to implementation Search all vessels Cost Years 1+: $210 000 Approximately 70 incoming vessels entering the wharf per year per year; search cost per vessel

area estimated at $3 000

Practicality Low Would cause significant unloading delays and increased costs Vessels would divert to Port Jones outside the local government area, with a resultant loss of income to Council and to local businesses Overall rating: do High ongoing costs, low practicality not implement

Dredge an additional Cost Year 1: $250 000 Sunken ship may not block the channel from Fitzgerald Years 2+: $50 000 channel

Bay to the wharf

Practicality Medium Likely resistance from conservation and commercial fishing interests Ove

LOCAL GOVERNMENT SECURITY RISK MANAGEMENT > TOOLKIT AUSTRALIAN LOCAL GOVERNMENT ASSOCIATION

Disclaimer

Foreword

Contents

Executive Summary

Glossary

Overview of the Workbook

Key stakeholders

Using this Workbook

P H A S E 1 Establish the context

P H A S E 2 Conduct a security risk review

P H A S E 1 Establish the context

Establish the context

Describe the community context

Activities

Describe the legislative context

Legislative framework

Establish an emergency/disaster risk profile

Activities

Review existing emergency/disaster and security

Questions/activities

Local Emergency/Disaster Management Group/Committee

Local Emergency/Disaster Management Plans (and policies and procedures)

Emergency/Disaster Response Capability

Other arrangements

Determine evaluation criteria for security

Questions

Conduct a security risk review

P H A S E 2 Conduct a security risk review

Develop a security risk profile

Questions/activities

Local government responsibilities

Local government preparedness

Examine community consequences and local

Activities

Prioritising risks

National counter-terrorism alert levels

Activities

Evaluate risk treatment options