6 minute read
4 Key activities under the arrangements
This chapter provides an overview of the key activities required or encouraged under the arrangements. This overview is included to provide readers with a high-level understanding of the arrangements which IGEM has monitored implementation of, and which IGEM will assess the efficiency and effectiveness of going forward. This overview uses a number of specific terms and phrases because of their particular meanings in the arrangements.
4.1 Sector resilience networks, plans and reports
The Strategy recognises eight critical infrastructure sectors and a portfolio department is assigned to each.
The Strategy outlines that the portfolio department for each sector is to chair a regular forum which includes representatives from industry, EMV, Victoria Police and, on invitation, other government departments and agencies. Industry members include representatives of owners or operators of critical infrastructure. The purpose of a Sector Resilience Network is to improve the resilience of a sector’s critical infrastructure assets and operations through joint planning, information sharing and reporting to government. In addition, a forum comprising members from each of the eight Sector Resilience Networks is to be regularly convened. This forum is called the All Sectors Resilience Network Forum and its purpose is to highlight the interdependencies between sectors and increase understanding of cross-sectoral vulnerabilities.
The State Crisis and Resilience Council8, through its Risk and Resilience Sub-Committee, is to oversee the operation and activities of the Sector Resilience Networks to ensure accountability at the most senior levels of government. The central mechanism for each Sector Resilience Network to report to the State Crisis and Resilience Council is a Sector Resilience Plan developed annually by the respective portfolio department in consultation with industry. The Strategy outlines that portfolio departments are responsible for briefing relevant ministers on completed Sector Resilience Plans and monitoring the implementation of resilience improvement activities undertaken by industry. The purpose of a Sector Resilience Plan is to provide the Victorian Government with the status of, and continuous improvement arrangements for, each sector’s overall resilience.
In addition, an All Sectors Resilience Report which summarises the resilience of Victoria’s critical infrastructure sectors is to be produced annually by EMV through the Risk and Resilience Sub-Committee of the State Crisis and Resilience Council.
8 The State Crisis and Resilience Council, per section 8 of the Act, consists of the head of each Victorian Government department, the Chief Commissioner of Police, the Chief Executive of EMV, the Emergency Management Commissioner, the IGEM (as an observer), and the Chief Executive Officer of the Municipal Association of Victoria as the representative of local government.
The Strategy states that the All Sectors Resilience Report is to be used to brief the State Crisis and Resilience Council and the Minister for Police and Emergency Services9 on the resilience of Victoria’s critical infrastructure, and to assist the State Crisis and Resilience Council to determine if any further actions by portfolio departments are required. The Strategy anticipates that the Minister for Police and Emergency Services will authorise public release of the All Sectors Resilience Report.
4.2 Assessment, designation and the Victorian
Critical Infrastructure Register
Division 2 of the Act requires the relevant minister to assess whether any infrastructure is vital, major or significant. Section 74B of the Act defines ‘infrastructure’ as any premises, asset, good or system used for the purpose of the generation, production, extraction, storage, transmission, distribution or operation of an essential service – and any communication system used for the delivery of an essential service, including any system used to generate, send, receive, store or otherwise process any electronic communication for the purpose of an essential service. The essential services listed in section 74C of the Act are transport, fuel (including gas), light, power, water and sewerage. This is similar to the list in the Essential Services Act 1958 and its predecessor legislation from 1948.10
IGEM understands that the Victorian Government applies the Act on the basis of Orders in Council11 which identify ministers in respect of the essential services as relevant ministers and therefore it is these ministers who are authorised to assess infrastructure. The relevant ministers who assess infrastructure correlate with the energy, transport and water sectors. The prescribed methodology for assessment is identified in the Ministerial Guidelines for Critical Infrastructure Resilience as the Victorian Criticality Assessment Tool.12 The Strategy indicates that the assessment categorises infrastructure according to the geographic extent of the adverse impact if the infrastructure or the services it provides were lost or degraded. On the recommendation of the relevant minister, the Governor in Council may designate infrastructure to be vital critical infrastructure. The relevant minister must provide a copy of an Order designating vital critical infrastructure to the person designated as the responsible entity, EMV, the Chief Commissioner of Police and the Chief Executive Officer of any municipal council in which the infrastructure is wholly or partly located.
9 The General Order of 1 January 2019 identifies that the Minister for Police and Emergency Services administers the Act (previously the Minister for Emergency Services). 10 Where the Act refers to “fuel (including gas)”, the Essential Service Act 1958 and Essential Service Act 1948 refer to “fuel”. 11 Victoria Government Gazette G20 21 May 2015 page 1137 and Victoria Government Gazette G35 30 August 2018 p1901. 12 First issued May 2015 with updates in August 2016 and March 2017.
Figure 1: Criticality levels as described in the Strategy
The responsible entity is the owner or operator of designated vital critical infrastructure. Division 4 of the Act sets out that EMV must maintain a register called the Victorian Critical Infrastructure Register which must contain specific information about each infrastructure which has been assessed as vital, major or significant. Access to the Victorian Critical Infrastructure Register is to be limited to persons who have functions or powers in respect of critical infrastructure, counter terrorism or emergency management.
4.3 Resilience Improvement Cycle
Division 5 of the Act requires a responsible entity – the owner or operator of designated vital critical infrastructure – to complete the four activities of the Resilience Improvement Cycle each year:
Prepare an emergency risk management plan. Regulations13 under the Act prescribe ISO31000:2009
Risk Management – Principles and Guidelines14 and its companion handbook as the basis for emergency risk management planning by responsible entities. This standard describes a model of risk management at the heart of which is the implementation of risk treatments which are informed by a process of risk assessment.
Develop, conduct and evaluate an exercise to test its planning, preparedness, prevention,15 response or recovery in respect of an emergency.
13 Emergency Management (Critical Infrastructure Resilience) Regulations 2015 14 The website of the International Organization for Standardization advises that ISO31000:2009 has been revised by ISO31000:2018. 15 Amendments to the Act not yet in operation include amendments substituting the word “mitigation” instead of “prevention”.
Conduct an audit of its emergency risk management processes. The purpose of the audit is to evaluate the efficiency, effectiveness and appropriateness of the management by the responsible entity of risks to its capability in relation to planning, preparedness, prevention,16 response or recovery. Submit a statement of assurance to the relevant minister. The Strategy indicates that a statement of assurance is intended to provide the relevant minister with confidence that the responsible entity has processes and plans in place to manage emergency risks to the supply of essential services to the Victorian community.
The Strategy describes these requirements as a collaborative cycle to help industry and government articulate the emergency risks to the supply of essential services to the Victorian community, and to develop risk management strategies to mitigate and manage those risks.
Figure 2: Resilience Improvement Cycle adapted from the Strategy
16 Amendments to the Act not yet in operation include amendments substituting the word “mitigation” instead of “prevention”.
