A new Bill has been introduced into Victoria's Parliament, which will require certain 'responsible entities' for the State's most critical infrastructure to demonstrate their assets are resilient to risks, including those associated with climate change. The Bill gives effect to the 'Critical Infrastructure Resilience Interim Strategy', which is currently available in draft form and sets out the framework to reform Victoria's emergency risk management arrangements for critical infrastructure.
Assessment of Infrastructure
The Bill requires the relevant Minister to assess infrastructure for which that Minister is responsible using the criticality assessment methodology prescribed in the regulations to determine whether that infrastructure is:
- Significant critical infrastructure:
- This category applies to the lowest criticality level of infrastructure.
- If disrupted, this category of infrastructure would affect the supply of an essential service to, or the economic or social well-being of, a region of Victoria.
- Major critical infrastructure:
- This category applies to the middle criticality level of infrastructure.
- If disrupted, this category of infrastructure would affect the supply of an essential service to, or the economic or social well-being of, more than one region of Victoria.
- Vital critical infrastructure:
- This category applies to the highest criticality level of infrastructure.
- If disrupted, this category of infrastructure would affect the supply of an essential service to, or the economic or social well-being of, the whole of Victoria.
An 'essential service' is defined to include transport, fuel (including gas), light, power, water, sewerage and a service specified to be an essential service by the Governor in Council.
Victorian Critical Infrastructure Register
Under the Bill, the Government will establish and maintain the 'Victorian Critical Infrastructure Register', which must list all major critical infrastructure, significant critical infrastructure and vital critical infrastructure.
The Bill provides that access to the Victorian Critical Infrastructure Register is restricted to certain officials and agencies and, then only, to the extent necessary for the performance of functions.
Responsibilities in relation to Critical Infrastructure
Only 'responsible entities' have obligations under the new regime established by the Bill. A 'responsible entity' is defined as the person designated by the Governor as the responsible entity in respect of vital critical infrastructure specified in a Council by Order.
Each responsible entity must complete an annual 'Resilience Improvement Cycle' comprising:
- Statement of Assurance: This must be completed in accordance with the regulations and guidelines and include:
- an identification of the emergency risks to the relevant critical infrastructure
- specify the emergency risk management actions or activities that the responsible entity proposes to take to address the identified emergency risks
- an attestation that the responsible entity has complied with the new obligations imposed by the Bill.
- Emergency Risk Management Plan: This must be completed in accordance with the regulations and guidelines and must prepare the vital critical infrastructure for an emergency.
- Exercises: The responsible entity must develop, conduct and evaluate an exercise each year to test their capability to plan, prepare for, prevent, respond to or recover from an emergency. The exercise must be developed in consultation with the relevant Minister(s).
- Audit: The responsible entity must conduct an independent audit of their emergency risk management processes each year to evaluate the efficiency, effectiveness and appropriateness of the management of risks by the responsible authority. A certificate must be provided to the Minister confirming that the audit has been completed, specifying the outcome of the audit and whether any required actions have been identified.
Types of risks to be covered by the Resilience Improvement Cycle
The draft Critical Infrastructure Resilience Interim Strategy indicates that the types of risks to be identified and responded to in the context of the Resilience Improvement Cycle are to be determined using an 'all hazards' resilience approach. Under this approach, instead of focusing on the type and likelihood of specific threats, the focus is instead on the likely consequences of a failure of vital critical infrastructure.
The draft Critical Infrastructure Resilience Interim Strategy notes that Victoria's arrangements for Victorian critical infrastructure are concerned with all 'emergency risks', including flood, wind-storm, fire (each of which may be a consequence of climate change), as well as emergency risks such as earthquake, pandemic and terrorist attacks.
Consequences for non-compliance
The Bill identifies offences for non-compliance with the new regime, including:
- failure by the responsible entity, without reasonable excuse, to provide the relevant Minister with a statement of assurance
- providing the relevant Minister with a false or misleading statement of assurance
- failure by the responsible entity, without reasonable excuse, to provide details of an emergency risk management plan within the specified time when requested to do so by the relevant Minister
- failure by the responsible entity, without reasonable excuse, to conduct an exercise
- failure by the responsible entity, without reasonable excuse, to conduct an audit with an independent auditor.
Implications of the Critical Infrastructure Resilience Bill
If the Bill is passed, clearly there will be significant new responsibilities imposed on owners and operators of Victoria's most important critical infrastructure. These responsibilities will require the relevant entities to proactively identify and respond to risk, including risks associated with climate change.
The risk management model to apply to Victoria's most critical infrastructure pursuant to the Bill is broad and flexible enough to allow the model to be appropriately tailored to address the specific risks associated with a particular type of infrastructure.
The advantage of the proactive approach mandated by the Bill is that it helps to avoid risks materialising and compromising Victoria's most critical infrastructure. While the responsibilities imposed on owners and operators of Victoria's most critical infrastructure may superficially seem unduly onerous, the practical, financial and social burden would be much higher if a major catastrophic risk were to materialise without an appropriate risk management strategy and plan in place. The new regime provided for under the Bill helps to avoid such an eventuality.