www.pwc.com.au

Review of the Transport Security (Counter-Terrorism) Act 2008

Final report

August 2020


SENSITIVE

Disclaimer

This report is not intended to be used by anyone other than the Department of Transport and Main Roads (TMR).

We prepared this report solely for TMR’s use and benefit in accordance with and for the purpose set out in PricewaterhouseCoopers Consulting Australia’s (PwC) engagement letter dated 22 May 2020. In doing so, we acted exclusively for TMR and considered no-one else’s interests.

We accept no responsibility, duty or liability:

● to anyone other than TMR in connection with this report
● to TMR for the consequences of using or relying on it for a purpose other than that referred to above.

We have based this report on information provided by TMR, other government agencies and surface transport operators. The Information contained in this Report has not been subject to an audit or audit-standard review. We make no representation concerning the appropriateness of this report for anyone other than TMR. If anyone other than TMR chooses to use or rely on it, they do so at their own risk.

This disclaimer applies:

● to the maximum extent permitted by law and, without limitation, to liability arising in negligence or under statute; and
● even if we consent to anyone other than TMR receiving or using this report.

Liability limited by a scheme approved under Professional Standards legislation

Review of the Transport Security (Counter-Terrorism) Act 2008 PwC 1

Executive summary

Overview

In June 2005, all Australian states and the Australian Capital Territory signed the Intergovernmental Agreement on Surface Transport Security (IGA) with the objective of protecting the community and the surface transport system from terrorism.

Under the IGA, Australian jurisdictions agreed to adopt a nationally-consistent approach in protective security, planning and preventative measures for their surface transport operations, including through the nomination of security-identified surface transport operators (SISTOs) and ensuring SISTOs develop and implement preventative security measures.

The IGA committed states and territories to ensure respective legislation was sufficiently strong to meet the objectives of the Agreement. To give effect to these requirements, the Queensland Government introduced the Transport Security (Counter-Terrorism) Act 2008 (the Act), and committed to review the Act every five years. The first review was undertaken in 2014 and found that the Act was effective in prioritising investment and collaboration in counter-terrorism and in raising awareness of, and preparedness for, it. This also had the benefit of improving general transport security. It also found that, given the operation of the Act supports a reduction in the risk of a surface transport-related terrorist attack, the costs of the regulatory requirements are not considered to be significant.[1]

This review

The Department of Transport and Main Roads (TMR) engaged PricewaterhouseCoopers Consulting (Australia) Pty Ltd (PwC) to undertake the second review of the Act, subsequent to the 2014 review, and meeting Parliament's requirement to review the operation of the Act every five years. This review considers the operation of the Act including its effectiveness, appropriateness and costs associated with its regulatory framework. These considerations align with the Office of Best Practice Regulation Post-Implementation Review Guidance which requires assessment of the effectiveness, impact and opportunities with regulation.[2]

To understand the operation of the Act, SISTOs, TMR, Queensland Police Service (QPS) and the Queensland Department of Premier and Cabinet were consulted to consider the key assessment questions. The review was supplemented by desktop analysis of key policy documents to contextualise and evidence aspects of operation of the Act.

Table 1: Assessment domains mapped to key regulatory review questions

| Question domain | Key Assessment Questions |
|---|---|
| Appropriateness: suitability of the Act and its requirements to fulfil the objectives | 1. Does the Act and its provisions remain appropriate in supporting your organisation? |
| Effectiveness: achievement of intended outcomes | 2. Does the Act provide effective support in planning for the protection and adverse impacts of a terrorist act involving your organisation? |
| Impacts of the regulation: current costs and impacts of the regulation | 3. What are the previous, existing and future costs of regulation on businesses and government? |

Source: PwC Analysis

[1] Review of the Transport Security (Counter-Terrorism) Act 2008, report prepared by PricewaterhouseCoopers Australia for the Department of Transport and Main Roads, 2014

[2] Queensland Office of Best Practice Regulation, Post-Implementation Review Guidance, accessed at: https://qpc.blob.core.windows.net/wordpress/2018/02/PIR-Guidance-Note.pdf

Since the 2014 review, the operating context for surface transport operators and government has shifted. On 12 September 2014, Australia’s National Terrorism Threat Level was raised and remains ‘PROBABLE’ – the mid point - in the five tier scale adopted by the Australian Government. The threats of terrorism continue to require a coordinated response from government to prevent, protect and respond to their potential impact within the community. Crowded places, such as mass passenger transport hubs and operations, continue to be a target for future attacks. The use of explosive devices, firearms and other sophisticated weapons remains a significant risk to the surface transport sector. However, the risk of more easily planned lone attacks using basic weapons (such as bladed weapons and use of vehicles as weapons) has increased significantly since 2014 and leads to a more complex security environment. This requires Queensland’s transport operators, which transport over 200 million passengers on bus, rail, ferry and tram trips each year, to act with agility and manage these evolving risks proactively.

The effectiveness of the Act

The review has found that the Act has been effective in ‘raising the bar’ for terrorism risk management across SISTOs. The Act has set a benchmark from which SISTOs must operate and implement risk management practices that consider terrorism risks. This has embedded counter-terrorism practices as part of broader operational security risk management of SISTOs and has influenced their broader operational practices. Notwithstanding that current declarations cover operators only within the South-East Queensland region, the obligations placed on SISTOs have demonstrated an influence on and improvements to risk management practices in operations of transport operators across Queensland and other jurisdictions.

The Act has also had the effect of fostering a strong network of collaboration between transport operators and government agencies. In large part, this network has been due to the role of TMR in brokering linkages and building opportunities for SISTOs to build their capability and networks. These informal networks ultimately have the impact of improving the resilience of Queensland’s transport network in the event of a security incident.

For these reasons, there is a clear basis for retaining the Act. While SISTOs identified a number of opportunities to streamline or refine the operation of the Act, the Act itself was not considered to present unnecessarily onerous obligations upon SISTOs, fulfilling its objectives of promoting an efficient and cost-effective regulatory framework.

The appropriateness of the Act

The Act is designed in a way that is consistent with existing operational security practices, making it appropriate to fulfilling the Act’s objective of promoting an efficient and affordable regulatory framework. The design of the Act also means it is flexible to different operational contexts as well as different threat contexts. The application of the requirements to ‘terrorism acts’ and ‘security incidents’ broadens the scope of the Act to encourage SISTOs to consider the broader risks of potential incidents for which to prepare, prevent, respond and recover. This promotes the objectives of both counter-terrorism and security as it can capture incidents which may not be formally classified as a terrorism act, but for which similar measures are effective (for example, a knife attack by a disgruntled individual).

The self-review and audit features of the Act’s compliance framework are aligned with the voluntary compliance objective of the Act. While some SISTOs did raise that this challenged their organisational capability or confidence that they were achieving an appropriate standard of management (such as not being confident that they held internal capability to provide rigour to the audit), this arrangement is consistent with the Act’s objectives and good practice regulation.

The role of TMR is highly valued by SISTOs and has contributed to the building of their capability. The role of TMR in establishing a Community of Practice and brokering relationships across SISTOs was commonly cited through this review’s consultation process. This facilitative and advisory function appears appropriate to supporting the ongoing operation of the Act.

The cost efficiency and effectiveness of the Act

Overall, the review found that the impact of the Act’s requirements is cost-effective in meeting its objectives. The estimated costs to SISTOs have decreased since the 2014 Review.

Costs to business:

The Act requires declared SISTOs to perform a number of requirements. There are currently 10 declared SISTOs operating in Queensland. The estimated costs of these requirements, over a five-year period, are shown in Table 2.

Table 2: Estimated total cost to SISTOs in fulfilling their obligations under the Act

| Activity description | Cost category | Example of costs incurred by SISTOs | Total estimated costs to all SISTOs over the last 5 years |
|---|---|---|---|
| Preparing the plan | Upfront costs | Preparation of an initial risk management plan immediately after becoming a declared SISTO | $17,011 |
| Implementing the plan | Upfront and ongoing costs | Changing operational processes such as upgrading the infrastructure and implementing new employee training to meet the plan’s requirements | $2,539,074 |
| Auditing the plan | Ongoing costs | Performing an annual audit of employee and process compliance with the risk management plan and reporting it to TMR | $66,236 |
| Test exercises | Ongoing costs | Staff time spent planning and implementing required annual test exercise | $484,128 |
| Reviewing the plan | Ongoing costs | Costs incurred through regular reviews of the plan and the requirement to complete a full review every five years | $89,382 |
| Preparation of an annual certificate | Ongoing costs | Gathering information required to prepare the annual certificate and seeking approval from the relevant executive staff | $7,791 |
| Additional costs | Ongoing costs | Attending other SISTO related activities such as the Community of Practice meetings organised by TMR | $40,402 |
| Total costs to business | | | $3,244,024 |

Note: The upfront costs refer to the one-off costs incurred by one newly-declared SISTO since the previous 2014 review. Note also that preparation of the plan only accounts for one SISTO who was newly-declared in the past five years.

Source: PwC analysis

This review estimated the direct costs of the Act by assessing two large and eight small SISTOs, which were categorised consistently with the 2014 review:

● Large SISTOs: operators with 1,000 or more employees
● Small SISTOs: operators with less than 1,000 employees

Between 2014 and 2020, the annual costs to both small and large SISTOs have decreased. This reflects that, for most SISTOs, the cost of complying with the Act’s requirements has reduced as their capability has matured, and, increasingly, these obligations are subsumed as part of business-as-usual security processes. Compared to the 2014 Review’s cost estimates, the effort to comply with the Act has shifted from plan preparation and audit activities to implementation, reflecting the maturity of the current SISTOs and the integration of activities within their training programs. SISTOs reported less time and cost effort, on average, compared with the previous review across most activity areas. Figure 1 provides a breakdown of the changes in estimated annual costs for small and large SISTOs between the 2014 and 2020 reviews.

Figure 1: Changes in estimated annual costs per SISTO per annum between 2014 and 2020 reviews

[Figure: two panels comparing the 2014 Review with the 2020 Review. Large SISTO: $1,525,876 in 2014 and $138,546 in 2020 (-91%). Small SISTO: $170,471 in 2014 and $57,928 in 2020 (-66%). Legend: Plan preparation, Plan implementation, Plan audit, Test exercises, Plan review, Annual certificate, Additional costs.]

Note: The estimated annual costs per SISTO in 2014 refer to those who have remained declared in 2020 and exclude the 11 deregulated ferry operators (i.e. the 2014 costs are across two large and two small SISTOs).

Cost to government

The review estimated the costs to government to be almost $1.7 million over five years, based on information provided by TMR and QPS. Table 3 provides a breakdown of the costs to government.

Table 3: Estimated costs to government over 5 years

| Cost description | Total costs over 5 years |
|---|---|
| TMR staff costs | $1,382,786 |
| QPS staff costs | $61,377 |
| Other TMR costs (includes travel costs) | $229,000 |
| Total costs to government | $1,673,162 |

Findings and recommendations

Findings regarding the appropriateness of the Act:

● The Act’s requirements align with existing SISTO operational security practices, supporting the Act’s objective of promoting an efficient and effective regulatory framework
● The purpose of the Act can be interpreted broadly in the risks it addresses, meaning it is flexible to a changing threat context
● The Act’s requirements fulfil the objective of promoting compliance, although this is more seamless among larger operators
● TMR provides trusted guidance and has promoted capability building of the SISTOs
● While the maturity of SISTOs to manage security risks has increased, compliance functions, appropriately, remain largely with SISTOs themselves

Recommendations:

Recommendation 1: TMR consider ways to encourage SISTOs to use terrorism risk management practices to strengthen broader preparedness across other security threats that might benefit from this type of planning framework.

Findings regarding the effectiveness of the Act:

● The Act has ‘raised the bar’ for terrorism risk management since its introduction
● Counter-terrorism risk management has become a business-as-usual activity for many declared SISTOs
● Requirements on declared SISTOs have influenced their broader operations
● Organisational change is a reality among operators and could be better supported to ensure requirements are met
● The Act has improved counter-terrorism planning across operators, but there are further opportunities to streamline planning
● There are potential improvements that could refine the Act so it is more effectively applied by SISTOs
● There is opportunity to enhance the resilience of operator and agency response to a terrorist act or major incident
● The Act has fostered a strong collaboration network among operators and agencies
● The provision of information and guidance has assisted SISTOs to fulfil their obligations
● The counter-terrorism exercises are highly valued by SISTOs, but can be difficult to plan for

Recommendations:

Recommendation 2: TMR should provide guidance to SISTOs on how the risk management plan requirements of the Act can be fulfilled by other risk management frameworks that can account for counter-terrorism activities, including:

● security plans prepared under the Rail Safety National Law (Queensland) Act 2017
● business continuity and crisis management planning procedures

Recommendation 3: TMR should require SISTOs to nominate at least two points of contact in each organisation for which information from TMR will be disseminated to and communicated with to reduce the risk of communication failure.

Recommendation 4: TMR should develop, in consultation with QPS and councils, a whole-of-network incident response plan which specifies the communication roles and responsibilities for a range of security incident scenarios. These scenarios should consider the broader network-based response, including communication actions and instruction to SISTOs operating within the zone of an incident, even where their operation is not directly affected by the incident, in order to enhance network resilience and response to a security threat or incident.

Recommendation 5: TMR should develop a 1-2 page checklist that outlines SISTO obligations under the Act, including a timeline for these activities to better support business continuity and new staff […]


The benefits of the Act, as articulated by SISTOs consulted as part of this review, include:

● Awareness of counter-terrorism: The Act has resulted in improved organisational awareness of counter-terrorism activities and risk management practices within SISTOs
● Improved private-sector collaboration: The Act and associated Community of Practice meetings have improved lines of communication between SISTOs, including greater collaboration relating to security practices
● Improved private-public working relationships: Fulfilling the Act’s requirements has resulted in close and trusted relationships built across SISTOs, TMR and QPS, which extend more generally to security management and incident response
● Improved infrastructure security: Implementation of counter-terrorism risk management plans has improved security management of depots and hubs as a result of infrastructure investment (including automated gates, CCTV and bollards)
● Enhanced general security: The counter-terrorism practices associated with the Act have promoted improved broader crime prevention and general security across SISTOs operations generally

Contents

Disclaimer
Executive summary
Overview
This review
The effectiveness of the Act
The appropriateness of the Act
The cost efficiency and effectiveness of the Act
Recommendations
Contents
1 Introduction to the review
1.1 Context
1.2 Scope of this review
1.2.1 Approach to undertaking this review
1.2.2 Stakeholder engagement
1.2.3 Limitations
1.3 Structure of this report
2 Nature of transport security risks
2.1 The risks of terrorism
2.1.1 An established risk to surface transport operators
3 Legislative framework
3.1 Legislative framework
3.1.1 National Counter-Terrorism Strategy
3.1.2 Queensland’s counter-terrorism arrangements
3.1.3 Regulation of Queensland’s surface transport operators
3.2 The introduction of the Transport Security (Counter-Terrorism) Act
3.2.1 Basis for the regulation
3.2.2 Declaration of SISTOs
3.2.3 Obligations of SISTOs
3.3 Changes since the last review
4 Assessment of the operation of the Act
4.1 The appropriateness of the Act
TMR provide trusted guidance and has promoted capability building of the SISTOs
While the maturity of SISTOs to manage security risks has increased, compliance functions, appropriately, remain largely with SISTOs themselves
4.2 The effectiveness of the Act
The Act has ‘raised the bar’ for terrorism risk management since its introduction
Counter-terrorism risk management has become a business-as-usual activity for many declared SISTOs
The Act has fostered a strong collaboration network among operators and agencies
The Act has improved counter-terrorism planning across operators, but there are further opportunities to streamline planning
There are potential improvements that could refine the Act so it is more effectively applied by SISTOs
There is opportunity to enhance the resilience of operator and agency response to a terrorist act or major incident
The counter-terrorism exercises are highly valued by SISTOs, but can be difficult to plan for
5 Benefits of regulation
5.1 Overview of the benefits delivered by the Act
5.2 Key benefits to business
6 Cost of regulation
6.1 Overview of the cost drivers associated with complying with the Act
6.2 Key impacts of regulation on business and government
6.2.1 Preparing the risk management plan
6.2.2 Implementing the risk management plan
6.2.3 Performing test exercises
6.2.4 Auditing the risk management plan
6.2.6 Preparing the annual certificate
6.2.7 Additional costs
6.2.9 Costs to government
6.3 Summary
7 Key findings and recommendations
7.1 The Act is effective in achieving its intended outcomes
7.2 The Act’s requirements are appropriate to fulfilling the objectives
7.3 The impact of regulation is cost effective to fulfil the regulatory aim
7.4 Recommendations
Appendix A Project Scope
Appendix B Stakeholder consultations
Stakeholder consultation questions
Stakeholder consultation schedule
Appendix C Costing approach
Cost to business
Cost to government

1 Introduction to the review

1.1 Context

In June 2005, all Australian states and the Australian Capital Territory signed the Intergovernmental Agreement on Surface Transport Security (IGA) with the objective of protecting the community and the surface transport system from terrorism.

Under the IGA, Australian jurisdictions agreed to adopt a nationally-consistent approach in protective security, planning and preventative measures for their surface transport operations, specifically by identifying security-identified surface transport operators (SISTOs) and ensuring they develop and implement preventative security measures.

In line with these requirements, the Queensland Government introduced the Transport Security (Counter-Terrorism) Act 2008 (the Act), which is administered by the Department of Transport and Main Roads (TMR), which has primary carriage for Queensland’s surface transport arrangements.

TMR has engaged PricewaterhouseCoopers Consulting (Australia) Pty Ltd (PwC) to undertake a review of the Act to assess its appropriateness and how effective and efficient it has been in meeting its original policy objectives. As per section 61 of the Act, the Minister is required to review the Act as soon as practicable after 12 December 2018 and every five years after the review.

This review is underpinned by stakeholder consultation to assess the resulting impacts from the implementation of the Act and, where relevant, recommend improvements to enhance the transport security outcomes in Queensland.

1.2 Scope of this review

This regulatory review has been undertaken to assess the efficiency, effectiveness and appropriateness of the Act. A series of questions has guided consideration of the operations of the Act, including any associated instruments (policy guidance or frameworks) and activities TMR performs for the purpose of administering the Act. Table 4 sets out this review’s key questions and the sub-questions that have been developed to guide this review.

Table 4: Assessment domains mapped to key regulatory review questions

| Question domain | Key Assessment Questions |
|---|---|
| Effectiveness: achievement of intended outcomes | 1. Does the Act provide effective support in planning for the protection and adverse impacts of a terrorist act involving your organisation? |
| Appropriateness: suitability of the Act and its requirements to fulfil the objectives | 2. Does the Act and its provisions remain appropriate in supporting your organisation? |
| Impacts of the regulation: current costs and impacts of the regulation | 3. What are the previous, existing and future costs of regulation on businesses and government? |

Source: PwC Analysis

1.2.1 Approach to undertaking this review

The review applies a five-stage approach as represented in Table 5 below:

Table 5: PwC’s approach to undertaking the regulatory review process

1. Project planning and scope definition: To ensure all parties have a shared understanding of the review, its scope and approach
2. Initial research and problem review: To conceptualise the problem, review the existing documentation regarding the Act and consult TMR
3. Stakeholder engagement: To assess the impacts of the Act on key stakeholders such as SISTOs and government agencies via direct meetings
4. Analysis of impacts: To analyse and quantify the impacts associated with the operation of the Act
5. Reporting and presentation: To detail the findings regarding the appropriateness of the Act, with recommendations for improvements

This review has drawn upon a range of publicly available information and documents provided by TMR, including the Act, the IGA, National Counter-Terrorism Plan, and Queensland Counter-Terrorism Strategy 2013-2019. The review has also had regard to Queensland’s Office of Best Practice Regulation (OBPR) Post Implementation Review Guidelines.

1.2.2 Stakeholder engagement

Targeted consultation was used to inform the assessment of impacts associated with the operation of the Act, and its ongoing appropriateness, effectiveness and efficiency. Stakeholder consultation was conducted with:

● the currently declared SISTOs, and
● relevant Queensland government agency representatives from TMR, the Queensland Police Service (QPS), and the Queensland Department of Premier and Cabinet.

Given the circumstances at the time of this review (i.e. the impact of COVID-19 restrictions), all stakeholders were engaged via online consultation. To support the capture and consistency of the information collected through the stakeholder consultations, all stakeholders were provided with a consistent set of questions prior to their consultation session. Appendix B provides a list of the stakeholders and questions raised through consultation.

1.2.3 Limitations

The Act provides for the Chief Executive to identify surface transport operations that are determined to be at 'elevated risk' of terrorism and declare them as SISTOs under the Act. In order to assess operations across Queensland and identify those at 'elevated risk', TMR maintains a Queensland Surface Transport Terrorism Risk Methodology. This risk methodology is informed by intelligence and has not been included in the scope of this review.

The information outlined in this report has been provided by the SISTOs and other stakeholders to this review. This information has been relied upon to present findings in this report, however, no formal auditing or validation procedures were undertaken to evidence estimates and information provided. No analysis or consultation was undertaken of interjurisdictional regulatory frameworks or other comparable sources of evidence to benchmark the Act.

Given the difficult nature of quantifying the extent to which terrorism incidents have been avoided as a result of the Act, this review has not established what would have happened in the absence of the Act. This recognises that the objective of avoiding or minimising terrorism acts as a result of the Act does not generate the evidence to substantiate this with confidence.

Further, while we provide commentary on specific provisions of the Act, this report should not be read to constitute legal advice and should not be interpreted as such.

1.3 Structure of this report

This review has been undertaken in alignment with the Office of Best Practice Regulation Post-Implementation Review Guidance which requires that agencies consider a range of aspects.[3] These are addressed in the following sections of this report.

Table 6: Structure of this report

| Post-Implementation Review component | Section of this report |
|---|---|
| The original problem and objectives | Chapter 2: Nature of transport security risks; Chapter 3: Legislative framework |
| The effectiveness of the regulation | Chapter 4: Assessment of the operation of the Act |
| The impacts of the regulation | Chapter 5: Benefits of regulation; Chapter 6: Cost of regulation |
| Whether the regulation should be retained | Chapter 7: Key findings and recommendations |
| Proposed amendments or improvements | Chapter 7: Key findings and recommendations |

[3] Queensland Office of Best Practice Regulation, Post-Implementation Review Guidance, accessed at: https://qpc.blob.core.windows.net/wordpress/2018/02/PIR-Guidance-Note.pdf

2 Nature of transport security risks

2.1 The risks of terrorism

Since the September 11, 2001 attacks on the World Trade Centre and the Pentagon building in the United States, Australia has faced two decades of significant and evolving terrorist threats. Australian governments continue to work together to deal with the risk of terrorism in Australia, as terrorism continues to pose a direct and ongoing threat to the safety and wellbeing of Australians here and abroad. These are reflected in the Commonwealth Government’s revised counter-terrorism arrangements established in the wake of the 11 September 2001 terrorist attacks on the United States.

The threat of terrorism in Australia remains elevated at its highest levels since 2001. On 12 September 2014, Australia’s National Terrorism Threat Level was raised and remains ‘PROBABLE’ – the mid point - in the five tier scale adopted by the Australian Government.[4] This reflects the advice of the Australian Security Intelligence Organisation (ASIO) that individuals and groups continue to possess the intent and capability to conduct a terrorist attack in Australia. Specifically, crowded places such as urban mass passenger transport at peak periods, central business districts and iconic establishments remain as the most likely targets for future attacks in Australia.[5]

Recent assessments of the threat context by ASIO indicate the nature of terrorism has become more diffuse and complex. The recent increase in the National Terrorism Threat Level in 2014 confirms that Queensland's surface transport operations remain at least at the same level of risk of a significant terrorist attack as was the case when the Act was introduced in 2008; and potentially more so due to additional risks emerging from lone attacks using basic weapons. Since September 2014, there have been eight attacks and 18 major counter-terrorism disruption operations in response to potential or imminent attack planning across Australia, two of which were caused by an individual with an extreme right-wing ideology. In addition, there have been 110 people charged as a result of 51 counter-terrorism related operations nationally.[6] The highest exposures to these threats to date have been in Sydney and Melbourne, however a terrorist act remains possible anywhere in Australia.[7] Figure 2 highlights the recent terrorist incidents in Australia.

4 The threat levels on the five tier scale in ascending order are NOT EXPECTED, POSSIBLE, PROBABLE, EXPECTED and CERTAIN. Australian National Security, National Terrorism Threat Level in Australia.
5 Australia’s Strategy for Protecting Crowded Places from Terrorism (2017)
6 ASIO, Australia’s security environment and outlook, and Parliament of Australia, Countering terrorism and violent extremism
7 Australian National Security, National Terrorism Threat Advisory System, The Australian security environment

Figure 2: Key terrorism-related incidents in Australia since September 2014

[Figure: timeline of incidents, 2014 to 2020. Legend: lone attacker plots and attacks; acts or plots involving more than one perpetrator.]

Source: PwC analysis utilising public information such as ASIO’s Australia’s security environment and outlook, and Australian National Security’s website


2.1.1 An established risk to surface transport operators

The increase in the National Terrorism Threat Level illustrates the increased level of risk that surface transport operators face, including those operating in Queensland. In December 2016, Victoria Police foiled an alleged terrorist plot to detonate explosive devices in central Melbourne with Flinders Street Station as its possible target.8 Globally, multiple terrorist acts on surface transport operations have led to mass casualties. Figure 3 provides some of the recent incidents.

Figure 3: List of recent terrorist incidents involving surface transport operations

● St Petersburg, Russia, April 2017: an explosion occurred in a metro train, killing 14 people and injuring 64 others
● London, United Kingdom, September 2017: an explosion occurred on a District line in London, injuring 30 people
● Würzburg, Germany, July 2016: lone attacker stabbed and injured five train passengers
● Brussels, Belgium, March 2016: bombings in the Maelbeek metro station and Zaventem airport, killing 20 people and injuring 200
● Istanbul, Turkey, December 2015: a pipe bomb exploded near Metro station injuring five people
● Madhya Pradesh, India, March 2017: train bombing led to injury of ten passengers

Source: PwC analysis

Risks to the transport sector

‘Soft’ targets, such as crowds of people in public places, remain the most attractive terrorist targets to onshore extremists, over targets such as infrastructure, where greater security measures exist.9 The most attractive transport sector targets are operations such as urban passenger bus, rail and ferry services, and major city transport hubs, particularly during peak periods and special events as they fulfil many of the terrorist targeting criteria10:

● to generate mass casualties
● to create economic disruption
● to make a symbolic statement that has resonance with extremist views and the target population
● to generate public anxiety
● to generate spectacular media imagery

While the most likely form of terrorism in Australia remains an attack by an individual or small group using simple attack methods, the possibility of more complex attacks cannot be ruled out.11 According to ASIO, any terrorist attack in Australia for at least the next 12 months is more likely to be low cost and use readily-acquired weapons and relatively simple tactics.12 The likelihood of a lone attacker using basic weapons such as knives and vehicles has increased substantially as they are readily available and do not require specific skills or training to use. Four of the seven terrorist attacks in Australia since September 2014 have used basic weapons.13 The most extreme consequences of terrorist attacks remain those arising from the use of explosive devices, firearms or a combination of both in a mixed mode attack at vulnerable mass gathering sites, including urban mass passenger transport.14 Three attacks since September 2014 have used firearms, with one attack involving a flammable gas cylinder to create an explosion in Australia. In addition, the impact of deliberate hoax threats, which aim to cause disruption and test security and operational vulnerabilities, has increased.

8 The Age, Melbourne terrorist plot: Four charged, one in custody over alleged Christmas Day attack plan (2016)
9 ASIO, Australia’s security environment and outlook
10 Transport and Infrastructure Senior Officials’ Committee, National Surface Transport Security Strategy (2013)
11 Australian National Security, National Terrorism Threat Advisory System, The Australian security environment

The evolution of the nature of terrorism requires Queensland’s transport security environment to be regularly reviewed and monitored. The increase in low capability attacks conducted by lone actors puts urban mass passenger operations at a higher probability of having to respond to a terrorist act that uses basic weapons, while the risk of more complex mass casualty attacks remains significant. Annually, there are over 200 million passenger trips on bus, rail, ferry and tram across Queensland.15 The South East Queensland (SEQ) network has a high concentration of Queensland’s population, with over 189 million passenger trips per annum and an average of 519,795 daily passenger trips.16 Queensland’s top 10 local government areas by population size are located in this region. Figure 4 provides an overview of surface transport operations in Queensland.

Figure 4: Overview of surface transport operations in Queensland

● over 200m: passenger trips on bus, rail, ferry and tram provided to customers
● 519,795: average number of passengers trips per day on South East Queensland network
● 359.5m: tonnes of cargo were moved across the state
● 1013m: tonnes of freight moved on the surface network
● 33,369km: state-controlled roads across the state
● 3119: bridges owned and maintained

Source: Department of Transport and Main Roads Annual Report 2018-19

12 ASIO, Australia’s security environment and outlook
13 ASIO, Australia’s security environment and outlook
14 National Surface Transport Security Strategy (2013)
15 Department of Transport and Main Roads Annual Report 2018-19
16 Department of Transport and Main Roads Annual Report 2018-19

3 Legislative framework

This section provides a high-level overview of the legislative framework and the Act. This section is organised as follows:

● high-level overview of the national and state framework for managing counter-terrorism risk
● introduction of the Transport Security (Counter-Terrorism) Act 2008
● changes in the regulatory landscape since the last review.

3.1 Legislative framework

States, territories and the Commonwealth Government work together closely to maintain national counter-terrorism related policies, legislation and plans. Figure 5 represents this relationship across the various coordination bodies and the accompanying intergovernmental agreements.

Figure 5: Intergovernmental Agreements and Coordination Bodies relating to Counter-Terrorism

Intergovernmental Agreements that relate to Counter-Terrorism:

● the Inter-governmental Agreement on Australia’s National Counter-Terrorism Arrangements
● the Inter-governmental Agreement on Counter-Terrorism Laws
● the Inter-governmental Agreement on Surface Transport Security
● the Inter-governmental Agreement on Australia’s National Arrangements for the Management of Security Risks Associated with Chemicals

Coordination bodies:

● National: Council of Australian Governments (COAG); Australia-New Zealand Counter Terrorism Committee (ANZCTC); National Crisis Committee (NCC)
● Commonwealth: National Security Committee of the Cabinet (NSC); Secretaries Committee on National Security (SCNS); Commonwealth Counter Terrorism Coordination; Commonwealth Crisis Arrangements
● State/Territory: State/Territory Cabinet Committees; State/Territory security coordination bodies; State/Territory Crisis Centre
● Police, Transport, Emergency Management, Health and Security Intelligence Coordination

Source: National Counter-Terrorism Plan

3.1.1 National Counter-Terrorism Strategy

In April 2002, the Prime Minister and state and territory leaders agreed to a nationally-consistent and cooperative approach to counter-terrorism to meet its ever-changing challenges, resulting in an intergovernmental agreement, the Intergovernmental Agreement on Australia’s Counter-Terrorism Arrangements, and establishment of the National Counter-Terrorism Committee (ANZCTC).17

The Australian Government has since continually evolved its counter-terrorism arrangements in response to heightening terrorism threats. In 2015, the Council of Australian Governments (COAG) released Australia’s Counter-Terrorism Strategy, a framework for Australia’s counter-terrorism arrangements to meet its terrorist threat.18 The purpose of this strategy is to provide information to the community on the threat that Australia faces and the actions that Australia is taking at all levels of government to counter it. The strategy highlights the importance of the community’s role in preventing, preparing for, responding to and recovering from a terrorist attack, with protecting lives being its absolute priority.19 Australia’s National Counter-Terrorism Plan was developed to complement the National Counter-Terrorism Strategy and sets out a nationally-consistent approach to combat terrorism. This plan is underpinned by the prepare, prevent, respond and recover (PPRR) model. In addition, Australia’s Strategy for Protecting Crowded Places from Terrorism sets out to make public places more resilient to terrorism. This strategy involves four core elements to protect crowded places through building stronger partnerships, enabling better information sharing, implementing effective protective security and increasing resilience.

17 National Counter-Terrorism Committee was later renamed to Australia-New Zealand Counter-Terrorism Committee after invitation of New Zealand to move from observer status to membership of the committee in January 2012.
18 Note that the National Federation Reform Council (NFRC) was established in May 2020 to promote policy reforms of national significance. The NFRC replaces COAG.

On 3 June 2005, the Intergovernmental Agreement on Surface Transport Security (IGA) was established to better secure the community and nationally-important surface transport systems from terrorist threat. The IGA complements the high-level strategy with the objective to protect the community and surface transport systems by:

● reducing the likelihood of the surface transport system being a target for terrorism, and other security threats
● increasing the implementation of nationally-consistent protective security planning and preventative measures
● helping the surface transport sector across Australia to consistently and more effectively move to higher levels of alert when required.

The IGA is implemented through the national Transport Security Committee (TSC) with the intent to provide national consistency and coordination. The TSC comprises representatives from all states and territories and is an established forum through which to address transport security issues and coordinate policy implementation. The TSC is responsible for developing and maintaining the National Surface Transport Security Strategy, and also maintaining a work program of initiatives to mitigate security risks to the transport sector and complement the National Counter Terrorism Arrangements and other planning arrangements for security and emergency management as appropriately determined by each jurisdiction.20

3.1.2 Queensland’s counter-terrorism arrangements

Queensland’s approach to counter-terrorism is outlined in the Queensland Counter-Terrorism Strategy 2013-2019 which specifies how lead agencies work with government, the business sector and wider community to implement counter-terrorism plans. This is complemented by the Queensland Plan for the Protection of Surface Transport Operations from Terrorism, which supports the Queensland Government’s commitment to the IGA and outlines its specific approach to protecting surface transport operators.21 It is based on the principles of:

• strengthening the protection of resilience of surface transport operators
• to act in proportion to the level of risk to surface transport operators
• to continue cross-jurisdictional work to implement a nationally-consistent approach
• recognise that specific counter-measures vary with different hazards.

The roles and responsibilities for implementing these commitments are split across lead agencies; QPS has operational responsibility for preventing and responding to terrorism and for investigating terrorist activity, threats and incidents. Specifically, the QPS Security and Counter-Terrorism Group (SCG) provides a lead role in counter-terrorism training and exercises, developing and contributing to policy and research, and maintaining capabilities to prevent or manage a terrorist incident in Queensland.

In support of SCG, the Queensland Counter-Terrorism Committee was formed to provide coordination among key Queensland agencies to counter the terrorism threat. Under the committee’s reporting framework, an assigned lead agency is responsible for the development of a particular area of counter-terrorism capability:22

● QPS: responsible for state operational prevention and response; exercise management and explosives response; protective planning arrangements for assets, networks, services and crowded places; regulatory issues; public information and community engagement; crisis governance and communication arrangements
● TMR: responsible for transport services
● Queensland Fire and Emergency Services: responsible for special operations response and support; state disaster management and chemical and incendiary response
● Queensland Health: responsible for health services and biological and radiological response
● Department of Agriculture and Fisheries: responsible for responding to agriculture and animal disease

19 Australia’s Counter-Terrorism Strategy, Strengthening Our Resilience (2015)
20 National Surface Transport Security Strategy (2013)
21 Queensland Plan for the Protection of the Surface Transport Operations from Terrorism (2009)
22 Safeguarding the Queensland Government, Role of Queensland Government

Queensland's Disaster Management Arrangement recognises that under Queensland's all-hazards approach to disaster management, specific arrangements for specific hazards are required to address the unique nature of each hazard. Accordingly, the Queensland Government has unique, hazard-specific security and counter-terrorism structures in place under the Queensland Security Committee and through Queensland's Counter-Terrorism Strategy. Nevertheless, both the IGA and the Act allow for a broader application of the definition of security to include non-terrorist security threats and risks – for example, trusted insiders, fixated individuals, criminal acts, sabotage and acts of violence. The Act also allows for terrorism risks to be managed through other existing security, emergency management or business continuity plans (as long as the SISTO's obligations under the Act are being met).

TMR’s administration of the Act recognises these broader security threats and works within the auspices of the terrorism-focused Act to promote that 'good security is good business' as a broader benefit to Queensland's surface transport sector.

The Queensland Counter-Terrorism Strategy aims to achieve its objectives across four pillars23:

● inform and engage: provide advice, education and guidance to Government agencies, business and communities to help them understand the risks and the steps to reduce risks
● mitigate and deter: maintain and develop targeted preventative strategies and capabilities to minimise the likelihood and decrease the impact of a terrorist incident
● prepare and plan: ensure effective capabilities, comprehensive plans and well-practised arrangements are in place to respond to and recover from a terrorist incident
● coordinate and cooperate: robust and effective governance framework to guide and focus counter-terrorism efforts

The Queensland Counter-Terrorism Committee monitors the implementation of this strategy across government and reports on activities and initiatives as part of the Committee’s annual report to the Government.

Overall, the Queensland Government has been proactive in evolving counter-terrorism arrangements. Some of the recent initiatives are highlighted below:24

● The Counter-Terrorism Investigation Group (CTIG): In January 2018, CTIG was established to enhance the QPS’ capability to investigate, prevent and deter terrorism, and respond to politically motivated violence and security threats through collaborative and intelligence driven methodologies.
● TMR is a member of the Queensland Counter-Terrorism Committee, responsible for transport services. TMR is actively contributing to counter-terrorism exercising and QPS Crowded Places activities where opportunities present, in accordance with the IGA and the Queensland Plan for the Protection of Surface Transport.
● The Crowded Places Team (CPT): A new high-visibility team was introduced out of the Brisbane City Station to enhance the community’s sense of safety in the City’s popular public spaces.
● The Security and Counter-Terrorism Network (SCTN): This network was developed to strengthen QPS’ capacity and capability state-wide, providing frontline officers with awareness training.
● New Counter-Terrorism Facility: The Queensland Government is investing in a world-class counter-terrorism training facility at Wacol. The project includes construction of two firearm ranges, multi-function training centres and a scenario village as a response to the threat of terrorism.

3.1.3 Regulation of Queensland’s surface transport operators

The Queensland Government has committed to the following responsibilities:25

● provide leadership and whole-of-government coordination to develop and implement a nationally-consistent approach to preventative surface transport security
● determine SISTOs taking into consideration intelligence from Commonwealth and state and territory government authorities and relevant risk assessments
● ensure appropriate action is undertaken by SISTOs such as:
  ○ undertaking a security risk assessment in accordance with the accredited risk management model set by Standards Australia
  ○ developing a security plan that incorporates measures which correspond to the levels of the National Terrorism Threat Level
  ○ implementing and reviewing appropriate preventative security measures on a regular basis
● ensure appropriate arrangements are in place to assess and audit the security plans of SISTOs.

23 Queensland Counter-Terrorism Strategy 2013-2019
24 Queensland Police Service Annual Report 2018-19
25 Intergovernmental agreement on surface transport security 2005

TMR, in partnership with industry and local, state and federal government stakeholders such as the QPS, is accountable for surface transport security and implementing the objectives of the IGA.

3.2 The introduction of the Transport Security (Counter-Terrorism) Act

The Queensland Government established the Transport Security (Counter-Terrorism) Act in 2008, under its commitment to the IGA. The main purpose of this Act is to provide planning for the protection of particular surface transport operations, security-identified surface transport operations (SISTOs), against significant adverse impacts associated with terrorist acts. The Act achieves this by:

● identifying and declaring SISTOs
● establishing a regulatory framework for the preparation, implementation and review of risk management plans (RMPs) to mitigate the risks of terrorist acts, and provide recovery in the event of a terrorist act.

The Act has five overall objectives:

1. to achieve an appropriate balance in relation to the security of SISTOs, public confidence, and the cost of requirements under this Act on SISTOs
2. to promote efficient and affordable counter-terrorism measures for SISTOs and an overall benefit for the community in the security-preparedness of SISTOs
3. to take into account relevant national and international benchmarks for best practice
4. to promote consultation, communication and cooperation between the government, surface transport operations and the community
5. to seek voluntary compliance in preference to enforcement.

3.2.1 Basis for the regulation

Under the Act, the Chief Executive of TMR can declare a surface transport operation as a SISTO where it is assessed to have elevated risk of being the target of a terrorist act. SISTOs are required to perform a number of actions to fulfil the obligations under the Act.

In the context of the Act, elevated risk means the surface transport operation has a greater risk of being a target of a terrorist act than other surface transport operations generally.

Surface transport operators refer to an activity or system for:

● transporting passengers by high occupancy vehicles (designed to carry 10 or more seated adults, including the driver), and
● transporting goods by high payload vehicles (with a payload of more than 20 tonnes).

3.2.2 Declaration of SISTOs

Chapter 2 of the Act provides for the Chief Executive of TMR to declare surface transport operations as SISTOs where they are assessed to have elevated risk of being the target of a terrorist act. The Act also allows for the Chief Executive to revoke the status of a SISTO should this elevated risk abate.

To determine whether a surface transport operation’s risks are elevated, they are assessed against the Queensland Surface Transport Terrorism Risk Methodology, considering risk criteria such as the nature of the operation, the location of the service, and the number of passengers being transported at peak periods. As at July 2020, there were 10 declared SISTOs operating under the Act located in South East Queensland. Table 7 provides a list of the current declared SISTOs.

Table 7: Surface transport operators and declaration status (as at July 2020)

| Surface transport operator | Brief description | Declaration date |
|---|---|---|
| Queensland Rail | Operates local and long-distance passenger services as well as owning and maintaining approximately 6,600 kilometres of track. | 29 October 2009 |
| Transport for Brisbane (Bus Services) | Brisbane City Council operates over 1,200 buses in Brisbane, across South East Queensland. | 29 October 2009 |
| Transport for Brisbane (CityCats and Ferries) | Brisbane City Council operates 21 CityCats along the Brisbane River since 1996, providing over 100 peak-hour express services per week. | 25 June 2010 |
| Surfside Buslines | Operates in Gold Coast and operates 53 bus services under the Translink banner. | 29 January 2010 |
| Bus Queensland (Park Ridge Transit) | Bus Queensland operates bus services in Park Ridge, Jimboomba, Browns Plains, Garden City and Brisbane City. | 17 September 2014 |
| KDR Gold Coast (G:Link) | G:link, also known as the Gold Coast Light Rail, is a light rail system serving the Gold Coast. It consists of a single 20-kilometre line of 19 stations. Downer is responsible for operations. | 17 September 2014 |
| Clark’s Logan City Bus Services | Clark’s Logan City Bus Services has 127 buses and 186 staff providing urban public transport services to the local community. | 17 September 2014 |
| Transdev Queensland (Bus) | Bus is a bus services operator in the Redland City region of Brisbane, operating 31 services. | 17 September 2014 |
| Hornibrook Buslines | Hornibrook Buslines operates 60 buses covering the Redcliffe peninsula and connections to Brisbane City Centre. | 17 September 2014 |
| Mt Gravatt Bus Services | Operates 40 buses across four services in South East Brisbane. | 23 September 2016 |

The introduction of the Act in 2008 led to the declaration of 18 SISTOs, using the risk methodology in effect at that time. Changes to the risk context between 2006 and 2012 prompted a revision to declared surface transport operators, giving focus to high-volume surface transport operations delivering services within the Brisbane and Gold Coast Central Business Districts (CBDs) at peak and predictable periods; while regional operations were de-regulated. Four of the 18 declared SISTOs retained their SISTO status, and an additional five services operating within the Brisbane CBD were declared. In 2017, a further revision to the risk methodology was undertaken and remains the standard used to assess the vulnerability, likelihood and consequences of attacks against surface transport operators. This methodology is used to guide the declaration process.

SISTOs which have remained since the original declaration following the introduction of the Act are: Queensland Rail, Transport for Brisbane (Bus Services), Transport for Brisbane (City Cats and Ferries), and Surfside Buslines. Since the last review, an additional SISTO (Mt Gravatt Bus Services) has been declared by the Chief Executive.

3.2.3 Obligations of SISTOs

Under the Act, declared SISTOs are required to undertake a range of activities related to their risk management plans to ensure appropriate management and response measures are in place to mitigate risks and ensure the recovery of transport operators in event of a terrorist act. These activities are highlighted in Table 8 below:

Table 8: Main regulatory requirements of SISTOs

| Activity | Section | Description summary | Maximum penalty |
|---|---|---|---|
| Prepare a counter-terrorism risk management plan | Chapter 3, Part 1, s15–18 | A SISTO is required to prepare a risk management plan in accordance with the requirements under the Act and provide this to the Chief Executive. | 60 penalty units |
| Implement and comply with the risk management plan | Chapter 3, Part 2, s19 | A SISTO must implement the risk management plan as soon as possible after its preparation, and take all reasonable steps to ensure relevant personnel comply with the plan. | 50 penalty units for implementation, and 50 penalty units for compliance. |
| Conduct an annual audit of the plan | Chapter 3, Part 2, s20–21 | A SISTO must conduct an annual audit to check the risk management plan is being implemented and complied with by its employees. A SISTO must also keep a record of this audit for three years. | 50 penalty units for conducting the annual audit, and 50 penalty units for keeping record of the audit. |
| Review the risk management plan | Chapter 3, Part 2, s22–24 | A SISTO must review the plan to check its ongoing compliance with the Act. The review must be performed where change to external circumstances occur, as specified in the Act, or at the end of five years. A SISTO must also keep a record of this review for three years. A SISTO must amend the plan within 28 days after becoming aware of a deficiency in the plan to rectify the deficiency. After the amendment is made, the SISTO must provide a copy of the amendment or the plan as amended to the Chief Executive within 28 days. | 50 penalty units for reviewing the plan, and 50 penalty units for keeping record of the review. 50 penalty units for amending the plan, and 60 penalty units for notifying the Chief Executive. |
| Prepare, conduct and participate in exercises to test the operation of a plan | Chapter 3, Part 2, s25–26 | A SISTO must test the operation of the plan at least once each year either internally or by contributing to a test undertaken by another SISTO. Reasonable steps must be taken to ensure that relevant personnel participate in the exercise. A SISTO entity must comply with any direction given by the Chief Executive to test the operation of the plan. A SISTO must provide a copy of the plan for the exercise, its time and date to the Chief Executive at least 28 days prior to the exercise. A record must be maintained of each exercise. | 60 penalty units for annual test exercise, 60 penalty units for complying with Chief Executive’s directions, 60 penalty units for notifying the Chief Executive about the exercise, and 50 penalty units for keeping records. |
| Prepare an annual certificate reporting on the auditing, review and testing of the operation of the plan | Chapter 3, Part 2, s27 | A SISTO must provide the Chief Executive an ‘annual certificate’ covering information on the audit, review and exercises testing of the plan. | 60 penalty units for providing the annual certificate. |

3.3 Changes since the last review

The Act is required to be reviewed every five years to decide whether its provisions remain appropriate, and was last reviewed in 2014.26 The 2014 review assessed the implementation of the Act and the effectiveness and efficiency with which it achieves its objectives, by taking into consideration the impacts of the Act.

The 2014 review provided nine recommendations designed to improve the efficiency and effectiveness of the Act through changes to its operation and administration. Since the 2014 review, TMR has worked closely with SISTOs to provide guidance and assistance to support their adherence to the Act. Some of TMR’s notable actions are highlighted in Table 9 and build on the recommendations of the 2014 review.

Table 9: TMR’s actions since the last review align with recommendations from the 2014 review

| TMR’s activity | Link to the 2014 review’s recommendations |
| --- | --- |
| TMR provides direct point of contact to assist SISTOs with their annual requirements. | Recommendation 3: TMR develop guidelines to provide contextual information regarding the Act, its application and best-practice requirements for counter-terrorism risk management plans. SISTOs could use these guidelines to inform their plan development process. |
| An allocated TMR team supports SISTOs on a day-to-day basis. A summary sheet on the Act is available on the TMR website. When requested, TMR has provided staff members support to work with SISTOs to assist completion of their initial risk management plan. TMR staff have advised SISTOs on enhancements to their plan implementation to better manage identified risks. | Recommendation 8: TMR develop guidance to provide direction regarding exercises, including minimum requirements and example exercises which can be used to test the operation of the counter-terrorism risk management plan. Recommendation 7: TMR to develop guidelines to provide direction regarding the formal five-year review of plans by SISTOs, including best-practice requirements. Recommendation 6: To ensure the objectives of the Act are achieved in a cost-effective manner, TMR develop guidelines on audit processes to ensure operators understand what is required to comply with the Act and how this can be achieved in accordance with best-practice. Recommendation 9: TMR provide clear advice to SISTOs regarding any on-going expectations in relation to counter-terrorism requirements where a change in the threat level results in the revocation of their SISTO declaration. Recommendation 5: TMR develop guidance regarding the counter-terrorism risk management plan implementation processes, including a framework on factors operators may consider in developing and prioritising recommended actions in their plan. |
| TMR regularly communicates with SISTOs on changes to national and state counter-terrorism responses as well as guiding stakeholders to relevant communications including ASIO reports and QPS releases. | Recommendation 4: To address any concerns around consistency, TMR reviews its current communication strategy for engaging with SISTOs to ensure that updates around the security context, changes to best-practice requirements and general guidance are provided to SISTOs in a consistent, planned and systematic manner. |
| TMR is currently undertaking the five-year review of the Act aligned with its regulatory requirements | Recommendation 1: The Act be subject to a further review in five years’ time to ensure it continues to achieve its objectives in the most efficient and effective way. |
| TMR actively provides advice on counter-terrorism risk planning to existing SISTOs when advice is required. TMR has established the Community of Practice to provide information sharing between and across SISTOs on risk controls and outcomes from exercises of respective risk plans. | Recommendation 2: To improve the practicality of counter-terrorism risk management plans, a synopsis version (shorter in length) be introduced that summarises key information. Such a guide would be particularly helpful for smaller organisations who may have limited capacity – in terms of skills or time – to fully understand and apply highly detailed or complex policies and procedures. |

Source: PwC analysis

[26] PwC, Review of the Transport Security (Counter-Terrorism) Act 2008 (2014)

In addition to the actions outlined in the table that resulted from the 2014 review, TMR has:

● established a Community of Practice, engaging SISTOs to share information and broker relationships among operators
● maintained a precinct program established in 2007-08 in eight locations across the state, involving 72 different entities, including the SISTOs covered by this Act
● pivoted its transport security team program to better assist SISTOs through direct engagement, regular information sharing of operationally-relevant information and capability building, including to direct SISTOs to relevant training and guidance material that represents best practice security risk management. These activities replace grant funding arrangements which were in place at the introduction of the Act to support newly-declared SISTOs (this program was ceased in 2012).


4 Assessment of the operation of the Act

The Act’s objectives are primarily fulfilled by the requirements undertaken by declared SISTOs. Alongside this, TMR and other government agencies play an important role in administering the Act. To establish the appropriateness and effectiveness of the Act, PwC has considered how the Act has operated in practice through consultation with relevant stakeholders and consideration of examples of best practice. This review has focused on the Queensland system of operation and consulted with declared SISTOs. Given their direct involvement in application of the Act’s requirements, this has provided perspectives on the specific activities to manage the risks of terrorism. The definitions of appropriateness, effectiveness and efficiency in the context of this review, and the questions used to assess these, are provided at Appendix A.

4.1 The appropriateness of the Act

To establish whether the Act and its provisions remain appropriate to fulfilling its objectives, stakeholders were asked to consider how counter-terrorism security practices interlink with operational practices, which requirements could be improved to reduce the compliance burden and what opportunities exist to enhance the outcomes, and the administrative role of TMR in promoting the objectives of the Act. This section outlines key themes identified in relation to these questions.

The Act’s requirements align with existing SISTO operational security practices, supporting the Act’s objective of promoting an efficient and effective regulatory framework

Overall, SISTOs indicated they are able to fulfil the requirements under the Act and, in general, do not find them to be overly onerous. Under the Act, SISTOs are required to prepare an initial risk management plan, completed as a one-off task at the beginning of their declaration, as well as completing annual checks such as the annual audit and the test exercise. SISTOs suggested the annual requirements need some dedicated time each year; however, they are able to complete the audit and tests concurrently (this is explored more fully in Chapter 6 of this review).

In addition, the Act’s requirements fit well with other security arrangements. Larger SISTOs indicated they have broader security arrangements and requirements which entail counter-terrorism activities, meaning a lot of the requirements of the Act are already fulfilled as part of internal risk and capability requirements. One small SISTO noted that their counter-terrorism obligations under the Act fit within their broader organisational risk management plan and security activities. The design of the requirements upon SISTOs appears to align with (or fit well with) existing organisational security practices, fulfilling the Act’s objectives to ‘achieve an appropriate balance ... [with] the cost of requirements under this Act’ and to ‘promote efficient and affordable counter-terrorism measures’.[27]

The 4C Strategy training package has been a useful training tool for the SISTOs

Some SISTOs noted TMR has facilitated the uptake of 4C strategy training, a set of virtual combat and security training, as an example of good practice security training.[28] The 4Cs is a virtual/online security training package developed by the British Army, adapted to the surface transport context by TMR in 2014. The 4C training package has been adopted by a number of SISTOs as part of their annual training exercise framework and has equipped them with practical modules they can implement easily. SISTOs highlighted they found this extremely useful as it is a readily available module, meaning operators don’t have to start ‘with a blank page’, while its endorsement by TMR gave SISTOs confidence they were using approaches respected more broadly in industry.

The purpose of the Act can be interpreted broadly in the risks it addresses, meaning it is flexible to a changing threat context

The design of the Act supports a changing threat context and brings flexibility in how different risks are managed through the requirements of the Act.

[27] s4, Transport Security (Counter-Terrorism) Act 2008
[28] 4C strategies, Training readiness for the British Army, accessed at: https://www.4cstrategies.com/content/uploads/2018/03/training-readiness-in-the-ba-wp-jewol_tove.pdf

The Act’s purpose is to plan ‘for the protection of particular surface transport operations and their users against significant adverse impacts associated with terrorist acts’. This intent is made clearer by the regulatory framework put in place by the Act’s primary objective to address and mitigate the risks of terrorist acts.

However, the objective of the Act recognises the extension to incidents which might not be immediately attributable to a terrorist act but are of a nature that threatens the security of a SISTO or other surface transport operator. The application of the requirements to ‘terrorism acts’ and ‘security incidents’ broadens the scope of the Act to encourage SISTOs to consider the broader risks of potential incidents for which to prepare, prevent, respond and recover. This is considered by agencies to be a better interpretation to promote the objectives of counter-terrorism and security as it can capture incidents which may not be formally classified as a terrorism act, but for which similar measures are effective (for example, a knife attack by a disgruntled individual).

The application of requirements under the Act also means that the strategies employed by SISTOs to address terrorism and security incidents can be fit-for-purpose in addressing broader security risks where they present a threat to life and/or property. While not the intent of the Act, it has been successful in promoting effective risk management practices that can be extended to other threats. The Act specifies a risk management approach to prevent or reduce risks of a terrorist act. A specific ‘risk’ lens can be interpreted in a way that narrows SISTOs’ risk planning. A broader, and more widely-accepted, lens of ‘vulnerability’ and ‘threat’ would be better aligned to counter-terrorism best practice and may promote broadened consideration of transport operator vulnerabilities to terrorism (and other) threats. An example was provided of a risk associated with an unlocked door, which could have financial or security consequences, but for which a vulnerability lens would require the operator to consider how the unlocked door might be used - for example, for an armed offender to access a premises. This type of assessment encourages scenario planning that can improve operator resilience to prevent security incidents. While the use of vulnerability assessment appears to be common practice, it is not explicitly referenced by the Act, and instead is reliant on the expertise of TMR to encourage its application.

The benefit of the Act in enhancing security preparedness among SISTOs is recognised by both SISTOs themselves and government agencies. While terrorism remains a pertinent threat, related challenges, such as technology, biological and health threats, may be appropriately addressed by adopting a counter-terrorism lens, and for this purpose the Act may be the appropriate vehicle to address these threats. However, with the specific requirements of the Act being tailored to terrorism, it might not be fully appropriate to address these objectives in design.

The Act’s requirements fulfil the objective of promoting compliance, although this is more seamless among larger operators

The obligations under the Act impact smaller SISTOs disproportionately to larger organisations. In larger SISTOs, dedicated teams take responsibility for security and operational management, which includes obligations of the Act alongside other counter-terrorism security management. These SISTOs conduct the specific annual requirements of the Act - such as the annual audit and counter-terrorism exercises - but these are aligned with other security requirements.

For smaller SISTOs, generally one person is responsible for handling all SISTO requirements among other obligations such as operations, health and safety, and training. For these SISTOs, counter-terrorism is often an additional responsibility to their role and can present challenges when balanced against other operational priorities.

Firstly, while business disruption associated with operational staff participation in field-based test exercises can be planned for - for example, by undertaking exercises during school holidays when school bus runs are not operating - activities can be concentrated among few staff, limiting the reach of lessons learnt. Operators reported that they consider whether to run multiple sessions or have some of the staff miss out on the training to account for this.

Secondly, test exercises are resource intensive and their annual requirement introduces budget and resourcing challenges. SISTOs expressed this as a preference for completing desktop over field exercises to limit the effort required by organisations. While SISTOs acknowledged the greater benefit associated with undertaking field exercises, they highlighted that completing them annually is not practical and would only be possible by making other operational sacrifices.

One SISTO raised whether the annual nature of the exercises was needed given there have not been any changes in their operational procedures nor the threat of terrorism (i.e. the National threat level has been PROBABLE for a number of years now). That SISTO suggested requiring an exercise every two years may be more appropriate.

A reference to the South Australian contracting model was made, which allows for funding of a designated person for contracted transport operators to undertake counter-terrorism risk management activities to better support smaller operators to fulfil these obligations in a dedicated way.


On balance, and in considering the direct costs associated with complying with the Act (refer Chapter 6), compliance activities are not overly onerous. Additionally, as an annual requirement, these promote the regular review and testing of organisational measures which may be missed if not undertaken regularly. The close ongoing engagement of TMR, which assists SISTOs to plan for and limit the disruption and challenges, is critical to sustain the regulatory framework of the Act.

TMR provides trusted guidance and has promoted capability building of the SISTOs

Overall, SISTOs highlighted the importance of communication with TMR in its role in providing support and guidance. All SISTOs reported a positive relationship with TMR that involved regular touchpoints both face to face and over the phone.

All SISTOs highlighted TMR has been responsive with their enquiries around their obligations such as the annual audit, certificate and test exercises, which has had the effect of enhancing the value of their test exercises and general organisational preparedness. For instance, a few SISTOs noted TMR referred them to the 4Cs training package. In another instance, TMR had provided suggestions to a small SISTO on what type of exercises they could conduct.

In addition, TMR has been actively involved with SISTO activities, including the attendance of at least one member of TMR at each SISTO’s most recent test exercise. One of the newer SISTOs advised there was a dedicated Department staff member working closely with the SISTO throughout the preparation of their initial risk management plan, providing support from the beginning to the end. This has been a different approach to previous instances of newly-declared SISTOs which were eligible for a grant from TMR to assist with the preparation of their initial risk management plan (such as by engaging external consultants) as well as with upfront investment required to give effect to the plan.

TMR has been providing support to the SISTOs beyond the requirements of the Act, consistent with its broader obligations for surface transport security outlined in the IGA. TMR has been facilitating links amongst SISTOs as well as QPS. One way this is achieved has been through the establishment of a Community of Practice in 2016 which is run twice a year. Through the Community of Practice TMR has fostered connections among the SISTOs, as well as using the opportunity to enhance their counter-terrorism knowledge by exploring different topics and bringing subject matter experts such as QPS to provide advice on specific scenarios.

Collaboration among SISTOs - Community of Practice

TMR’s Community of Practice has built informal networks among SISTOs and agencies. While it has been used as a formal mechanism for sharing lessons in implementing specific requirements of the Act, it has also broadened awareness and opportunities in operational practice.

One recent example was facilitated by TMR in which one larger SISTO offered their site to host a Community of Practice. Attending SISTOs were given insight into the operational procedures and design of the SISTO’s security approach which led to richer discussions of opportunities to embed approaches into their own organisational practice. Another example was provided where TMR brought together SISTOs along with QPS to explore bomb threats and suspicious packages. A key lesson from that activity was that SISTOs might not be able to plan and train individual operational staff to identify the packages themselves, but that being alert to something being ‘not quite right’ would be effective to equip police to respond appropriately. Practical lessons like these have built SISTO capability and confidence over the operation of the Act.

While the maturity of SISTOs to manage security risks has increased, compliance functions, appropriately, remain largely with SISTOs themselves

The requirements of the Act have built the maturity of counter-terrorism risk management amongst declared SISTOs, who report that their preparedness for recovery and response has improved since the introduction of the Act. Some SISTOs identified that self-evaluation of the risk management and ‘self audit’ may no longer be appropriate, as changes in the nature of terrorism make it increasingly difficult to manage and test the risks. These SISTOs were interested in having additional guidance and benchmarks on how to conduct audits and to gain endorsement that their audit was robust.

Currently, most SISTOs complete their audit and exercises concurrently, applying the lessons learnt from the exercise into their annual audit. While this provides an opportunity to keep the risk management plans up to date based on the lessons learnt, some SISTOs suggested the audit function could be undertaken externally to ensure management practices are properly ‘stress tested’ and are designed to best practice. The self audit is a necessary lever to encourage operators to look introspectively at their operations and convince themselves that vulnerabilities are appropriately addressed.


Ultimately, a self audit approach aligns to the original vision of the IGA which commits the Queensland Government to “ensure appropriate arrangements are in place to assess and audit the security plans of SISTO”[29], while also fulfilling the objectives of the Act which promotes voluntary compliance.[30]

Findings regarding the appropriateness of the Act:

The Act’s requirements align with existing SISTO operational security practices, supporting the Act’s objective of promoting an efficient and effective regulatory framework

The purpose of the Act can be interpreted broadly in the risks it addresses, meaning it is flexible to a changing threat context

The Act’s requirements fulfil the objective of promoting compliance, although this is more seamless among larger operators

TMR provides trusted guidance and has promoted capability building of the SISTOs

While the maturity of SISTOs to manage security risks has increased, compliance functions, appropriately, remain largely with SISTOs themselves

Recommendations:

Recommendation 1: TMR consider ways to encourage SISTOs to use terrorism risk management practices to strengthen broader preparedness across other security threats that might benefit from this type of planning framework.

4.2 The effectiveness of the Act

The effectiveness of the Act is ultimately measured by the extent to which it delivers upon its objectives. This review considers whether the requirements of the Act have better protected organisations and the broader transport network to address the risks of terrorist acts and to prepare for recovery. Questions were posed to stakeholders as to whether there are other opportunities to better protect SISTOs against impacts of terrorist acts, what requirements could be improved or removed, and what guidance and information is supportive or could be enhanced to assist operators to undertake obligations under the Act.

The Act has ‘raised the bar’ for terrorism risk management since its introduction

Stakeholders to this review articulated that the existence of the Act was valuable in providing a ‘baseline’ to which declared SISTOs must operate. Overall, they perceived that this has the impact of increasing operators’ awareness and management of terrorism risks. Additionally, it brought benefits in supporting the cross-operation management of risk for transport hubs. For example, larger SISTOs reported that the requirements of the Act encouraged operators with whom they interface to embed similar risk management practices, which gave them greater confidence that in the case of a terrorism act, their operations could act seamlessly together to better manage response and recovery.

In a number of cases, SISTOs cited that they undertook, or liaised with other SISTOs and QPS in preparing and undertaking, annual security exercises. This has had the effect of improving communication lines and relationships across organisations. One of the larger SISTOs raised concerns about a smaller SISTO’s ability to adapt the appropriate measures for their counter-terrorism risk management, particularly given the indiscriminate threat of terrorism to all means of public transport, which required that operators adopt similar levels of security to ensure the network is resilient to any threats.

Counter-terrorism risk management has become a business-as-usual activity for many declared SISTOs

SISTOs’ counter-terrorism risk management is continually maturing as a result of the Act’s requirements. Over time, through iterations of the risk management plan as well as conducting the annual requirements, the awareness of terrorist threat has increased amongst SISTOs and activities are intertwined with broader organisational security management practices. Examples were provided by SISTOs of violent passenger de-escalation techniques now being part of existing annual training packages for operational staff. Many SISTO safety managers include counter-terrorism security management as part of their business-as-usual security requirements and dedicate a portion of their role to fulfilling the Act’s annual tasks.

While the responsibility of dealing with the Act’s obligations is part of business-as-usual activities, SISTOs appear to treat the test exercise and risk management plan differently. Some SISTOs have embedded counter-terrorism training and exercises as part of other annual training, delivering their obligations under the Act as part of existing training frameworks such as induction training for new employees. In contrast, other SISTOs highlighted their test exercises are solely related to counter-terrorism and are only delivered to fulfil their obligations under the Act. It does not appear that one approach is more effective than the other, but this does demonstrate that the Act is flexible to differing approaches.

[29] The Intergovernmental Agreement on Surface Transport Security (IGA), 2005
[30] s4e, Transport Security (Counter-Terrorism) Act 2008

Requirements on declared SISTOs have influenced their broader operations

A number of SISTOs that operate within a broader business context, across Queensland, Australia and even internationally, gave examples of activities they had undertaken as per their requirements as a SISTO that were transferred or shared to other parts of their operation. In one example, despite not being formally required to implement activities, a SISTO had adopted test exercises as part of their business-as-usual security activities. In the opinion of that security manager, this had the effect of improving their terrorism risk management practices across the organisation. One of the larger SISTOs was able to apply some of the lessons learnt in Queensland, in applying more considered risk management practices, to its operations in other jurisdictions.

The Act has fostered a strong collaboration network among operators and agencies

One of the benefits of the Act is that it has created a strong network amongst SISTOs to better communicate and learn from one another and other agencies. The Act has fostered relationships with TMR and QPS and other agencies, as well as their linkage with operators. As a consequence, there has been a strong collaboration between TMR and the declared SISTOs. This is widely valued, and the informal network developed is considered to provide for improved lines of communications in the case of a security incident.

In addition, the collaboration between the SISTOs and local agencies such as QPS has strengthened through conducting the annual test exercises and continuous communication of locally-relevant risks and incidents. Some SISTOs highlighted the importance of the network developed as part of the Community of Practice sessions as well as participation in each other’s test exercises. Some highlighted that TMR’s role in fostering relationships and making these connections was highly valuable and central to achieving the informal networks that have been established. This has enabled SISTOs to learn from each other but also has raised their awareness of other operators’ security and procedures. This is particularly important when considering that the threat of terrorism or other major incidents could impact the whole network and would require a collective response.

The Act has improved counter-terrorism planning across operators, but there are further opportunities to streamline planning

Several larger SISTOs identified that they maintain a number of security-related plans to manage risks to their businesses. To perform their requirements as a SISTO under the Act, they will undertake review and management of their risk management plan alongside their business continuity plans and crisis management plans. These exist to fulfil corporate requirements, contractual requirements, as well as other regulatory obligations. The existence of multiple plans, which appear to have overlapping objectives, may mean that there are potential opportunities to streamline them.

Regulatory obligations that intersect with the Transport Security (Counter-Terrorism) Act 2008

Rail operators are governed by Commonwealth requirements and inter-jurisdictional commitments which impose requirements to manage terrorism risks, among other security risks. The Rail Safety National Law (Queensland) Act 2017 promotes a nationally-consistent approach to the effective management of safety risks to rail operators and continuous improvement for safe railway operations. Under the legislation, railway operators must prepare a security management plan that incorporates terrorism measures.[31]

By streamlining the above obligations with the obligations to SISTOs under the Act, there is an opportunity to reduce the compliance burden on operators, as well as to promote organisational consistency and simplicity. In these cases, there is scope to consider how these plans may be able to be submitted or accepted as a risk management plan under the Act, or to provide exemptions to operators who can demonstrate that they have fulfilled their obligations through other mechanisms. This provision also exists in s 16(3) of the Act, which allows that a risk management plan may comprise an existing plan.

[31] s112 (a), Rail Safety National Law (Queensland) Act 2017

There are potential improvements that could refine the Act so it is more effectively applied by SISTOs

With the benefit of a number of years of operation, SISTOs observed some opportunities to refine the Act so as to make it clearer to newly-declared SISTOs and to reduce ambiguity. These included:

● better aligning the timeframes specified in the Act regarding SISTOs’ requirements. The existing differences in timeframes have created some organisational confusion, which, anecdotally, has been resolved by SISTOs through direct engagement with TMR. Examples provided include that the annual certificate drives much of the timing of SISTOs’ activities, and yet the audit is prescribed to be completed within one year of the previous audit.[32] In practice, given the certificate follows the audit, there is opportunity to align the timing specified in the Act to make this clearer.
● making the language of briefing material and the Act consistent so that obligations are clear. An example was provided of the common use of the term ‘certificate of compliance’, where, in the Act, it is called the ‘annual certificate’.[33]

A number of SISTOs identified that there may be future opportunities to refine the reach of the test exercises. The Act requires that ‘each person having an obligation under the risk management plan participates in at least 1 exercise’.[34] While this was constructive initially, it does create a logistical and engagement challenge for some SISTOs where these nominated personnel are senior people within the organisation. SISTOs had difficulty engaging senior staff to participate while, at the same time, balancing the need to engage operational staff in activities so that lessons learnt could be extended beyond a very small cohort of people (the responsible officers). The need for senior executives to participate also created challenges in needing to plan exercises that will be valued and will contribute to executive participation, but which also fulfil the need to be operationally-practical, which are often activities that target operational staff.

There is opportunity to enhance the resilience of operator and agency response to a terrorist act or major incident

While the requirements in place have improved the responsiveness and preparedness of SISTOs to major incidents, lines of communication could be better defined for actions to be followed by operators in adjacent precincts who are not directly affected. SISTOs identified a potential gap in the case of a potential incident and challenges with ‘in-the-moment’ decision making. Specifically, there are contractual implications if a decision is made to cease services in the interest of passenger safety, and these could, in the case of an incident, conflict with decision making.

This issue was raised in the light of recent deliberate hoax threats, where some of the bus operations were misinformed about potentially unsafe packages in their vehicles, meaning that they were required to make an assessment of how real a risk might be and whether to continue services. However, ceasing or rerouting services would compromise their contractual obligations. While QPS is ultimately in charge of immediate incident response, some SISTOs identified that there could be a role for TMR to instruct indirectly affected SISTOs (operating in nearby locations) on operational decisions in the event of a major incident or potential terrorist attack that is affecting services which are not necessarily their own. This would greatly enhance the resilience and response of the broader transport network.

Section 17 of the Act does prescribe the roles and contact details for personnel in a security incident, but it appears that this relates to incidents occurring to the SISTO’s own operations. Where a risk is presented to adjacent operations or transport networks which are operated on, there is an opportunity for TMR to adopt an information role to rapidly contact nearby SISTOs and direct them on how to implement risk management procedures.

Communication challenges during the 2016 Moorooka bus attack

In a recent major incident in Queensland involving surface transport operations, a lone attacker killed a bus driver in Moorooka.35 At the time of this event, surface transport operators operating nearby identified that they were faced with a number of decision-making challenges.

In one case, a SISTO had a bus operating on a route nearby to the Moorooka attack. They had first learnt about the incident on a news broadcast that they happened to have turned on by chance. Knowing they had a bus scheduled to run nearby, they needed to make a rapid decision on whether to cease or reroute the bus service. However, they had to also balance this with maintaining services as per their contractual obligations. With QPS on scene and still making an assessment and little information coming through via news channels or other sources, the SISTO decided to reroute their services.

32 s20, Transport Security (Counter-Terrorism) Act 2008
33 s27, Transport Security (Counter-Terrorism) Act 2008
34 s25(1)(b), Transport Security (Counter-Terrorism) Act 2008
35 This major incident was not classified as a terrorist attack.

In incidents such as these in future, timely, clear communications from QPS/TMR to relevant SISTOs could assist operators to make appropriate decisions and could enhance the resilience of the transport network’s response.

Organisational change is a reality among operators and could be better supported to ensure requirements are met

TMR has a well-established relationship with SISTOs and has a clear understanding of their operational context. A handful of SISTOs identified that with this role, TMR is in a unique position to encourage SISTOs to review their risk management plans or provide direction where updates to procedures may be appropriate. The COVID-19 situation was provided as an example, where it has presented significant organisational change to the way transport operations are delivered and that this changed context might warrant consideration of the way their risk management plan is designed so that it better fits this new context. The suggestion was that TMR was in a unique, independent position to identify that this change may require a revision to SISTOs’ risk management plans. Informal prompts of this kind could enhance the effectiveness and currency of risk management plans (section 22(b) of the Act provides for a requirement to review a risk management plan).

Further opportunities exist to extend the threats and incidents for which operators should plan. As threats are identified, TMR could play a role in actively encouraging their consideration as part of the risk management planning framework and providing information. The specific biological and health threats of COVID-19 are an example that, while not a terrorism risk, may present security risks to operators and could be effectively planned for in the same way.

One SISTO also suggested that TMR should require at least two points of contact for each operator. This reflected that staff turnover is a reality among many operators, and would reduce the risk of information shared by TMR being missed by operators due to attrition, or even when that contact takes leave. There could be opportunities to leverage existing contact information shared in the risk management plan as the multiple points of contact with whom TMR communicates.

The provision of information and guidance has assisted SISTOs to fulfil their obligations

The nature of the Act enables SISTOs to adopt risk management procedures in a non-prescriptive way. This means that different SISTOs use different sources of information to guide their risk assessment, planning and delivery of their obligations under the Act.

SISTOs reported that they sought guidance from TMR in relation to fulfilling their obligations under the Act and felt that TMR was accessible and helpful. However, TMR was not prescriptive in detailing how requirements should be met; this was welcomed by more mature operators, but some smaller operators considered it to be lacking, as they would have preferred more prescriptive advice and specific guidance to implement their obligations under the Act.

In relation to risk advice, all SISTOs referenced that they held close relationships with their local police command who regularly provided informal advice and information. In addition, SISTOs reported that they accessed information from ASIO Outreach - at the advice of TMR - which provides, among other things:

● Security Manager guidance
● Weekly digests from the US National Counter-Terrorism Centre
● Biannual assessment of terrorist and violent protest threats

Some SISTOs identified that given the Act’s requirements lay with them, or a small number of staff, it may be valuable to consider developing a quick “checklist” to support onboarding. It would outline the key obligations of the Act, timing and where to go for information. This would assist SISTOs to onboard new staff, as well as to provide a quick (official) overview of operator requirements. Another SISTO suggested the idea of developing a portal for SISTOs to login and see all relevant reference documents and templates.

Another aspect raised by SISTOs was their requirement to meet ‘national and international benchmarks’ of best practice. As with guidance and information, SISTOs are seeking specific guidance to give them confidence that they meet this threshold. Conversations with government agencies noted that ‘best practice’ is probably better referenced as ‘leading practice’, acknowledging that it is important to allow for changing practice. For these agencies, regularly looking to other jurisdictions provided those sources of best practice, and these are regularly explored as part of existing committees and roles both TMR and QPS have.


Leveraging examples of best practice

A number of examples of best practice were cited by stakeholders to this review. In these cases, the United Kingdom is referenced as the leading practice example for counter-terrorism management. Among the practices adopted or referenced from the UK and used to inform SISTOs are:

● behavioural observation capabilities that QPS have embedded within their Counter-Terrorism and Security Command
● Security by Design guidelines which inform prevention planning activities of Queensland Government agencies
● deterrence methods, such as the use of uniformed guards at stations which has been shown to be effective in its application at the London Tube.

The counter-terrorism exercises are highly valued by SISTOs, but can be difficult to plan for

TMR was widely acknowledged to provide valued advice and input to ongoing SISTO responsibilities. In particular, many SISTOs cited that TMR’s role in designing or brokering test exercises was invaluable. They gave examples of TMR promoting the sharing of exercises through Community of Practice meetings, as well as creating links to other SISTOs. However, some smaller SISTOs identified the effort required to design scenarios for the test exercises was challenging. Often they were tasked to think ‘creatively’ to ensure the exercises brought value in testing elements of the risk management plan that hadn’t been tested recently (or at all), as well as to engage senior personnel so that they would derive value from participating.

Information sharing between SISTOs of test exercise ideas or exercises they have recently performed has assisted SISTOs to leverage different insights and consider how best to design these activities. TMR and QPS’s role in advising the SISTOs was repeatedly cited by stakeholders as an invaluable addition to the design and delivery of test exercises. This best practice advice provides SISTOs with confidence that their exercises promote the best outcomes. This function should continue to be encouraged to bring local insights and operational and tactical expertise into operator planning.

Our observation in speaking with SISTOs is that the field exercises undertaken by organisations appear to provide more insights and lessons than desktop exercises as they better ‘stress test’ communication channels and require active participation across different operational arms. Some SISTOs explicitly acknowledged this but noted that field exercises required much more resourcing effort. Desktop exercises are valuable for supporting the review and audit of the risk management plan, but lessons were harder to disseminate beyond those ‘in the room’.

Findings regarding the effectiveness of the Act:

● The Act has 'raised the bar' for terrorism risk management since its introduction
● Counter-terrorism risk management has become a business-as-usual activity for many declared SISTOs
● Requirements on declared SISTOs have influenced their broader operations
● Organisational change is a reality among operators and could be better supported to ensure requirements are met
● The Act has improved counter-terrorism planning across operators, but there are further opportunities to streamline planning
● There are potential improvements that could refine the Act so it is more effectively applied by SISTOs
● There is opportunity to enhance the resilience of operator and agency response to a terrorist act or major incident
● The Act has fostered a strong collaboration network among operators and agencies
● The provision of information and guidance has assisted SISTOs to fulfil their obligations
● The counter-terrorism exercises are highly valued by SISTOs, but can be difficult to plan for

Recommendations:

Recommendation 2: TMR should provide guidance to SISTOs on how the risk management plan requirements of the Act can be fulfilled by other risk management frameworks that can account for counter-terrorism activities, including:

● security plans prepared under the Rail Safety National Law (Queensland) Act 2017
● business continuity and crisis management planning procedures

Recommendation 3: TMR should require SISTOs to nominate at least two points of contact in each organisation for which information from TMR will be disseminated to and communicated with to reduce the risk of communication failure.

Recommendation 4: TMR should develop, in consultation with QPS and councils, a whole-of-network incident response plan which specifies the communication roles and responsibilities for a range of security incident scenarios. These scenarios should consider the broader network-based response, including communication actions and instruction to SISTOs operating within the zone of an incident, even where their operation is not directly affected by the incident, in order to enhance network resilience and response to a security threat or incident.

Recommendation 5: TMR should develop a 1-2 page checklist that outlines SISTO obligations under the Act, including a timeline for these activities to better support business continuity and new staff onboarding among SISTOs.

5 Benefits of regulation

5.1 Overview of the benefits delivered by the Act

The purpose of the Act is to protect surface transport operators, and their users from the significant, adverse impacts of terrorist acts. This chapter identifies the types of benefits generated by requiring SISTOs to prepare, implement, and review risk management plans.

It is a complex task to define and quantify the benefits associated with reducing the risk and consequence of a terrorist act. The ultimate benefits of counter-terrorism activities come from preventing a terrorist attack and avoiding or minimising any associated costs (including loss of life, injury and broader economic and social costs). Given that this requires substantiation of the avoidance of incidents, which is difficult to evidence and quantify, the nature of the analysis has been limited to the qualitative outcomes of regulation.

Preventing and better responding to terrorist acts presents significant benefits to government and the broader community. These activities have direct and indirect implications and benefits for Australian society. Preparedness for prevention, response and recovery has important implications, as outlined below:

A terrorist act can have severe economic and social consequences

A plethora of academic research recognises that the benefits of effective counter-terrorism substantially exceed the costs, given the catastrophic welfare impact of a terrorist act. The welfare costs of terrorism include social costs, measured in life satisfaction and household confidence, and economic costs, measured in financial losses and repercussions. Historical data shows these costs are far greater than the cost of putting counter-terrorism arrangements in place.36 For instance, the March 2016 Brussels attacks cost Belgium approximately €1 billion ($1.62 billion AUD).37

In order to organise themselves, and to plan and carry out attacks, terrorists need recruits and supporters, funds, weapons, the ability to travel unimpeded, other forms of material support (e.g., means of communicating, places to hide), and access to vulnerable targets. There are substantial benefits for a government in effectively countering acts of terrorism and preventing individuals from engaging in terrorist-related activities.38

In addition, terrorism continues to be a source of public fear. According to an Australian National University poll taken after the Lindt Cafe siege in Sydney, 38 percent of Australian adults are concerned that they or a family member will be a target of a future terrorist attack and more than half strongly believe the government needs to introduce greater preventative measures to combat it.39

Prepared crisis management lessens the economic impacts and helps to restore confidence rapidly

According to the OECD, the economic consequences of terrorism impact a government’s decision making both through the policy response in the immediate aftermath of an attack and through medium-term policy implications for regulatory, trade and fiscal policy. The economic losses from terrorism among OECD countries in 2015 amounted to approximately $2.4 billion (purchasing power parity) in direct and indirect terms.40 Most of the economic losses from terrorism are indirect and related to lost future income and productivity from lives lost. Preparedness in crisis management has played a key role in restoring household and consumer confidence.41 An effective response minimises loss of life, injury, damage to property and damage or disruption to infrastructure, and ensures those affected by the threat or act receive immediate relief and support. It also builds public confidence that they are safe and secure, which itself is critical to economic participation.

36 The Political Economy of Transnational Terrorism, Sage Publications (2005), The welfare cost of terrorism, Journal Terrorism and Political Violence (2015), and A Preliminary Benefit/Cost Framework for Counterterrorism Public Expenditures (2003)
37 Politico, Brussels terror attacks cost Belgian economy almost €1 billion: report (2016)
38 Preventing Terrorism and Countering Violent Extremism and Radicalization that Lead to Terrorism, Organisation for Security and Co-operation in Europe (2014)
39 Attitudes to National Security: Balancing Safety and Privacy (2016)
40 Australian Reinsurance Pool Corporation, Terrorism in OECD Countries (2016)
41 OECD Economic Outlook 71, Economic consequences of terrorism (2002)

The 2018 Commonwealth Games in Gold Coast

The 2018 Commonwealth Games, held in Gold Coast between 4 and 15 April, was the largest event ever to be held in Queensland. It was also the biggest security contingent ever to be deployed to keep Queenslanders, athletes, team officials and visitors safe, including more than 5,000 personnel in security operations. Surface transport operators, and in particular, SISTOs, played an important role in delivery of this event and supporting mass transport with more than 1.1 million trips on light rail, 2.3 million trips on Surfside bus routes, 1.5 million trips on shuttle buses and 600,000 train trips taken.42 QPS and TMR engaged early in event planning and coordination of security preparedness activities across transport operators and businesses. For example, QPS delivered observational behaviour training across many businesses to enhance their capability to identify and act on threats.

The organisers, security and transport operators were able to deliver a safe and secure environment for athletes, spectators and supporters. While some operators, such as Queensland Rail were readily prepared, other SISTOs were supported through engagement to assess vulnerabilities and upgrade security ahead of the Games. A number of these measures made for the Commonwealth Games are still in place, supporting their counter-terrorism and other security requirements.

5.2 Key benefits to business

The Act itself has introduced enhanced risk management practice among transport operators which has likely lessened the impacts of a terrorist act if one were to occur. This overarching benefit has been achieved through improved information sharing, improved security practices, broad awareness of risks and appropriate responsiveness. While it is clear that the Act has delivered upon these outcomes, it is difficult to attribute a specific, quantifiable reduction in the overall risk of terrorism to the Act.

The benefits of the Act, as articulated by SISTOs consulted as part of this review, include:

● Awareness of counter-terrorism: The Act has resulted in improved organisational awareness of counter-terrorism activities and risk management practices within SISTOs
● Improved private-sector collaboration: The Act and associated Community of Practice meetings have improved lines of communication between SISTOs, including greater collaboration relating to security practices
● Improved private-public working relationships: Fulfilling the Act's requirements has resulted in close and trusted relationships built across SISTOs, TMR and QPS, which extend more generally to security management and incident response
● Improved infrastructure security: Implementation of counter-terrorism risk management plans has improved security management of depots and hubs as a result of infrastructure investment, including automated gates, CCTV and bollards
● Enhanced general security: The counter-terrorism practices associated with the Act have promoted improved broader crime prevention and general security across SISTOs operations generally

42 Gold Coast 2018 Commonwealth Games Post Games Report

6 Cost of regulation

6.1 Overview of the cost drivers associated with complying with the Act

This section estimates the direct costs of the Act on the declared SISTOs and the government since the previous review of the Act in 2014. Consultations with stakeholders identified seven main cost categories that apply to SISTOs resulting from compliance with the Act requirements. These categories and associated estimated costs are summarised in Table 10.

Table 10: Estimated total cost incurred by SISTOs in fulfilling their obligations under the Act

| Cost category | Activity description | Example of costs incurred by SISTOs | Total costs to all SISTOs over the last 5 years |
|---|---|---|---|
| Upfront costs | Preparing the plan | Preparation of an initial risk management plan immediately after becoming a declared SISTO | $17,011 |
| Upfront and ongoing costs | Implementing the plan | Changing operational processes such as upgrading the infrastructure and implementing new employee training to meet the plan’s requirements | $2,539,074 |
| Ongoing costs | Auditing the plan | Performing an annual audit of employee and process compliance with the risk management plan and reporting it to TMR | $66,236 |
| Ongoing costs | Test exercises | Staff time spent planning and implementing required annual test exercise | $484,128 |
| Ongoing costs | Reviewing the plan | Costs incurred through regular reviews of the plan and the requirement to complete a full review every five years | $89,382 |
| Ongoing costs | Preparation of an annual certificate | Gathering information required to prepare the annual certificate and seeking approval from the relevant executive staff | $7,791 |
| Ongoing costs | Additional costs | Attending other SISTO related activities such as the Community of Practice meetings organised by TMR | $40,402 |
| Total costs to business | | | $3,244,024 |

Note: The upfront costs refer to the one-off costs incurred by one newly-declared SISTO since the previous 2014 review. Note also that preparation of the plan only accounts for one SISTO who was newly-declared in the past five years. Source: PwC analysis

The costs estimated as part of this assessment are based on the nature and quantum of costs provided by stakeholders through consultations with PwC. For the purpose of this review, costs have been assessed on a per annum basis and then aggregated to determine the total cost of regulation over the five-year review period. Due to the commercial sensitivity of some information, the costs described in this section are presented at an aggregated level, so as not to attribute costs to any individual SISTO or activity. The costing methodology used is presented in Figure 6 and is detailed further in Appendix C.

Figure 6: Methodology used to estimate the cost of regulation

● Cost per operator: Based on information from stakeholder consultations, we recorded the time and monetary costs associated with fulfilling the requirements of the Act.
● Average cost per operator: Time costs recorded were translated to dollar values, using the standard methodology detailed in Appendix C. Costs were aggregated and averaged to produce an average cost per small and large SISTO.
● Total cost to business: The total annual cost impact on business is calculated: (Average cost to small SISTO x number of small SISTOs) + (Average cost to large SISTO x number of large SISTOs).
● Total cost to government: The total annual cost to government of administering and enforcing the Act was provided by the government.
● Total cost of regulation: The total cost of regulation is equal to the sum of the total cost to business and total cost to government.

This review estimated the direct costs of the Act by assessing two large and eight small SISTOs, which were categorised consistently with the 2014 review as:

● Large SISTOs: operators with 1,000 or more employees
● Small SISTOs: operators with less than 1,000 employees

Stakeholder consultations demonstrated a difference in operational capacity and requirements between smaller and larger SISTOs. For instance, some of the larger SISTOs have existing internal risk management processes which fulfil some of the Act’s requirements, where some of the smaller SISTOs had to initially prepare the risk management plan to adhere to the Act’s requirements.

6.2 Key impacts of regulation on business and government

6.2.1 Preparing the risk management plan

All SISTOs are required to prepare a risk management plan as the first activity following their declaration as a SISTO. All but one SISTO had completed this activity immediately after their declaration dating back to 2014 or prior and have since completed a review. Consequently, most SISTOs did not incur costs with an initial plan preparation. Reviews were mainly due to changes in the responsible personnel at SISTOs. In addition, most risk management plans developed prior to the last review were developed externally and funded through the grants provided by TMR.

The cost of preparing the initial risk management plan is estimated based on the average cost for the organisation to prepare this internally. SISTOs indicated that the variance in the preparation of the initial risk management plan came down to other risk management documents that had been prepared by the organisation for other regulatory requirements or internal business processes. As a result, there is a variance in the level of effort required for the initial preparation. For a small SISTO who is still operating on their first risk management plan and prepared it from scratch, the preparation took approximately 240 hours. The SISTO received direct support from TMR throughout the process.

Table 11 outlines the estimated costs to businesses incurred in preparing risk management plans. On average, the cost of preparing the initial plan for a small SISTO was $17,011. This review has not quantified it for large SISTOs, as there have been no new risk management plans prepared by large SISTOs since 2014. Based on the analysis conducted as part of the previous review, an initial risk management plan prepared internally cost approximately $40,000 to $180,000.

Table 11: Estimated costs incurred by an average operator preparing a risk management plan

| SISTO category | Cost of preparing a risk management plan: internal staff cost (per SISTO) | Cost of preparing a risk management plan: monetary cost (per SISTO) | Total costs incurred by all SISTOs over 5 years |
|---|---|---|---|
| Small SISTO | $17,011 | $0 | $17,011 |
| Large SISTO | $0 | $0 | $0 |
| All SISTOs | | | $17,011 |

Note: Only one stakeholder, a small SISTO, provided an estimate for the preparation of the initial risk management plan during the period 2015 to 2019

6.2.2 Implementing the risk management plan

SISTOs are required by the Act to implement the risk management plan immediately after its preparation. This presents costs associated with upfront implementation, such as changes to organisational procedures and processes, including performing new training, modifying existing training modules, and security-related capital expenditure.

Most SISTOs had incurred their upfront implementation costs immediately after declaration and, as with their initial risk management plan, were unable to provide estimates. Some larger SISTOs had already implemented most of the upfront investment as part of their internal best-practice risk management and other regulatory requirements. Smaller SISTOs reported differences in upfront implementation costs, which were largely dependent on the nature of their operational context. For instance, the upfront infrastructure investment of an organisation with only one route declared under the Act is different to that of an operation which predominantly operates in a declared area.

In one instance a small newly-declared SISTO had invested $2.5 million to establish fencing and CCTV, however, only around $200,000 of this was directed to CCTV and could be directly attributed to the Act. Another SISTO anticipated that they may have another part of their operation subject to the Act, and if that were the case, they would likely incur a $30,000 investment for CCTV and a further $5,000 per week for ongoing security guards if they were to implement their risk management plan requirements. These costs have not been reflected in estimates presented here.

A number of SISTOs reported that they incorporate counter-terrorism training activities as part of annual training or induction training procedures to implement their risk management plan. The costs associated with general implementation activities of the risk management plan are presented in Table 12.

Table 12: Estimated costs incurred by an average operator preparing and implementing a risk management plan (since the 2014 review)

| SISTO category | Upfront implementation costs (per SISTO) | Ongoing implementation costs (per SISTO per annum) | Total implementation costs incurred by all SISTOs over 5 years |
|---|---|---|---|
| Small SISTO | $200,000 | $27,466 | $1,298,656 |
| Large SISTO | $0 | $124,042 | $1,240,418 |
| All SISTOs | | | $2,539,074 |

Note: Only one stakeholder, a small SISTO, provided an estimate for upfront implementation costs. Other stakeholders suggested these costs would not be immaterial, however, were unable to provide estimates. The costs presented in this table exclude the implementation costs incurred by SISTOs prior to 2014.

6.2.3 Auditing the risk management plan

SISTOs are required to conduct an annual audit of their plan. All SISTOs reported conducting their annual audits internally in line with guidance provided by TMR. Many SISTOs advised that their audit process was undertaken as part of the test exercise debrief process. Overall, the annual audit takes SISTOs between two and 90 hours of staff time per annum depending on the required changes to the risk management plan. The level of change required is often dependent on the outcome of the test exercise, especially with field exercises where operations are directly tested. Costs associated with the annual audit are presented in Table 14.

Table 14: Estimated costs incurred by an average operator performing a risk management plan audit

| SISTO category | Performing the risk management plan audit: average cost per SISTO | Total risk management plan audit costs incurred by all SISTOs over 5 years |
|---|---|---|
| Small SISTO | $737 | $29,466 |
| Large SISTO | $3,677 | $36,770 |
| All SISTOs | | $66,236 |

6.2.4 Performing test exercises

SISTOs must perform a test of their risk management plan at least once each year. There were a variety of approaches in completing the annual test exercise requirement amongst SISTOs, given the flexibility of this section in the Act. Overall, the test exercises were undertaken as either:

● a desktop exercise, involving key personnel working through a simulated, theoretical scenario in the office environment
● a field exercise, involving functional scenarios in the field, sometimes including the use of resources such as actors and real transport.

SISTOs use test exercises as an opportunity for training and testing their staff in addition to ensuring their plan is up to date. Some SISTOs conduct their test exercise as part of a broader training across the organisation such as the new employee induction and annual refresher training. This was particularly the case for desktop exercises, as the counter-terrorism exercise by itself was relatively short. Most SISTOs completed their training virtually as a desktop training this year, given the difficulties of organising a field exercise with the COVID-19 pandemic outbreak.

On the other hand, field exercises are more time consuming and expensive to plan, implement and debrief than desktop exercises. Some SISTOs engaged external organisations such as acting groups to help with setting up and executing the training. Of the ongoing activities, the test exercise has the greatest cost impact due to its nature. Larger SISTOs incurred proportionally smaller costs for undertaking test exercises, primarily because they saw some of these activities as business-as-usual or consistent with industry best practice.

The costs associated with the test exercise are across three categories:

● staff time to plan and deliver the exercise
● ad-hoc costs for the operational exercises, such as purchasing a particular training program or hiring actors to demonstrate the exercise
● staff time for conducting the exercises and debrief

The average annual costs of undertaking test exercises are detailed in Table 13, noting that SISTOs only need to undertake one of the desktop or field exercises to meet the requirements of the Act.

Table 13: Estimated costs incurred by an average operator performing an annual test exercise

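| SISTO category | Planning the test exercises (per SISTO): desktop exercises | Planning the test exercises (per SISTO): field exercises | Staff costs of participating in the test exercises (per SISTO): desktop exercises | Staff costs of participating in the test exercises (per SISTO): field exercises | Total test exercise costs incurred by all SISTOs over 5 years |
| --- | --- | --- | --- | --- | --- |
| Small SISTO | $2,481 | $5,978 | $3,089 | $6,734* | $377,071 |
| Large SISTO | $5,103 | $5,103 | $3,509 | $4,696 | $92,057 |
| All SISTOs | | | | | $484,128* |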

Note: The estimated total costs assume SISTOs conduct a field exercise every second year, in line with the stakeholder consultations.
* Some of the smaller SISTOs engaged external consultants to conduct their field exercises; this value is not included in the field exercise value but is included as part of the total costs.
* Total exercise cost captures small and large SISTO test exercise costs plus an ad hoc investment of $15,000 made by one SISTO to support the delivery of the exercise over the past 5 years.

6.2.5 Reviewing the risk management plan

SISTOs are required to review their risk management plan to ensure its currency, or after five years from the plan’s preparation or last review. In practice, some SISTOs advised this review happens more regularly as part of their annual reviews. SISTOs reported they review their risk management plan more often if the risk environment has changed or if they have recognised something as part of their test exercise or other operational activity. Most SISTOs conducted their review internally, and this required between 4 and 30 hours of effort across all SISTOs. In one instance, a small SISTO had engaged an external consultant to complete their 5-year review for an estimated cost of $29,000. Increasingly, SISTOs reported that they performed reviews as part of business-as-usual activities.

Table 15: Estimated costs incurred by an average operator reviewing their risk management plan

| SISTO category | Reviewing the risk management plan: internal staff cost (per SISTO) | Reviewing the risk management plan: monetary cost - external consultant (per SISTO) | Total review costs incurred by all SISTOs over 5 years |
| --- | --- | --- | --- |
| Small SISTO | $1,533 | $29,000 | $82,648 |
| Large SISTO | $673 | $0* | $6,734 |
| All SISTOs | | | $89,382 |

Note: Only one small SISTO reported engaging an external consultant; large SISTOs did not report engaging external consultants for their review.

6.2.6 Preparing the annual certificate

SISTOs must provide TMR with an annual certificate detailing their compliance with the Act, including information on their compliance with the annual audit and exercise requirements. SISTOs prepare this certificate for sign-off by their Chief Executive. This information is consolidated into a short report using TMR’s standard template. Most SISTOs indicated completing the annual certificate ranges from less than an hour to a full day of work. One organisation highlighted that in agreement with TMR, they provide supporting documents in addition to the annual certificate template. SISTOs highlighted they complete the certificate immediately off the back of completing their exercise and annual audit. Table 16 summarises the time costs to businesses incurred preparing annual certificates based on the findings of our stakeholder consultation.

Table 16: Estimated costs incurred by an average operator preparing an annual certificate

| SISTO category | Preparing the annual certificate: internal staff cost (per SISTO) | Total annual certificate costs incurred by all SISTOs over 5 years |
| --- | --- | --- |
| Small SISTO | $157 | $6,285 |
| Large SISTO | $151 | $1,506 |
| All SISTOs | | $7,791 |

6.2.7 Additional costs

In addition, SISTOs reported they regularly participate in non-mandatory activities associated with the Act. This includes Community of practice meetings, where SISTOs engage with one another as well as relevant third party agencies such as QPS. Participation in these meetings is estimated to cost the SISTOs around $40,402 over the five-year review period.

6.2.8 Costs to new SISTOs

Currently, all but one of the declared SISTOs have been operating under the Act for several years and have incorporated annual requirements into their business-as-usual activities. If more surface transport operators were to be declared under the Act, there can be expected to be greater upfront costs than presented in this review.

There are three sets of costs which any newly declared SISTOs are likely to incur in addition to ongoing compliance costs:

1. Preparation of an initial risk management plan
2. Initial compliance costs, such as capital investment and operational changes
3. Ongoing training costs

As discussed in sections 6.2.1 and 6.2.2, only one small SISTO provided estimates for the initial plan preparation and implementation costs, which were reported to be in the order of $17,000 and $200,000, respectively. On average, the ongoing training costs for large and small SISTOs were approximately $124,000 and $27,000, respectively.

Based on the 2014 review, the average costs of preparing an initial plan internally for a large SISTO could range $180,000 and $40,000, and for small SISTOs $15,000 and $5,000, respectively.

6.2.9 Costs to government

Department of Transport and Main Roads

The Transport Security team at TMR works closely with SISTOs to assist their compliance with the Act. As detailed in this review, TMR maintains close relationships with SISTOs, and provides a single point of contact for queries related to complying with the obligations of the Act. A representative from TMR attends the SISTO’s annual test exercises, and they provide in-person and phone support to SISTOs. In addition, TMR prepares and runs the Community of Practice meetings throughout the year.

Queensland Police Service

QPS play an active role in supporting SISTOs to meet their requirements. They do this informally, through the provision of advice and guidance, in addition to participation in test exercises. As has been previously mentioned, the role of QPS is highly valued by SISTOs and is suggestive of QPS playing an integral role in building the technical capability of operators. A team of 18 FTE across SEQ provide this function through a dedicated counter-terrorism network which works closely with businesses and government agencies to prepare, prevent and protect Queenslanders from terrorism. This team engages closely with businesses, including SISTOs and other transport operators, which number over 1,000, to implement QPS’s counter-terrorism strategy. It is the only dedicated network of its kind in Australia and this function exists independently of this Act.

Additionally, QPS participate in a wide range of counter-terrorism activities as they relate to transport operators. Among these is their role on the Australia and New Zealand Counter-Terrorism Committee, on which senior QPS staff sit on a number of sub-committees, including the crowded places protection sub-committee. The Committee serves as an information sharing, capability and training forum across jurisdictions. QPS applies lessons from the Committee to its counter-terrorism role in Queensland, including to enhance the security practices of SISTOs. For example, QPS convened a crowded places forum for CEOs in Queensland last year to raise awareness of the vulnerabilities and controls that can be employed to better protect Queenslanders from these risks.

A conservative assessment of the effort of QPS in engaging with SISTOs and participating in counter-terrorism test exercises and community of practice meetings was undertaken. In total, over $10,000 in staff time was attributed to attendance at test exercises each year. A further $2,000 was estimated as the cost of attending the biannual Community of Practice meetings.

Table 17: Total estimated cost incurred by government to administer the Act

| Cost description | Total costs over 5 years |
| --- | --- |
| TMR staff costs | $1,382,786 |
| QPS staff costs | $61,377 |
| Other TMR costs | $229,000 |
| Total costs to government | $1,673,162 |

6.3 Summary

Our assessment has estimated the cost of regulation to both business and government. Table 18 summarises these findings and provides a total cost of the Act over the last five years.

Table 18: Total estimated cost incurred by SISTOs in fulfilling their obligations under the Act

| Cost description | Total costs over 5 years |
| --- | --- |
| Preparing the plan | $17,011 |
| Implementing the plan | $2,539,074 |
| Auditing the plan | $66,236 |
| Test exercises | $484,128 |
| Reviewing the plan | $118,382 |
| Preparation of an annual certificate | $7,791 |
| Additional costs | $40,402 |
| Total costs to business | $3,244,024 |
| Costs to government | $1,673,162 |
| Total costs | $4,917,186 |

Source: PwC analysis

The total costs incurred by the SISTOs are estimated to be $3.2 million over a five-year period. The ongoing costs of the Act over five years across the 10 SISTOs are estimated to be $600,336, equivalent to approximately $120,067 per annum. In line with the findings of this review, the annual costs of the Act have decreased in comparison to the 2014 review.

There are several reasons for changes in costs since 2014:

● fewer SISTOs incurred upfront costs associated with preparing a risk management plan and implementing it. Only one of the ten SISTOs in this review reported upfront costs over the past five years.
● many SISTOs now perform the required activities under the Act as part of their business-as-usual security practices and do not ascribe this effort to the Act.

The costs to both small and large SISTOs have decreased between 2014 and 2020 (see Figure 7). This reflects that for most SISTOs, the cost of complying with the Act’s requirements has become more efficient as their capability has matured, and, increasingly, these obligations are subsumed as part of business-as-usual security requirements. Compared to the 2014 cost estimates, effort to comply with the Act has shifted from plan preparation and audit activities to implementation, reflecting the integration of activities within operator training programs. Across all cost categories, SISTOs reported less time and cost effort. The one exception to this is the test exercises, which represent a similar level of activity in 2020 as they did in 2014 for small SISTOs. Proportionally, however, test exercises now comprise 16% of small SISTO effort (compared to 7% of their effort in 2014).

The costs to government agencies for administering and supporting the operations of the Act are estimated to be $1.7 million over the five-year period. These costs are approximately 30% lower than the costs estimated in the previous review. One reason for this change has been that TMR no longer provides grant funding to SISTOs to develop their initial risk management plan. Some activities are now considered to be part of TMR’s and QPS’s broader responsibilities beyond the Act’s requirements.

Most SISTOs were not required to complete a review in 2014 as they had been operating on their plan for less than five years at the time. However, costs should be considered indicative given the small sample size from which these costs have been estimated.

Figure 7: Changes in estimated costs per SISTO per annum between 2014 and 2020 review

[Figure: stacked bar charts for two panels, Large SISTO and Small SISTO, each comparing the 2014 Review with the 2020 Review. Large SISTO: $1,525,876 (2014 Review) to $138,546 (2020 Review), a change of -91%. Small SISTO: $170,471 (2014 Review) to $57,928 (2020 Review), a change of -66%. Legend: Plan preparation, Plan implementation, Plan audit, Test exercises, Plan review, Annual certificate, Additional costs.]

Note: The estimated annual costs per SISTO in 2014 refer to those who have remained declared in 2020 and excludes the 11 deregulated ferry operators (i.e. the 2014 costs are across two large and two small SISTOs).

7 Key findings and recommendations

This review has been undertaken in alignment with the Office of Best Practice Regulation Post-Implementation Review Guidance which requires that agencies consider:43

● the original problem and objectives
● the impacts of the regulation
● the effectiveness of the regulation
● whether the regulation should be retained
● proposed amendments or improvements

These lenses have been considered through the evaluation questions of this review, which ask whether the Act and its requirements are effective and appropriate, and what cost impacts are borne by industry and government.

7.1 The Act is effective in achieving its intended outcomes

Overall, the Act has achieved its intended objectives. It is clear that, with the benefit of time, operator capability to manage terrorism risks and plan for recovery from an incident has matured. In large part, terrorism risk management practices appear intertwined with operational security practices, suggesting it is increasingly part of business-as-usual for these operators. This has the effect of raising the resilience of Queensland’s transport network overall.

Importantly, the Act appears to provide a benefit to the community in enhanced security-preparedness among SISTOs (s4b), takes into account relevant national and international best practice (s4c) and promotes improved coordination and collaboration across government, surface transport operators and the community (s4d). In addition, the requirements of the Act have delivered:

● improved planning for counter-terrorism activities
● significant insights and lessons from the counter-terrorism exercises to improve operational processes and infrastructure
● a strong network among transport operators and government agencies, which is borne out through improved lines of communication, information sharing and collaboration
● transference of lessons learnt and security practices beyond the boundary of declared SISTO operations; in a number of cases, activities had influenced other arms of operators within and beyond Queensland
● improved organisational awareness of terrorism risks and management practices
● improvements in general crime prevention, passenger safety and other security benefits on transport networks.

7.2 The Act’s requirements are appropriate to fulfilling the objectives

The design of the Act and its requirements upon SISTOs provides flexibility for operators to embed practices within existing operational security frameworks. This has the effect of promoting efficiency and affordability.

The Act is also flexible to a broad interpretation of risks: it can be read narrowly as applying only to terrorism risks, or more broadly as applying to security threats which would benefit from a risk management approach. The risk management approach adopted by SISTOs can provide benefit to the management of other threats. TMR could play a role in actively encouraging the consideration of these other threats as part of the risk management planning framework and providing information. The specific biological and health threats of COVID-19 are an example that, while not a terrorism risk, may present security risks to operators and could be effectively planned for in the same way.

Some SISTOs identified through this review a desire for more guidance, more material and a dedicated portal for resources reflecting that they truly do look to TMR for direction and advice. Additional comments were made by SISTOs to lessen the annual compliance requirements and for TMR to undertake audits of operators rather than relying on self-audits. In part, this appears to arise among operators who are less confident in their approach, and who are seeking ‘endorsement’ of their plans and activities. In engaging with TMR, the level of resourcing required to keep material current and directed, for so few operators, appears disproportionate to the regulatory aim. Instead, TMR’s trusted advice should continue to be maintained through less formal channels which are demonstrated to be successful in building operator capability. It is through capability building that the Act’s aims will be best achieved, rather than the adoption of prescriptive approaches. This is also aligned to the Act’s fifth objective to ‘seek voluntary compliance in preference to enforcement’.44

43 Queensland Office of Best Practice Regulation, Post-Implementation Review Guidance, accessed at: https://qpc.blob.core.windows.net/wordpress/2018/02/PIR-Guidance-Note.pdf

7.3 The impact of regulation is cost effective to fulfil the regulatory aim

While some SISTOs did identify a regulatory burden to comply with the Act, this was not considered to be significant in order to fulfil the Act’s objectives (fulfilling the Act’s objectives of an appropriate balance of security, public confidence and cost, under section 4a). This is substantiated by the fact that the estimated costs to the average SISTO, once counter-terrorism systems are established, are in the order of $36,000 for small and $117,000 for large SISTOs per year (meeting the Act’s second objective of promoting efficient and affordable counter-terrorism measures, at section 4b of the Act). Further, lessened requirements are likely to produce sub-optimal results, and may reduce the resilience of operators to manage terrorism risks and prepare for recovery. Further, as noted in the 2014 review, the legislative requirement on SISTOs does elevate the priority placed on counter-terrorism activities by operator executives. The removal of requirements risks that security upgrades and activities are not properly funded or given the attention required to manage terrorism risks appropriately.

The role of TMR is highly valued by SISTOs, and there is a clear role for a trusted adviser to guide SISTOs to maintain regulatory requirements in a manner that best fits their organisational context. TMR has also successfully built the capability of SISTOs, reducing their reliance on government and equipping the self-regulatory elements of the design of the Act. The role of QPS is also highly valued, and is integral to SISTO ongoing delivery of risk management. While this does present a cost to government, this is offset by the benefits to the broader community achieved through improved relationships, lines of communication and more tailored risk management, incident response and a more secure, safer and resilient transport network. In the event of a terrorist act, these informal ties will enhance agency response to minimise the impacts of an incident and give confidence to operators and the community that they will act in the best interest of members of the public.

7.4 Recommendations

Based on consultation with SISTOs and PwC assessment, several opportunities have been identified to improve the effectiveness and efficiency of the requirements of the Act, and ultimately enhance the resilience of Queensland to plan, manage and respond to terrorism acts and security incidents. These are outlined below.

44 s4e, Transport Security (Counter-Terrorism) Act 2008

Recommendations of the regulatory review

Recommendation 1: TMR consider ways to encourage SISTOs to use terrorism risk management practices to strengthen broader preparedness across other security threats that might benefit from this type of planning framework.
(Section 4.1 - The purpose of the Act can be interpreted broadly in the risks it addresses, meaning it is flexible to a changing threat context)

Recommendation 2: TMR should provide guidance to SISTOs on how the risk management plan requirements of the Act can be fulfilled by other risk management frameworks that can account for counter-terrorism activities, including:
- security plans prepared under the Rail Safety National Law (Queensland) Act 2017
- business continuity and crisis management planning procedures.
(Section 4.2 - The Act has improved counter-terrorism planning across operators, but there are further opportunities to streamline planning)

Recommendation 3: TMR should require SISTOs to nominate at least two points of contact in each organisation for which information from TMR will be disseminated to and communicated with to reduce the risk of communication failure.
(Section 4.2 - Opportunity to enhance the resilience of operator and agency response to a terrorist act or major incident)

Recommendation 4: TMR should develop, in consultation with QPS and councils, a whole of network incident response plan which specifies the communication roles and responsibilities for a range of security incident scenarios. These scenarios should consider the broader network-based response, including communication actions and instruction to SISTOs operating within the zone of an incident, even where their operation is not directly affected by the incident, in order to enhance network resilience and response to a security threat or incident.
(Section 4.2 - Organisational change is a reality among operators and could be better supported to ensure requirements are met)

Recommendation 5: TMR should develop a 1-2 page checklist that outlines SISTO obligations under the Act, including a timeline for these activities to better support business continuity and new staff onboarding among SISTOs.
(Section 4.2 - The provision of information and guidance has assisted SISTOs to fulfil their obligations)

Appendix A Project Scope

Table 19: Assessment domains mapped to key regulatory review questions and sub-questions

Question domain: Effectiveness: achievement of intended outcomes
Key assessment question: 1. Does the Act provide effective support in planning for the protection and adverse impacts of a terrorist act involving your organisation?
Assessment sub-questions:
a. Do the measures adopted by organisations under the Act better protect them by addressing the risks of terrorist acts and preparing recovery?
b. Has the introduction and operation of the Act reduced the risk of terrorism to surface transport operators in Queensland? In what ways does the Act do this?
c. What additional requirements in the Act could better protect SISTOs against impacts of terrorist acts?
d. What aspects around the requirements of the Act could be improved or removed?
e. What guidance is provided to undertake the obligations under the Act? How helpful has it been?
f. What additional information would be helpful to support undertaking the obligations under the Act?

Question domain: Appropriateness: suitability of the Act and its requirements to fulfil the objectives
Key assessment question: 2. Does the Act and its provisions remain appropriate in supporting your organisation?
Assessment sub-questions:
a. Are there aspects around the requirements of the Act that could be improved to reduce the compliance burden on the SISTOs?
b. How do organisations’ current counter-terrorism security practices interlink with their business-as-usual security?
c. Since the previous review how has the effort to comply with the Act changed?
d. What has been the experience of dealing with TMR in administering the Act?

Question domain: Impacts of the regulation: current costs and impacts of the regulation
Key assessment question: 3. What are the previous, existing and future costs of regulation on businesses and government?
Assessment sub-questions:
a. The upfront implementation and ongoing costs that businesses and government uptake in order to comply with the Act’s requirements.
b. Please refer to Appendix B for the complete list of cost-related questions.

Source: PwC Analysis

Appendix B Stakeholder consultations

Stakeholder consultation questions

Prior to the discussion with the declared SISTOs, all stakeholders were provided the following questions to consider for the stakeholder consultation.

Could you provide a brief summary of what your business does?

1.1. Could you provide a brief description of your organisation? (e.g. the nature and modes of your services, size of operation, geographic span and number of employees.)
1.2. How many employees are directly involved in SISTO-related activities to comply with the Act?

What are the current costs and impacts of the Act on your organisation?

2. How much does the preparation and documentation of the Risk Management Plan (RMP) cost your organisation?

2.1. When did you last prepare and document a RMP under the Act?
2.2. Was the RMP prepared internally or by engaging an external consultant?
2.2.1. [if internal] How much time did it take to prepare the RMP? Who in the business was responsible for preparation? (e.g. manager, Operations staff, etc.)?
2.2.2. [if external] How much did it cost to have the RMP prepared by the consultant? How much staff time was used to work with the consultant or document the consultant's report into your business' policies?

3. How much does the review of the RMP cost your organisation?

3.1. When did you last conduct a review of your RMP? What was the main reason for the review?
3.2. Was the RMP review conducted internally or by engaging an external consultant?
3.2.1. [if internal] How much time did it take to prepare/review the RMP? Who in the business was responsible for undertaking the review? (e.g. manager, Operations staff, etc.)?
3.2.2. [if external] How much did it cost to have the RMP reviewed by the consultant? How much staff time was used to work with the consultant or document their report into your business' policies?
3.3. Were any other costs incurred in relation to the review?
3.4. Did you make any changes to the RMP in response to the Review?

4. What are the upfront and ongoing costs associated with implementing the RMP?

Upfront costs:
4.1. What were the initial measures taken to implement the RMP and what was the time/cost involved?
4.2. Were there any changes to physical assets or systems/processes? (e.g. CCTV, fencing, etc.) If so, what costs were involved?
4.3. Did you introduce any new training? Did you incur any other implementation costs?
Ongoing costs:
4.4. What are the ongoing costs with having the RMP in place? (e.g. security, training, etc.)

5. How much does the annual audit of the RMP cost your organisation?

5.1. Have you conducted an audit of your RMP in the last year?
5.2. Was the annual audit undertaken internally or did you engage an external consultant?
5.2.1. [if internal] How much staff time was required to conduct the audit?
5.2.2. [if external] What was the total cost of conducting the audit to your business?
5.3. Are there any other costs associated with the audit? For example, costs to implement any recommended improvements, etc.?

6. How much does the testing exercise of your operations cost your organisation?

6.1. In the last year have you either (i) conducted an exercise to test operations or (ii) contributed to the planning of an exercise by another entity?
6.2. What did the exercises contain? Are they 'desktop' training or 'actual physical' exercises?
6.3. Are these test exercises part of your business-as-usual security exercises or are they additional?
6.4. How frequently do you conduct these exercises?
6.5. Can you tell us about the time and costs involved in undertaking an exercise?
6.6. Was there any disruption to normal business activities? If so, what were these costs? Are there any other costs?

7. How much does the preparation of the ‘annual certificate’ cost your organisation?

7.1. Do you prepare an ‘annual certificate’ for sign-off by your chief executive? Who in the organisation prepares the annual certificate?
7.2. How much staff time does it take to prepare and sign-off the certificate?

8. Are there any other activities associated with the Act requirements that we have not covered?

8.1. What other costs, such as administration or compliance with the Act, did you incur?
8.2. Would you have undertaken any of the compliance activities in the course of business if the Act did not exist? (e.g. annual audit, testing, training and the review of the RMP)
8.3. How do your compliance activities under the Act contribute to other security, safety and amenity objectives of your operation?

Does the Act and its provisions remain appropriate in supporting your organisation?

9.1. Are there aspects around the requirements of the Act that you think could be improved to reduce the compliance burden on your operations?
9.2. How do the counter-terrorism security practices interlink with your business-as-usual security?
9.3. If you were a SISTO in 2014, how has the effort to comply with the Act changed? Would you estimate it takes more time or effort to comply, or less?
9.4. What has been your experience of dealing with TMR in administering the Act?

Does the Act provide effective support in planning for the protection and adverse impacts of a terrorist act involving your organisation?

10.1. Do the measures you have adopted under the Act better protect your organisation by addressing the risks of terrorist acts and preparing your recovery?
10.2. Do you consider that the introduction and operation of the Act reduces the risk of terrorism to surface transport operators in Queensland? In what ways does it do this?
10.3. What additional requirements in the Act could better protect your organisation against impacts of terrorist acts?
10.4. Are there aspects around the requirements of the Act that could be improved or removed?
10.5. What guidance do you use to undertake your obligations under the Act? How helpful has it been?
10.6. What additional information would be helpful to support undertaking your obligations under the Act?

Stakeholder consultation schedule

Table 20 below presents the full list of all stakeholder consultations as part of the regulatory review.

Table 20: List of stakeholder consultations

| Company name | Meeting date |
| --- | --- |
| Queensland Rail | Friday 26 June 10-11AM |
| Transdev Queensland | Wednesday 1 July 11AM-12PM |
| BCC CityCats | Monday 29 June 10-11AM |
| BCC Transport for Brisbane | Monday 29 June 10-11AM |
| BCC Transport for Brisbane | Monday 29 June 10-11AM |
| BCC Transport for Brisbane | Monday 29 June 10-11AM |
| Mt Gravatt Coach | Thursday 25 June 10-11AM |
| Mt Gravatt Coach | Thursday 25 June 10-11AM |
| Bus Qld (Park Ridge Transit) | Tuesday 30 June 10-11AM |
| Bus Qld (Park Ridge Transit) | Tuesday 30 June 10-11AM |
| Hornibrook Bus Lines | Thursday 25 June 1-2PM |
| Hornibrook Bus Lines | Thursday 25 June 1-2PM |
| KD Light Rail (G:Link) | Wednesday 24 June 10-11AM |
| Kinetic (Surfside Buslines) | Friday 26 June 3-4PM |
| TAG Group (Surfside Buslines) | Friday 26 June 3-4PM |
| Queensland Police Service | Wednesday 8 July 9-10AM |
| Department of the Premier and Cabinet | Friday 10 July 10-11AM |
| Department of Transport and Main Roads | Tuesday 23 June 1-2PM, Thursday 9 July 10-11AM |


Appendix C Costing approach

This analysis sought and estimated the costs incurred by both the public and private sector due to the Act. To maximise comparability between reviews, this review used the same costing approach as the previous 2014 review, with minor modifications. An overview of the costing methodology is presented in Figure 8 below.

Figure 8: Approach to calculating the cost of regulation

1. Cost per operator: Based on information from stakeholder consultations, we recorded the time and monetary costs associated with fulfilling the requirements of the act.
2. Average cost per operator: Time costs recorded were translated to dollar values, using the standard methodology detailed below. Costs were then aggregated and averaged to produce an average cost per small and large SISTO.
3. Total cost to business: The total annual cost impact on business is calculated: (Average cost to small SISTO x number of small SISTOs) + (Average cost to large SISTO x number of large SISTOs).
4. Total cost to government: The total annual cost to government of administering and enforcing the act was provided by government.
5. Total cost of regulation: The total cost of regulation is equal to the sum of the total cost to business and the total cost to government.

Cost to business

First, SISTOs participated in stakeholder consultation. SISTOs provided details regarding the costs incurred and time spent meeting the requirements of the act. This data was recorded, and the value of staff time spent was calculated by multiplying the number of hours spent on an activity by the economy-wide hourly rate. The economy-wide hourly rate was derived using a method consistent with the previous review, specifically:

Economy-wide hourly rate = AEH x ON x OH, where:

● AEH is the average earnings per hour for a full-time adult employee
● ON is the on-cost multiplier, which includes superannuation payroll costs, and other non-salary labour costs
● OH is the overhead cost multiplier

These assumptions are further defined in Table 21.


Table 21: Value of time assumptions

| Input assumption | Data source | Calculation | Result/Input | Rationale |
|---|---|---|---|---|
| Average annual earnings | ABS Full Time Average Weekly Earnings, Australia (Cat. No 6302.0 – Table 11C) Earnings; Persons; Full Time; Adult; Total earnings; Queensland | $1,659.00 x 52 | $86,268 | Average weekly earnings are multiplied by 52 to derive average annual earnings. This is consistent with the approach used by other jurisdictions. The latest available data (Nov 2018) has been used. |
| Number of weeks worked per annum | N/A | N/A | 45 | This is based on subtracting 7 weeks from the full year (four weeks associated with annual leave and another three weeks associated with sick and other leave). This approach is consistent with the assumptions applied in NSW and South Australia. |
| Average weekly hours for full time workers | Fair Work Ombudsman Full-time employees - average hours worked | N/A | 38 | This is the latest published estimate of hours worked by full-time employees. This is also consistent with the approach used in other jurisdictions. |
| Average earnings per hour (AEH) | Annual earnings / (weeks worked pa. x hours worked per week) | $86,268.00 / (45 x 38) | $50.45 | |
| On-cost multiplier (ON) | ABS Labour Costs 2015-16 (Cat No 6348.0) Major labour costs by state and territory (Queensland) | 100% - [Earnings % of total labour costs (87.6%)] + 1 | 1.124 | Consistent with other jurisdictions. The latest data for Queensland (2015-16) has been used. Total other labour costs include superannuation, payroll tax, worker’s compensation and fringe-benefits tax. |
| Overhead cost multiplier (OH) | n/a | n/a | 1.25 | While some jurisdictions use a higher multiplier for overheads, as we expect that most online users will be small to medium enterprises, and therefore subject to lower overhead costs, a more conservative estimate is considered appropriate. |
| Economy-wide hourly rate (HR) | | = $50.45 x 1.124 x 1.25 | $70.88 | |

Once the value of time was calculated, an average cost per small and large SISTO was calculated from the aggregated time and monetary cost of each category. Next, the total year cost to business was calculated by multiplying any ongoing costs by 5, and adding any one-off and upfront costs, such as the cost of a five year review or initial plan preparation. The result is a value which represents the total monetary impact of the act on business over five years.


Cost to government

The Department of Transport and Main Roads (DTMR), Department of Premier and Cabinet (DPC), and Queensland Police Service (QPS) participated in stakeholder consultations, which included discussions of the costs incurred by these organisations. Additionally, many SISTOs advised that DTMR and QPS staff had attended their test exercises, as well as the bi-annual community of practice meetings.

The cost to Queensland Police Service for their attendance at training exercises was calculated using publicly available salary information, as well as data provided by SISTOs and QPS on their involvement in training exercises. Calculations assumed:

● An average salary of $83,000 per annum [45]
● An on-cost and overhead multiplier the same as those detailed above (1.124 and 1.25 respectively)
● Police attendance at 10 exercises and 2 community of practice meetings per annum
● 1 day of time for each exercise, including any preparation, travel, involvement and debrief
● 2 QPS staff attending each exercise and meeting.

[45] Assumes the average value of a Senior Constable salary range, sourced from QPS


© 2020 PricewaterhouseCoopers Consulting (Australia) Pty Limited. All rights reserved. PwC refers to PricewaterhouseCoopers Consulting (Australia) Pty Limited, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. Liability limited by a scheme approved under Professional Standards Legislation.