THE RISK COMMUNICATOR

The Monthly Newsletter of the
Security Analysis and Risk Management Association

February 2009

In This Issue
White House Bullish on Risk Management; Leaked CRS Docs Highlight RM Issues
Nerud: Getting Inside the OODA Loop
Quigley: Canada's Security Infrastructure Needs
Bracken: Risk Management for Intelligence Professionals
Key Reports: GAO's High Risk Series and more
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.

Legal Matters
Copyright 2009
SARMA
All Rights Reserved

The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.

President's Corner

SARMA Prepares for 3rd Annual Conference

Fellow SARMA Members,

I hope you are enjoying the new look and feel of The Risk Communicator, as well as its enhanced content. As we approach spring, many other new and exciting changes are also in development. Soon, SARMA will announce a new organizational structure and approach to doing business. These changes will mean additional opportunities for all of our members to become involved in helping to shape the future of the profession -- whether by serving on a project committee, helping with events and conferences or taking a leadership post as one of the association's elected officers.

While we await spring's arrival, however, the business of the association continues -- including key aspects of the planning necessary to ensure the success of SARMA's 3rd Annual Conference on Security Analysis and Risk Management. In keeping with the many changes here at SARMA and at the federal level, the theme of this year's gathering is "New Perspectives on Security Risk Management."

As you may have noticed, the SARMA web site has recently been updated to include a call for speakers, exhibitors and sponsors. Your involvement in any of these categories would be of tremendous value. Additionally, SARMA's conference committee is seeking volunteers to support the many day-to-day activities that are required to make a conference of this magnitude successful. To lend a hand, please contact conference manager Chris Miller.

In addition to supporting the annual conference, we are also in search of someone willing to serve as the association's next treasurer. Last fall, when he was nearing the end of his two-year term, our current treasurer, Dave Brown, graciously indicated his willingness to remain in place through the filing of the association's 2008 taxes. Unfortunately, that time is now upon us. Dave's quiet competence and effective leadership in this area will be hard to replace, but I am confident that we will find that person among the wealth of talent that comprises SARMA's membership. In that regard, I encourage you to send your recommendations to the nominating committee by close of business on Friday, 27 February 2009.

Finally, it was especially heartening to see the importance the new administration appears to be placing in its early days on the use of risk as a key decision-support tool for homeland security. As we highlight in a separate article, new Homeland Security Secretary Janet Napolitano wasted little time in clarifying the matter. One of her first five Action Directives, issued on 21 January 2009, calls for an internal report on the current state of risk analysis metrics and asks how DHS can enhance the use of risk management in decision-making. A vital and energized SARMA stands ready and able to assist in that effort.

Enjoy this issue of The Risk Communicator and, as always, please feel free to contact me or editor Avi Klein with your comments, suggestions and story ideas!

All the best,

Kerry L. Thomas
President

News
White House Strong Out of the Gate on Risk Management Challenges

The change in administration in Washington has brought with it a renewed sense that risk management principles must be the bedrock of effective homeland security policy. On 21 January 2009, DHS Secretary Janet Napolitano issued the first five in a series of Action Directives focused on gaining a better understanding of the current capabilities and challenges related to the protection mission, including infrastructure protection, national planning scenarios and the allocation of grant dollars.

"One of my top priorities is to unify this department and to create a common culture. These action directives are designed to begin a review, evaluation and dialogue between the various functions of this department and me," said Secretary Napolitano. "I look forward to receiving the information and to working with the offices and agencies involved to make DHS a more effective and a more efficient department."

The directives include one dedicated to critical infrastructure and another to risk analysis:
  • Critical infrastructure protection. This core mission of DHS entails a broad mandate to reduce the vulnerability of key systems and structures to natural and manmade threats. DHS oversees the national critical infrastructure list and manages 18 infrastructure sectors established under Homeland Security Presidential Directive-7, with primary responsibility for information technology, telecommunications, chemical, transportation, emergency services, and postal and shipping. This entails extensive dealings with other federal agencies, states, and the private sector, involving collaboration, data collection, risk analysis, and sharing of best practices. What is the current status of the critical infrastructure list, relations with the 18 sector security councils and the other departments that have critical infrastructure protection roles? What are the plans to enhance protection? How do we enhance private sector participation? An oral report is due Jan. 28.
  • Risk analysis. Given the extensive number of vulnerabilities to manmade and natural disasters and the limitations on resources, determining national priorities and the judicious distribution of resources are a major element of the department's mission. What is the status of risk analysis metrics and what is the plan and time frame for setting up a full-blown system to govern the establishment of critical infrastructure programs, the priorities among national planning scenarios, and the distribution of grants to state, local, and tribal entities? More broadly, how can DHS enhance risk management as the basis of decision making? An oral report is due Jan. 28.
All five of Napolitano's Action Directives can be found here.

The secretary also announced this week that she has ordered a full review of the annual Topoff emergency response drill program, as well as American policies related to cybersecurity, border protection with Canada, and the vulnerability of power plants and other critical infrastructure, The New York Times reported. As governor of Arizona, Ms. Napolitano had been a harsh critic of Topoff, which she said was too expensive and "too removed from a real-world scenario."

"If we're going to be doing these kinds of things, and they are valuable, the underlying philosophy is a good one, but they need to be in my view streamlined," Ms. Napolitano told the Senate Committee on Homeland Security and Governmental Affairs last month.

The next Topoff drill is scheduled for June and reportedly will test how well planners respond to a multi-stage crisis involving a terrorist attack in Europe and a coordinated strike against the United States from terrorists operating from Mexico.

Website Releases Trove of Leaked CRS Studies on Risk Management

They aren't the Pentagon Papers, but thousands of unreleased Congressional Research Service (CRS) reports were leaked this month to Wikileaks.org, an on-line resource for secret and suppressed government documents. CRS reports are not typically confidential, but because they are created as guidance for congressional members and their staffs, they are not publicly released.

Nevertheless, said Wikileaks spokesman Daniel Schmitt, "These documents belong in the public domain because they represent an essential part of policymaking and they are produced with taxpayer dollars."

Among the thousands of reports are a number of interest to the risk management and security analysis sectors:
  • Risk Management and Critical Infrastructure Protection (full report)
  • The Department of Homeland Security's Risk Management Methodology (full report)
  • Risk Assessment and Regulation in the Federal Government: A Brief Overview (full report)
  • Flood Risk Management and Levees: A Federal Primer (full report)
  • Earthquakes: Risk, Monitoring, Notification and Research (full report)

SARMA Survey on the Way

SARMA is conducting the first known survey of individuals involved in the emerging profession of security analysis and risk management. All SARMA members and approximately 1,800 SARMA newsletter recipients will receive the survey invitation by email later this week; recipients are encouraged to forward the survey to any colleagues who perform similar work but may not have received the invitation. All responses are completely anonymous.

"The results of this survey will benefit everyone," said SARMA's immediate past president, Ed Jopeck. "Many of today's initiatives in security risk management are based on untested assumptions about who risk analysts are, what they know and what they need to know. The results of this survey will benchmark for the first time ever where the profession is currently, and allow SARMA and other organizations to measure progress in the future."
 
It is critically important that as many risk management professionals as possible participate so that SARMA can develop an accurate demographic profile of this emerging profession. SARMA will share this information with the federal government, academia and private industry to help identify current trends, compensation, training needs and opinions about the future of the profession. After a short period of analysis, the results of this survey will be available to SARMA members and affiliated organizations through conferences, a written report and on the SARMA web site.

Speakers and Volunteers Needed for June SARMA Conference

The 3rd Annual Conference on Security Analysis and Risk Management is just around the corner, and SARMA is counting on your participation to make it the most successful gathering to date. Whether it's as a speaker presenting your latest research findings, an organizer helping us design the program, a sponsor or a vendor, you can play an important role in promoting SARMA and the risk management and security analysis professions.

Scheduled to take place from 16-18 June 2009 at George Mason University's Arlington, Virginia campus, the conference is the only national event organized by security risk analysts and managers for their peers in government, industry and academia. Last year, more than 200 individuals from around the world attended, including 50 speakers as well as representatives from all levels of government and from various national and international agencies.

If you'd like to participate, please contact the SARMA Conference Committee for additional information. Details for prospective speakers can be found here.

[Image: a picture from the 2008 conference]

SARMA's LinkedIn Page Continues to Grow

Each month, dozens of security analysis and risk management colleagues have been joining SARMA's LinkedIn page. In addition to networking and catching up with long-lost colleagues, members are discussing critical issues in risk management and sharing ideas about current trends. 

This month, SARMA members discussed whether, given the economic crisis, security risk analysis will become increasingly critical to allocating scarce security resources, or whether it will become an expensive capability few organizations can afford. Here are a few quotes from the discussion:
  • "With the promise of more government on the horizon, I believe we will see just as much if not more need for security risk management. DHS is trying to leverage the concept of strategic risk... to ensure that only the highest risk assets get the resources. However, I am not convinced they know what that looks like."
  • "It depends on who's doing the analysis. I can easily see private entities delaying or reducing expenditures on security risk analyses since security risk may not be their dominant business risk in this economic climate."
  • "The greater issue is not the importance of performing risk analysis, rather the acceptance of risk. As resources become scarcer, decision makers will begin delaying the implementation of countermeasures usually in an effort to ease restrictions or to reduce costs. They will justify this decision with the fact that nothing has occurred that would require them to implement the countermeasure."
Got an opinion? It's easy to get involved. To create a LinkedIn account, go here. If you already have an account, you can go directly to the SARMA group here.


In the Field
Getting Inside the OODA Loop
by Dr. Benjamin Nerud

Numerous studies extol the benefits of the OODA Loop and the advantages of integrating its concepts into analysis and decision-making processes. The most frequently touted concept is "getting inside their Loop" -- the use of effective analysis and action to disrupt the enemy in the planning stages of an attack. This article describes a process to accomplish this objective.

Air Force Colonel John Boyd developed the OODA Loop to describe the decision-cycle process by which an entity reacts to an event. He broke this process down to the simple four-step iterative cycle of Observe - Orient - Decide - Act. The idea is that, prior to taking action, a decision-maker must observe the condition, situation or opportunity that requires action. To respond effectively, he must orient himself by synthesizing prior training, experience and cultural traditions with the newly obtained information. Once oriented, the decision-maker evaluates the options available, chooses one and then acts. The process repeats itself until resolution is achieved.

To defeat the enemy, then, is to have a faster OODA Loop cycle, thus forcing him to react to you while you maintain the initiative. As Boyd observed, "Without the ability to get inside other OODA Loops (or other environments), we will find it impossible to comprehend, shape, adapt to, and in turn be shaped by unfolding, evolving reality that is uncertain, ever-changing, unpredictable."

While Boyd's OODA Loop provides a means of evaluating the decision-making process, it is not sufficiently detailed to utilize as a standalone analytical model. The purpose of intelligence analysis methods is to create a model of the target to obtain critical information. This analysis requires two components: first, the identification of critical nodes within the adversary's OODA Loop; second, the application of mechanisms to defeat or disrupt those nodes.

The OODA Loop can incorporate many models to aid in the identification of its critical nodes. One method identifies critical capabilities and the critical requirements of those capabilities to determine which nodes are vulnerable to defeat mechanisms.

In his "Centers of Gravity and Critical Requirements," Dr. Joseph Strange of the Marine Corps War College developed this framework by expanding on the Clausewitzian concept of centers of gravity. This process encompasses a tiered approach, establishing the adversary's center of gravity, the primary source of its moral and physical strength, power and resistance. Within these centers of gravity are "critical capabilities." For critical capabilities to function, they depend on essential conditions, resources and means to be present. These latter factors constitute "critical requirements."

The chart below shows a terrorist attack cycle center of gravity / critical capability / critical requirement model:


[Figure: Al Qaeda Operational Chart]

After breaking down an adversary's system, an analysis of each node determines its vulnerability to defeat mechanisms. Nodes susceptible to influence constitute "critical vulnerabilities." The application of defeat mechanisms at these points degrades or denies a critical requirement, thereby disrupting the adversary's OODA Loop.

Brigadier General Huba Wass de Czege identified three methods, called "defeat mechanisms", that can be used to influence a critical requirement. Attrition reduces an adversary's manpower or resources using destructive force. Disintegration reduces manpower or resources by influencing the support systems necessary for the adversary to act. Dislocation changes the environment in which the adversary must operate, affecting its ability to maintain the initiative and freedom of movement.

Defeat mechanisms should be capable of disabling the nodes required by the adversary. To do this, defeat mechanisms must be oriented as part of a system. The more complex the adversary, the greater the need to develop coordinated defeat systems that use multiple defeat mechanisms targeted against multiple critical vulnerabilities. Defeat mechanisms can be oriented to engage these critical vulnerabilities either sequentially or simultaneously. The entire system has one primary goal -- to disrupt or deny the critical nodes necessary for the adversary to accomplish its objectives.

In conclusion, this methodology aids planners by identifying aspects of the adversary's operations that are susceptible to defeat, and it aids in selecting the appropriate defeat mechanisms. To complete this process, it is necessary to identify when to implement certain defeat mechanisms in order to obtain the greatest impact. Using the OODA Loop, the effect of each defeat mechanism on each critical node determines the overall effect on the adversary's decision-making process. By determining the effect, it is possible to comprehend, shape and adapt the environment to the planner's benefit. In other words, this methodology "gets inside the adversary's OODA Loop."

Dr. Benjamin Nerud is a Deputy Branch Chief in the Combat Support Assessments Division at the Defense Threat Reduction Agency.

Commentary
Canada's Infrastructure Renewal Must Address Critical Security Gaps
by Dr. Kevin Quigley

The Canadian manufacturing industry experienced 101,000 job losses in January, the worst one-month loss the industry has ever recorded. The national unemployment rate has increased 0.6% over the last 12 months. All across Canada, as in most Western countries, the economy is the only story in town. With an eye to stimulating the sagging economy, on 27 January 2009 the Canadian government tabled its budget in the House of Commons. In it the government announced a number of new spending initiatives, including C$12 billion over the next two years in infrastructure improvements on roads, bridges, railways, universities, recreation centers and other public infrastructure.

Despite the Canadian government's focus on strengthening national infrastructure, the security of that infrastructure in general received little explicit attention in the government's budget. There were some specific references to improving border and aviation security, but on the whole one can see that security concerns are not front and center. Living in the shadow of 9/11, this is surprising. Many investments the government will make in infrastructure are once-in-a-generation investments. A modern approach to infrastructure renewal must take medium- and long-term security concerns into account. There is reason to believe that vulnerabilities in this area persist and that the timing might be just right for these security investments.  

The relative silence on the security of national infrastructure raises questions about the progress the government is making in this policy area in two important respects. First, is the government talking to the right people? "Federal infrastructure accounts for about 5 per cent of public infrastructure in Canada," noted the federal budget. The provinces and municipalities also own a share, which received considerable attention when the budget was released. But even collectively public ownership of infrastructure is dwarfed by the private sector's ownership -- as it is in the US. In particular, Canada's critical assets rest overwhelmingly in private hands; the infrastructure that supports banking, energy and utilities, telecommunications, manufacturing and food are obvious examples. No serious conversation about strengthening Canada's infrastructure can occur without involving the private sector.    

Second, given that the critical infrastructure is largely privately owned, will present market conditions prompt infrastructure owners and operators to take the necessary steps to protect it? In fact, there is a significant market failure at work that the government has yet to address fully. Corporate executives and their shareholders are sometimes reluctant to invest in security -- particularly in bad times -- because its benefits are often indeterminate. (How much money should one spend on security? One never knows. Or rather, one knows only when one has spent too little.) 

Infrastructure vulnerabilities tend also to be 'dirty little secrets' that no one wants to discuss. They threaten the immediate security of the firm, yes, but also its liability, share value and public image. Moreover, there is a problem with trust. Industry executives worry that sensitive information shared with government, for instance, may be used (surreptitiously) for purposes other than those related to security. In short, market forces can keep security investments down. They also discourage cooperation and transparency.    

This dynamic is similar to Hardin's famous "Tragedy of the Commons." In his article, Hardin describes a dilemma in which individuals acting independently, in a self-interested manner and without regulation, deplete a shared resource -- leaving everyone worse off. In this case, the security of the infrastructure is the common resource and, while underinvesting in it can save the individual firm some much needed cash, collectively we will be worse off for it. Traditionally, industries could try their luck; if they chose to take risks with their security and failed, the market would punish them accordingly. Because organizations that manage critical infrastructure are increasingly interdependent, however, individual decisions to underspend on security and/or not disclose security-related information are now a risk for the entire critical infrastructure and all those who depend on it. Recall August 2003: overgrown trees in Ohio coupled with poor management practices in the power sector contributed to a grid failure that affected 50 million North Americans and cost the North American economy billions.

What, then, can the Canadian government do to address these issues? It can start by re-energizing existing initiatives. Public Safety Canada -- Canada's response to the Department of Homeland Security -- has drafted a strategy for critical infrastructure, which has been in circulation for a year and includes many promising ideas. The government should follow through with the plan, including the development of public/private-sector information-sharing forums and protocols as well as sector-specific risk assessments and work plans. The economic circumstances have changed since the plan was first released and some amendments might be in order. Bad economic times will make global supply chains generally more vulnerable. The plan might therefore include, for example, tax incentives for industry, and for small and medium-sized enterprises (SMEs) in particular, to develop business continuity and recovery plans.

Few would dispute the budget's infrastructure investments in such uncertain economic times. In addition to the short-term economic stimulus they can provide, however, we should ensure that what we build today results in a more resilient infrastructure in the future. The relative calm in security issues may present an opportunity to make some thoughtful progress; making policies immediately following crises clearly produces mixed results. The sense of urgency to respond can break through inert bureaucracies and mobilize considerable resources to accomplish ambitious projects. But "they stumble that run fast," noted Shakespeare's Friar Laurence. Policy discussions about the security of critical infrastructure immediately following high profile failures can prompt overreaction from the public and their politicians. This, too, is part of the shadow of 9/11.

Kevin Quigley is an assistant professor at the School of Public Administration at Dalhousie University, Halifax, Canada. He specializes in public sector risk management and critical infrastructure protection. In 2008 he published, with Palgrave MacMillan, Responding to Crises in the Modern Infrastructure: Policy Lessons from Y2K.

Research and Analysis
Risk Management for Intelligence Professionals (Part I)
by Paul Bracken

Risk management has benefited one field after another. It has improved performance in engineering, environmental protection, finance, space flight, health care, accounting, the control of epidemics -- even baseball. There can be little doubt that risk management has enhanced many fields, except one: intelligence has remained largely insulated from it.

Yet risk will occupy an increasingly central place in national security decision-making. The intelligence community needs not only to be aware of this, but also to design its work to better assess, clarify and define the risks that follow from these changes. Intelligence also has to develop a more productive conversation with other operational components of national security. Risk management offers a powerful framework to facilitate this conversation.

This paper builds on Managing Strategic Surprise, Lessons from Risk Management and Risk Assessment (Cambridge University Press, 2008), which I co-edited with Ian Bremmer and David Gordon. Over two years, we worked closely with risk management specialists in finance, health care, engineering and many other fields. In addition, we worked with intelligence and security experts with great domain knowledge. The project's aim was to see how risk specialists structured their problems and what the implications were for bringing risk management into intelligence and security affairs. This paper summarizes the key insights and conclusions of the project.

The reason risk management hasn't been widely used in the intelligence community is not hard to understand. Few people have given much thought to what it is or how it could be used. The same was once true in other fields. It isn't bureaucratic resistance that's the problem. Rather, the problem is the lack of a clear statement of exactly what risk management is and why it is useful.

It is necessary to dispose of some preconceptions here. One is that risk management consists of using models and mathematical methods -- for example, value at risk in finance, options theory (also finance) or decision and fault trees in nuclear engineering. There are many modeling techniques, and they may have useful application in intelligence.

But risk management conceived as a collection of methodological tools is much too narrow an approach. Creating a collaborative structure -- for example, between intelligence and operations -- is more than just disseminating narrowly focused tools. It is about managing the complex interplay that occurs in these disparate networks, of which one of the most important is risk. The real payoff of risk management lies in its ability to foster a common language for assessing and discussing risk by the different parts of an organization. It raises the level of conversation about risk in such a way that terms and categories have a consistent meaning.

To see this, we turn to how risk management has transformed other fields. Anesthesiologists in the 1980s paid one of the highest malpractice insurance premiums of any medical specialty, and for good reason: they had the highest patient deaths from malpractice of any specialty. But in the 1990s anesthesiology became much safer. Patient deaths declined from about 1 in 5,000 to 1 in 250,000 cases. For years anesthesiologists had focused on lobbying for laws protecting them from malpractice. But this approach was changed in favor of a risk-based approach that focused on patient safety. New technology was introduced to prevent common mistakes, risk maps were used to define systematic solutions and a new organization was launched to focus on patient safety.

The shift from legal protection to patient protection called for a framework that put patient risk at its center. The big payoff came from developing a framework that focused on risk, along with distinctions and vocabulary that allowed a productive discussion about it. This allowed a new procedure or technology to be evaluated in a consistent way. It allowed physicians to take a fresh look at their practice through the lens of managing its risks. Moreover, it allowed them to extend this conversation outside of their network, to hospital administrators, equipment vendors and insurance companies.

This is very different from a "tools" approach to risk management. To import mathematical models into an organization where most managers don't understand them may produce an improvement here or there. But it won't lead to a productive conversation about risk in the organization as a whole because it won't supply the needed terms, distinctions and frameworks. Likewise, it won't allow an extended conversation outside of the organization, with other institutions, decision-makers and technology suppliers.

The project on managing strategic surprise produced a number of important insights:

Surprise Can Be Managed

Some people think that managing strategic surprise is an oxymoron. This view, while mistaken, points the way to a powerful insight: dealing with surprise is about much more than listing bad things that can happen. Consider the most fundamental strategy for risk management in business. Experienced managers maintain a strong balance sheet because they know that surprises will happen. With a strong balance sheet, shocks can be more easily absorbed. Borrowing money, protecting key assets and renegotiating better terms are all easier for a company with a solid balance sheet. The insight here is that there are several ways to deal with surprise.

This leads to a second conclusion:

Get Away From Prediction

Academic studies of intelligence often define the practice in narrow terms as the study of the success or failure of warning. Hence the myriad studies of surprise attack over the decades and the many case studies of individual warnings, most of which conclude that warning is unlikely to be accurate. But this insight is well known. It is difficult to understand why after so many decades of research it is still seen as a major achievement.

There's another problem with this kind of research. It places failure at the center of analysis. Academic studies of intelligence in this vein have tended to become exercises in sophisticated cynicism. Warning is hard, certainly. But placing failure and cynicism at the center of analysis is highly destructive to energy and morale. It directs attention to only one way of managing surprise -- warning -- thereby overlooking many others.

Six Ways To Manage Risk

If warning has so many problems, then what else is there? The key is to understand that there are only a small number of ways to deal with uncertainty. The six general approaches to risk management are:

1. Isolating Critical Assets from Uncertainty

Roberta Wohlstetter's classic account of Pearl Harbor was not used as a case study of how to get better warning, as is commonly believed. Quite the opposite, in fact. The book was less about Japanese aircraft carriers sneaking across the Pacific than it was about a Russian surprise attack. Wohlstetter's conclusion was that because warning was unreliable, critical assets like the nuclear deterrent should be built to be survivable without it -- an insight that supported efforts on both sides of the Cold War to build up massive nuclear arsenals.

There are many other examples of isolating critical assets. Command-and-control aircraft are often kept back from the battlespace to protect them. Backup intelligence facilities lessen the chance that a single attack can knock out an entire system. Nevertheless, isolating critical resources from uncertainty is usually quite expensive. For example, hardening of shopping centers against terrorist attack is unlikely to ever make sense, given the costs of protecting open facilities.

2. Smoothing

This involves turning a big problem into smaller, more manageable chunks. Examples include the Europe-first strategy in World War II and the debates about attacking Afghanistan and Iraq simultaneously or in sequence after 9/11. Smoothing is important because many intelligence sensors and collection systems are limited in their processing capacity. Sizing system capacity is an important investment decision. If crises and events can be smoothed, then it's possible to get away with less processing power. If they cannot, then more processing capacity is required.

3. Warning

Viewed in terms of risk management, warning is an effort to predict conditions so that tailored responses can be used. When warning is unlikely to be helpful, marginal investments should be placed in other ways to manage risk.

4. Agility

Companies in fields as diverse as consumer products and cement have found that predicting demand (i.e., good warning) is exceedingly difficult. Consequently, they have invested in agile logistical systems rather than new warning systems. Adaptive logistics allows them to quickly switch products to meet uncertain demand.

There are many intelligence and military parallels. The shift to small satellites and UAVs means that systems can launch much more quickly than giant satellites requiring years of development. The design of modular IT interfaces, while costly, can greatly improve agility.

5. Alliances

Alliances spread risk across several actors and bring more resources to bear in limiting the consequences of a problem. Outsourcing is one example. Building a strong base of suppliers to the intelligence community lowers the risk that in-house approaches might miss an important technological development. Information-sharing alliances, agreements between component commands and intelligence agencies, and new technologies like cloud computing (which allows rapid expansion of computing architecture) all have important risk management aspects.

6. Environment Shaping

Managing the environment to make it less dangerous, or less unstable, is the final way to manage risk. Soft power, diplomacy and all the rest are built on the idea of making the environment less dangerous.

In some instances the goal may be to make the enemy's environment unstable. This will often directly involve intelligence. Cyber attacks and financial warfare are two of many possible examples. At least some parts of the intelligence community have moved from a supporting role to a lead operational one in this regard. Risk assessments are especially important here.

This six-part framework for risk management underscores that there are two broad approaches to conceptualizing risk management. One is tactical, involving things like models and mathematical methods that have a well-grounded academic disciplinary foundation. The other is a strategic management approach. Here, risk management is conceived as developing practical steps intelligence managers can use to transform their organizations into risk-centric institutions. This requires productive conversations about risk within -- as well as outside -- the intelligence community.

Paul Bracken is Professor of Management and Professor of Political Science at Yale University.

SARMA thanks the Foreign Policy Research Institute for permission to reprint this article. Part II will run in the March issue of The Risk Communicator.

Key Reports

Government Accountability Office High Risk Series: An Update

In this January 2009 update of its ongoing review of high risk areas in the federal government, GAO ranks DHS second among those agencies with the most significant challenges. Among other criticisms, GAO notes that risk management initiatives "lack details for the transformation of DHS and integration of its management functions."


The Challenge of Domestic Intelligence in a Free Society: A Multidisciplinary Look at the Creation of a U.S. Domestic Counterterrorism Intelligence Agency

This 2009 RAND study examines the benefits, effectiveness and potential trade-offs involved in creating a domestic counterterrorism intelligence agency. In the end, the authors suggest "caution and deliberation."


Planning Guidance for Response to a Nuclear Detonation

The Homeland Security Council Interagency Policy Coordination Subcommittee for Preparedness & Response to Radiological and Nuclear Threats offers specific response recommendations in cases of urban nuclear attack. Topics in this 2009 report include emergency response, shelter and population monitoring/decontamination.
