March 2009
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2009 SARMA All Rights Reserved
The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner
Fellow SARMA Members,
Believe it or not, I saw my first cherry blossom this past week -- at least in Washington a sure sign that we are close to shaking off the last vestiges of winter and welcoming the renewal that is springtime. In that spirit, we have another great issue of The Risk Communicator in store for you this month, including analysis of a recently completed survey of security risk professionals, coverage of the new CAPTA All Hazards Guide For Transportation Agencies and a continued discussion of the utility of risk management for intelligence officials. I would also like to take this opportunity to make several important announcements.
First, as I wrote in our last issue, the association had an urgent need to identify a successor to our long-serving treasurer, Dr. David Brown. I very much appreciate the nominations we received, and I am pleased to announce that, after a spirited discussion, the SARMA board of directors has elected Dr. David Weinberg to serve in this capacity. Dr. Weinberg is the Founder and Principal of Practical Risk, LLC, a terrorism risk analysis consulting firm based in New Mexico.
Prior to founding Practical Risk, Dr. Weinberg served on the staff of the Idaho National Laboratory, where he was detailed to the National Infrastructure Protection Center and then to the Department of Homeland Security. As a part of that detail, Dave served as the senior technical advisor to the director of the Risk Management and Analysis Division, where he headed the department's development team for building a capability to quantitatively prioritize geographic areas and infrastructure to receive federal funds based on risk of terrorism. Dave served in that capacity from the stand-up of DHS in March 2003 until his retirement in April 2007. He will assume his new responsibilities by April 30. Please join me in congratulating Dave!
In conjunction with an ongoing effort to update the association's bylaws, I am equally pleased to announce that the SARMA board of directors has elected Phil Lacombe to serve as its chairman. Phil joined the SARMA board last year, and has served in a variety of senior positions in industry, government and the military.
Of special note, Phil served as director of the President's Commission on Critical Infrastructure Protection (PCCIP), a position he held from September 1996 to February 1998. The PCCIP was charged by the president with determining whether the nation's critical infrastructure was at risk from physical or cyber attack and with developing a protective strategy. The commission's recommendations were codified and implemented through a series of presidential decision directives (PDDs), including PDD 63, which called for the creation of information sharing and analysis centers (ISACs) in each critical infrastructure sector to facilitate sharing of threat, vulnerability and incident information among private and public sector members. Please also join me in congratulating Phil!
Lastly, I am also pleased to announce that the SARMA board has approved a new committee structure designed to support the association's projects and business. This is a major milestone in evolving SARMA into a more robust, mature and sustainable organization. The new committee structure, which is detailed in a subsequent article, represents a unique opportunity for all of our members to become directly involved in advancing both our association and the state of the art in security analysis and risk management. I would encourage each of you to read more about this and think about ways you could lend your time and talents.
Thanks... and enjoy this issue of The Risk Communicator!
All the best,
-Kerry
Kerry L. Thomas
President
Security Analysis and Risk Management Association
News
The SARMA Survey Says...
The typical risk professional is male, over 35, has a master's degree, a Top Secret security clearance and makes between $100,000 and $150,000 per year, according to a survey taken this month by SARMA. In spite of the economic downturn, most feel confident in their job security but are concerned about future earnings and believe that "improving strategic thinking and direction" is the most critical challenge facing the profession.
Nearly 250 risk management professionals took part in the 37-question survey, the first known attempt to create a benchmark profile of those working in this emerging profession.
"The results of our survey show that the risk management profession that exists is in good shape and is an attractive career choice for those with a background in the military, security and intelligence disciplines," said Ed Jopeck, SARMA's immediate past president, who organized the project. "Practitioners show an impressive level of education, knowledge and experience, as well as a healthy confidence about their chosen field. However, the formal training and education necessary to prepare the next generation of risk professionals remains insufficient to meet the needs of ensuring the nation's security in the future."
According to the survey:
- Twenty percent of respondents have a military background. Nine percent worked in intelligence before coming to the risk management field, and an additional nine percent come from the security industry.
- While the typical risk management professional earns from $100,000 to $150,000, a small number (2.7 percent) make more than $250,000 a year. Sixteen percent make between $150,000 and $250,000.
- More than half hold a professional certification. The most common certifications held are OPSEC Certified Professional (OCP), Certified Protection Professional (CPP) and Project Management Professional (PMP).
- Asked how they learned their job skills, 43 percent cited on-the-job training. Only 12 percent cited classroom instruction.
SARMA is grateful to the survey participants for being willing to share their thoughts with their colleagues. For those wishing to know more, association officers will present the survey results in full at the Third Annual Conference on Security Analysis and Risk Management this coming June.
SARMA Announces New Committee Structure
After much deliberation, the SARMA Board of Directors recently approved a new committee structure for the association that will help evolve SARMA into a more robust, mature and sustainable organization. At its heart, the new structure represents an approach that is specifically focused on the current needs of the profession and the business of running a successful association. In this, we are fortunate that a number of individuals have stepped forward to chair these new committees. To be fully successful, however, this new structure requires active participation by a broad cross section of our members. The mission of each new committee, along with contact information for the committee chairmen, is available at the SARMA website. Please take a moment to consider how you can contribute.
Markle Foundation: US Continues to Struggle With Information Sharing
Despite billions of dollars in spending since 9/11, the United States still faces considerable challenges in sharing information between federal, state and local agencies, according to a report released this month from the Markle Foundation. At the same time, civil liberties are at risk because government agencies don't have the government-wide policies in place to protect citizens' privacy rights as intelligence collection has expanded. The findings are the work of the Markle Foundation Task Force on National Security in the Information Age, a bipartisan group of former policy makers and technology and national security experts. The report urges the Obama administration to take swift action to ensure that policy makers have the best information available to confront national security and other challenges.
"For all the nation has invested in national security since 9/11, we remain vulnerable to terrorist attack and emerging national security threats because we have not adequately improved our ability to connect the dots between intelligence gathering and threat protection," said Markle Task Force co-chair Zoe Baird. "We still don't know what we know about these threats."
Key recommendations of the report include making information sharing a top presidential priority, the development of government-wide privacy policies and increased discoverability of information by security officials up and down the federal structure.
The latter is perhaps the most important, according to the Markle Foundation. To enhance discoverability, the report recommends that departments and agencies be required to:
- Tag their data at the point of collection.
- Contribute key categories of data (e.g., names, addresses, passport numbers, etc.) to data indices.
- Follow through on implementing widely available means to search data indices.
To help encourage implementation, the report also suggests some employee incentives. In addition to integrating information sharing skills in performance and budget reviews, the report suggests that an "information sharing award" be created for the agency or unit that has been most successful at making its data discoverable. According to the report, "This award would highlight the overall value of information sharing to national security, and help facilitate the necessary culture shift."
Transportation Research Board Releases New Resource Allocation Program
There is no need for states to assess the likelihood of a terrorist threat in making transportation security resource allocation decisions, according to a new report and allocation guide from the Transportation Research Board (TRB). According to the group's National Cooperative Highway Research Program, instead of relying on subjective judgments, state budget officers should use a consequence-based approach that focuses not on how a disaster occurred but instead identifies those risks that, if they were to occur, would require the allocation of additional resources.
This method, a Microsoft Excel-based program called Costing Asset Protection: An All Hazards Guide for Transportation Agencies (CAPTA), is intended to bring greater objectivity to the resource allocation process by using asset attributes to the greatest extent possible, thus avoiding heavy reliance on subjective judgments. Objectivity in turn empowers decision makers both to achieve budgetary consensus and make a more defensible case before legislative bodies that make budgetary decisions.
According to Michael Smith, an engineering professor at the University of Virginia and the lead researcher on the project, resource allocation programs to date have been both unwieldy and unreliable because they have tended to focus on select asset classes, and because they force state budget officers to act as terrorism experts and characterize threats according to likelihood. In contrast, CAPTA is intended to be "transparent, objective and accessible," and it can be used by employees without any training in modeling or statistics.
"We took risk management out of it entirely," says Smith. "There's so much uncertainty about measuring likelihood, especially as the likelihood of an event may change in response" to any security measure imposed. "Even good plans can just shift the risk elsewhere, and then you again don't know the likelihood."
Instead, the CAPTA process begins by asking state security planners to identify their worst-case scenarios, with the primary judgment required being the threshold at which an adverse consequence would merit the allocation of additional resources. Yet even here the program lends a hand by identifying potential consequences in four distinct areas: potentially exposed population, property loss, mission disruption and social/cultural disruption.
Having fully fleshed out the potential threat scenarios, subsequent analysis is completed iteratively by identifying both the assets where losses would exceed the consequence threshold as well as the countermeasures that could avoid or reduce the consequences. Again, the user is prompted to select from a group of potential countermeasures selected by the program to be most likely effective and organized by cost and budget implications. The user can then move back and forth, adjusting the thresholds and potential countermeasures until achieving a satisfactory security response.
Now that the CAPTA program has been published, says Smith, the key objective is getting it "endorsed and accepted" by state and local agencies. Trial runs in 2007 and 2008 with state officials in Massachusetts, Maryland and Virginia "confirmed the usefulness" of the tool, and Smith is optimistic about its future prospects. After all, he points out, TRB has already done most of the heavy lifting. CAPTA is free to use, and in these days of state budget shortfalls, that may be the best selling point of all.
Speakers and Volunteers Needed for June SARMA Conference
The 3rd Annual Conference on Security Analysis and Risk Management is just around the corner, and SARMA is counting on your participation to make it the most successful gathering to date. Whether it's as a speaker presenting your latest research findings, an organizer helping us design the program, a sponsor or a vendor, you can play an important role in promoting SARMA and the risk management and security analysis professions.
Scheduled to take place from 16-18 June 2009 at George Mason University's Arlington, Virginia campus, the conference is the only national event organized by security risk analysts and managers for their peers in government, industry and academia. Last year, more than 200 individuals from around the world attended, including 50 speakers as well as representatives from all levels of government and from various national and international agencies.
If you'd like to participate, please contact the SARMA Conference Committee for additional information. Details for prospective speakers can be found here.
[Photo: SARMA representative Andrew Hartle at the 2008 conference.]
Commentary
Serving America's Disaster Victims: Where Does FEMA Fit? by Frank J. Cilluffo, Daniel J. Kaniewski, Jan P. Lane, Gregg C. Lord and Laura P. Keith
As the debate regarding the bureaucratic placement of the Federal Emergency Management Agency (FEMA) within the executive branch intensifies, we implore pundits and policymakers alike to pause and consider more broadly the implications of any reshuffling. Serving America's disaster victims must be the primary focus of any discussion regarding FEMA. It is our view that in considering the options, form should follow function, not vice versa. FEMA has been put to the test since the failed response to Hurricane Katrina in 2005. In 2008 alone, the agency faced numerous natural disasters across the country, including very active hurricane and tornado seasons, intense wildfires and widespread flooding. In fact the 2008 hurricane season broke two records: it was the first time that six consecutive tropical cyclones made landfall on the U.S. mainland and the first to have a major hurricane (Category 3 or higher) form in five consecutive months. Unlike the response to Hurricane Katrina, federal, state and local officials were prepared, garnering resources well ahead of the storm and executing timely and effective evacuations. In the aftermath of the storms there were more stories of triumph than tragedy: largely successful responses at all levels of government.
The triumph is not just in lives saved because of evacuations and other measures, but also in the ability of the national system -- including the convergence of local, state and federal efforts -- to support response and recovery to the benefit of America's communities.
[Photo of Mobile, Alabama during Hurricane Katrina by Au_Tiger01, via Flickr, used courtesy of a Creative Commons license.]
The government's improved response to natural disasters is more than a feel-good story. As America's homeland and national security policy is guided by a new presidential administration, it is an important reminder for policymakers to first assess how new or existing policies benefit the citizen. The bottom line is this: will these new policies increase our level of readiness for natural or manmade disasters? If this question cannot be answered in the affirmative, the new administration should reflect and reassess, rather than rush to implement change.
The debate over FEMA's placement within the executive branch is a well-worn one. In 2002, during the debate over the legislation creating DHS, it became a polarizing issue. The debate again surfaced in 2006 as Congress considered, and ultimately passed, FEMA reform legislation. So it is not surprising that once again policymakers and pundits alike are calling for various proposals to keep FEMA in DHS or move it out.
At issue is whether FEMA should be an independent agency as it once was, or stay within DHS. The debate is framed in terms of access to the president and strength of the organization. While FEMA's place on an organizational chart is an important issue, a larger, fundamental discussion must take place about the respective missions of FEMA and DHS -- and their subsequent convergence or divergence -- and how these affect our readiness as a nation to prepare for, respond to and recover from disasters. In other words, policymakers should follow the principle that the organization -- or form -- of FEMA should follow its function.
The mission of FEMA is "to reduce the loss of life and property and protect the nation from all hazards, including natural disasters, acts of terrorism and other man-made disasters, by leading and supporting the nation in a risk-based, comprehensive emergency management system of preparedness, protection, response, recovery and mitigation." FEMA itself is more of a facilitator and coordinator of federal support to state and local officials, rather than a massive federal department with organic response assets. It relies heavily on other federal departments and agencies, contractors and state and local assets to perform its coordination mission.
Consistent with this coordination mission, FEMA led the effort to revise the 2005 National Response Plan (NRP) and replace it with the National Response Framework (NRF), a guide for how the nation "conducts all-hazards response -- from the smallest incident to the largest catastrophe." More than just a simple name change, the NRF establishes a revised "response doctrine" and calls for "engaged partnerships" amongst all levels of government, non-governmental organizations and the private sector. The NRF is an example of FEMA's capacity to serve as a facilitator at the national level, while simultaneously empowering local, state and federal authorities to respond quickly and efficiently during crises.
Finally, despite the organizational changes over the years, leadership seems to have been a significant contributing factor for FEMA's successes or failures. FEMA leaders such as James Lee Witt have been lauded for their leadership of the agency. Director Witt inherited the beleaguered agency in 1993 following a widely criticized response to Hurricane Andrew the year before. Infamously, FEMA Director Michael Brown failed to respond effectively to Hurricane Katrina. Most point to Brown as the culprit for the failings, but some feel FEMA's placement in DHS contributed as well. However, Brown's successor David Paulison reinvigorated FEMA's role and capabilities by making dramatic changes inside the organization as well as building bridges within DHS, the executive branch and with state and local officials. The results were clear: much improved federal responses to the many natural disasters that occurred under Paulison's leadership.
Looking Ahead: A New and Improved FEMA?
Whether FEMA stays in DHS or becomes independent, policymakers should clearly articulate FEMA's role. For example, FEMA is currently configured as a support and coordination entity for state and local governments, but the public often believes that the organization alone is capable of providing substantial "boots on the ground." Policymakers must either confront the reality that FEMA is a disaster coordinator and appropriately manage the public's expectations, or invest substantial resources to provide significant capabilities to FEMA. Such a discussion could take place during the upcoming Quadrennial Homeland Security Review.
If policymakers decide FEMA should remain within DHS, DHS leadership must be able to demonstrate that FEMA will remain a priority for the department and not succumb to bureaucratic atrophy. And if the decision is to make FEMA an independent agency, great care must be taken to divide roles and responsibilities between and among DHS and FEMA, while ensuring that operational readiness is not compromised.
Disasters don't halt for bureaucratic reshuffling. As in the past, the problem is not one of organizational design -- the requisite policy and law exists. The challenge is one of management and leadership. The future leadership of FEMA must understand that they are part of an all hazards preparedness team -- that response and recovery complement preparedness and protection. For FEMA to succeed within or outside of DHS, the mission must be clear, and leadership at all levels must embrace it.
Frank J. Cilluffo is the director of the George Washington University Homeland Security Policy Institute (HSPI). Daniel J. Kaniewski is Counselor with HSPI. Jan P. Lane is the Deputy Director of HSPI. Gregg C. Lord is the Associate Director of the National EMS Preparedness Initiative. Laura P. Keith is a Policy Analyst at HSPI.
SARMA thanks HSPI for its permission to reprint this article, which was originally published as an Issue Brief.
Research and Analysis
Risk Management for Intelligence Professionals (Part II) by Paul Bracken
[Editor's Note: In Part I of his essay, published in the February edition of The Risk Communicator, Professor Bracken introduced his argument that intelligence officials implement a "strategic management approach" to risk by developing practical steps managers can use to transform their organizations into more risk-centric entities. This, he argues, requires productive conversations about risk both inside the intelligence community and outside of it.
Professor Bracken's essay builds on Managing Strategic Surprise, Lessons from Risk Management and Risk Assessment (Cambridge University Press, 2008), a book he co-edited with Ian Bremmer and David Gordon. The project's aim was to see how risk specialists structured their problems and what the implications were for bringing risk management into intelligence and security affairs.]
The days of Sherman Kent, when the relationship between intelligence and the operational decision maker was one of arm's-length contact, are long gone. The challenge today is to integrate organizational behavior in the face of centrifugal bureaucratic tendencies. Risk management should be one of these integrating frameworks.
You Don't Need Data To Think About Risk
This will sound like heresy to those who conceive of risk management narrowly as a set of tools and models. But getting better concepts and vocabulary in place has a more important impact. As an example, many of the case studies in our project found that instead of talking about what's likely to happen, attention ought to be given to the variance of what could happen.
The concept of variance is important. Alan Greenspan, who has experience in everything from economic policy to crisis management, calls for thinking about policy based on a range of possible outcomes. The distinction between likely outcomes and the variance of outcomes is a perfect example of changing concepts as a way to institute better risk management.
The Problem With Folk Wisdom
Risk management is always done. It just isn't done in a systematic way. In a global company, or within the intelligence community, there may be tremendous variation in the ways risks are monitored, assessed and managed across different departments. If the work of the organization is loosely coupled, if one part doesn't affect the other, this may be acceptable.
But the trend in intelligence is for tighter coupling. This presents big problems if risk assessment is conducted differently by the relevant divisions. In our project, Uzi Arad, former Director of Intelligence for the Israeli Mossad, described his experience in just how enormous the variation can be between military, civilian and intelligence agencies. Words about risk mean different things to different groups. "Folk wisdom" based on long patterns of established thinking can provide the illusion of risk management.
For instance, a very common response when it comes to risk is the statement that "we took a calculated risk." Whenever this phrase came up in our project we had a prepared question. "Can you show us the calculations, please?" In not one single case did anyone do so. In fact, this question irritated several officials.
Another piece of folk wisdom about risk is that "the greatest risk is in not taking any risks." In a certain sense this is true. But this saying legitimizes virtually any action, which is not very helpful in assessing what its associated risks are. The widespread reliance on folk wisdom about risk is often an indication that deeper deliberation is needed.
Recent Intelligence Reforms Move in the Right Direction
The intelligence community has been restructured in recent years, notably with the creation of the office of the Director of National Intelligence (DNI). There have been many criticisms of this, but our project suggests a different conclusion.
DNI's job is horizontal integration of the intelligence community in the broadest sense. Given the huge variance in the way risk management is done across the hundreds of departments that make up the intelligence community, this is an absolute necessity. Richard Posner and others have argued that DNI only adds another decision-making layer -- i.e., that it will gum up an already bureaucratic process. They call for less bureaucracy in intelligence and more streamlining of decisions.
This view shows a lack of understanding of modern organizational behavior. As globalization and new technology made international business more complex, businesses responded by developing integration strategies and departments. The role of integrating departments was twofold: to make sure subdivisions weren't acting in ways blind to significant risks; and to understand and respond in a coherent way to threats in the outside environment. Absent an integrated risk management framework, individual departments would go their own ways, with little regard for the enterprise as a whole. If a shock hit, performance would likely be shockingly inadequate.
Conclusions
Risk management's most important effect hasn't been to "solve" problems. Rather it has been to reconstitute the basic conversations about them. In our discussions with the experts from the different applications of risk management, nearly all of the leaders emphasized that it was these conversations -- the ways problems were discussed and framed -- that were more important than the predictions that came out of formal models.
There is one more point worth emphasizing. It is the need to better understand how risk, and its management, is conceived in other countries and in other societies. In our project we saw this theme in fields as diverse as energy security and nuclear proliferation. A great deal of research shows that risk assessment is hardly an objective science. It is powerfully shaped by cultural, social and institutional forces. This is an area needing more research attention, because it is often the interaction of national (or group) risk assessments that drives outcomes, rather than one of them alone.
Paul Bracken is Professor of Management and Professor of Political Science at Yale University.
SARMA thanks the Foreign Policy Research Institute for permission to reprint this article.
Key Reports
Interaction With State and Local Fusion Centers: Concept of Operations
In this December 2008 report, DHS outlines processes relating to fusion center support including intelligence and operational information flows and interactions, deployment of officers, component integration, and identification of SLFC requirements, technical assistance and training.
National Governors Association 2008 State Homeland Security Directors Survey
This recently released survey provides an overview of the fifth annual NGA survey of 56 state and territorial homeland security directors. In addition to providing details of the state governance structures and homeland security priorities, this report presents an update of the state-federal homeland security partnership and examines states' recent experience with federal grant programs.
DNI: Data Mining Report 2009
In this unclassified report to Congress, the Director of National Intelligence offers a close and technical look at the Video Analysis and Content Extraction (VACE) program. The report also includes updates on expired data mining programs such as Tangram and ProActive Intelligence (PAINT).