THE RISK COMMUNICATOR

The Monthly Newsletter of the
Security Analysis and Risk Management Association

April 2009

In This Issue
News: Peter Verga to Deliver SARMA Keynote, GAO Dings TSA, and more...
Parker: A New Paradigm for Organizational Resilience
Key Reports: Canada and the U.K. Report on Counter-terrorism Efforts

Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Copyright 2009 SARMA. All Rights Reserved.

The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner

Dear Fellow SARMA Members,

Welcome to the April issue of The Risk Communicator! As always, our goal is to keep you abreast of the latest developments within SARMA and across our profession. Among other things, the April Risk Communicator includes a fascinating article by one of our Australian colleagues, Rita Parker, about organizational resiliency, as well as a news item about risk management problems at the Transportation Security Administration. I am also pleased to announce several new developments in our efforts to provide new and better opportunities for our members to interact with each other, as well as other elements of the security analysis and risk management community.

First, I would like to introduce Ryan Owens to you as the new lead for managing SARMA's LinkedIn page. This site, which grew from only a few users to more than 150 within months of its inception, provides an important means of fostering dialogue about topics of interest within the security analysis and risk management community, and promoting greater connectivity among practitioners of all ages. Ryan and I served together at the Department of Homeland Security when this type of resource could have provided a critical linkage between the department and its state, local and private-sector stakeholders had it existed. In the years since, Ryan has gone on to pioneer a similar site for the U.S. Coast Guard, and I know that his experience, creativity and energy will also help to further develop and enhance our SARMA LinkedIn site. Please join me in welcoming Ryan and thanking him for taking on this challenge!

In addition, as many of you know, one of our major objectives for this year was to increase our interactions with the broader risk management community, both here in the United States and abroad. We started down this path last year by implementing a formal memorandum of agreement affiliating SARMA with the Risk Management Institution of Australasia Limited (RMIA). Such relationships not only provide SARMA members with access to a wider array of projects, conferences, meetings and publications, but also help to bring additional expertise and balance to our own projects and initiatives. Now, as we move into the spring of 2009, several new partnerships are emerging:
  • SARMA recently helped to sponsor the Risk Analysis of Complex Systems for National Security Applications Conference hosted by Los Alamos National Laboratory in Santa Fe, New Mexico from 7-9 April 2009. This event drew more than 140 security risk practitioners from across the nation, and provided SARMA with an important opportunity to educate other members of the security analysis and risk management community about SARMA's mission, vision and strategic priorities. SARMA was ably represented at this event by our treasurer-elect, Dr. David Weinberg, and we are looking forward to making this conference a regular part of our event calendar in the years to come.
  • Likewise, SARMA will co-host a reception at the upcoming National OPSEC Conference and Exhibition, 11-15 May 2009 in San Antonio, Texas. Among others, our board chairman, Phil Lacombe, will attend, and I encourage any of our members who live in the San Antonio area or who also participate in either the OPSEC Professionals Society or Operations Security Professional's Association to attend. Additional information on this event, part of a growing series of interactions with the OPSEC community, is provided in a separate article later in this issue of The Risk Communicator.
  • Finally, SARMA is currently working to develop a session on security risk management for the upcoming ASIS International conference to be held in Anaheim, California from 21-24 September 2009. This effort, led by our executive vice president, John Paczkowski, is also part of a broader effort to seek points of alignment with one of the largest security-focused professional associations in the world. Stay tuned!
Of course, preparations also continue for SARMA's own Third Annual Conference on Security Analysis and Risk Management, to be held 16-18 June 2009, in Arlington, Virginia.

Our event planners, led by vice president for operations John Boatman and conference committee chair Chris Miller, are again doing yeoman's work managing all of the competing demands of pulling together a major event. Thanks to their hard work, registration is now open, and I encourage each of you to take advantage of the early bird rates in effect through 1 May 2009. Opportunities for corporate sponsorship, including display space, are also still available -- please see our Sponsor/Exhibitor Prospectus on the SARMA web site to learn more!

This is an exciting time to be part of SARMA. I hope that you enjoy this issue of The Risk Communicator and take advantage of some of these excellent opportunities to connect, collaborate and communicate with each other!

Best regards,

Kerry

Kerry L. Thomas
President
Security Analysis and Risk Management Association
News
Peter Verga to Deliver Keynote at SARMA Conference

Peter F. Verga, principal deputy under secretary of defense for policy, has agreed to serve as the keynote speaker at SARMA's Third Annual Conference on Security Analysis and Risk Management, to be held 16-18 June 2009 in Arlington, Virginia.

Mr. Verga advises the secretary of defense, deputy secretary of defense and the under secretary of defense for policy on national security policy, military strategy and defense policy, and concurrently serves as principal deputy assistant secretary of defense for homeland defense and Americas' security affairs. A retired U.S. Army officer, he previously served in the Office of Emergency Operations at the White House Military Office.

In addition to Mr. Verga, expert speakers representing a broad array of organizations, applications and interests will be presenting this year. They include:
  • Tina Gabbrielli, Director of the DHS Office of Risk Management and Analysis.
  • Roger Cressey, President of the Good Harbor Consulting Group, and the former Director of Transnational Threats for the National Security Council. 
  • Paul Bracken, Professor of Management and Political Science at Yale University.
The conference will also include a series of breakout sessions on the latest trends and techniques in risk management and security analysis. They include:
  • Establishing Principles for Evaluating Measures Designed to Protect the Homeland, led by John Mueller, Professor of Political Science at Ohio State University.
  • The Assumptions That Ate Wall Street: When Normal Conditions Weren't and the Unthinkable Happened, led by Irving Lachow, Senior Research Professor at the National Defense University's Information Resources Management College.
  • Protecting US Sport Facilities in a Post 9/11 Era, led by Dr. Walter Cooper and a group of researchers from the University of Southern Mississippi's Center for Spectator Sports Security Management.
The event will also feature extensive exhibits, meals, receptions and other networking opportunities. To get more information about the conference, including sponsorship details and a list of speakers, please visit the event website.
SARMA, OPS and OSPA to Co-Host Reception at 2009 National OPSEC Conference

Marking yet another step in a growing partnership, the Security Analysis and Risk Management Association (SARMA), OPSEC Professionals Society (OPS) and Operations Security Professional's Association (OSPA) will co-host a joint reception at the upcoming National OPSEC Conference in San Antonio, Texas.

The reception, which will be held on the evening of Tuesday, 12 May 2009, is open to all conference attendees free of charge. The event will be attended by leaders from all three organizations, including SARMA Board Chair Phil Lacombe, OPS President Daryl Haegley and OSPA President Christopher Cox. There will also be complimentary appetizers and a cash bar.  

"This is an exciting opportunity to continue our efforts to build bridges between the various elements of the security risk management community," said SARMA President Kerry Thomas. "Such events allow us to develop the types of partnerships necessary to grow and mature the profession, and we are delighted to join with OPS and OSPA in hosting this reception."

"Each organization serves as a means of educating and resourcing OPSEC and risk management practitioners," said Daryl Haegley, president of the OPSEC Professionals Society. "A combined reception enables immediate networking and future collaboration, resulting in an expanded body of knowledge and united forces best prepared toward maintaining a strong national defense."

"OSPA, OPS and SARMA are three world-class organizations with the same goal: to see security implemented in all walks of life, from the soldier in the trenches, to the teacher in the classroom, to the police officer on the beat," said OSPA President Chris Cox. "I'm pleased to see these resources being pooled for such a greater good, and look forward to seeing what we can do when we work together."
GAO: TSA Falling Behind on Risk Management

The Transportation Security Administration has failed to properly employ risk management techniques, leading to uncertainty about whether TSA is prioritizing spending properly, the Government Accountability Office said this month.

"Although TSA has completed a variety of threat assessments and is in the process of developing several threat scenarios with likelihood estimates," the GAO reported, "its key annual threat assessments do not include information about the likelihood of a terrorist attack method on a particular asset, system or network, as required by the NIPP," or National Infrastructure Protection Plan.

More specifically, TSA has so far been unable to say how it conducts vulnerability assessments for the commercial trucking and bus industries, as mandated by HSPD-17, nor has it taken up assessments of how a terrorist attack that employed transportation assets such as tanker trucks would cascade throughout the rest of the country. In addition, GAO, which conducts oversight reports on government operations, said that TSA had neglected its responsibilities under the 9/11 Commission Act to issue a report on commercial trucking security.

"As a result of limitations with its threat, vulnerability, and consequence assessments, TSA cannot be sure that its approach for securing the commercial vehicle sector addresses the highest priority security needs," the report warned.

Although GAO noted that TSA has made some positive efforts in reaching out to federal, state and industry stakeholders, including coordination with the Department of Transportation to avoid duplication of effort, interviews with state and industry officials suggested that TSA "had not clearly defined stakeholder roles and responsibilities consistent with leading practices for collaborating agencies."

GAO also offered a number of recommendations for improvement:
  • Establish a plan and a time frame for completing risk assessments of the commercial vehicle sector, and use this information to support future updates to the Transportation Sector Strategic Plan.
  • In future updates to the Highway Infrastructure and Motor Carrier Annex to the Transportation Sector Security Plan, clarify the basis for the agency's security strategy of focusing on the transportation of hazardous materials, the relative risk of vehicle-borne improvised explosive devices to the sector, and, based on the relative risk of these threats, any risk mitigation activities to be implemented to address them.
  • Develop outcome-based performance measures, to the extent possible, to assess the effectiveness of federal programs to enhance the security of the commercial vehicle sector.
  • Establish a process to strengthen coordination with the commercial vehicle industry, including ensuring that the roles and responsibilities of industry and government are fully defined and clearly communicated.
Commentary

Anticipate and Adapt - A New Paradigm for Organizational Resilience
by Rita Parker

Organizational resilience is a holistic management system process that recognizes and benefits from the inter-relationship of different business practices and work units within an organization. The complex global environment in which organizations operate today requires new thinking about how they operate now, so they can function effectively in the future.

Increasingly organizations are realizing that, to be effective, they must shift from the old paradigm of experience and reaction to a new paradigm of anticipation and adaptation. Resilience can no longer be understood as simply a matter of bouncing back to where an organization was at the time of a disaster or catastrophic event. Indeed, by definition that was when the organization was vulnerable.


Current business tools: Essential but not enough


Conventional business tools such as risk management, security, governance and business continuity have traditionally formed the principal underpinnings of corporate resilience. But there is a growing view that traditional models fail to account for interdependencies across vertical and horizontal operations. Many business practices are based on a "tick-the-box" checklist method. These practices, and the management and implementation of them, often exist independently of each other; they are in effect organizational silos.

In today's operational environment, effective organizations are more than the sum of their separate components and must operate in an integrated holistic way focused on systemic resilience. Front line managers, recovery managers, business continuity managers, security managers and risk managers all need to be aware and to understand what the others are doing. They need to work together and align their strategies to achieve common corporate goals.

The limits of scenario-based plans

Conventional business practices are based on plans developed around predictable circumstances and scenarios. Organizations create plans to prepare for the inevitable, to pre-empt the undesirable and to control the controllable. While this may sound rational, it has its limitations because the plans are based on what-if threat-based scenarios. 

Scenario-based plans are useful, but relying on them exclusively can stifle and limit the capacity of an organization to achieve a mature level of resilience -- especially if the plans are out of date or have not been tested independently. Too often organizations rely on prescriptive plans and procedures that quickly become dated and useless.

Organizational resilience maturity

Organizations need to have a clear understanding of their own levels of resilience maturity before they put in place strategies to effect change. 

Resilient organizations display a number of distinctive attributes, which can be grouped under five broad headings: values and culture; business planning and strategies; stakeholder partnerships; capability strengths and vulnerabilities; and adaptive capacity.

Each of the attributes has a number of characteristics that relate to the extent of alertness, flexibility, adaptability, situational awareness, anticipation, vulnerability, interdependency, communications and capability capacity within the organization. The extent to which these attributes and characteristics are present can be addressed with a model of resilience maturity.

There are five levels of organizational resilience in my Maturity Model where each one builds on the other to create an organization with a mature level of both offensive and defensive resilience.  

Defensive resilience is developed alongside scenario-based threat models to test organizational plans to determine if they are workable, relevant and timely. Offensive strategic resilience is developed through a capability-based adaptive and anticipatory approach. It requires a holistic approach and the breakdown of silos, and it builds on existing activities. This may require a significant cultural shift within an organization that has developed independent rather than integrated work units.

Within the Maturity Model, organizations are graded based on their success in achieving resilience. Level One demonstrates a very low level of resilience where an organization may have some business plans but little or no confidence in whether they are workable, timely or reliable. Level One therefore has a low level of defensive resilience. Level Two of the Maturity Model shows an evolving level of defensive resilience capability with possibly some scenario-based assessment or testing of existing plans. 

The third level of organizational resilience reflects a maturity level of defensive resilience and a low level of offensive resilience. An organization achieving Level Four has started to view its activities from a holistic perspective and would demonstrate a mature level of defensive resilience and an evolving offensive resilience capability. The highest level, Five, is a mature resilient organization which combines defensive and offensive capabilities.

The Maturity Model is accompanied by a Maturity Matrix that makes use of the five broad categories of attributes and associated characteristics set out earlier to analyze and assess an organization, and to provide a true picture of its level of resilience maturity.

Offensive strategic resilience capability is essential to maintaining reputation, customers, suppliers and market share. It is achieved by adopting a capability-based anticipatory and adaptive approach.  Traditional business tools are important but they are not enough in these turbulent times. It is only by developing both defensive and offensive elements that an organization can face the future with confidence and a mature level of resilience.

Rita Parker is an Australian strategist with a well-established background in national security. She has worked in several Australian government agencies in executive management roles providing high-level policy advice on, and management of, security issues including counter terrorism. In association with other professionals, she advises government and the private sector on developing their corporate resilience. In addition to her consultancy and advisory work, Rita presents courses at the Australian Defence Force Academy for the University of New South Wales including one on organizational resilience.

Rita will be a speaker at the forthcoming SARMA Conference at George Mason University, and at the European Security Conference in Montreux, Switzerland.
Key Reports
'Connecting the Dots' and the Canadian Counter-Terrorism Effort: Steady Progress or Technical, Bureaucratic, Legal and Political Failure?

In this March 2009 report by the Canadian Defence & Foreign Affairs Institute, analysts find that Canada has failed to develop a "cohesive federal response" to terrorism. They single out poor intelligence sharing and coordination for much of the blame.

Get the report

The Homeland Security Council: Considerations for the Future

The Homeland Security Policy Institute at George Washington University lays out the competing arguments for and against merging the Homeland Security Council into the National Security Council.

Get the report

The U.K.'s Strategy for Countering International Terrorism

This March 2009 report from the United Kingdom for the first time presents that country's "revised" counter-terrorism strategy, known as CONTEST, in detail. The report includes extensive background material on the evolution of British strategy, the nation's current national security structure, and what assumptions policymakers there make about the future.

Get the report