November 2009
SARMA Thanks the Gold-Level Sponsor of our 3rd Annual Conference
Visit the PriceWaterhouseCoopers website
SARMA Thanks the Silver-Level Sponsor of our 3rd Annual Conference
Visit the BayFirst website
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2009 SARMA All Rights Reserved
The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner
Dear Fellow SARMA Members,
As a time typically reserved for enjoying family and friends, Thanksgiving is a unique holiday. Personally, I have many wonderful memories of good company, great food and, being a native of Texas, watching what we referred to as the "Dallas game." Win, lose or draw, it was always a good time -- even when we had guests who were rooting for the Cowboys' opponent.
SARMA also represents a family of sorts -- bound together as it is by a shared professional experience. Just as we come together to celebrate and renew our families at Thanksgiving, SARMA needs the support and attention of its "family" to thrive. Although SARMA is slowly growing its professional staff, we remain largely dependent on the volunteer spirit of our members to function -- whether that is developing the profession's common knowledge base, implementing the associated training and certification programs needed to mature the profession, planning the next well-received conference, or serving as a source of unbiased information on security risk management issues for government decision-makers.
There are many benefits to be gained from being a member of the SARMA family and participating in these activities -- both personally and professionally. However, as in real families, with benefits also come responsibilities. While that doesn't quite equate to taking out the trash or doing the dishes, it does mean giving back and, by doing so, bettering the organization as a whole. In that spirit, I would urge each of you, especially our stalwarts, to look for ways you can actively contribute to this shared success.
Our new committee structure is one area that offers a variety of such opportunities. Ranging from the business of running the association to projects that are central to fulfilling SARMA's mission of service, these 16 committees are the backbone and hub of everything we do and everything we hope to achieve. Besides the opportunity to serve on one or more of these committees, four are currently lacking a chairman or chairwoman. These are: Training & Certification; Publications; Conferences & Events; and International Affairs. Ensuring that these critical committees have strong leadership is one of my highest priorities, so if you have an interest in taking on such a role in one of these areas, please contact me at kerry.thomas@sarma.org. You can also visit the SARMA website for more information on our eight Business Committees and eight Project Committees.
As you enjoy this issue of The Risk Communicator, I would also ask that you take a moment to think about what you enjoy in this profession, as well as what frustrates you and what you think is missing or could be better. Then I would ask that you become a part of the solution by sharing your thoughts and ideas, as well as your talents and passion, with SARMA.
Wishing you and your family a safe and enjoyable Thanksgiving... from your SARMA family!
Sincerely,
Kerry
Kerry L. Thomas
President
Security Analysis and Risk Management Association
News
CBP and TSA Under Fire For Failing to Apply Risk Management Principles
The federal government's transportation and border security efforts are being frustrated by a failure to adhere to appropriate risk management practices, according to new reports by two oversight offices.
The Transportation Security Administration's (TSA) airport security technology planning, most recently established in a March 2008 review, "does not incorporate some key risk management principles [including] a risk assessment, cost-benefit analysis, and performance measures," as required by the National Infrastructure Protection Plan (NIPP), the Government Accountability Office (GAO) reported. The NIPP requires risk assessments to be based on threat, vulnerability and consequence assessments.
Between 2002 and 2008, TSA and the Department of Homeland Security (DHS) invested over $795 million in research, development, test and evaluation, procurement and deployment of checkpoint screening technologies. These efforts, which have focused on detecting explosives and creating strong identity validation systems, have been severely criticized in recent years after a number of technological failures. Among these were the explosives trace portals, which TSA noted were deployed in 2006 despite tests that "suggested they did not demonstrate reliable performance in an airport environment," according to GAO.
The transportation agency told GAO that, although it had not yet performed a risk analysis based on threat, vulnerability and consequence, it was currently preparing an analysis of the entire aviation sector, known as the Aviation Domain Risk Assessment (ADRA). That review, however, has been delayed repeatedly, leading GAO to conclude that, "we could not determine when the ADRA will be completed, to what extent it will incorporate all three elements of a risk assessment, and whether it will identify and assess risks to the checkpoint."
Similar problems beset U.S. Customs and Border Protection (CBP), according to a new report by the DHS inspector general's office. Despite efforts to detect the shipment of radiological weapons in cargo containers, the agency "has not conducted a formal risk assessment to determine which pathways, including maritime cargo, pose the highest risk of biological and chemical weapons entering the nation." Although in 2007 the agency identified such a need itself, "it has not taken significant action" but rather relies on "risk assessments prepared by other government agencies," the IG said.
In its recommendations, the IG suggested that CBP move forward on its earlier plans to "conduct or commission a formal risk assessment" of the issue. CBP responded positively to the recommendation, but few details about current and proposed operations are available due to significant redactions in the report.
Legislative Update: Appropriations Bill Requires FEMA Preparedness Task Force
by Kerry Thomas
As reported in the September issue of The Risk Communicator, the Senate included language in its version of the FY 2010 Homeland Security Appropriations bill requiring the Federal Emergency Management Agency (FEMA) to "establish and operate a state, local, and tribal preparedness task force" to look at, among other things, how it measures the impact of the grant programs it oversees. When the bill emerged from conference last month, this provision not only survived, but was strengthened. Of particular note, language included in the conference report states that the task force shall evaluate "the most appropriate way to collectively assess our capabilities and our capability gaps." While it does not specifically mandate the use of enterprise risk management principles as the unifying framework for the analysis, this language certainly leaves open the door to doing so.
Under the terms of the bill, FEMA is now required to report to Congress within 45 days of the date of enactment (October 28, 2009) on its proposed approach for implementing the task force requirement. SARMA will continue to monitor this issue and provide updates as the process evolves.
SARMA Welcomes Caroline Hamilton as New Membership Committee Chair
Most homeland security experts try to stay away from politics. But for Caroline Ramsey Hamilton, SARMA's recently named Membership & Outreach Committee chair, the world of electioneering was where her risk management career began. As a political consultant in California in the 1970s, she relied on a background in statistics to develop a successful forecasting tool that enabled her to identify critical voters -- and the issues that would resonate with them.
It was a former naval officer client who in 1979 suggested that her software program, called RiskWatch, would be a good fit for the defense industry, which was just starting to confront information technology security issues. From there, she spread out to managing physical security and infrastructure projects, as well as expanding her IT business to include HIPAA compliance issues for hospitals.
Ms. Hamilton's approach emphasizes what she calls holistic security. IT security has for too long been considered separately from infrastructure security, she says. When IT issues first arose, companies and agencies developed unique systems to address them, while at the same time physical security regimes developed without any regard for the needs of the IT security team. This original structural decision was a great error, according to Ms. Hamilton. After all, physical security systems now rely heavily on networking, and IT security is always under threat of being physically compromised.
Integrating IT and physical security programs is among her biggest challenges. She is currently focused heavily on assisting hospitals in developing comprehensive security solutions -- a major challenge owing to a confluence of serious health privacy issues and the unique problem of having to care for what are euphemistically called "forensic patients," i.e., injured or sick criminal suspects.
Ms. Hamilton will provide a detailed look at hospital security issues in a future issue of The Risk Communicator. Until then, please join us in welcoming one of our newest additions to the SARMA team!
Analysis
Using Model-Based Risk Assessment for Waterways and Ports
by Dr. Tayfur Altiok
Ports, waterways and coastal areas experience dynamic risks, with surges and severe highs and lows due to maritime traffic and water and weather conditions. Maritime environments can be highly complex, especially in ports with long channels, such as the Delaware River and the Houston Ship Channel in the United States, not to mention international waterways such as the Straits of Istanbul, Malacca and Hormuz. It is critically important to be able to quantify risks in these waterways so that sound risk-mitigation policies can be developed to minimize potential human injuries and damage to infrastructure that can cause disruptions to the global supply chain.
Although risk management professionals have traditionally taken the lead in doing the number crunching typical of the discipline, maritime risk management requires a broad swath of expertise and disciplines. There are simply too many instigators, situational factors and consequence levels -- especially in port/waterway scenarios -- for any one individual to master. In addition to the wide variety of accidental events such as collisions, groundings, allisions, spills and others, instigators such as human error, steering failure, mechanical/electrical failures, and navigational failure present significant challenges as well. All of these in turn can be affected by unique situational factors such as current and tide.
Needless to say, once terrorism-related incidents are added to the list, one ends up with a very large number of potential scenarios. The solution is to develop a simulation model that will identify all of them. A mathematical risk model is used to calculate risks for each scenario as it develops in the simulation model. (We define risk as the expected consequence involving possibilities of incidents along with their consequences.) The parameters of the risk model are obtained using expert opinion and historical data. That is, the risk and simulation models work hand in hand.
Model-based risk assessment methodology allows maritime decision makers to investigate the impact of various risk reduction and operational policies as manifested in the risk profile of ports or waterways. In the case of safety risk assessment, after defining all the potential variables, the next step is to develop a simulation model of the maritime traffic that will capture the vessel entry and navigation procedures through the waterway and generate water and weather conditions that will result in hazardous situations that can potentially cause maritime accidents. A vector of situational variables is used to maintain information on the components of the situations, such as vessel and cargo types, vessel locations, interactions among vessels (opposite direction, same direction, overtaking, etc.), current, visibility, local facilities and infrastructure, and other relevant data. (See Fig. 1, which shows the Delaware River around the Philadelphia area.)

Fig. 1: Simulation model of the vessel traffic in Delaware River near Philadelphia
For risk profile computation, the waterway is divided into several slices depending on the particular geography, infrastructure and navigational difficulties. Slice risks are computed based on potential accidents in each slice, and when put together, produce the requisite risk profile of the waterway, such as the one shown in Fig. 2.

Fig. 2: Profile of the Strait of Istanbul, in which there are 22 slices and the profile is shown over 24 hours.
Notice that the profile presents regional and temporal variations in risk, naturally suggesting a number of operational risk-mitigation policies such as traffic scheduling with respect to type of cargo, escort requirements, vessel separations, overtaking rules and lane closures.
In the case of security risk assessment, after defining all the potential threats and vulnerabilities, the next step is to identify all potential terrorist attacks along with their situational factors and their consequences. Here a simulation model becomes necessary since some of the most worrisome threats involve a high density of people and/or vessels in and around the port or waterway -- for instance, rush-hour land traffic over bridges combined with vessel congestion due to bridge clearance or anchorage queues. The risk model includes a reasonable set of potential terror incidents with plausible consequences. The simulation model generates the aforementioned situations to feed the risk model. Once a risk profile similar to the one shown in Fig. 2 is produced, a number of mitigation policies can be produced. It is worth noting as well that maximum risks in a risk profile are typical disaster indices and therefore provide valuable information for risk-reduction considerations.
Dr. Tayfur Altiok is a Professor in the Department of Industrial and Systems Engineering and Director of the Laboratory for Port Security at Rutgers, the State University of New Jersey.
Key Reports
Mitre Corp: Can Rare Events Be Predicted?
A Mitre Corporation study sponsored by the Department of Defense finds great uncertainty about efforts to identify and predict rare events and warns "there is danger in premature model building and the use of such models, to the exclusion of careful data collection."
Get the report
DOT: Report on Review of FAA's Progress in Enhancing Air Traffic Control Systems Security
A new report by the Department of Transportation says that "additional action is needed to strengthen security protection and minimize the impact of long-term service disruption" and notes that "review teams did not perform an adequate analysis of site-specific system configurations during the site-selection process to determine which operational locations were most likely to exhibit configuration variances."
Get the report
A Review of the Department's Anti-Gang Intelligence and Coordination Centers
A new report by the Department of Justice's Inspector General finds that the National Gang Intelligence Center and the Gang Targeting, Enforcement, and Coordinating Center "are not effectively collaborating and are not sharing gang-related information," nor have they "established a gang information database for collecting and disseminating gang intelligence as directed by statute."
Get the report
Jobs
Analyst Position with the DHS Homeland Infrastructure Threat and Risk Analysis Center (HITRAC)
General:
ABSG Consulting Inc. is seeking a talented young professional to provide technical and management consulting services to the federal government, specifically in the area of homeland security risk analysis for critical infrastructure and key resources. Education and experience with the systems engineering discipline are a key requirement, as is a strong foundation in the physical sciences. An active security clearance is preferred.
Education:
- BS or MS in systems engineering.
Experience:
- One to two years of experience in an engineering-related discipline using the systems engineering lifecycle to design and engineer complex systems.
Skills:
- Strong technical background in mathematics or physical sciences required.
- Must have relevant coursework in risk analysis, operations research, or other technical disciplines designed to support data-driven decision making.
- Must possess and have demonstrated excellent written and oral communication skills for technical subjects.
Please send resumes and cover letter to:
Micah McCutchan
Program Manager
ABSG Consulting, Inc.
E-Mail: mmccutchan@absconsulting.com