THE RISK COMMUNICATOR

The Monthly Newsletter of the
Security Analysis and Risk Management Association

April 2011

In This Issue
Save The Date: 5th Annual SARMA Conference
O'Malley: Int'l Standards for Supply Chain Security
Reports: CDC's New Public Health Guidelines, Lessons from Japan, and More
Thanks to our Gold-Level Corporate Patron

Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2011 SARMA. All Rights Reserved.


The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner

Dear Fellow SARMA Members,

Welcome to the April issue of The Risk Communicator. As we approach the 10th anniversary of the 9/11 terror attacks, I would like to take a moment to note several important milestones in the maturation of the nation's approach to managing risk across the homeland security enterprise.

First, on 28 March 2011, the U.S. Department of Homeland Security (DHS) issued Directive 007-03, which establishes a department-wide policy for Integrated Risk Management (IRM). While past policy statements have touched on this concept, none has been as specific in terms of defining roles and responsibilities, or in requiring department-wide compliance.
 
Among other things, this directive effectively establishes the Under Secretary for National Protection and Programs as the Chief Risk Officer of DHS, supported by the Director and staff of the Office of Risk Management and Analysis (RMA). The directive further enshrines the department's Risk Steering Committee as the principal governance structure for this policy and requires each DHS component to identify a member of the Senior Executive Service to act as its lead executive for integrating IRM into its practices and ensuring compliance with departmental IRM policy. In addition, it directs DHS components to participate in periodic reviews of the department's risk management capabilities and requires each to provide the risk data it collects to RMA, for the first time enabling the creation of a consolidated body of knowledge. Finally, it also requires a coordinated approach between the Federal Emergency Management Agency and other DHS components like the Office of Infrastructure Protection and Sector Specific Agencies in providing assistance to state and local governments for managing risk.

Likewise, on 30 March 2011, we saw the release of Presidential Policy Directive (PPD)-8. PPD-8 is the first full revision of national policy related to preparedness since 2003, replacing Homeland Security Presidential Directive (HSPD)-8. Among other things, PPD-8 states that:

The national preparedness goal shall be informed by the risk of specific threats and vulnerabilities -- taking into account regional variations -- and include concrete, measurable, and prioritized objectives to mitigate that risk.

SARMA has long advocated for these types of policy enhancements, which we believe will help to avoid duplication of effort and ensure a more consistent, cost-effective approach to the investments we make in our nation's security and resilience. In this regard, SARMA congratulates the White House and DHS on the enactment of these important policies and stands ready to provide advice and assistance in support of their effective and timely implementation.

These are also examples of exactly the types of evolution in thinking that we will explore during our 5th Annual Conference later this year (more details below). Featuring the theme "Security Risk 10 Years After 9/11: How Far Have We Come and What Lies Ahead?", we will closely examine these and other developments in risk policy, methodology, training and education. If you haven't already done so, mark your calendars now for this exciting event, which is scheduled for 13-15 September 2011. I also encourage our members and others in the security analysis and risk management community to send us their ideas for topics in keeping with this theme.

As always, I look forward to your input!

Kerry

Kerry L. Thomas
President

Events
Call for Abstracts: SARMA 5th Annual Conference

As noted in the President's Corner, SARMA's 5th Annual Conference will take place from 8:30 AM on Tuesday 13 September to 12:30 PM on Thursday 15 September 2011.

We are once again honored that our co-host for the event will be the George Mason University School of Law's Center for Infrastructure Protection and Homeland Security (CIP/HS). We are also very pleased to report that this year's conference will take place in a beautiful new building on GMU's Arlington campus known as Founders Hall (see photo right).

Under the broad theme of Security Risk 10 Years After 9/11, we will take a retrospective look back at what we have -- or have not -- learned and accomplished over the past decade, and delve into what lies ahead for the risk profession. Specific subject areas will include the following:
  • Community Risk
  • Critical Infrastructure Risk
  • Cybersecurity Risk
  • Public Policy for Risk Management
  • Risk Education and Training
  • Risk Management Standards
  • Security Risk Methodologies and Practices
As in past years, we expect to have approximately 60 expert speakers over the two-and-a-half-day conference, and we're currently soliciting ideas and abstracts for individual presentations and panel discussions.

If you or someone you know specializes in a particular subject that addresses some aspect of our broad theme, please download and fill out our Speaker Application Form (which can be found on the SARMA website here), and email it to the conference planning team at conference@sarma.org. The deadline for early consideration of abstracts is Tuesday 31 May 2011.

Don't miss your opportunity to present at this exceptional forum for collaboration, information-sharing and networking, and to meet and interact with a wide array of practitioners from federal, state and local governments, private industry and academia.

We look forward to hearing your ideas, and hope to see you at the annual conference in September.

Analysis
Supply Chain Security:
Using International Standards to Dig Deeper

by Steven O'Malley

If you operate a business you are operating or relying on supply chains, and if you intend to stay in business you must manage the risk of supply chain disruptions. While assessment methodologies may vary, it makes little difference whether a threat is intentional (security), accidental (safety) or an act of God (e.g., an earthquake). It also matters little whether the portion of the supply chain you depend upon is within your organizational control or not. If it is disrupted, you are affected. However, since elements of your supply chains are probably distributed over large portions of the planet, merely assessing the risks to which you are vulnerable is a daunting task. Simply reducing the scope of the assessment to only those operations you control isn't the solution: your secure factory, cut off from its utilities, is still losing money. You need to know what the risks are, act to prevent what is feasible, and develop plans to survive what you cannot prevent.

The fact is that none of us can do this by ourselves, regardless of whether "we" means the U.S. government or a small assembly plant in Georgia. We need to work with vast numbers of service providers, suppliers and others to determine the risks involved and to implement countermeasures or contingencies. Essentially, we need to establish a common language among all stakeholders and set expectations of performance.

Indeed, we already do this all the time. When we buy a USB flash drive we are selecting a product manufactured to certain standards developed by the industry that relate to its ability to interface with our computer and to how its storage capacity is rated. This is because the computer industry realized long ago the need for common component standards.

What those of us with risk management responsibilities must do is determine what our essential operations are and then assess what can disrupt them. This assessment needs to take place at a macro level to provide us with the big picture, as immediately diving into the details may prevent us from seeing the forest for the trees. Equipped with the big picture, we are better positioned either to define what we need accomplished or to select suppliers/service providers (business partners) that already have procedures in place that address our risk management needs. If our business partners are addressing the risk issues that could affect our supply chain, we can stay out of the weeds and save money. After all, distant partners will know their operating environments better than we possibly could, and if they have done the work it isn't necessary to spend money duplicating it. Where risk needs are not being addressed, we do need to drill down further.

There is already one set of international business standards devoted to managing supply chain risks. By being international they have widespread acceptance and are well supported. The International Standardization Organization has grouped these into the ISO 28000 series and the pace of their adoption has now reached critical mass. The management system framework established by ISO 28000 can be used to cover all aspects of security: risk assessment, emergency preparedness, business continuity, sustainability, recovery, resilience and/or disaster management -- whether relating to terrorism, piracy, cargo theft, fraud or many other security disruptions. ISO 28000 is the only published and certifiable international standard that takes a holistic, risk-based approach to managing risks associated with any disruptive incident in the supply chain.

Consider the March 2011 Sendai earthquake and ensuing tsunami in Japan. While it was initially reported as a tragically freak combination, those who had adopted ISO 28002 (focused on supply chain security and not exclusively on security threats) would have understood the risk. While the 2011 earthquake was somewhat stronger than previous earthquakes in the region, it actually produced a smaller tsunami (23.6 meters in height) than those produced by the same fault line in 1933 (28.7 meters) and 1896 (38.2 meters). Despite a strong tendency for our security departments to want to develop security and risk management programs for our business partners to use and to guide internal operations, it is not possible to cost-effectively implement them on a wide enough scale to effectively manage risk.

I am a proponent of using international standards, but I do caution that they need to be used intelligently. If a company is certified to a particular ISO management standard, the auditor determines whether the company has the processes and practices in place to execute the company's management policy. A review of your company's management policies will help determine whether they address your risk management needs. If the company has obtained certification of its management system, check on the reputation of the certification body and see whether it is accredited to issue such a certification. Most countries maintain an accreditation body that links to the International Accreditation Forum. These national accreditation bodies provide lists of the organizations accredited to certify companies to specific standards. In the U.S. the accreditation body is the ANSI-ASQ National Accreditation Board.

Steven O'Malley is International Standardization Ship & Supply Chain Security Standards Coordinator and a partner with Analytical Innovative Solutions LLC. Previously he was the Director of Supply Chain & Maritime Security for SAIC, and a career U.S. Coast Guard officer. He has a master's degree in transportation management from Florida Institute of Technology. He is based out of the Atlanta metro area and can be contacted at aninso.llc@gmail.com.

Key Reports

Cardiff University: Assessing the Effects of "Prevent Policing"

A new report commissioned by the U.K.'s Association of Chief Police Officers (ACPO) looks at survey level data and interviews with both police and Muslim leaders to examine how well the U.K.'s Prevent Policing program is doing at preventing terrorism.

CDC: Public Health Preparedness Guidelines

A new set of guidelines from the Centers for Disease Control "creates national standards for public health preparedness capability-based planning and will assist state and local planners in identifying gaps in preparedness, determining the specific jurisdictional priorities, and developing plans for building and sustaining capabilities."

WINS: Maintaining Nuclear Security in a Complex Crisis

A new report from the World Institute for Nuclear Security "provides expert analysis of the potential security risk issues emerging from the major accident that crippled the Fukushima Daiichi Nuclear Power Station in March and April 2011 and identifies key recommendations for Nuclear Security Managers when dealing with low probability and high impact risk."
