The Risk Communicator

The Monthly Newsletter of the
Security Analysis and Risk Management Association

July 2011
In This Issue
More Speakers for SARMA's 5th Annual Conference
Thomas: The Importance of the Risk-Based Approach
Serino Testifies on the Hill
Reports: Implementing the 9/11 Commission Recommendations, and More
Thanks to our Silver-Level Corporate Patron: BayFirst
Write for Us
Have you seen a story you would like to see included in The Risk Communicator? Do you have a research project you want to share with your colleagues? If so, please contact the newsletter staff at newsletter@sarma.org.
Legal Matters
Copyright 2011 SARMA. All Rights Reserved.

The views expressed in The Risk Communicator reflect the views of their authors, and do not necessarily reflect the views of SARMA, the US Government or the employers or clients of the contributors.
President's Corner

Dear Fellow SARMA Members,

As we enter the "dog days" of summer, I would like to take this opportunity to suggest an activity that's sure to be cool -- stay inside and enjoy the July issue of The Risk Communicator.

The increasing heat is also a sign we are approaching National Preparedness Month. This year, the Federal Emergency Management Agency (FEMA) has coined the slogan "A Time to Remember, A Time to Prepare" in recognition of the 10th anniversary of the September 11, 2001 terror attacks, and also to provide a backdrop for encouraging Americans to take simple steps to prepare for emergencies. FEMA's Ready Campaign has also launched a suite of new web-based tools to foster individual and group participation. I encourage each of you to visit the FEMA website to learn more about some of the things you can do to make your homes, businesses and communities more resilient, and to better manage the risks you and your family face.
 
Of course another highlight of September will be our 5th Annual Conference on Security Analysis and Risk Management. I am pleased to announce that the agenda is almost filled. You may have seen some of the announcements from the Conference Committee, but let me highlight just a few of the outstanding speakers that will be featured:
  • The Honorable Richard Serino, Deputy Administrator, FEMA
  • The Honorable Todd Keil, Assistant Secretary for Infrastructure Protection, DHS
  • Brig. General James Shamess (USAF ret.), Senior Advisor for Security Policy and Oversight, Office of the Administrative Assistant to the Secretary of the Air Force
  • Ms. Tina Gabbrielli, Director, Office of Risk Management and Analysis, DHS
More announcements will follow in the days ahead, so watch your email or visit the conference website for the latest news, a full speaker list and to register if you haven't already done so!

As many of you know, we also hold our Annual Meeting and Board of Directors election in conjunction with the annual conference. This year, SARMA is seeking qualified nominees to fill five seats. To read more about the nominating process and requirements, please view the SARMA Nominating Committee's official Call for Candidates. As a reminder, all nominations for the SARMA Board of Directors must be received by SARMA and/or postmarked by midnight, July 31, 2011 to be considered for this year's elections.  

Similarly, the annual conference provides an opportunity to recognize outstanding contributions to the security risk management profession and SARMA. To read more about the awards and nominating process, please view the SARMA Awards Committee's official Call for Nominations. As with candidates for the SARMA Board of Directors, all awards nominations must be received by SARMA and/or postmarked by midnight, July 31, 2011 to be considered.   

Finally, as I've noted in past issues of this newsletter, notable progress has been made towards elevating risk management as a core component of our national approach to homeland security. However, some important challenges still remain. One of these is the lack of a risk-based approach for informing the national investment represented by the DHS Preparedness Grants. I write about this, and potential solutions, in greater detail below in hopes of initiating a dialogue that can benefit the process. To that end, I welcome your thoughts and comments.

My best,
Kerry


Kerry L. Thomas
President

Events
Speakers Added for 5th Annual Conference!

Our 5th Annual Conference has some outstanding keynote and plenary speakers lined up, as noted above by Kerry Thomas. In addition, we have now confirmed almost the entire agenda's worth of presenters and panelists for the conference, which is scheduled to run from September 13-15, 2011 in Arlington, Virginia.

A small sampling of our confirmed speakers includes:
  • Guy Bernardo, San Francisco Bay Area UASI
  • Robin Dillon-Merrill, Georgetown University
  • Dr. Alexander Fekete, German Federal Office of Civil Protection and Disaster Assistance
  • Brent Greene, Telcordia Technologies
  • Jim Jaeger, General Dynamics AIS
  • Nathan Kathir and Steve Pranger, U.S. Army Corps of Engineers
  • David Keyes, PAASS, Inc
  • Joe Moorcones, SafeNet
  • Jim Mullikin, FEMA National Preparedness Assessment Division
  • Kathy Pherson, Pherson Associates
  • Ashleigh Sanders, Dept. of Homeland Security
These individuals and approximately 50 other expert speakers from government, the private sector and academia will address a variety of topics, including: community, critical-infrastructure and cyber security risk; federal, state and local government policy developments; and risk management standards, methodologies and education/training efforts.

 

As in past years, the conference is being co-hosted by the George Mason University School of Law's Center for Infrastructure Protection and Homeland Security (CIP/HS). The two-and-a-half-day event will take place in a new building on GMU's Arlington campus known as Founders Hall.

The conference starts at 8:30 AM on Tuesday, September 13 and runs until 12:30 PM on Thursday, September 15. An Evening Welcome Reception will be held from 5:30 to 7:00 PM on Tuesday.



Fee Schedule

  • General Registration - $495
  • Government/Academic Registration - $375
  • Evening Welcome Reception - $60


We look forward to seeing you at the conference in September!

 

 


Analysis
Why a Risk-Based Approach to Managing FEMA's Preparedness Grants is Urgently Needed...
and Eminently Doable

by Kerry Thomas

Since September 11, 2001, well in excess of $30 billion in Federal grant money has been provided to states, local communities and the owners and operators of the Nation's critical infrastructure to enhance all-hazards preparedness. However, quantifying the impact of these grants remains an enormous challenge for the agency charged with administering them, the Department of Homeland Security's (DHS) Federal Emergency Management Agency (FEMA).

Over the years, this problem has been approached in a variety of ways, often resulting in new and increasingly complicated reporting requirements, but never allowing FEMA to answer the most fundamental question -- how much safer are we as a result of these investments? The urgency of the current fiscal crisis, coupled with the recent release of the Presidential Policy Directive (PPD)-8 on National Preparedness, makes this issue impossible to ignore any longer. The good news is that many of the tools needed to address the problem already exist.

Past Efforts to Measure Program Impact

In the early days, from 1998-2004, data collection efforts focused largely on the most fundamental issues, such as whether grantees could document that they had followed their approved budgets when making purchases. A parallel planning process was implemented in 1999 that resulted in the collection of baseline capability data at the State and local levels. Grantees were then asked to subjectively determine "needs" and develop State -- and later Urban Area -- Homeland Security Strategies that would be used to guide grant expenditures. This approach was modified further in 2004, when counting "widgets" was supplanted by efforts to measure program "effectiveness." This included additional reporting requirements, such as the Initial Strategy Implementation Plan (ISIP) and Bi-annual Strategy Implementation Report (BSIR). Eventually, grantees were required to submit Investment Justifications (IJs) to be peer-reviewed by panels of subject matter experts. Most recently, DHS has sought to measure program impact through capability gain as a part of its Cost to Capabilities (C2C) initiative.

What's Missing?

Getting the most "bang for the buck" should be an important goal of the FEMA preparedness grant programs. However, it cannot be the first step in measuring their impact. In the absence of understanding the actual risks faced, simply optimizing across a portfolio of investments to maximize capability gain does little to guarantee the effectiveness of the expenditure. Establishing a risk baseline first would enable the identification of the actual capabilities required, allow for the measurement of risk reduction from the capabilities gained, and ultimately, support effective comparisons of the return on investment.
Exhibit 1 illustrates this concept using the Government Accountability Office's (GAO) recognized and well-established Risk Management Cycle.

[Exhibit 1: GAO Risk Management Cycle]

Why Act Now?

PPD-8 represents the first complete revision of our national policy on preparedness since 2003, replacing Homeland Security Presidential Directive (HSPD)-8. The foundation of PPD-8 rests on the creation of a risk-informed National Preparedness Goal. According to PPD-8, the Goal:

 "...shall be informed by the risk of specific threats and vulnerabilities -- taking into account regional variations - and include concrete, measurable and prioritized objectives that mitigate that risk. The national preparedness goal shall define the core capabilities necessary to prepare for the specific types of incidents that pose the greatest risk to the security of the Nation, and shall emphasize actions aimed at achieving an integrated, layered and all-of-Nation preparedness approach that optimizes the use of available resources."

 

The implementation plan for PPD-8 goes on to explain that the Goal will:

 

"...include a standardized, objective approach for assessing threats and hazards to identify core capabilities and where they are needed, while establishing performance objectives that measure progress towards achieving the Goal. The core capabilities that make up the Goal will represent preparedness priorities that reflect Federal, State, local, tribal, territorial, and private and nonprofit sector perspectives on risk. The threat and hazard identification and risk assessment should consider the range of natural hazards, potential accidents, and terrorist threats and factor in the identification of risks facing States and local communities as well as the Nation as a whole."

 

Juxtaposed against this new imperative to employ risk as a foundational element of national preparedness policy are the fiscal-year (FY) 2012 appropriations for FEMA's preparedness grants. The House of Representatives recently passed a version of this legislation that would provide nearly $3 billion less than the Obama Administration's request and represent a cut of almost $1.1 billion over FY 2011. The debate around passage of this bill underscored deepening Congressional concern with the lack of metrics for these programs. Rep. Robert Aderholt (R-AL), Chairman of the House Homeland Security Appropriations Subcommittee, had the following to say:

 

"Now, I know there has been some criticism on the funding level this bill is recommending for FEMA's first responder grants. Let me emphasize that not only is there more than $13 billion dollars in the pipeline that has not been drawn down, but FEMA has yet to establish a credible method for measuring the impact of these grants."

 

The House-passed version of this legislation also creates a single pool of funds out of what had been numerous distinct line items that funded programs like the State Homeland Security Program (SHSP), Urban Areas Security Initiative (UASI), Port Security Grant Program (PSGP), and Transit Security Grant Program (TSGP). Given the policy direction set in PPD-8, the challenges of articulating program effectiveness and the potential need to make difficult decisions about where and how to divide a limited pool of funds, it would seem that the time has come to look anew at how sound risk management principles could contribute to the solution. At the same time, however, history should not be forgotten, as many of the building blocks needed for implementing a risk-based process already exist.

 

A Path Forward

As noted, many of the components required for a risk-based grants management process already exist, although not all reside within FEMA or in an optimized form. Adopting such an approach would require that FEMA employ a scenario-based risk assessment process to guide its efforts, whether that is a "maximum of maximums" approach or something more like the National Planning Scenarios. The Homeland Threat and Risk Analysis Center (HITRAC) and the Office of Risk Management and Analysis (RMA), both within DHS's National Protection and Programs Directorate (NPPD), have the capability to assist with providing a national perspective on risk (something the Department is directed to do anyway as part of the implementation of PPD-8). The United States Coast Guard (USCG), Transportation Security Administration (TSA) and Sector Specific Agency Executive Management Office (SSA EMO) could also inform this discussion and help with coordination. Ultimately, and with appropriate technical assistance, this national perspective on risk could be complemented with state and regional inputs, possibly leveraging the DHS-supported fusion centers and existing methodologies like the Maritime Security Risk Analysis Model (MSRAM), Terrorism Risk Assessment Methodology (TRAM) and FEMA's own HAZUS-MH tool.

With a risk baseline established, many elements of FEMA's current grant process could then be aligned to support this approach:
  • The Target Capabilities List (TCL), or a successor, could provide the means for identifying gaps between existing capabilities and required capabilities; and
  • Strategic planning efforts, such as the State Hazard Mitigation Plans, State / Urban Area Homeland Security Strategies, Regional Transit Security Strategies (RTSS), and Port-Wide Risk Management Plans (PWRMP), could provide the mechanism for addressing the identified capability gaps through defined goals, objectives and implementation steps.

Implementing this approach as a collaboration between FEMA and its state, local and private sector partners could in turn allow for new efficiencies in the grant application and reporting process. For example, the ability to fund standardized and approved plans, backed by rigorous monitoring and exercise programs, should provide the confidence needed to eliminate such costly and burdensome requirements as the IJ and BSIR.

In addition to these efficiencies, stakeholders at all levels of the process would benefit from the ability to apply common, repeatable and transparent metrics. One such measurement enabled by use of this new risk management construct would be the ability to gauge program impact as a function of risk reduction and risk reduction return on investment. Adopting such an outcomes-based approach would:
  • Help ensure that the focus remains on building capabilities where they are needed;
  • Allow states and localities to prioritize investments more effectively by understanding how much risk reduction could be achieved through investment in a particular capability; and
  • Provide Federal officials with the basis for measuring and articulating the overall effectiveness of the grants on reducing risk to the Nation.
The effectiveness of these investments could also be further tested through the Homeland Security Exercise and Evaluation Program (HSEEP). HSEEP-compliant exercises would provide additional confidence that the solutions implemented were in fact having their intended impact. Coupled with effective programmatic monitoring, this feedback would also support the iterative application of successive grant rounds to ensure that these funds continued to: 1) target the most pressing risks; and 2) do so in the most efficient and effective manner possible.

Potential Challenges

There are a number of potential challenges to the successful implementation of any new approach in this arena. These include:
  • Visibility. Since their inception in 1998, these grant programs have benefited every state and territory, most major urban areas, and even many privately owned and/or operated facilities. Their intended purpose -- to enhance the Nation's preparedness for large scale terrorist attacks and natural disasters -- coupled with the enormous amount of taxpayer funding involved, also contributes to a heightened level of interest and raised expectations at all levels (e.g., H.R. 3980, the Redundancy Elimination and Enhanced Performance for Preparedness Grants Act). An obvious danger here is having a less than ideal solution dictated. Effectively managing stakeholder relationships and expectations will also be essential to success.   
  • Parochial Interests. One of the reasons why these programs have developed into what they are today is that responsibility is shared among many agencies within DHS - each with its own often competing interests. To succeed in changing this paradigm, there must be unanimity of purpose within the Department.
  • Program Complexity. Virtually every element of the current grant process has developed within its own unique stove-pipe. Aligning all of these elements will be a complex undertaking that will require patience, collaboration and resources.
  • Program Focus. While difficult for many of the reasons discussed, it is essential that a common and clear understanding of the purpose of these programs be arrived at. The reality is that these grants were established to assist State, Tribal and local government entities, as well as the owners and operators of critical infrastructure, acquire preparedness capabilities they did not previously possess and would not be likely to fund on their own outside of a shared commitment. In recent days, this has become intertwined with discussions about annual investments in routine law enforcement, fire, emergency medical, and emergency management capabilities. Refocusing on the original purpose of these programs, therefore, is also essential and would greatly facilitate the development of the necessary risk-based decision-making framework.
Conclusions

As recent Congressional action indicates, the inability of FEMA to quantify the impact of the preparedness grants has reached a point where it will dominate future discussions until addressed. Fortunately, many of the elements needed to address these concerns already exist. What is currently missing is the risk-based framework within which to have this discussion. By adding this element and realigning/optimizing other elements of its current preparedness programs, FEMA would possess the means to make risk-informed decisions about where and how to invest the available grant dollars, quantify program impact and reduce the management and oversight burden placed on its staff and stakeholders. This will not be accomplished without strong leadership, a focused approach and unanimity of purpose across the Department. However, without taking these steps, there is a strong likelihood that decisions will continue to be made that lack essential data - all at a time when the pressure is growing to find additional ways to cut the Federal budget.  

Kerry Thomas currently serves as President of SARMA and is also Senior Director for Homeland Security Support Programs at ABS Consulting.

Work Cited

Government Accountability Office. Protection of Chemical and Water Infrastructure: Federal Requirements, Actions of Selected Facilities, and Remaining Challenges, March 2005, GAO-05-327.

Presidential Policy Directive/PPD-8, March 30, 2011.

Implementation Plan for Presidential Policy Directive 8: National Preparedness, May 2011.

Jackson, Herb. U.S. House OKs Homeland Security Bill with Cuts, Northjersey.com, June 3, 2011.

Aderholt Statement on FY 2012 Homeland Security Appropriations Act, May 13, 2011.

On Capitol Hill
Richard Serino Testifies About Spring Storms
to Senate Homeland Security Committee

Richard Serino, Deputy Administrator of the Federal Emergency Management Agency (FEMA), will speak at SARMA's 5th Annual Conference in September. He testified earlier this month before the Senate Committee on Homeland Security and Government Affairs' Ad Hoc Subcommittee on Disaster Recovery and Intergovernmental Affairs to discuss "response and recovery efforts across all levels of government in the aftermath of the 2011 spring storms, tornadoes, and floods."

Excerpts of Mr. Serino's testimony follow:

"Our planning and preparedness efforts translate into action through FEMA's "Whole Community" approach. This approach recognizes that FEMA is only a part of the team, and not the entire emergency management team. In order to successfully prevent, protect against, respond to, recover from and mitigate all hazards, we must work with the entire homeland security community and the public. The "Whole Community" includes FEMA and our partners at the federal level; our state, local, tribal and territorial governmental partners; non-governmental organizations (NGOs) like faith-based, volunteer and non-profit groups, the private sector and industry; and most importantly, individuals, families and communities, who continue to be our greatest assets and the key to our success.   
 
"As part of the team, FEMA, as the federal government's coordinator for disasters and emergencies, focuses our work on supporting our citizens and first responders to ensure resilience to all hazards. In order to fulfill this mission, we must leverage the resources and capabilities of all aspects of the emergency management team, both governmental and non-governmental. As a result, a "Whole Community" framework means thinking about FEMA programs and policies in conjunction with how we work to support other aspects of the emergency management team.

"We continue to work closely with our federal agency partners to help the states affected by the recent severe storms, tornadoes and floods get back on their feet. One of the ways we do this is through the use of mission assignments. Mission assignments are work orders issued by FEMA to other federal agencies that direct the completion of a specific task and are intended to meet urgent, immediate and short term needs. Mission assignments allow FEMA to quickly request federal partners to provide critical resources, services or expertise. A few recent examples of the specific support these mission assignments have provided include:
  • "Coordinating with U.S. Northern Command to establish an incident support base in Maxwell, Alabama, enabling FEMA to move supplies (such as water, infant/toddler kits and tarps) closer to the affected areas.
  • "Activating the U.S. Army Corps of Engineers to conduct debris clearance and removal, infrastructure protection, restoration and emergency repair.  
  • "Working with the U.S. Department of Housing and Urban Development to help support housing operations under Emergency Support Function #6 -- Mass Care, Emergency Assistance, Housing, and Human Services.
  • "Activating U.S. Environmental Protection Agency personnel to perform the functions of Emergency Support Function #10 -- Oil and Hazardous Materials Response -- by conducting response efforts relating to oil and other hazardous materials and conducting short- and long-term cleanup.
"These are just a few examples of how the federal family works together to support survivors and state and local governments during disasters. We continue to work closely with our federal government partners to leverage the resources they bring to various aspects of our preparedness, response and recovery efforts."

Mr. Serino's testimony can be read in its entirety here.   

Key Reports

DHS: Implementing 9/11 Commission Recommendations

 

A new report from the Department of Homeland Security "describes how DHS has addressed specific 9/11 Commission recommendations over the past ten years, making America stronger and more resilient."

   


 

IHSS: Methods to Help State and Local Law Enforcement Detect and Characterize Terrorist Activity


A new report from the Institute of Homeland Security Solutions examines the use of suspicious activity reports [SARs], "assesses the strengths and weaknesses of data sources from which SARs are often derived, and makes recommendations for improving the collection, processing, and evaluation of tips and clues reported at the local level."


NAF: Countering Domestic Radicalization: Lessons for Intelligence Collection and Community Outreach


A new report from the New America Foundation compares counterterrorism methods in the United Kingdom with those in New York and Los Angeles in order to develop a list of best practices for reducing radicalism and encouraging strong relationships with local communities.  
