President's Corner
Dear Fellow SARMA Members,
As I noted in my February column, recent developments at the Department of Homeland Security (DHS) have sent mixed signals about the future of risk as a key element of decision-making, prioritization and resource allocation. Among these was the Department's decision to disband the Office of Risk Management and Analysis (RMA), which was responsible for coordinating risk practice across DHS, and which had been identified as a key resource for implementing the Department's Management Directive on risk issued just last year. In this regard, the dissolution of RMA calls into question who will now champion risk management as a core business process of the Department. With some of the RMA staff now reassigned to the Office of Policy at DHS Headquarters, one possibility is that this office will now assume responsibility for these functions and become a new center of gravity for Department-wide strategic risk management activities. This could be a logical outcome, but it would also require the articulation of the role that is in keeping with Policy's mission.
Likewise, I also mentioned that the Federal Emergency Management Agency (FEMA) had recently announced its intention to combine most of the standalone preparedness grants (State, Urban Area, Port, Transit, etc.) into a single "National Preparedness Grant Program" in FY 2013. A vision document published at the time suggested that funding allocations for the new program would be based on "prioritized core capabilities as well as comprehensive threat/risk assessments and gap analyses." As I stated then, such an approach could lead to smarter, more targeted investments -- something SARMA has long supported. However, to accomplish this, I also cautioned that a well conceived process would be needed to guide implementation. To this end, FEMA recently published Comprehensive Preparedness Guidance (CPG) 201 (see Key Reports section below).
Among other things, CPG 201 provides guidance on conducting a Threat and Hazard Identification and Risk Assessment (THIRA), the process it envisions for identifying and assessing risks and their associated impact. Importantly, CPG 201 seeks to ground the allocation of federal preparedness dollars in a comprehensive risk-based construct -- the first such effort since the State Homeland Security Assessment and Strategy (SHSAS) process was completed in 2003. However, as currently defined, the THIRA guidance does not provide for: (1) a process that is comparable and repeatable from jurisdiction to jurisdiction; (2) the consistent assessment of threats and hazards; or (3) consideration of the consequences of loss resulting from an incident (a concern also identified by the National Emergency Management Association). In addition, questions remain about how risk management practice will be harmonized between FEMA and the Office of Infrastructure Protection (OIP), which has responsibility for implementing the National Infrastructure Protection Plan (NIPP). This issue holds particular relevance for state and local governments, as well as the private sector.
The good news here is that there is ample opportunity for refinement. There are also groups, like SARMA, who I know would be willing and eager to assist -- whether as a non-biased sounding board or source of information and ideas on how to solve particular challenges. I'd like to hear what you think about these issues, too. Please send your thoughts and comments to info@sarma.org or start a discussion on the SARMA LinkedIn Group page.
My best,
Kerry
Kerry L. Thomas
President
In The News
National Governors Assoc. Issues Info-Sharing Privacy Policy Guidelines
The National Governors Association on April 24 released a new issue brief highlighting actions states have taken to create and implement privacy policies within their justice information sharing systems.
The report, A System of Trust: Privacy Policies for Justice Information Sharing, builds upon the lessons learned from a recent NGA meeting held in partnership with the U.S. Department of Justice, Bureau of Justice Assistance. Participating states created privacy policies designed to govern their integrated justice information systems, provide accountability for potential misuse of the system and protect the privacy rights of individuals.
"The ability to share information is vital to criminal justice decision makers; privacy policies that govern justice information systems help protect personal information," said Hawaii Gov. Neil Abercrombie. "By following these policy development recommendations, states can improve justice outcomes while ensuring personal privacy rights have not been violated."
Download a copy of the report.
More Than 300,000 Could Lose Internet Access in July
The FBI on April 23 warned Internet users around the globe that hundreds of thousands of computers infected with malware stemming from a fraud scheme by an Estonian cybercrime ring could be forced offline this summer.
Last November, six Estonian hackers were arrested on charges of fraud after a two-year FBI probe called Operation Ghost Click. The FBI and Estonian authorities charged the hackers with infecting computers worldwide with malware called DNS Changer, which opened up the computers to viruses by disabling the infected system's anti-virus protection.
The hacker ring used their access to direct users to their own servers and manipulate online advertising, earning more than $14 million in illegal income, according to the FBI. A Russian collaborator remains at large.
But the FBI is now warning that 300,000 of the estimated 568,000 computers impacted by the attacks may still be relying on a temporary fix put in place by the FBI. The agency had deployed so-called "clean servers" after the arrests to ensure victims did not lose Internet access. But the effort was never meant as a permanent solution. And now hundreds of thousands of computers that are still infected (including 85,000 in the U.S.), as well as those who have been relying on the FBI's temporary servers, will be unable to access the Internet if the malware is not removed by July.
The FBI has established a Website where Internet users can scan their systems for the malware and have it automatically removed.
To scan your system and remove the malware (if present), go to: http://dcwg.org.
Analysis
Risk Management in the Tourism Industry
by Dr. Peter E. Tarlow
Ever since the Munich Olympic games, tourism officials and event managers have had to deal with the concept of risk. Risk management in tourism, while always needed, was often ignored until Munich and really only became an important element in tourism after the September 11, 2001 attacks. Until then, tourism professionals often chose to ignore risks and when something negative did occur, they then turned to crisis managers to solve the problem. Often these professionals, coming out of the world of marketing, believed that good marketing would solve all of their problems and provide an easy methodology to recover lost revenues.
Since the September 11th attacks the public has demanded that tourism interface with the world of risk management. These changes occurred in various ways. Major attractions and events, hotels, and transportation companies developed professional risk management divisions. Tourism Security conferences, a close ally of tourism risk management, gained momentum. The oldest of these conferences is the Las Vegas International Tourism Safety and Security Conference now in its 19th year. Other conferences focused on local problems, among these being the Southern California Conference in Anaheim, the Latin American conference in Bogota, Colombia, and the Caribbean conference held biennially in Aruba.
The world of risk management is extraordinarily broad. Tourism risk involves identifying and finding ways to ameliorate risks in such areas as risk to the brand's name, risk to the traveler's and tourism staff's health, risks to the locale's economy, risks to the locale's eco and cultural systems, and risks emanating from climate or seismic conditions. Underlying all of these risks are risks to safety and security to the visitor, to the tourism staff, to the local population and to the locale's physical structures.
Like the tourism industry itself, tourism risk management is not neatly divided into specific categories, but rather forms a living body of ever changing and unstable challenges. Thus, all too often when one part of the system is attacked, the shock waves reverberate throughout the entire tourism system. To make the matter even more complicated, many tourism risks are ephemeral, thus what may be a risk at one point in time, may cease to be a risk at another point in time, or vice versa.
Furthermore not all risks are the same. Some risks, such as the need to evacuate beachfront property during a hurricane may be high priorities at certain periods of the year and be of much less importance during other seasons. Thus, tourism risk, like tourism itself, has ebbs and flows and is subject to seasonal fluctuations.
There are multiple definitions of risk. For example the Pacific Asia Tourism Association (PATA) defines tourism risk as "essentially the prospect or possibility of negative events and subsequent loss to a tourism business or destination arising from a negative event. Sometimes this (the negative event) can be measured statistically" (Bounce Back: PATA, page 5).
Others define risk differently. For example, The Business Dictionary defines risk as: "Policies, procedures, and practices involved in identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks. A firm may use risk assumption, risk avoidance, risk retention, risk transfer, or any other strategy (or combination of strategies) in proper management of future tourism." (http://www.businessdictionary.com/definition/risk-management.html: April 3, 2010)
The PATA definition implies that successful tourism and event risk management works so that nothing happens, and that no loss of income occurs. Other risk management models place a much lesser emphasis on the risk of loss of income and instead focus on risks to culture, locale and life. In all cases, however, risk managers seek to produce a "non-event."
That is to say, that good risk management is preventive in nature and attempts to stop a negative action before it occurs. Ironically, successful risk management can become a risk for the risk manager. When nothing happens politicians, administrators and the public often want to know why so much money was spent on a perceived non-event. This means that if a negative event occurs the risk manager is seen as a failure and if the risk manager successfully controls risks then he or she may risk being seen as irrelevant by higher-ups who do not understand the field and may be seeking foolishly to save money.
Tourism risk, like tourism crises, takes many shapes. Gui Santana has noted: "Crises in the tourism industry can take many shapes and forms: from terrorism to sexual harassment, white collar crime to civil disturbances, a jet crashing into a hotel to cash flow problems, guest injury to strikes, bribery to price fixing, noise to vandalism, guest misuse of facilities to technology change..." (Santana, 1999). Each of these crises comes from a risk that was not managed and thus produced a crisis. In each of these cases, the tourism risk manager must be aware of the potential crisis, must have an idea of the probability of the crisis occurring and must have a plan ready to attempt to prevent the crisis before it occurs.
The following chart provides an overview of some of the differences between risk and crisis management in tourism.
CHART: Some Basic Differences between Crisis and Risk Management
| | Risk | Crisis |
| Surety of Occurrence | Uses a statistical system. | Is a known tourism event. |
| Goal of management | To stop the event prior to occurrence. | To minimize the damage once an event has taken place. |
| Type of preparation to combat risk that can be used | Probability studies. Knowledge of past events. Tracking systems. Learning from others. | Specific information such as medical, psychological, or crime. Developing a "what if" attitude. |
| Training needed | Assume crises and find ways to prevent them. | Assume crises and practice reacting to them. |
| Reactive or Proactive | Proactive. | Reactive, though training can be proactive toward the reactive. |
| Types of victim | Anyone, maybe visitor or staff. | Can be visitors, staff members, or site. |
| Publicity | Goal is to prevent publicity by acting to create non-events. | Goal is to limit the public relations damage that may occur. |
| Some common problems | Poor building maintenance. Poor food quality. Poor lighting. Fear of terrorism. Fear of a crime occurring. | Rude visitor. Sick person. Robbery. Threat to staff. Bomb scare. Lack of language skills. |
(Tarlow: EDIT Program: University of Hawaii: 2006)
Tourism risk management, therefore, is an ongoing process that touches every aspect of the industry, from health issues to the public's satisfaction with a tourism destination, from issues of safety to those of security. Risk managers must never fail to remember that they are the central bulwark between a successful and failed tourism industry. To fail to recognize the importance of managing risk is perhaps the greatest risk of all.
Key Reports
FEMA: Understanding Our Risk: Comprehensive Preparedness Guide 201: Threat and Hazard Identification and Risk Assessment
The Federal Emergency Management Agency (FEMA) on April 4 released Comprehensive Preparedness Guide 201, which outlines a five-step process for conducting a Threat and Hazard Identification and Risk Assessment. The goal of the guide is to help communities better understand risks from natural, technological, and human-caused threats and hazards, and to make informed decisions about how to manage risk and develop needed capabilities.
GAO: Additional Efforts Needed by National Security-Related Agencies to Address IT Supply Chain Risks
A new report from the Government Accountability Office (GAO) concludes that the Department of Homeland Security, Department of Defense, Department of Justice, and Department of Energy remain at risk of falling victim to IT supply chain threats, such as installation of malicious code.
Congressional Research Service: Summary of the Emergency Planning and Community Right-to-Know Act (EPCRA)
This report summarizes the Emergency Planning and Community Right-to-Know Act (EPCRA) and the major regulatory programs that mandate reporting by industrial facilities of releases of potentially hazardous chemicals to the environment, as well as local planning to respond in the event of significant, accidental releases.
Get the report
Columbine Turns 13
April 20 marks the 13th anniversary of the Columbine school shootings, during which two Columbine High School students, Eric Harris and Dylan Klebold, killed 13 people and injured 21 more. Revisit the lessons learned from this event in the official After Action Report from the Jefferson County Sheriff's Office.
Get the report
Jobs
SMR Group: Manager, Emergency Response & Security
SMR Group Inc. is seeking an emergency response and security professional for a position based in Rio de Janeiro, Brazil. The purpose of the position is to support business operations and ensure a high degree of emergency response and crisis management readiness while identifying security risks and developing strategies to mitigate those risks. The position will also ensure asset compliance with corporate security, fraud and crisis management policies.
Read the notice