Homeland Security Watch

News and analysis of critical issues in homeland security

March 9, 2009

Risk management and chicken bones

Filed under: Risk Assessment — by Christopher Bellavita on March 9, 2009

“The legitimate object of government,” Abraham Lincoln wrote, “is to do for a community of people what they need to have done, but cannot do at all, or cannot so well do, for themselves — in their separate and individual capacities.  In all that the people can individually do as well for themselves, government ought not to interfere.”

The Lincoln quote comes at the end of an article by Robert Charatte called “On The Lookout.” The tease for the article in the March issue of Government Executive reads “If government’s job is to protect the people, it must begin to manage risk — before disaster strikes.”

Historically, managing risk replaced relying on luck as a decision-making tool. Charatte’s article does not define what risk is. Perhaps because there are dozens of definitions. Perhaps because managing risk is built into the evolutionary template of people who swim the human gene pool. Being alive means you understand something fundamental about risk management.

Risk is “generally understood” (that phrase has no empirical referent) to mean the probability of something happening (usually something negative) and the consequences if it does. In homeland security, risk often shows up on a PowerPoint slide as a function of threat, vulnerability and consequence.

The DHS risk lexicon — an effort to standardize language — has one definition of risk: “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.” The lexicon also offers what it calls an extended definition: “potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident, event, or occurrence.”

How is homeland security, writ large, doing on the risk management front?  Is anyone in the enterprise explicitly managing risk in a way intended by the various risk management theories?  Are there any exemplars in the homeland security environment that can be used to educate others about how to do — not just advocate — this activity that is supposed to be a foundation of national domestic strategy?

Obama’s homeland security agenda calls for allocating “our precious homeland security dollars according to risk….” The Bush Administration wanted to do the same thing. Really smart people have worked for years on this goal. How are we doing? What’s getting in the way of turning risk management into a routine activity? Maybe — like target capabilities and universal tasks — risk management in homeland security is in the “too hard to do honestly” category. We know in general what the strategic threats are to the homeland. But we do not know what they are with enough specificity to allow cities and states to allocate resources with anything approaching precision. As a GAO analysis discovered, vulnerability contributes little to risk management. Everything is vulnerable. And we still do not know the full consequences of September 11, 2001, let alone the potential results of future attacks.

Perhaps paying unquestioned homage to risk management in homeland security is the 21st century analog to interpreting chicken bones.  It may allow us to continue to worship the rationality gods.  It is unlikely to prepare us for the next Black Swan.  Lincoln might have suggested we try something else.


3 Comments »

Comment by William R. Cumming

March 10, 2009 @ 10:26 am

In a way planning for unwanted outcomes can be deleterious to real Homeland Security. The reason, unplanned events, not unwanted events, are the basis for designing systems and processes that can be mobilized from some existing planning basis no matter what the event. Thus, the formerly independent Federal Emergency Federal Response Plan and Federal Radiological Emergency Response Plan never really had a planning basis that represented baseline capability. Roles signed onto by signatories were often unstaffed, unfunded, and of questionable legal authority. The same goes for the National Contingency Plan for Oil Spills and Hazardous Materials Releases (see 40 CFR Part 300). Okay so now with the original Homeland Security Strategy (July 2002), the Homeland Security Act of 2002 (November 2002) and HSPD-5 (February 2003) all calling for integration of the above plans, still no planning basis, i.e. no related risk management either. Now we have the evolution of the National Response Plan (NRP) into the National Response Framework (NRF) and still no underlying agreement on the planning basis (really the start point for preparedness by knowing capabilities of existing staff, funding, training, equipment, logistics, etc.) or the risk management principles that underlie the NRF. Isn’t it about time to do that? By the way is there a list of signatories and reviewers of the NRF? What is the trigger for it?

Pingback by The Multiple Levels of Risk Management | Homeland Security Watch

April 2, 2009 @ 2:39 am

[...] asked [here] “Is anyone in the enterprise explicitly managing risk in a way intended by the various risk [...]

Pingback by 100 days and counting | Homeland Security Watch

April 29, 2009 @ 6:04 pm

[...] Chris Bellavita’s thoughtful skepticism regarding the liturgy of threat-vulnerability-consequence-risk, I find it a helpful thinking [...]
