“The legitimate object of government,” Abraham Lincoln wrote, “is to do for a community of people what they need to have done, but cannot do at all, or cannot so well do, for themselves — in their separate and individual capacities. In all that the people can individually do as well for themselves, government ought not to interfere.”
The Lincoln quote comes at the end of an article by Robert Charatte called “On The Lookout.” The tease for the article in the March issue of Government Executive reads “If government’s job is to protect the people, it must begin to manage risk — before disaster strikes.”
Historically, managing risk replaced relying on luck as a decision making tool. Charatte’s article does not define what risk is. Perhaps because there are dozens of definitions. Perhaps because managing risk is built into the evolutionary template of people who swim the human gene pool. Being alive means you understand something fundamental about risk management.
Risk is “generally understood” (that phrase has no empirical referent) to mean the probability of something happening (usually something negative) and the consequences if it does. In homeland security, risk often shows up on a powerpoint slide as a function of threat, vulnerability and consequence.
The DHS risk lexicon — an effort to standardize language — has one definition of risk: “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.” The lexicon also offers what it calls an extended definition: “potential for an adverse outcome assessed as a function of threats, vulnerabilities, and consequences associated with an incident, event, or occurrence.”
How is homeland security, writ large, doing on the risk management front? Is anyone in the enterprise explicitly managing risk in a way intended by the various risk management theories? Are there any exemplars in the homeland security environment that can be used to educate others about how to do — not just advocate — this activity that is supposed to be a foundation of national domestic strategy?
Obama’s homeland security agenda calls for allocating “our precious homeland security dollars according to risk….” The Bush Administration wanted to do the same thing. Really smart people have worked for years on this goal. How are we doing? What’s getting in the way of turning risk management into a routine activity? Maybe — like target capabilities and universal tasks — risk management in homeland security is in the too hard to do honestly category. We know in general what the strategic threats are to the homeland. But we do not know what they are with enough specificity to allow cities and states to allocate resources with anything approaching precision. As a GAO analysis discovered, vulnerability contributes little to risk management. Everything is vulnerable. And we still do not know the full consequences of September 11, 2001, let alone the potential results of future attacks.
Perhaps paying unquestioned homage to risk management in homeland security is the 21st century analog to interpreting chicken bones. It may allow us to continue to worship the rationality gods. It is unlikely to prepare us for the next Black Swan. Lincoln might have suggested we try something else.