4
Future Plans

In addition to evaluating Reclamation’s security-related processes, working relationships, and expertise, the committee was asked to evaluate Reclamation’s future plans for its security program. In the nearly 7 years since the September 11, 2001, attacks, Reclamation has had to develop a security program starting from almost nothing. While it has made significant progress in doing so, some fundamental issues need to be resolved for Reclamation to develop a culture of security as strong as its culture of dam safety—that is, one in which the policies, practices, and procedures for dam security are well developed and reflected in Reclamation’s decision making and routine operations. Developing a culture of security and a program that is sustainable over the long term will require the following:

  • Senior management support and commitment,

  • Adequate resources,

  • Performance measurement and evaluation,

  • A system for capturing and disseminating lessons learned, and

  • A vision and a long-term plan for a sustainable program.

Chapter 4 focuses on these elements and the committee’s observations and findings related to Reclamation’s plans for its security program.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 71
4 Future Plans I n addition to evaluating Reclamation’s security-related processes, working relationships, and expertise, the committee was asked to evaluate Reclamation’s future plans for its security program. In the nearly 7 years since the September 11, 2001, attacks, Reclamation has had to develop a security program starting from almost nothing. While it has made significant progress in doing so, some fundamental issues need to be resolved for Reclamation to develop a culture of security as strong as its culture of dam safety—that is, one in which the policies, practices, and procedures for dam security are well developed and reflected in Reclamation’s decision making and routine operations. Developing a culture of security and a program that is sustainable over the long term will require the following: • Senior management support and commitment, • Adequate resources, • Performance measurement and evaluation, • A system for capturing and disseminating lessons learned, and • A vision and a long-term plan for a sustainable program. Chapter 4 focuses on these elements and the committee’s observations and findings related to Reclamation’s plans for its security program. 

OCR for page 71
 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM SENIOR MANAgEMENT SuPPORT AND COMMITMENT Building commitment and support for the security program is pri- marily the responsibility of the senior executives within Reclamation—the commissioner, deputy commissioners, regional directors, and the director and program managers of the SSLE. Support, commitment, and leadership should begin with the commissioner and the deputy commissioners and continue uninterrupted down through the regional, program, and area office directors to the facility operators and line personnel. Reclamation’s senior managers are responsible for establishing the vision and objec- tives for the security program, establishing Reclamation-wide policies and procedures, determining priorities for resource allocation, selecting personnel in key positions, and communicating why a security program is critical to achieving Reclamation’s mission. Establishing metrics for progress in achieving security-related objectives and outcomes, assigning responsibilities clearly to key individuals, providing adequate resources to meet program objectives, and holding their staff accountable for results are also responsibilities of senior managers. The federal government’s Office of Personnel Management (OPM) has developed a set of executive core qualifications (ECQs) needed to achieve a federal corporate culture that motivates for results, serves cus- tomers, and builds successful teams and coalitions within and outside the organization (OPM, 2007). The ECQs defined by the OPM include these: • Leading change . . . the ability to bring about strategic change, both within and outside the organization, to meet organizational goals [and to] establish an organizational vision and implement it in a continuously changing environment. • Leading people . . . the ability to guide people to meet the organization's vision, mission, and goals [and to] provide an inclusive workplace that fosters professional development, facilitates cooperation and teamwork, and supports constructive resolution of conflicts. • Results driven . . . the ability to meet organizational goals and customer expectations [and to] make decisions that produce high-quality results by applying technical knowledge, analyzing problems, and calculating risks. • Business acumen . . . the ability to manage human, financial, and information resources strategically. • Building coalitions . . . the ability to build coalitions internally and with other federal agencies, state and local governments, nonprofit and private-sector entities, foreign governments, or international organizations to achieve common goals.

OCR for page 71
 FUTURE PLANS The committee devoted significant time and energy to observing, discussing, and evaluating senior management’s understanding and com- mitment to the security program. Committee members met with senior executives and managers at Reclamation’s Washington, D.C., office and its Denver headquarters, at regional and area offices, and at individual sites. It was clear to the committee that Reclamation’s personnel at all levels are committed to the dam safety and emergency management programs. The relationship of these programs to the achievement of the BOR’s mission of delivering water and power seems to be consistently communicated from the top down through all levels of the organization and is well understood by all. In contrast, discussions on dam security did not convey the same level of support and commitment from senior management or field personnel. Nor was the link between security and mission achievement consistently recognized or communicated. Personnel at all levels clearly understand that the NCI facilities and some other highly visible dams constitute attractive targets for terrorists, and they support actions to protect those facilities. However, the commitment to providing security for the majority of Reclamation’s dams was not consistent. Because many dams are not icons, are located in rural areas, or are smaller, they seem less likely to be targets of terrorists, which has led to thinking “it won’t happen here.” In some instances, staff clearly felt other priorities were higher than security, and they resented the redirection of resources from other program areas to security. SSLE’s director and program managers understand the security program’s purposes and requirements. However, the organizational and communication issues described in Chapter 3 have limited the effective- ness of SSLE staff in helping to develop a culture of security. At the regional offices, the committee observed a range of attitudes regarding the need for a robust security program, from committed to indifferent to resentful. Often the attitude exhibited by a regional direc- tor was reflected by area office managers and facility operators. Frustra- tion and confusion were most evident among those area office managers who were clearly committed to providing security but who reported to regional office directors who were not as committed. Finding: Creating an effective security program and a culture of secu- rity requires the dedicated support and commitment of Reclamation’s managers at all levels of the organization. Currently, such support and commitment are uneven. Some managers clearly understand the link between Reclamation’s mission and security, and they are spearheading efforts to implement effective security procedures and programs. Others

OCR for page 71
 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM regard security as an unwelcome intrusion into other activities and resent the redirection of resources from other activities to security. Finding: Building commitment and support for the security program is primarily the responsibility of Reclamation’s senior executives—the com- missioner, deputy commissioners, and regional directors and the director and program managers of the SSLE Office. RESOuRCES An effective security program must be staffed with enough people possessing the necessary competencies to carry out assigned tasks and must be funded accordingly. Reclamation is attempting to operate a secu- rity program to protect 450 facilities distributed across 17 states with fewer than 50 full-time-equivalent positions. The responsibilities of this group include developing Reclamation-wide policies and operating pro- cedures, conducting security assessments, managing risks, identifying risk mitigation projects and prioritizing them across an inventory of facilities, conducting background checks on staff and contractors, designing and implementing physical security improvements, identifying and analyz- ing suspicious and criminal activities through liaisons with other federal agencies and local law enforcement, developing security response plans, conducting exercises, and responding to malicious acts. Reclamation’s field personnel and its partners also participate in some aspects of the security program, which leverages the resources available to the SSLE. Nonetheless, a situation in which each regional special agent (RSA) is responsible for an area covering portions of between three and nine states suggests that additional staff resources are required if the SSLE and Recla- mation are to meet their security-related responsibilities effectively. Current funding is inadequate to hire additional staff and to imple- ment other activities that are needed to improve the security program. Reclamation has a backlog of risk-mitigation projects that have not been implemented, in part because there are not enough resources for design- ing and installing them. Very few full-scale exercises have been conducted, also, in part, because of resource limitations. Furthermore, additional training for SSLE staff in communication, negotiation, and other behav- ioral skills is required to develop the sound working relationships that are fundamental to Reclamation’s activities. Reclamation has attempted to leverage its available funding by making some security-related operation and maintenance costs fully reimbursable. This initiative, however, has created additional tension between the BOR and some of its stakeholders, particularly water and power authorities. Designating projects that benefit a specific set of stake-

OCR for page 71
 FUTURE PLANS holders as reimbursable is a well-established and accepted procedure in Reclamation and on the part of its stakeholders as well. However, since security-related projects also provide benefits to the public at large, it is not unreasonable for Reclamation’s partners to object to fully funding security guards or other activities that also benefit the general public. Reclamation’s dam safety program also seeks to protect the general public. However, some dam safety projects are partially reimbursable: Reclamation pays for 85 percent of the project, and a stakeholder who benefits from the project pays 15 percent. Criteria have been developed for determining which dam safety projects are partially reimbursable. The dam safety program may serve as a model from which to develop crite- ria, a process, and a percentage for reimbursement of the costs of some security-related operations and maintenance activities. Whatever process is used to resolve the issue of reimbursability for security-related projects, the current allocation of resources—number of staff, expertise, funding—is not sufficient, in the committee’s opinion, to operate and sustain a program for protecting Reclamation’s assets and people. Continuing to redirect funds from other programs will undermine other Reclamation programs and the condition of its facilities. However, from its discussions with senior Reclamation managers responsible for the security program and the briefings it received from them, the committee found the managers apparently reluctant to fight for additional resources and funding. Finding: The resources—number of staff, expertise, funding—currently available for Reclamation’s security program are not sufficient to operate and sustain an effective program. Finding: Security improvements benefit the public at large and are not limited to specific set of stakeholders. Reclamation’s proposal to make some security-related costs fully reimbursable causes tension with its stakeholders. The safety of dams program, in which reimbursable project costs are split between Reclamation and its stakeholders, may serve as a model for developing criteria, a process, and a cost-sharing percentage for reimbursing the costs of some security-related operations and main- tenance activities. PERFORMANCE MEASuREMENT In the years since the passage of the Government Performance and Results Act of 1993, measuring the outcomes of federal programs has become an established and accepted process. key components of a per- formance measurement system include these:

OCR for page 71
 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM • Clearly defined, actionable, and measurable goals that cascade from organizational mission to management and program levels to individual performance; • Cascading key performance indicators that can be used to measure how well mission, management, program, and individual goals are being met; • Established baselines from which progress toward attainment of goals can be measured; • Accurate, repeatable, and verifiable data; and • Feedback systems to support continuous improvement of an organization’s processes, practices, and results (outcomes) (FFC, 2004). Performance measures help to identify where objectives are not being met or where they are being exceeded. Managers can then investigate the factors or reasons underlying the performance and make appropriate adjustments. Ultimately, an effective performance measurement system should inform decisions about the allocation of resources within an orga- nization (FFC, 2004). As noted in Chapter 1, Reclamation has established elements of a performance measurement system in response to the OMB’s PART evalu- ation process. The stated objective of Reclamation’s site security effort is to reduce security-related risks through a combination of prepared- ness, prevention, protection, and response. The outcome is measured as the number of assets that are rated high risk. Changes in the risk rating will be determined over the long term as security improvements are implemented and risk assessments are repeated (OMB, 2007). Table 4.1 describes the performance measures that are being tracked. These measures represent the start of a performance measurement system for Reclamation’s security program. However, the actual measures focus on the risk assessment element and do not address law enforcement, intelligence gathering and dissemination, training and exercises, protec- tion maintenance, or incident response. The committee did not ask Reclamation managers specifically about their future plans for a performance measurement system, and it may be that additional measures are being developed by Reclamation or by DOI’s OLESEM. In all events, the system should link directly to Reclamation’s mission. For example, a stated goal of the security program might be to ensure that there are no serious disruptions to the delivery of power and water as the result of a malicious act. The program objectives would include preventing, deterring, mitigating, or responding to malicious acts. The performance measures developed could be used to measure the mitigation actions taken.

OCR for page 71
 FUTURE PLANS TABLE 4.1 Performance Measures for Reclamation’s Site Security Effort Performance Measure Description Cost per active background Tracks the efficiency of the background investigation investigation and national security processes, including the ability to implement and maintain electronic methodologies for completing and submitting background investigation forms, verifying the status of investigations and clearances, and maintaining personnel security records. Number of updated regional Tracks whether threat assessments are updated threat assessments annually in each of the five regions and coordinated with state, local, and other federal entities. Number of periodic security Tracks progress in assessing risks and identifying risk assessments conducted protective measures needed at critical facilities. annually on critical or project-essential facilities Percentage of risk assessment Tracks implementation (funding, installation, recommendations that have and operation) of individual protective measures been completed identified in the risk assessment process. Developing effective measures for all aspects of Reclamation’s secu- rity program will be difficult. For example in reviewing the FBI’s intel- ligence program, the OMB concluded as follows: It is difficult to define outcomes for a program that produces intelligence. In some cases, good intelligence analysis will lead to a physical outcome, such as a terrorist attack that is averted or a foreign intelligence pen- etration that is avoided, but this is not always the case. Productive and useful analysis may merely serve to enhance the government’s body of knowledge on a particular topic. (OMB, 2008a, pp. 7 and 8) Measuring for deterrence and response, in contrast, might involve tracking suspicious incidents using Reclamation’s database and tracking the actions taken to investigate and respond to them. The National Park Service Police, for instance, tracks the number of incidents that pose a serious potential threat to selected national monuments. As noted by the OMB, the utility in this measure is not in tracking the total number, but in moni- toring (and responding to) the types of incidents, when they occur, and possible trends. This output measure is used as a proxy outcome mea- sure because measuring the desired outcome (i.e, undamaged national monuments) would be both self-evident and of little use to managers. If

OCR for page 71
 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM a national icon were attacked, a PART target would be the least of USPP concerns. More relevant for managers is tracking the number of incidents that pose potential threats and working to understand why those inci- dents occur. (OMB, 2008b, p. 2) The number of tabletop, functional, or full-scale exercises conducted, the number of identified areas requiring improvements, and the percent- age of improvements implemented might also be tracked to evaluate response capability. In developing a more complete set of measures for its security pro- gram, Reclamation could begin by looking at the performance measures used by similar programs of other federal or quasi-federal agencies, including the Federal Protective Service, USACE, the Tennessee Valley Authority, and the Western Area Power Authority. Finding: Reclamation has developed some performance measures for evaluating the risk mitigation component of its site security program. Additional measures are needed to evaluate processes related to deter- rence of and response to security-related incidents. METHODS FOR CAPTuRINg, DISSEMINATINg, AND IMPLEMENTINg LESSONS LEARNED A lesson learned has been defined as “knowledge or understanding gained by experience,” both positive and negative (GAO, 2002). Lessons learned programs are established to identify which actions or procedures worked and which did not work in a particular situation so that successes can be repeated and failures avoided. The U.S. General Accounting Office (now the Government Accountability Office) has stated that use of lessons learned is a principal component of an organizational culture committed to continuous improvement. Lessons learned mecha- nisms serve to communicate acquired knowledge more effectively and to ensure that beneficial information is factored into planning, work processes, and activities. Lessons learned provide a powerful method of sharing good ideas for improving work processes, facility or equipment design and operation, quality, safety, and cost-effectiveness. (GAO, 2002, p. 13) Most formal lessons-learned processes include a searchable lessons- learned database, a method using subject experts to verify the correctness and applicability of the lessons submitted, and a process that can dissemi- nate lessons learned to the appropriate users. Dissemination may also be accomplished by incorporating lessons learned into policies, guidelines,

OCR for page 71
 FUTURE PLANS or processes through training and seminars, meetings, and conferences or through publications in the form of alerts, newsletters, and the like. Less-formal programs may simply send documents such as after-action reports from a full-scale exercise or from important events, such as errors, accidents, and near misses, to managers and staff who could benefit from them. Tabletop and functional exercises or other forms of simulation could also be vehicles for developing lessons learned. Lessons can also be learned from other organizations that have security programs deemed to be excellent. A visit to such an organization might include on-the-spot discussions of that organization’s experiences in developing its security program. Reclamation personnel visiting these organizations might also hold after-visit, in-depth discussions of the security-related activities and processes they observed. Reclamation does not appear to have a process in place to collect and disseminate lessons learned or to use them for making appropriate changes in policies and procedures. Such a process could be especially valuable in a decentralized organization, where the staff does not regularly meet to share information. Reclamation might consult with other federal orga- nizations that have well-established lessons-learned programs, including the Department of Energy,1 the Aviation Safety Reporting System (housed at Battelle), the Army’s after-action review, the U.S. Navy’s Aviation Train- ing Exercise program (lessons learned are included in after-action “hot wash-ups”), and NASA’s astronaut training program. Finding: Lessons-learned processes can be useful for sharing experience- based information in an organization and for continually improving organizational processes, knowledge, and standards. Sources of lessons learned include after-action reports from training exercises, other forms of simulation, and other organizations. Finding: Reclamation’s security program does not appear to have a formal lessons-learned program in place. Where after-action reports followed major exercises, they were not disseminated to all the regions or the area offices that could have benefited from knowing the exercise results. A VISION AND A LONg-TERM PLAN FOR A SuSTAINABLE PROgRAM Vision and leadership are crucial for all aspects of an organization’s activities. Typically, an organization’s senior executives establish the vision 1DOE’s lessons-learned Web site can be accessed at http://tis.eh.doe.gov/ll.

OCR for page 71
0 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM based on the organization’s mission, set goals and priorities, and then communicate the vision and implementing strategies to the staff and the organization’s stakeholders (GAO, 1998). Mission and vision statements and plans are all important because they are meant to inspire and motivate employees and stakeholders alike to meet the organization’s goals. As stated on its Web site, the mission of the Bureau of Reclamation is to “manage, develop, and protect water and related resources in an environmentally and economically sound manner in the interest of the American public.” Reclamation’s Vision Statement reads as follows: Through leadership, use of technical expertise, efficient operations, responsive customer service and the creativity of people, Reclamation will seek to protect local economies and preserve natural resources and ecosystems through the effective use of water. The commissioner’s plan for how Reclamation will attain its vision includes the following: • Directing our leadership and technical expertise in water resources development and in the efficient use of water through initiatives including conservation, reuse, and research. • Protecting the public and the environment through the adequate maintenance and appropriate operation of Reclamation's facilities. • Managing Reclamation's facilities to fulfill water user contracts and protect and/or enhance conditions for fish, wildlife, land, and cultural resources. • Working with Reclamation's customers and stakeholders to achieve mutual objectives. • Assisting the secretary in fulfilling Indian Trust responsibilities. • Implementing innovative, sound business practices with timely, cost-effective, measurable results. • Promoting a culturally diverse workforce that encourages excellence, creativity, and achievement. Reclamation has also outlined four overarching goals that emphasize its mission to deliver water and generate power while addressing other water use requirements and planning for future water needs to avoid crisis and conflict: • Ensure the reliable delivery of water under Reclamation contracts. • Optimize power generation, consistent with project purposes. • Incorporate other considerations, such as recreation, fish and wildlife, environment, and Native American trust responsibilities, into our water and power operations.

OCR for page 71
 FUTURE PLANS • Identify and plan for future consumptive and nonconsumptive water supply needs by identifying unmet needs in the next 25 years. None of the statements above explicitly addresses the security of Reclamation’s facilities or its people. Protecting the public is mentioned in conjunction with the adequate maintenance and appropriate operation of Reclamation’s facilities, but it reflects a dam safety perspective as opposed to a security perspective. If security were a well-established program embedded within Rec- lamation’s culture, the lack of an explicit reference to it in Reclamation’s mission, vision, and goals statements might not be significant. After all, there is no direct mention of emergency management in the statements above, yet emergency management is clearly embedded in Reclamation’s programs and culture. However, security is a relatively new program that is not consistently supported by Reclamation personnel. The failure to mention security explicitly in the mission statement, the vision, plan, or overarching goals signals that it is not a priority within Reclamation and conveys a lack of support and commitment from senior management. Reclamation does not appear to have a plan for creating a robust, mature, and sustainable security program. When asked about their goals for the security program, senior managers focused on tactical issues such as addressing the backlog of identified risk mitigation projects, finding ways to lower the costs of site security guards, and periodically con- ducting threat assessments and training exercises. Strategic issues, such as how security is to be embedded in Reclamation’s culture and how regional security coordination is to be improved, were not identified. Finding: Among their other objectives, organizational mission and vision statements, plans, and goals are meant to inspire and motivate employees and stakeholders. Typically, they are driven by an organization’s senior executives and reflect their priorities and values. Infrastructure security does not appear explicitly in Reclamation’s mission statement, vision, plan, or goals. The failure to mention it conveys the idea that infrastructure security does not have the support and commitment of senior manage- ment, nor has it been given priority. Finding: Reclamation does not appear to have a plan for a security pro- gram that is robust, mature, and sustainable. When asked about their goals for the security program, senior managers focused on tactical issues. Strategic issues, such as how security is to be embedded in Reclamation’s culture and how regional security coordination is to be improved, were not mentioned.

OCR for page 71
 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM REFERENCES Federal Facilities Council (FFC). 2004. Key Performance Indicators for Federal Facilities Portfolios. Washington, D.C.: The National Academies Press. General Accounting Office (GAO). 1998. Leading Practices in Capital Decision-Making. Wash- ington, D.C.: GAO. GAO. 2002. Using Strategic Human Capital Management to Drive Transformational Change. Washington, D.C.: GAO. Office of Management and Budget (OMB). 2007. Program Assessment: Bureau of Reclamation–Site Security. Available at http://www.whitehouse.gov/omb/expectmore/ summary/10003701.2005.html. OMB. 2008a. Program Assessment: FBI Intelligence. Available at http://www.whitehouse. gov/omb/expectmore/summary/10003811.2006.html. OMB. 2008b. Program Assessment: National Park Service-Park Police. Available at http://www. whitehouse.gov/omb/expectmore/summary/10003727.2006.html. Office of Personnel Management (OPM). 2007. Ensuring the Federal Government Has an Effective Civilian Workforce. Available at http://www.opm.gov/ses/qualify.asp.