Review of the Department of Homeland Security’s Approach to RISK ANALYSIS

Committee to Review the Department of Homeland Security’s Approach to Risk Analysis

NATIONAL RESEARCH COUNCIL
OF THE NATIONAL ACADEMIES

THE NATIONAL ACADEMIES PRESS

Washington, D.C.
www.nap.edu



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page R1
Review of the Department of Homeland Security’s Approach to RISK ANALYSIS Committee to Review the Department of Homeland Security’s Approach to Risk Analysis

OCR for page R1
THE NATIONAL ACADEMIES PRESS 500 Fifth Street, N.W. Washington, DC 20001 NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance. Support for this project was provided by the Department of Homeland Security under sponsor award HSHQDC-08-C-00090. Any opinions, findings, conclu- sions, or recommendations expressed in this publication are those of the au- thor(s) and do not necessarily reflect the views of the organizations or agencies that provided support for the project. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. government. International Standard Book Number—13: 978-0-309-15924-1 International Standard Book Number—10: 0-309-15924-5 Additional copies of this report are available from the National Academies Press, 500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624- 6242 or (202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu. Copyright 2010 by the National Academy of Sciences. All rights reserved. Printed in the United States of America.

OCR for page R1
The National Academy of Sciences is a private, nonprofit, self-perpetuating so- ciety of distinguished scholars engaged in scientific and engineering research, dedi- cated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences. The National Academy of Engineering was established in 1964, under the char- ter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its mem- bers, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors en- gineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievement of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering. The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Insti- tute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine. The National Research Council was organized by the National Academy of Sci- ences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice-chair, respec- tively, of the National Research Council. www.national-academies.org iii

OCR for page R1

OCR for page R1
Committee to Review the Department of Homeland Security’s Approach to Risk Analysis John F. Ahearne, Chair, Sigma Xi (Executive Director Emeritus), Research Tri- angle Park, North Carolina, and Duke University, Durham, North Carolina Gregory B. Baecher, University of Maryland, College Park Vicki M. Bier, University of Wisconsin, Madison1 Robin Cantor, Exponent, Inc., Alexandria, Virginia Timothy Cohn, U.S. Geological Survey, Reston, Virginia Debra Elkins, Allstate Insurance Company, Northbrook, Illinois2 Ernest R. Frazier, Sr., Countermeasures Assessment and Security Experts, Mid- dletown, Delaware Katherine Hall, BAE Systems, McLean, Virginia Roger E. Kasperson, Clark University (Emeritus), Worcester, Massachusetts Donald Prosnitz, Consultant, Walnut Creek, California Joseph V. Rodricks, ENVIRON, Arlington, Virginia Monica Schoch-Spana, University of Pittsburgh Medical Center, Baltimore, Maryland Mitchell J. Small, Carnegie Mellon University, Pittsburgh, Pennsylvania Ellis M. Stanley, Sr., Dewberry, Los Angeles, California NRC Staff Stephen D. Parker, Study Director Scott T. Weidman, Deputy Study Director Stephan A. Parker, Scholar Associate Glenn E. Schweitzer, Scholar Associate Ellen A. de Guzman, Research Associate Stephen Russell, Senior Program Assistant 1 Dr. Bier resigned from the committee on July 1, 2009, when she began to perform re- search supported by the Department of Homeland Security (DHS). 2 Dr. Elkins resigned from the committee on December 7, 2009 to avoid a potential conflict of interest. She took a position with DHS’s Office of Risk Management and Analysis on February 1, 2010. v

OCR for page R1

OCR for page R1
Preface T he events of September 11, 2001, changed perceptions, rearranged na- tional priorities, and produced significant new government entities, most notably the U.S. Department of Homeland Security (DHS). Whereas the principal mission of DHS is to lead national efforts to secure the nation against those forces that wish to do harm, the department also has responsibilities in regard to preparation for and response to other hazards and disasters, such as floods, earthquakes, and other “natural” disasters. Created in 2003, DHS is large and complex, with 22 “components,” some of which were well established prior to the department’s creation and others that were new creations along with the department. Across the department, whether in the context of preparedness, response, or recovery from terrorism, illegal entry to the country, or natural dis- asters, both the previous and the current DHS Secretaries have stated a commit- ment to processes and methods that feature risk assessment as a critical compo- nent for making better-informed decisions. The difficulties in developing a risk-based framework and activities for de- cisions across DHS are daunting, largely due to the great uncertainties in under- standing the suite of threats. In concept, however, risk assessment is believed to provide a good opportunity for sound analysis and consistent decision support. Against this backdrop, the U.S. Congress asked the National Research Council (NRC) of the National Academies to review and assess the activities of DHS related to risk analysis (P.L. 110-161, Consolidated Appropriations Act of 2008). Subsequently, a contract featuring the Statement of Task shown in Boxes S-1 and 1-1 was agreed upon by the National Academies and DHS officials to support this study. Our committee was appointed in October 2008 to carry out the study. The committee was a multidisciplinary group with technical, public policy, and social science expertise and experience concerning the areas of DHS’s responsibilities. During a 15-month study period, our full committee met 5 times and sub- groups of the committee met another 11 times with DHS officials and represen- tatives of a variety of organizations to gather information. (See Appendix C for a chronology of our meetings and visits and Appendix D for a list of individuals who contributed information and perspectives to our efforts.) At most of our meetings we received briefings from numerous DHS officials on various aspects of our charge. The task of reviewing a large set of continually evolving activities across an organization as large and diverse as DHS presented difficulties for the commit- tee. Although DHS is responsible for all aspects of homeland security, which vii

OCR for page R1
viii PREFACE includes planning for and responding to natural disasters such as hurricanes, the report is weighted toward terrorism because that is where DHS efforts are weighted. Throughout, however, the committee was mindful of its chief objec- tive: to help DHS by critiquing and providing advice on improving the risk- informed basis for decision making across the department. We began with a good appreciation for the difficulty of the task and that appreciation only grew as we learned more about relevant activities and their inherent challenges. We hope that this report is helpful to DHS as it proceeds with implementation of its plans. This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures ap- proved by the NRC’s Report Review Committee. The purpose of this independ- ent review is to provide candid and critical comments that will assist the NRC in making its published report as sound as possible and will ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report: John T. Christian, consulting engi- neer; Jared L. Cohon, Carnegie Mellon University; William H. Hooke, Ameri- can Meteorological Society; Howard Kunreuther, Wharton Risk Management Center; Linda Landesman, New York City Health and Hospitals Corporation; Stephen M. Robinson, University of Wisconsin-Madison; Kathleen J. Tierney, University of Colorado at Boulder; Detlof von Winterfeldt, International Insti- tute for Applied Systems Analysis; and Henry H. Willis, RAND Corporation. Although the reviewers listed above provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommen- dations, nor did they see the final draft of the report before its release. The re- view of this report was overseen by Patrick Atkins, Pegasus Capital Investors (Retired) and Lynn R. Goldman, Johns Hopkins University. Appointed by the NRC, they were responsible for making certain that an independent examination of the report was carried out in accordance with institutional procedures and that all review comments were considered carefully. Responsibility for the final content of this report rests entirely with the authoring committee and the institu- tion. Finally, I want to acknowledge and thank the committee members for their conscientious work, the help of DHS staff, and the dedicated work of the Acad- emies staff. John F. Ahearne, Chair

OCR for page R1
Contents ACRONYMS SUMMARY ........................................................................................................ 1 1 INTRODUCTION .................................................................................... 15 The Decision-Making Context for this Study ...................................... 16 Risk Models and Methods Examined in Detail to Carry Out This Study.................................................................... 18 How the Study Was Conducted ........................................................... 20 Structure of This Report ...................................................................... 21 2 OVERVIEW OF RISK ANALYSIS AT DHS........................................ 22 Introduction ......................................................................................... 22 The Decision Context at DHS ............................................................. 23 Review of Current Practices of Risk Analysis Within DHS................ 30 Concluding Observation ...................................................................... 42 3 CHALLENGES TO RISK ANALYSIS FOR HOMELAND SECURITY................................................................ 44 Comparison of Risk Assessment of Natural Hazards and of Terrorism ........................................................................... 44 Risk Analysis for Counterterrorism Is Inherently More Difficult Than Risk Analysis for Natural Hazards ...................................... 46 4 EVALUATION OF DHS RISK ANALYSIS .......................................... 52 Detailed Evaluation of the Six Illustrative Risk Models Examined in This Study..................................................................................... 53 A Number of Aspects of DHS Risk Analysis Need Attention............. 80 5 THE PATH FORWARD.......................................................................... 88 Build a Strong Risk Capability and Expertise at DHS......................... 88 Incorporate the Risk = f(T,V,C) Framework, Fully Appreciating the Complexity Involved with Each Term in the Case of Terrorism ...................................................................................... 93 ix

OCR for page R1
x CONTENTS Develop a Strong Social Science Capability and Incorporate the Results Fully in Risk Analyses and Risk Management Practices...................................................................................... 100 Build a Strong Risk Culture at DHS .................................................. 106 Adopt Strong Scientific Practices and Procedures, Such as Careful Documentation, Transparency, and Independent Outside Peer Review................................................................................ 109 REFERENCES............................................................................................... 115 APPENDIXES A Characterization of Uncertainty ................................................................ 127 B Evolution of Risk Analysis at EPA........................................................... 133 C List of Committee Meetings and Site Visits ............................................. 139 D Presenters and Resource Persons at the Committee’s Information- Gathering Meetings ........................................................................... 141 E Committee Biographical Information ....................................................... 143

OCR for page R1
Acronyms AEP Annual Exceedance Probability BARDA Biomedical Advanced Research and Development Authority BTRA Biological Threat Risk Assessment C2C Cost-to-Capability CAF Critical Asset Factors CBP U.S. Customs and Border Protection CBRN Chemical, Biological, Radiological, Nuclear CFATS Chemical Facility Anti-Terrorism Standards CIKR Critical Infrastructure and Key Resources CITA Critical Infrastructure Threat Assessment Division (DHS) CREATE Center for Risk and Economic Analysis of Terrorism Events CREM Council for Regulatory Environmental Modeling (EPA) CTRA Chemical Terrorism Risk Assessment DHHS Department of Health and Human Services DHS Department of Homeland Security DOJ Department of Justice DoD Department of Defense EPA Environmental Protection Agency ERM Enterprise Risk Management EVPI Expected Value of Perfect Information EVPIX Expected Value of Perfect Information About X EVSI Expected Value of Sample Information GAO Government Accountability Office FEMA Federal Emergency Management Agency HITRAC Homeland Infrastructure Threat and Risk Analysis Center HPS Hurricane Protection System HSGP Homeland Security Grant Program HSPD Homeland Security Presidential Directive I&A Office of Intelligence & Analysis (DHS) IP Office of Infrastructure Protection (DHS) iCBRN Integrated Chemical, Biological, Radiological, Nuclear ICE Immigration and Customs Enforcement (DHS) IECGP Interoperable Emergency Communications Grant Program IRMF Integrated Risk Management Framework IT Information Technology IVA Infrastructure Vulnerability Assessment xi

OCR for page R1
xii ACRONYMS MKB Models Knowledge Base MSRAM Maritime Security Risk Analysis Model NFIP National Flood Insurance Program NIPP National Infrastructure Protection Plan NISAC National Infrastructure Simulation and Analysis Center NMSRA National Maritime Strategic Risk Assessment NRC National Research Council OMB Office of Management and Budget PANYNJ Port Authority of New York and New Jersey PMI Protective Measure Index PPBE Planning, Programming, Budgeting, and Execution PRA Probabilistic Risk Analysis PSA Protective Security Advisor PSGP Port Security Grant Program QRA Quantitative Risk Analysis RAMCAP Risk Analysis and Management for Critical Asset Protection RAPID Risk Analysis Process for Informed Decision Making RFI Request for Information RMA Office of Risk Management and Analysis RMAP Risk Management Analysis Process RMAT Risk Management Analysis Tool RMS Risk Management Solutions RRAP Regional Resiliency Assessment Project RSC Risk Steering Committee (DHS) S&T Science and Technology Directorate (DHS) SHIRA Strategic Homeland Infrastructure Risk Assessment SHSP State Homeland Security Program SME Subject Matter Expert SSP Site Security Plan START Study of Terrorism and Responses to Terrorism SVA Security Vulnerability Assessment TCL Target Capabilities List TRAM Terrorism Risk Assessment and Management TSA Transportation Security Administration TSGP Transit Security Grant Program TVC Threat-Vulnerability-Consequences UASI Urban Areas Security Initiative USCG U.S. Coast Guard USGS U.S. Geological Survey VOI Value of Information WMD Weapons of Mass Destruction