Homeland
Security
DHS INTERIM INTEGRATED RISK MANAGEMENT FRAMEWORK
INTERIM INTEGRATED RISK MANAGEMENT FRAMEWORK
The assessment and management of risk underlies the full spectrum of our homeland
security activities… We must apply a risk-based framework across all homeland security
efforts in order to identify and assess potential hazards (including their downstream
effects), determine what levels of relative risk are acceptable, and prioritize and allocate
resources among all homeland security partners… We as a Nation must organize and help
mature the profession of risk management by adopting common risk analysis principles
and standards, as well as a professional lexicon.
INTRODUCTION
The Department of Homeland Security (DHS) is the primary federal agency responsible
for homeland security. DHS is also the principal coordinator for policy and operations
across the national homeland security enterprise. DHS defines risk as the potential for
an unwanted outcome resulting from an incident, event, or occurrence, as determined by
its likelihood and the associated consequences.1 Homeland security risk arises from
multiple threats such as potential acts of terrorism, natural disasters, acts against our
political leadership, violations of the Nation’s borders and others. This risk represents a
complex and ever changing environment and the consequences to our people,
economy, and way of life can be severe.
This Interim Integrated Risk Management Framework (IRMF) provides a foundation for
developing follow-on policy, doctrine and guidance that will institutionalize integrated risk
management in the Department. The IRMF outlines a vision, objectives, principles and a
process for integrated risk management within DHS, and identifies how the Department
will achieve integrated risk management by developing and maturing governance,
processes, training, and accountability methods.
1
DHS Risk Lexicon, September 2008
2
Ibid.
1: INTEGRATED RISK MANAGEMENT VISION
The vision for integrated risk management is to enable individual elements, groups of
elements, or the entire homeland security enterprise to simultaneously and effectively
assess, analyze and manage risk from multiple perspectives across the homeland
security mission space, as depicted in Figure 1. Although the contents of Figure 1 are
intended to be notional, the goals and functions as stated derive from the Department’s
Strategic Plan and Integrated Planning Guidance, respectively.
[Figure 1 (notional): DHS risk viewed by goals, hazards, functions, domains, missions, resources, and partners (Federal, State and local, tribal, private sector).]
Risk managed across missions within a DHS component – Example: The U.S.
Immigration and Customs Enforcement agency (ICE) manages risk across its
mission strategic goals, systematically balancing resources and efforts that support
each strategic goal using an enterprise risk management model. This requires ICE
to examine risk across the different aspects of the component’s mission.
Risk assessed by hazard types – Example: The Bioterrorism Risk Assessment
(BTRA) and Chemical Terrorism Risk Assessment (CTRA)3 are assessments that
can be used to inform risk management efforts across DHS and other Federal
agencies. Another example is natural hazard risk management which is led by the
Federal Emergency Management Agency (FEMA) and coordinated with State, local,
tribal and private sector partners.
Achieving the integrated risk management vision is challenging for two overarching
reasons, and both underscore the importance of continuing to work towards a common
approach to risk management. First, some elements of the homeland security enterprise
manage risk across all hazards and levels of government. Others manage specific types
of risk within specific domains, or manage risk by performing specific types of functions.
While this diversity is critical to our ability to secure the homeland, it also creates a
challenge to integrate efforts across DHS and with the Department’s partners. The
second challenge arises because the responsibility for understanding risk, making
decisions, and taking actions is often distributed across multiple elements.
3
2008 BTRA Report and 2008 CTRA Report, DHS Science & Technology Directorate
2: INTEGRATED RISK MANAGEMENT OBJECTIVES
To achieve the above integrated risk management vision and overcome the recognized
challenges, the Department will achieve the following three objectives:
4
Australian/New Zealand Standard AS/NZS 4360 Risk management
3: INTEGRATED RISK MANAGEMENT PRINCIPLES
A common set of risk management principles has been identified to assist the
Department’s risk assessment, risk analysis, and risk management endeavors to better
inform decision makers. The risk management principles5 are as follows:
Practicality: The principle of practicality means that the risk assessment, analysis
and management endeavors must consider the nature of the uncertainty inherent to
the decision and the decision context and not overstate results. The principle of
practicality is based on the acknowledgement and acceptance of the limitations of
the state of understanding about homeland security risk. These limitations arise from
the dynamic nature of homeland security threats, vulnerabilities, and consequences
as well as the uncertainty6 inherent in assessing risk. Homeland security risk
involves characteristics that traditional risk analytic methods were not developed to
address. To counter this challenge, appropriate assessment and analytic methods
need to be developed to address the uncertainty inherent with homeland security risk
and the effectiveness of mechanisms to manage it.
5
These principles build on the broader set of risk management principles established by the Office of
Management and Budget in 1995 to define risk analysis and its purposes, and to generally guide agencies
as they use risk analysis in the regulatory context. The IRMF risk management principles succinctly
describe important characteristics of homeland security risk management that are wholly consistent with the
overall principles established by OMB while specifically focusing on the key principles for risk management
by DHS. See U.S. Office of Mgmt. and Budget, Memorandum for the Regulatory Working Group, Principles
for Risk Analysis (1995), at www.whitehouse.gov/omb/inforeg/regpol/jan1995_risk_analysis_principles.pdf.
6
The DHS Risk Lexicon defines “uncertainty” as the degree to which a calculated, estimated, or observed
value may deviate from the true value.
Transparency: The principle of transparency establishes that risk assessment,
analysis and management information must be available and openly conveyed when
appropriate. It is imperative that risk assessment, analysis and management
information is not portrayed as a “black box” process. To effectively inform
decision-making, risk management information must have some degree of
transparency. This transparency is critical, whether in the assessment, analysis, or
the development of alternative strategies that contribute to the decision-making.
Transparency of the assumptions made, the uncertainty involved and the associated
communications are also crucial to traceability, comparability, repeatability, and
defensibility. However, in some cases security considerations will limit the
accessibility of details.
4: THE DHS RISK MANAGEMENT PROCESS
Define the Context: DHS risk management efforts are intended to achieve or
inform goals and objectives within a specified context. Therefore, the context of the
decision and related decision-maker goals and objectives must be understood and
incorporated in the design of the assessment and analysis in order to effectively
support the development of alternative strategies. This includes defining goals and
objectives that the decision supports, as well as identifying the relevant stakeholders
and the constraints that the organization and decision maker are operating under.
These goals, objectives, stakeholders, and constraints are used to influence the
design of the risk assessment and analysis.
Assess and Analyze Risk: The risk identified in the previous phase is assessed
and analyzed so it can be used as a foundation for developing alternative strategies
to manage the risk. This phase of the process requires assessing and analyzing risk
in terms of threats, vulnerabilities, and consequences of a potential incident, event,
or occurrence. This phase also requires prioritizing risk, such that risk management
alternatives can be considered in terms of limited resources.
Develop Alternatives: Alternative risk management strategies are the ways and
means to achieve ends, or using alternative language, methods and resources to
achieve objectives. Risk management strategies, which are potentially appropriate
responses to identified and assessed risk, are developed and then evaluated for
projected risk reduction and cost effectiveness. Projected risk reduction
effectiveness and cost effectiveness are the key factors considered in this phase.
Decide and Implement: Risk management requires decisions about best options
among alternative strategies with uncertain outcomes. One key event in the
execution of the risk management process is when a decision maker reviews and
selects among the alternative strategies for managing risk and makes the decision to
implement the selected strategy. Risk information is usually one of many factors
decision makers consider and is not necessarily the sole factor influencing the
decision. There may be times when the strategy selected and implemented does not
optimally reduce risk. Decision makers consider all factors when selecting and
implementing strategies.
This risk management process supports the Department’s mission and is intended to be
compatible with other similar risk management approaches. These approaches include
the National Infrastructure Protection Plan (NIPP) risk management framework, the risk
management cycle recommended by the Government Accountability Office (GAO), the
Integrated Planning System (IPS), and the risk management approach in the Target
Capabilities List (TCL). The process is also in alignment with standards promulgated by
other governments and transnational organizations, such as the draft International
Standards Organization (ISO) 31000 standard, provisionally titled, Guidelines on
Principles and Implementation of Risk Management. The DHS risk management process
is general enough to meet the diverse needs of the Department.
Risk communication underpins each phase of the risk management process. Risk
communication is the exchange of information with the goal of improving risk
understanding, affecting risk perception and/or equipping people or groups to act
appropriately in response to an identified risk.7 Risk is a complicated concept,
intertwined with the concept of uncertainty and judged, in part, on factors such as human
perception and tolerances. As a result, risk communication must continue throughout
the process to ensure that the decision maker, analysis team, and ultimately those
impacted by the decision share a common understanding of what the risk is, what
factors should contribute to managing it, and the associated limitations of the
assessment and analysis. Risk communication is also an essential element in executing
adopted courses of action to manage risk.
7
DHS Risk Lexicon, September 2008
5: ACHIEVING THE OBJECTIVES OF THE IRMF
Consistently implementing the DHS risk management process will improve the capability
of components to use risk management concepts in support of their missions, while
creating mechanisms for aggregating, sharing, and using risk information and analysis
across the Department. Integrated risk management supports the development and
implementation of a core risk management capability in each component.
Each DHS component should utilize the common risk management approach when
establishing programmatic priorities and the allocation of resources for accomplishing
missions. Component risk management capabilities can include component-level risk
management practices that are appropriate and required for respective mission spaces
and component-level decision-making. However, component-level risk management
practices must also be consistent with the common approach shared by the
Department. Adopting a common approach will enable DHS to facilitate and support
effective risk management within components, integrate component-level risk
management processes, and ensure Department-wide strategic level decisions are
risk-informed.
Implementing a common risk management approach will improve the capability of DHS
as an enterprise to assess, analyze, and manage homeland security risk. This improved
risk management capability will enable the Department to fully incorporate risk-informed
decision-making into its strategic-level decision processes. Several Department-wide
strategic decision-making processes require an integrated risk management capability in
order to function optimally. Planning, Programming, Budgeting, and Execution (PPBE) is
one of these strategic decision-making processes. The PPBE is the process by which
DHS long-term strategic decisions are made to align resources to the Department’s
priorities and goals over a multi-year period. Using an integrated risk management
process to inform resource allocations on a Department-wide basis is critical to balance
resources across the set of DHS strategic objectives. Another example is the Integrated
Planning System (IPS). The IPS is the process by which DHS and its Federal, State,
local and tribal partners develop plans for preventing, protecting against, responding to,
and recovering from priority hazards. Prioritization of plan development and even
aspects of plans themselves must be informed by a shared understanding of risk that will
be considerably strengthened by achieving this objective of integrated risk management.
Achieving the integrated risk management objectives is also critical for optimizing
contingency planning and crisis action planning, setting preparedness standards, guiding
the allocation of preparedness assistance, and other risk-informed Department-wide
strategic decisions.
Institutionalize a Risk Management Culture in DHS
This document describes a vision for integrated risk management that requires using a
common approach in terms of risk management principles and risk management
processes. It also describes how a common approach to risk management will improve
both the capabilities of Department components to implement risk management and the
capability of DHS to manage risk leveraging the interactions, interdependencies,
relationships and synergies of the enterprise. However, a common approach to applying
the risk management principles and the risk management process within components
and across the Department is not sufficient to embed integrated risk management into
the Department's philosophy, practices, and business processes.
To institutionalize an enduring risk management culture, DHS will develop and address
the following:
1. Policy, Doctrine, and Guidance: DHS must establish, maintain, and draw from a
coherent body of policy, doctrine, and guidance that articulate requirements for
integrating risk management into established DHS business processes.
2. Processes: DHS processes must ensure components have the ability to manage
risk, while creating repeatable mechanisms for sharing, aggregating and using
component-level risk information to inform the Department’s decision-making
processes.
To build and sustain a fully mature integrated risk management capability, the
Department must achieve four key objectives with respect to establishing and
maintaining decision-making processes:
• Apply the risk management process to decision-making processes at all levels,
when and where it is practical
• Develop and maintain processes for identifying and promulgating effective risk
management practices to enable continuing incremental improvements in risk
management approaches
The RSC will advance integrated risk management across the Department. Its
duties include:
• Monitoring trends, issues, and progress in integrated risk management for the
Secretary of DHS
The RSC consists of three tiers. The Chair of the RSC is the Under Secretary of
NPPD. Tier I includes the senior component leadership. Tier II includes senior
executives within each component, and Tier III includes the risk management leads
within each component.
4. Training and Education: DHS must ensure that its personnel and partners are
equipped to understand, communicate, and execute its system of processes and
governance through training and education. Training and education ensures that the
principles and processes of integrated risk management are applied consistently
across the Department and fosters the development and sustainment of a risk
management capability and culture.
Training and education are required to improve the skills of risk practitioners across
DHS, as well as the ability of decision makers to interpret and use the results of risk
analyses, assessments and management efforts. An essential part of this training
and education is the flexibility to allow for the development of customized,
component-level risk analyses by analysts who know the unique characteristics of
their mission space and the decision needs of their leaders, while providing the
foundation for a common approach across the Department.
6: THE IRMF & THE HOMELAND SECURITY ENTERPRISE – THE WAY FORWARD
“DHS is uniquely positioned to lead a national effort at developing a risk management
approach to securing the homeland. Determining the risks to the homeland, and using a
risk management approach to allocate resources, make decisions, and communicate
threats, readiness, and protective actions… will require establishing and improving
performance metrics for measuring risk and building a framework for risk-informed
decision-making.”
Top Ten Challenges Facing the Next Secretary of Homeland Security, Report of the Homeland Security Advisory
Council, September 2008
This keystone document provides a foundation for advancing the Department’s risk
management capability and begins to position DHS to lead the Nation’s integrated effort
for homeland security risk management by:
• Establishing the need for and facilitating the development of information sharing and
coordination structures, protocols, and models to standardize and improve the
exchange of risk information within DHS;
• Ensuring coordination between related groups to minimize the potential for conflicting
guidance, duplicative efforts and reporting requirements, and the inefficient use of
resources.