Risk Management
Daniel W. Saunders Jr.
HLSS302
Abstract
The risk management matrix equation, R = (CxVxT), is utilized to assess different variables that influence the vulnerability of a potential target of terrorism. As such, the Department of Homeland Security has utilized this formula and to inform, educate and prepare for potential terrorist attacks. The definition of each variable helps communicate a clear definition of terms and how they relate to preparedness.
R = level of risk
C = consequence, i.e. public health, economy, government, confidence in institutions
V = assessed vulnerability of target
T = threat, or likelihood of attack
Risk Management
In order to discuss the risk management matrix equation, R = CxTxV, we must first explore the topic of risk management as it relates to the Department of Homeland Security (DHS) and the institutions the Federal Government has deemed critical infrastructure. According to DHS, “Risk management and analysis supports specific homeland security missions and determines how homeland security functions can be best used to prevent, protect, mitigate, respond to, and recover from hazards to the Nation” (2010, p. 13). This definition provides the outline for which the equation is founded on. Further, it clearly define terms in order to help communicate risk across departments, as well as provide the information necessary to make informed decisions in matters of threat reduction, nature, cause and severity of risks (DHS, 2010).
Risk management theory implies that though we cannot successfully eliminate each potential risk, we can properly plan against known threats to help reduce risk. According to Decker, there are three main elements of successful risk management, “threat assessment, a vulnerability assessment, and a criticality assessment” (2001, p. 13). The threat assessment is a great decision making tool utilized to help develop security planning programs by identifying threats based on various factors, such as capability, intentions, and lethality of a terrorist attack (Decker, 2001). The vulnerability assessment, regardless of impending threats, identifies critical infrastructure weaknesses that could potentially be exploited by terrorists. The DHS Risk Lexicon elaborates, stating that this tool is the “Product or process of identifying physical features or operational attributes that render an entity, asset, system, network, or geographic area susceptible or exposed to hazards” (2010, p. 39). Through identifying soft targets, the vulnerability assessment provides suggestions to help mitigate exposure to risk for critical infrastructure. Finally, the criticality assessment is utilized to evaluate the particular mission or function of potential targets. It establishes a critical infrastructure hierarchy and prioritizes which require higher levels of protection based on personnel risk and overall significance of a potential successful attack (DHS, 2010, p.11).
Risk Management Fundamentals
The DHS utilizes Risk Management Fundamentals (RMF) to serve as a foundational document to help bridge their communication with the homeland security enterprise. “Risk Management Fundamentals is intended to help homeland security leaders, supporting staffs, program managers, analysts, and operational personnel develop a framework to make risk management an integral part of planning, preparing, and executing organizational missions” (DHS, 2011, p. 5). The key points of RMF is to: (a) help promote a common understanding of risk management, (b) establish best practices to be utilized within DHS, (c) create a standard for conducting risk assessments and weighing risk management options, (d) set standard procedures and adopt a risk management culture through constant training and usage of risk management principles, and (e) educate and inform homeland security professionals in proper risk management applications including the assessment of capabilities, operations and program performance utilizing those assessments for resource and policy decisions (DHS, 2011, pg. 5).
Risk management, particularly Risk Management Fundamentals, is DHS’s “process of weighing cost and potential harm in order to establish planning, training and execution… using processes employing cost-benefit estimates to make policies” (DHS, 2011 p. 6). These policies help identify which policy implementation makes the most sense.
Equation
The initial Risk Management equation was created by the Department of Justice (DOJ) in 2001. This simple equation determined Risk (R) was equal to the Population (P) affected. In 2002, the DHS was given the responsibility of assessing risk, and in 2004 the equation was changed to incorporate critical infrastructure and population density. Still not taking in account threat probability, the equation changed again to Risk (R) equaled the sum of Threat (T) + Critical Infrastructure (CI) + the Population Density (PD) (Masse, O’Neil, and Rollins, 2007).
Our risk analysis is based on these three variables: threat, vulnerability, and consequences. These variables are not equal. For example, some infrastructure is quite vulnerable, but the consequences of an attack are relatively small; other infrastructure may be much less vulnerable, but the consequences of a successful attack are very high, even catastrophic (Chertoff, 2005, p. 2).
In 2006, with a change of strategy, the DHS implemented yet another equation. This new equation no longer added risk variables, but multiplied them. The equation Risk (R) = Threat (T) x Vulnerability (V) x Consequence (C) took into consideration the “threat to a target/area, multiplied by vulnerability (V) of the target/area, multiplied by consequence (C) of an attack on that target/area” (Masse, O’Neil, and Rollins, 2007, pg 9). This also allowed for proper allocation of resources to prepare for and respond to terrorist acts.
DHS defines threat as dealing with the likelihood of attack, vulnerability and consequence in relation to the exposure and expected impact of an attack (DHS, 2007). Threat is assigned a value of 20%, which takes into account reporting, plots, investigations and threat tiers. Vulnerability and consequences are assigned 80%, incorporating the sub-components of population index (40%), economic index (20%), national security index (5%), and infrastructure index (15%) (DHS, 2007). With this risk evaluation, the DHS “considers the populations in a particular area that could be at risk, the concentration of people in the area, and specific characteristics of their location that might contribute to risk, such as Intelligence Community assessments of threat, proximity to nationally critical infrastructure, and the economic impact of an attack” (DHS, 2007, p. 8). Specifically, Intelligence Community threat assessments outline the areas of the country most likely to be attacked. As for vulnerability and consequence, overall impact and outcomes of an attack occurring in key locations are taken into consideration (DHS, 2007).
Conclusion
The DHS utilizes the Risk Management Matrix in order to communicate terms and understanding throughout Federal, State and Local law enforcement agencies, as well as pertinent private sector organizations. Defining key terms and procedures, its is also used to prepare, educate and respond to terrorist acts. Overall, the formula helps the DHS to properly assess potential damage to key infrastructure and citizens’ way of life should a terrorist attack occur. After this critical step is accomplished, the DHS can then allocate funding to protect high priority critical infrastructure targets.
References
Chertoff, M. (2005). Secretary Michael Chertoff US Department of Homeland Security Second
Stage View Remarks. United States Department of Homeland Security Press office.
Retrieved from https://www.dhs.gov/ on June 16, 2018.
Decker, R. J. (2002). Homeland security: Key elements of a risk management approach. U. S. Government Accountability Office. Washington, D.C.: Government Printing Office.
Department of Homeland Security. (2007). “FY2007 Homeland Security Grant Program:
Program Guidance and Application Kit.” Retrieved from http://www.ojp.usdoj.gov/odp/
docs/fy07_hsgp_guidance.pdf on June 16, 2018.
Department of Homeland Security. (2010). DHS Risk Management Lexicon. Washington, D.C.: U.S. Government Printing Office.
Department of Homeland Security. (2011). Risk management fundamentals: Homeland security
risk management doctrine. Washington, D.C.: U.S. Government Printing Office.
Masse, T., O’Neil, S., & Rollins, J. (2007). The Department of Homeland Security’s risk assessment methodology: Evolution, issues, and options for Congress. Congressional Research Service. Report RL33858. Washington, DC: Office of Congressional Information and Publishing.