DHS Risk-Based Grant Methodology Is Reasonable, But Current Version's Measure of Vulnerability is Limited
GAO-08-852, Jun 27, 2008
Since 2002, the Department of Homeland Security (DHS) has distributed almost $20 billion in funding to enhance the nation's capabilities to respond to acts of terrorism or other catastrophic events. In fiscal year 2007, DHS provided approximately $1.7 billion to states and urban areas through its Homeland Security Grant Program (HSGP) to prevent, protect against, respond to, and recover from acts of terrorism or other catastrophic events. As part of the Omnibus Appropriations Act of 2007, GAO was mandated to review the methodology used by DHS to allocate HSGP grants. This report addresses (1) the changes DHS has made to its risk-based methodology used to allocate grant funding from fiscal year 2007 to fiscal year 2008 and (2) whether the fiscal year 2008 methodology is reasonable. To answer these questions, GAO analyzed DHS documents related to its methodology and grant guidance, interviewed DHS officials about the grant process used in fiscal year 2007 and changes made to the process for fiscal year 2008, and used GAO's risk management framework based on best practices.
For fiscal year 2008 HSGP grants, DHS is primarily following the same methodology it used in fiscal year 2007, but incorporated metropolitan statistical areas (MSAs) within the model used to calculate risk. The methodology consists of a three-step process--a risk analysis of urban areas and states based on measures of threat, vulnerability and consequences, an effectiveness assessment of applicants' investment justifications, and a final allocation decision. The principal change in the risk analysis model for 2008 is in the definition of the geographic boundaries of eligible urban areas. In 2007, the footprint was defined using several criteria, which included a 10-mile buffer zone around the center city. Reflecting the requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007, DHS assessed risk for the Census Bureau's 100 largest MSAs by population in determining its 2008 Urban Areas Security Initiative (UASI) grant allocations. This change altered the geographic footprint of the urban areas assessed, aligning them more closely with the boundaries used by government agencies to collect some of the economic and population data used in the model. This may have resulted in DHS using data in its model that more accurately estimated the population and economy of those areas. The change to the use of MSA data in fiscal year 2008 also resulted in changes in the relative risk rankings of some urban areas. As a result, DHS officials expanded the eligible urban areas in fiscal year 2008 to a total of 60 UASI grantees, in part, to address the effects of this change to MSA data, as well as to ensure that all urban areas receiving fiscal year 2007 funding continued to receive funding in fiscal year 2008, according to DHS officials. Generally, DHS has constructed a reasonable methodology to assess risk and allocate funds within a given fiscal year. The risk analysis model DHS uses as part of its methodology includes empirical risk analysis and policy judgments to select the urban areas eligible for grants (all states are guaranteed a specified minimum percentage of grant funds available) and to allocate State Homeland Security Program (SHSP) and UASI funds. However, our review found that the vulnerability element of the risk analysis model has limitations that reduce its value. Measuring vulnerability is considered a generally-accepted practice in assessing risk; however, DHS's current risk analysis model does not measure vulnerability for each state and urban area. Rather, DHS considered all states and urban areas equally vulnerable to a successful attack and assigned every state and urban area a vulnerability score of 1.0 in the risk analysis model, which does not take into account any geographic differences. Thus, as a practical matter, the final risk scores are determined by the threat and consequences scores.
- Closed - implemented
- Closed - not implemented
Recommendation for Executive Action
Recommendation: To strengthen DHS's methodology for determining risk, the Secretary of DHS should instruct the Federal Emergency Management Agency (FEMA), Office of Intelligence and Analysis (I&A), and National Protection and Programs Directorate (NPPD) - DHS components each responsible for aspects of the risk-based methodology used to allocate funds under the Homeland Security Grant Program - to formulate a method to measure vulnerability in a way that captures variations across states and urban areas, and apply this vulnerability measure in future iterations of this risk-based grant allocation model.
Agency Affected: Department of Homeland Security
Status: Closed - Implemented
Comments: Federal Emergency Management Agency (FEMA) officials reported in August 2011 that the agency, in coordination with other DHS components, modified the measurement of vulnerability for the fiscal year 2011 risk-based grant allocation model to better capture the risk to states and urban areas. For example, the current risk model considers infrastructure and international borders when calculating the vulnerability of states and urban areas. This change was reflected in FEMA's May 2011 Homeland Security Grant Program Guidance and Application Kit that notes that in fiscal year 2011, the risk formula used in the allocation model calculates the contribution of vulnerability and consequence separately as compared to prior years. As a result, DHS now uses a methodology that measure variations in vulnerability across states and urban areas and, therefore, better incorporates risk into the allocation of homeland security grant funding.