Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure
Highlights
Congress and the President have called for various homeland security efforts to be based on risk management--a systematic process for assessing threats and taking appropriate steps to deal with them. GAO examined how three Department of Homeland Security (DHS) components were carrying out this charge: the Coast Guard, which has overall responsibility for security in the nation's ports; the Office for Domestic Preparedness (ODP), which awards grants for port security projects; and the Information Analysis and Infrastructure Protection Directorate (IAIP), which has responsibility for developing ways to assess risks across all types of critical infrastructure. GAO's work focused on identifying the progress each DHS component has made on risk management and the challenges each faces in moving further.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
United States Coast Guard | The Secretary of Homeland Security should direct the Commandant of the Coast Guard to take action in the area of risk assessment by developing plans to establish a stronger linkage between local and national risk assessment efforts. This effort could involve strengthening the ties between local assessment efforts, such as area maritime security plans, and national risk assessment activities. | In fiscal year 2006, we analyzed how multiple Department of Homeland Security (DHS) Components, including the United States Coast Guard, were basing their homeland security efforts on risk management--a systematic process for assessing threats and taking appropriate steps to deal with them. We reported, among other things, that the Coast Guard had developed the ability to compare and prioritize risks at individual ports but it could not yet compare and prioritize relative risks of various infrastructure across ports. In 2006, the Coast Guard transitioned its risk assessment model from the Port Security Risk Assessment Tool to the Maritime Security Risk Analysis Model (MSRAM); a tool... based on the risk management framework proposed in GAO-06-91. MSRAM is a security risk analysis tool that assists in the prioritizing of relative risks associated with critical infrastructure across ports. It is designed to capture the security risk facing different types of targets spanning every industry sector, allowing comparison between different targets and geographic areas at the local, regional, and national levels. It does this by assessing the risk posed by different scenarios in terms of threat, vulnerability, and consequence. Coast Guard officials said that MSRAM continues to evolve and that it will be the risk management tool used by the Coast Guard moving forward. In prior years the decision to use MSRAM was communicated using Navigation and Vessel Inspection Circulars and message traffic. However, officials noted a contractor was hired to provide support to MSRAM stakeholders and will help develop a Commandant's Instruction addressing the use of MSRAM. As such, the Coast Guard has developed and is using a tool that enables it to establish a stronger linkage between local and national risk assessment efforts.
|
United States Coast Guard | The Secretary of Homeland Security should direct the Commandant of the Coast Guard to take action in the area of alternatives evaluation and management selection by ensuring that procedures for these two processes consider the most efficient use of resources. For example, one approach involves refining the degree to which risk management information is integrated into the annual cycle of program and budget review. | In 2006 we reported that just as the Coast Guard's ability to assess risk is stronger at the individual port level than across ports, its ability to evaluate various alternatives for addressing these risks is greater at the port level as well. Part of this limitation is due to the Port Security Risk Assessment Tool (PS-RAT), which was designed to allow ports to prioritize resource allocations within, not between, ports to address risk most efficiently. We said data from PS-RAT help identify vulnerabilities within a port and can be used in improving security measures related to the area maritime security plans. PS-RAT is not designed to work, however, above the port level. At the national...
|
Office for Domestic Preparedness | To strengthen ODP efforts to implement a risk management approach to its port security grant program, the Secretary of Homeland Security should direct the Executive Director for ODP to clarify, in its grant guidance, the conditions under which greater leveraging of federal dollars should be included as a strategic goal for the port security grant program. | In 2006 we found that the Office of Domestic Preparedness (ODP) (now within FEMA) had made progress setting goals, the first phase of GAO's risk management framework for the port security grant program. Congress and the Administration had laid out broad policy goals for maritime security and for the grant program. Congress's stated purpose in establishing the program was to finance the costs of enhancing facility and operational security at critical national seaports. We also reported that a challenge DHS faced involved determining an appropriate way to ensure that grants address key needs while at the same time ensuring that they make the most efficient use of federal dollars. We reported in...
|
Office for Domestic Preparedness | To strengthen ODP efforts to implement a risk management approach to its port security grant program, the Secretary of Homeland Security should direct the Executive Director for ODP to develop measurable objectives for managing the grant program's progress toward achieving strategic goals and use these measures to gauge progress and make adjustments to the program. | In 2006 we reported that the evaluation of alternatives in risk management is an area that the Office for Domestic Preparedness (ODP) (now within FEMA) recognizes as being an important part of awarding port security grants. We reported that one change that was instituted for the fiscal year 2005 grant process involved additional steps to consider benefits and costs. We said that when ODP asked local Coast Guard Captains of the Port to review applications, one criterion it asked them to apply was to determine which projects offer the highest potential for risk reduction for the least cost. We said ODP's ability to assess proposed security improvements, like the Coast Guard's, is influenced by...
|
Office for Domestic Preparedness | To strengthen ODP efforts to implement a risk management approach to its port security grant program, the Secretary of Homeland Security should direct the Executive Director for ODP to coordinate efforts with the Coast Guard and IAIP to use more reliable risk assessment data as they become available. At a minimum, such data should include (1) the relative likelihood of various threat scenarios, (2) consequences and vulnerabilities that are linked to terrorist scenarios, and (3) a comparison of risks across ports. | In 2006, we reported on ODP's (now within FEMA) adjustments to its fiscal year 2005 Port Security Grant Program (PSGP) procedures at the national level, and that it had made a concerted effort to narrow the program to ports of greatest concern, and to use threat, vulnerability, and consequence data to rank and prioritize both ports and applications. Our review of ODP's risk assessment approach and our discussions with ODP and Coast Guard personnel identified several challenges related to limitations regarding the existing data on threats, vulnerabilities, and consequences. We also noted there was a key methodological limitation at the time that affected one goal of risk assessments:...
|
Directorate of Information Analysis and Infrastructure Protection | To help ensure the development of risk management approaches to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to work with the intelligence community to develop ways to better assess terrorist threats and use available information and expert judgment to develop a relative probability for various terrorist scenarios and provide this information to sector-specific agencies. | In fiscal year 2006, we analyzed how multiple Department of Homeland Security (DHS) components--including its Information Analysis and Infrastructure Protection component (now known as the Office of Infrastructure Protection and the Information Analysis Directorate)--were basing their homeland security efforts on risk management: a systematic process for assessing threats and taking appropriate steps to deal with them. We reported, among other things, that these groups face challenges in developing data on the relative likelihood of various threat scenarios--a key part of the assessments it must conduct under the Homeland Security Act of 2002--because the information produced by the...
|
Directorate of Information Analysis and Infrastructure Protection | To help ensure the development of risk management approaches to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to, as tasked by presidential directive, develop a methodology for comparing and prioritizing risks of assets within and across infrastructure sectors by including data on the relative probability of various threat scenarios. | In fiscal year 2006, we analyzed how multiple Department of Homeland Security (DHS) components--including its Information Analysis and Infrastructure Protection component (now known as the Office of Infrastructure Protection and the Information Analysis Directorate)--were basing their homeland security efforts on risk management: a systematic process for assessing threats and taking appropriate steps to deal with them. We reported, among other things, that these groups face challenges in developing data on the relative likelihood of various threat scenarios--a key part of the assessments it must conduct under the Homeland Security Act of 2002--because the information produced by the...
|
Directorate of Information Analysis and Infrastructure Protection | To help ensure the development of risk management approaches to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to, in completing the National Infrastructure Protection Plan, include target dates for completing sector-specific plans, developing performance measures, and identifying protective measures that could address multiple threat scenarios. | In fiscal year 2006, we analyzed how multiple Department of Homeland Security (DHS) components--including its Information Analysis and Infrastructure Protection (IAIP) Directorate (now known as the Office of Infrastructure Protection and the Information Analysis Directorate)--were basing their homeland security efforts on risk management: a systematic process for assessing threats and taking appropriate steps to deal with them. We reported, among other things, that IAIP's progress in all five phases of risk management has been limited. Specifically, despite issuing an Interim National Infrastructure Protection Plan (NIPP) in February 2005 IAIP faced developing performance measures to...
|
Directorate of Information Analysis and Infrastructure Protection | To strengthen individual agency efforts to implement a risk management approach to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to, as required by presidential directive, establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across sectors, along with metrics and criteria for related programs and activities, and develop a timetable for completing such guidance. Such policies and guidance should address the issue of integrating risk management systems into existing systems of program and budget review. | In fiscal year 2006, we reported, among other things, that Information Analysis and Infrastructure Protection (IAIP) has been challenged in establishing uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across sectors, along with metrics and criteria for related programs and activities as called for by the Homeland Security Presidential Directive-7 (HSPD-7). Since 2006, DHS has implemented and updated the National Infrastructure Protection Plan (NIPP), its Risk Lexicon, and the NIPP implementation guidance thereby establishing uniform policies, approaches, guidelines and methodologies for...
|
Directorate of Information Analysis and Infrastructure Protection | To strengthen individual agency efforts to implement a risk management approach to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to, as DHS continues to review its organizational structure, work with the Secretary's office to determine which office is best suited to help ensure that the responsibility for risk management policy and implementation has a broad enough perspective on all elements of risk, including threats, as well as the necessary authority to coordinate with DHS component agencies and hold them accountable for risk management activities. | In fiscal year 2006, we reported, among other things, that Information Analysis and Infrastructure Protection's (IAIP) (now National Protection and Programs Directorate) risk management efforts were focused mainly on assessing and reducing vulnerabilities, which had the potential of limiting DHS's ability to achieve the broader goal of using risk-based data as a tool to inform management decisions. In 2007, the Secretary for the DHS issued Delegation Number 17001, which delegated authority to the Under Secretary for the National Protection and Programs Directorate (NPPD) for managing risk to the nation's critical infrastructure and key resources (CIKR). The Under Secretary, in collaboration...
|
Directorate of Information Analysis and Infrastructure Protection | To strengthen individual agency efforts to implement a risk management approach to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to work with the Office of Management and Budget to examine options for holding departments and agencies accountable for integrating risk management for homeland security programs and activities into the annual cycle of program and budget review. | In fiscal year 2006, we analyzed how multiple Department of Homeland Security (DHS) components--including the Information Analysis and Infrastructure Protection (IAIP) Directorate (now known as the National Programs and Protection Directorate)--were basing their homeland security efforts on risk management: a systematic process for assessing threats and taking appropriate steps to deal with them. We reported, among other things, that beyond DHS, integrating risk with existing systems for budget and program review is complicated by the fact that IAIP and DHS must depend on others to follow risk management principles for programs and budgets at the other six major Departments or agencies...
|