ComputerScienceExpert
$18/per page/
Find attached the question on Wk5 file. You only have to work on one of the other 2 attachments: DoD or DHS. Whichever one you chooses, please read the requirements and follow the instruction on Wk5 file.
Risk Management
Fundamentals
Homeland Security Risk Management Doctrine
April 2011 LETTER FROM THE UNDER SECRETARY
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE
In May 2010, the Secretary of Homeland Security established a Policy for Integrated Risk
Management (IRM). Central to this policy is the premise that security partners can most
effectively manage risk by working together, and that management capabilities must be built,
sustained, and integrated with Federal, state, local, tribal, territorial, nongovernmental, and
private sector homeland security partners. While successful integration requires implementation
across the entire homeland security enterprise, the Department of Homeland Security (DHS)
plays an essential role in leading the unified effort to manage risks to the Nation from a diverse
and complex set of hazards, including acts of terrorism, natural and manmade disasters,
pandemics, cyber attacks, and transnational crime.
An essential first step in the integration of risk management is the establishment of doctrine and
guidance. Risk Management Fundamentals is the first in a series of publications that will
provide a structured approach for the distribution and employment of risk information and
analysis efforts across the Department. While this is the capstone publication for homeland
security risk management, implementation of risk management requires the combined efforts of
Components to tailor and implement key risk management methods and practices. Homeland
security risk management is on a positive trajectory and this publication will further enable DHS
to mature and strengthen its capabilities to address homeland security risks. The key objectives
of this publication are to promote a common understanding of and approach to risk management
for homeland security; establish a common foundation that enables consistent risk management
application and training; and support the development of a risk management culture and
philosophy across DHS. Risk Management Fundamentals establishes doctrine for DHS,
although concepts within the doctrine may be a useful guide to our Federal interagency partners,
state and local agencies, as well as the larger homeland security community.
Risk Management Fundamentals, produced by the Office of Risk Management and Analysis, in
coordination with the Office of Policy, has been vetted and approved by the DHS Risk Steering
Committee, a governing body of which I serve as the Chairman. Pursuant to the authority vested
in the Under Secretary for the National Protection and Programs Directorate by the Secretary of
Homeland Security in Delegation Number 17001 to lead the Department’s efforts to establish a
common framework to address the overall management and analysis of homeland security risk,
this publication is hereby recognized and approved for official use until revised or superseded. RAND BEERS
UNDER SECRETARY
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE
DEPARTMENT OF HOMELAND SECURITY Letter from the Under Secretary 1 This page intentionally left blank. 2 Risk Management Fundamentals TABLE OF CONTENTS
I. Key Objectives ........................................................................ 5
Purpose ................................................................................................... 5
Audience ................................................................................................. 6 II. Introduction ........................................................................... 7
Homeland Security Risks ............................................................................. 7
Sound Decision Making ............................................................................... 7
The Value of Risk Management ..................................................................... 8
Risk Management Applications ...................................................................... 9 III. Homeland Security Risk Management Tenets and Principles 11 IV. A Comprehensive Approach to Risk Management ................. 13
Internal Sources of Risk ............................................................................. 13
External Sources of Risk ............................................................................ 13
Key Business Practices .............................................................................. 14 V. The Homeland Security Risk Management Process ............... 15
Risk Communications................................................................................ 15
Risk Management Processes ........................................................................ 16
Elements of the Homeland Security Risk Management Process ............................. 16 VI. 1. Define the Context ............................................................................................ 16 2. Identify Potential Risk........................................................................................ 18 3. Assess and Analyze Risk .................................................................................... 19 4. Develop Alternatives ......................................................................................... 22 5. Decide Upon and Implement Risk Management Strategies............................................ 24 6. Evaluation and Monitoring .................................................................................. 25 7. Risk Communications ........................................................................................ 26 Conclusion ........................................................................... 29 Table of Contents 3 This page intentionally left blank. 4 Risk Management Fundamentals I. KEY OBJECTIVES This doctrine, Risk Management Fundamentals, serves as an authoritative statement regarding the
principles and process of homeland security risk management and what they mean to homeland security
planning and execution. It is intended as the capstone doctrine on risk management for the Department of
Homeland Security (DHS). Furthermore, Risk Management Fundamentals serves as a foundational
document supporting DHS risk management efforts in partnership with the homeland security enterprise.1
Risk Management Fundamentals is intended to help homeland security leaders, supporting staffs,
program managers, analysts, and operational personnel develop a framework to make risk management an
integral part of planning, preparing, and executing organizational missions. The development of
homeland security risk management doctrine is an essential element in promoting a risk-informed culture
enabling training, capability development, and integration across DHS to strengthen and improve the
Nation’s security. Risk Management Fundamentals articulates a desired end-state that DHS aspires to
achieve in promoting risk management.
This doctrine is not a substitute for independent thought or innovation in applying these principles and
concepts. Simply reading the doctrine will not make one adept in managing risks, nor will attempting to
follow the ideas herein as if they were a checklist; rather, doctrine serves to shape how one thinks about
the issues that you are considering and should be applied based on the operating environment. Homeland
security practitioners should compare the doctrine herein against their own experience and think about
why, when, and how it applies to their situation and area of responsibility.
Purpose
The purpose of this document is to: Promote a common understanding of, and
approach to, risk management; Establish organizational practices that should be
followed by DHS Components; Provide a foundation for conducting risk
assessments and evaluating risk management
options; Set the doctrinal underpinning for
institutionalizing a risk management culture
through consistent application and training on risk
management principles and practices; and A Note on the Scope and
Application of this Document
Risk Management Fundamentals
captures the theoretical underpinnings
of homeland security risk management
and articulates principles and practices
that should be strived for across
homeland security decision making.
In doing so, this document should not
be read as criteria to be evaluated
against, but instead as a statement of
aspirations for improved homeland
security decision making, applied in a
variety of operating environments,
many of which face constraints. Educate and inform homeland security
stakeholders in risk management applications,
1 As noted in the 2010 Quadrennial Homeland Security Review Report, the homeland security enterprise “refers to the collective
efforts and shared responsibilities of Federal, state, local, tribal, territorial, non-governmental, private volunteer, and privatesector partners — as well as individuals, families, and communities — to maintain critical homeland security capabilities. It
connotes a broad-based community with a common interest in the safety and well being of America and American society.” Key Objectives 5 including the assessment of capability, program, and operational performance, and the use of such
assessments for resource and policy decisions.
Audience
The principal audiences for Risk Management Fundamentals are DHS employees, including: Executives who establish strategic and operational priorities, select courses of action, and allocate
resources; Program Managers and Planners who turn executive decisions into actionable, implementable
plans and oversee the day-to-day execution of these plans; Operational Personnel who implement plans and programs using specific, tactical and operational
risk management tools; and Risk and Decision Analysts who collect, assess, and present risk information to help executives
make decisions, aid program managers and planners in explaining decisions and approaches to
stakeholders, and assist operational personnel in connecting their work to the desired outcome.
Risk Management Fundamentals may be helpful to Federal interagency partners, state and local agencies,
as well as the larger homeland security community. 6 Risk Management Fundamentals II. INTRODUCTION “. . . a safe and secure homeland must mean more than preventing terrorist attacks from being
carried out. It must also ensure that the liberties of all Americans are assured, privacy is protected,
and the means by which we interchange with the world — through travel, lawful immigration, trade,
commerce, and exchange — are secured. Ultimately, homeland security is about effectively
managing risks to the Nation’s security.”
~ Quadrennial Homeland Security Review Report, 2010
Homeland Security Risks
The United States homeland security environment is complex and filled with competing requirements,
interests, and incentives that must be balanced and managed effectively to ensure the achievement of key
national objectives. The safety, security, and resilience of the Nation are threatened by an array of
hazards, including acts of terrorism, malicious activity in cyberspace, pandemics, manmade accidents,
transnational crime, and natural disasters. At the same time, homeland security organizations must
manage risks 2 associated with workforce management, acquisitions operations, and project costs.
Collectively, these external and internal risks have the potential to cause loss of life, injuries, negative
psychosocial impact, environmental degradation, loss of economic activity, reduction of ability to
perform mission essential functions, and loss of confidence in government capabilities.
It is the role of DHS and its partners to understand and manage these myriad homeland security risks. We
live in a dynamic and uncertain world where the past does not serve as a complete guide to the future. In
addition, the systems that provide the functions essential for a thriving society are increasingly intricate
and interconnected. This means that potential disruptions to a system are not fully understood and can
have large and unanticipated cascading effects throughout American security. Compounding this
complexity is the fact that future trends — such as technological advancements, global climate change,
asymmetric threats, and the evolving nature of Nation-states — have the potential to significantly alter the
homeland security risk landscape in unexpected ways. Yet such emerging trends hold promise as well as
peril and should be understood and managed.
Sound Decision Making
Establishing the capability and capacity to identify, understand, and address such complex challenges and
opportunities is the crux of risk management. Risk management is an approach for making and
implementing improved homeland security decisions.
“Risk management is the process for identifying, analyzing, and communicating risk and
accepting, avoiding, transferring, or controlling it to an acceptable level considering associated
costs and benefits of any actions taken.”
- DHS Risk Lexicon, 2010 Edition 2 Throughout this document, risk is defined as “the potential for an unwanted outcome resulting from an incident,
event, or occurrence, as determined by its likelihood and the associated consequences.” DHS Risk Lexicon, 2010
Edition.
Introduction 7 To improve decision making, leaders in DHS and their partners in the homeland security enterprise must
practice foresight and work to understand known and uncertain risks, as best they can, in order to make
sound management decisions. These leaders need to consider the risks facing the homeland to make
appropriate resource tradeoffs and align management approaches. Addressing these risks and promoting
security is a shared responsibility that depends on unity of effort among Federal, state, local, tribal and
territorial governments, the private sector, non-governmental organizations, and the citizenry as a whole.
The Value of Risk Management
The Secretary of Homeland Security has established the requirement for DHS to build and promote an
integrated approach to homeland security risk management, working with partners across the homeland
security enterprise. The Department’s role in establishing integrated risk management is to build security,
safety, and resilience across domains by connecting efforts to prevent terrorism and enhance security,
secure and manage our borders, enforce and administer our immigration laws, safeguard and secure
cyberspace, ensure resilience to disasters, and provide essential support in assuring national and economic
security.
Improved homeland security depends on connecting information about risks, activities, and capabilities
and using this information to guide prevention, protection, response, and recovery efforts. The
establishment of sound risk management practices across DHS and the homeland security enterprise will
help protect and enhance national interests, conserve resources, and assist in avoiding or mitigating the
effects of emerging or unknown risks. At the organizational level, the application of risk management
will complement and augment strategic and operational planning efforts, policy development, budget
formulation, performance evaluation and assessments, and reporting processes.
Risk management will not preclude adverse events from occurring; however, it enables national homeland
security efforts to focus on those things that are likely to bring the greatest harm, and employ approaches
that are likely to mitigate or prevent those incidents. Furthermore, the American people, resources,
economy, and way of life are bolstered and made more
resilient by anticipating, communicating, and preparing
Resilience and Risk Management
for hazards, both internal and external, through
comprehensive and deliberate risk management.
One of the foundational concepts of
Risk management is not an end in and of itself, but
rather part of sound organizational practices that include
planning, preparedness, program evaluation, process
improvement, and budget priority development. The
value of a risk management approach or strategy to
decision makers is not in the promotion of a particular
course of action, but rather in the ability to distinguish
between various choices within the larger context.
Establishing the infrastructure and organizational
culture to support the execution of homeland security
risk management is a critical requirement for achieving
the Nation’s security goals. Risk management is
essential for homeland security leaders in prioritizing
competing requirements and enabling comprehensive
approaches to measure performance and detail progress. 8 Risk Management Fundamentals homeland security is the need to build
resilient systems, communities, and
institutions that are robust, adaptable and
have the capacity for rapid recovery.
Resilience and risk management are
mutually reinforcing concepts.
Risk management contributes to the
achievement of resilience by identifying
opportunities to build resilience into
planning and resourcing to achieve risk
reduction in advance of a hazard, as well
as enabling the mitigation of
consequences of any disasters that do
occur. Risk Management Applications
The practice of risk management allows for a systematic and comprehensive approach to homeland
security decision making. Risk management promotes the development and use of risk analysis3 to
inform homeland security decision making, to better inform selection among alternative strategies and
actions, and to evaluate the effectiveness of the activities we undertake. Risk management applications
include:
Strategic Planning
Homeland security strategies should be designed to address the risks that a particular organization faces,
taking a long-term view to building capabilities that can mitigate risk through prevention, protection,
response, and recovery activities. Homeland security strategies should shape how organizations approach
building and sustaining capabilities. Capabilities-based Planning
Risk management allows planners to prioritize which capabilities might have the greatest return on
investment in preparedness activities. Risk management can also help identify which capabilities are most
relevant to an organization and identify potential capability gaps. Resource Decisions
Risk management should be a key component of an evidence-driven approach to requesting and allocating
resources, including grant funding. By understanding risk, organizations can identify realistic capability
requirements, fund projects that bring the greatest return on investment, describe desired outcomes and
how they will mitigate risk, and explain the rationale behind those decisions in clear, objective, and
transparent terms. Operational Planning
Through risk management, organizations can better understand which scenarios are more likely to impact
them, what the consequences would be, what risks merit special attention, what actions must be planned
for, and what resources are likely to be needed, as well as what risks have the ability to negatively impact
operations. Exercise Planning
Risk management can be used to identify realistic scenarios for exercises, zeroing in on special threats and
hazards, as well as priority capabilities and applicable assets. Real-world Events
Risk management can help decision makers weigh potential courses of action within a contextual
understanding of the risk of different threats and hazards to critical assets, geographic areas, and
population centers during a crisis. Research and Development
Risk analysis can be used to inform decisions on filling homeland security gaps and identifying
opportunities that may be best met with enhanced technologies and/or innovative solutions, thereby
establishing priorities for long-term research and development investments. 3 Risk analysis is the “systematic examination of the components and characteristics of risk.” DHS Risk Lexicon,
2010 Edition.
Introduction 9 This page intentionally left blank. 10 Risk Management Fundamentals III. HOMELAND SECURITY RISK MANAGEMENT TENETS AND
PRINCIPLES Risk management enables homeland security leaders to distinguish between and among alternative
actions, assess capabilities, and prioritize activities and associated resources by understanding risk and its
impact on their decisions.
Standard risk management principles are not designed to promote uniformity or conformity; rather, they
offer broad guidance that should be uniquely tailored for the specific needs of each organization. While a
“one-size-fits-all” approach for homeland security risk management is neither feasible nor desirable, all
DHS risk management programs should be based on two key tenets: Risk management should enhance an organization’s overall decision making process and
maximize its ability to achieve its objectives. Risk management is used to shape and control risk, but cannot eliminate all risk.
The key principles for effective risk management include: Unity of Effort Transparency Adaptability Practicality Customization
A description of each principle follows:
Unity of Effort: The principal of unity of effort reiterates that homeland security risk management is an
enterprise-wide process and should promote integration and synchronization with entities that share
responsibility for managing risks.
Risk management efforts should be coordinated and integrated among all partners, with shared or
overlapping risk management responsibilities, to include Federal, state, local, tribal, and territorial
governments, as well as the private sector, non-governmental organizations, and international partners.
Most homeland security measures involve representatives of different organizations, and it is important
that there is unity of effort amongst those charged with managing risks to ensure consistent approaches
are taken and that there is a shared perspective of security challenges.
Transparency: The principle of transparency establishes that effective homeland security risk
management depends on open and direct communications.
Transparency is vitally important in homeland security risk management due to the extent to which the
decisions involved affect a broad range of stakeholders. Transparency is important for the analysis that
contributes to the decision making. It includes the assumptions that supported that analysis, the
uncertainty involved with it, and the communications that follow the decision. Risk management should Homeland Security Risk Management Tenets and Principles 11 not be a “black box” exercise where analysis is hidden. Those impacted by a risk management approach
should be able to validate the integrity of the approach.
This principle does not countermand the times when there is need for security of sensitive or classified
information; however, it does suggest that the processes and methodologies used for homeland security
risk management may be shared even if the information is not. In turn, transparency will foster honest
and realistic dialogue about opportunities and limitations.
Adaptability: The principle of adaptability includes designing risk management actions, strategies, and
processes to remain dynamic and responsive to change.
The homeland security landscape is constantly evolving as priorities, threats, and circumstances change,
requiring DHS to adapt to meet the Nation’s expectations and requirements. DHS and its homeland
security partners must be flexible in their approach to managing risk. This means that homeland security
solutions must be dynamic. A changing world, filled with adaptive adversaries, increased
interdependencies, and new technologies, necessitates security measures that are equally adaptable.
Practicality: The principle of practicality pertains to the acknowledgement that homeland security risk
management cannot eliminate all uncertainty nor is it reasonable to expect to identify all risks and their
likelihood and consequences.
The limitations of managing homeland security risk arises from the dynamic nature of homeland security
threats, vulnerabilities, and consequences, as well as the uncertainty that is generally associated with
assessing risks. This is especially true when facing a threat from an adaptive adversary, such as a terrorist
or criminal organization.
Homeland security decisions often are made amidst uncertainty, but that uncertainty does not preclude the
need for sound analysis or well thought-out and structured decision making. Risk management is an
effective and important management practice that should lead to better-supported decisions and more
effective programs and operations.
Customization: The principle of customization emphasizes that risk management programs should be
tailored to match the needs and culture of the organization, while being balanced with the specific
decision environment they support.
DHS organizations and personnel should tailor the methods for the dissemination of risk information and
decision making and communications processes to fit the needs of their mission. The customization
principle includes ens...
Actions for 'Implementing Risk Management Strategies'
Choose one of the policy implementation documents from this week's readings (a) DHS Risk
Management Fundamentals OR (b) DoD Cybersecurity Culture and Compliance Initiative.
Using your selected policy implementation document (DHS or DoD), prepare a two page briefing paper (5
to 7 paragraphs) for the senior leadership and corporate board of the case study "company." (Use the
case study and provide specific information about "the company" as appropriate for your briefing).
In your briefing paper, you should address how this type of policy implementation document can be used
to support implementation of specific risk management strategies. For the DHS document, you should focus on the use of training and doctrine (establishing a
specific business process) as a risk management strategy. Discuss the pro's and con's of using a single
risk management process across all corporate operations. Make sure to explain the risk management
process you choose.
For the DoD document, you should focus on the use of "culture shift" as a risk management
strategy. Discuss the pro's and con's of using "culture shift" and "individual responsibility / accountability"
as a risk management strategy.
Provide in-text citations and references for 3 or more authoritative sources. Put the reference list at the
end of your posting.