Home Information Sharing & Analysis Prevention & Protection Preparedness & Response Research Commerce & Trade Travel Security Immigration
About the Department Open for Business Press Room
Current National Threat Level is elevated

The threat level in the airline sector is High or Orange. Read more.

Homeland Security 5 Year Anniversary 2003 - 2008, One Team, One Mission Securing the Homeland

Remarks by Homeland Security Secretary Michael Chertoff at the University of Pennsylvania Wharton School on Risk Management

Release Date: October 16, 2008

Philadelphia, Pa.
University of Pennsylvania, Wharton School

Secretary Chertoff: Well, Dean, I want to thank you for that kind introduction. I also want to thank Dr. Kunreuther for inviting me here. We met in Dallas, I guess, about a little over a year ago, had -- I was interested in what he was writing about and we got into a very animated discussion. I understand he’s got a new book coming out that’s going to be called At War With the Weather. That was actually going to be the title of my autobiography.

Secretary Chertoff: The first thing I’ll tell you is that the only time of the year when we don’t have a weather event is Christmas. And August, which is the time when most normal people kick back and relax all over the world is the peak of hurricane season and therefore those in the line of work of disaster response feel their stomachs beginning to clench up.

So I said to the head of FEMA recently, I’m looking forward to this coming summer after he and I both left office and when we see hurricane alerts on the television, we’ll just pour ourselves another beer and toast to the people who are in charge.

Secretary Chertoff: But in seriousness, seriously, I’m delighted to join you here at Wharton and particularly in conjunction with the discussion of risk management which lies at the core of what we try to do at the Department of Homeland Security.

This year is actually the fifth anniversary of the department’s creation and as part of the recognition of the five years that have passed, I’ve taken the opportunity to look back and tried to devote a series of speeches covering some of the various elements of what we do at the department.

Our mission is very broad. It covers everything from preventing and reducing our vulnerability to terrorist attacks and other disasters to protecting and reducing the vulnerabilities of our infrastructure, including our cyber infrastructure, and then mitigating the consequences of disasters by strengthening our preparedness and response. So I see risk across the board from all elements of the spectrum, both before and after.

In looking back over the last five years in the department, I talk a little bit about the nature of our current threat posture, what I think the current and emerging threats to our country are. I discuss the strategies that we have in place to prevent terrorists and other bad people from bringing their threats to fruition, and I talk about how we can reduce our vulnerabilities, first by coming up with a better system for protecting ourselves with a 21st century system and then by looking at our critical infrastructure and the rebuilding and maintenance of that infrastructure as a very high priority for our country.

When we looked at preventing and reducing vulnerabilities, there comes in the end, of course, only the question of response and we know we can’t prevent all calamities and all manmade and natural acts. What we have to do is to try to figure out how we prepare for and how we respond to attacks and so in this speech, which is really the last in a series, I want to take the broadest look. I want to consider preparedness and response as well as prevention, but I’d like to put it in a larger context of managing risk which I think is the first objective I saw when I got sworn in almost four years ago and remains, I think, the fundamental social problem that we face in the 21st century.

If you look at the events we’ve had in the last eight years, and it’s been my either good fortune or ill fortune to be part of virtually all of these, whether it be 9/11 and the terrorist attacks on New York and Washington and Pennsylvania, or whether it be the hurricanes and natural disasters, fires and floods, or even the current financial crisis, it becomes very clear that we have not always handled risk properly.

In the case of September 11th and the terrorist attacks that occurred there, the 9/11 Commission, looking backward in hindsight, painstakingly catalogued just how many ways our nation failed to prepare for such an event and to take the necessary steps to reduce the chances of this happening and reflect from it. This was not in a gross sense a total surprise. Obviously, the individual date and place and method of attack was a surprise, but we had known for years that bin Laden had declared war against us. We knew that efforts had been made to bomb the World Trade Center, that there had been bombings in embassies, there had been a bombing on a U.S. warship. We had report after report that talked about the need to strengthen our homeland security and with all of that, we had not devoted even a fraction of the investment we currently put into homeland security into that security before September 11th. So you have to say we misjudged the risk with respect to that attack.

With respect to hurricanes like Katrina, we’ve known for decades that hurricanes exist and can hit places like New Orleans and Mississippi and Texas and that there’s a particular challenge that occurs when you build in areas that are below sea level. That’s not something that comes as a big surprise and yet despite that fact, over the years that led up to 2005, it’s clear the government at all levels simply failed to invest in maintaining critical infrastructure, such as the levees, which led to the fact that a storm that was bad but certainly not in historical context enormous, a storm that was bad was sufficient to tip over a wall in a canal that protected part of the city and basically flood most of New Orleans like a great bath basin, bringing untold havoc on one of our great cities and its people.

And we’re living now in the middle of financial woes that were to some degree or another predicted over a period of years, going back into the 1990s, in terms of over-leverage, too much credit, too little equities, home values that are on the tip of a bubble, and with all of that, we have not acted to address the risk in a way that prevented what was to my mind in the financial world a disaster the magnitude of natural disaster and terrorism disaster which I previously described.

Now, each of these three cases, once the disaster occurred, we did then respond and responded in a very big way with a lot of money, with a lot of effort, and in many cases with more expense and investment after the fact than would have been necessary before the fact to prevent the event from occurring or to mitigate the damage and that to me is a sign of an inefficient system for managing risk.

The problem is that responding to disasters after they occur is not risk management. That’s suffering the consequences of unmanaged risks. Managing risk is not about looking backward at something that’s already happening, although that can be useful in terms of what we do going forward, but managing risk is fundamentally looking ahead to the possibility of a disaster that is yet to happen and then to make cost-benefit driven plans to prevent disaster or to reduce our vulnerability to the disaster or mitigate the effects of the disaster that occurs and that’s really not a particularly startling definition of risk management and yet if you look at all of the events I’ve described – 9/11, Katrina and the financial crisis we are currently embroiled in – you will see that our society simply failed on a looking-forward basis to manage risk properly.

I want to get even more specific about this because to me, the problem is not really that we have failed to anticipate the one-time risk. It is that we not only -- we don’t learn the lesson. Each time we fail to anticipate a risk that comes about, we then after the fact usually wind up punishing somebody in some way. We then invest a whole lot of money in reducing the risk for the next one and then with the passage of time as the risk becomes a matter of -- as the original event becomes a matter of memory, we begin to decide we’re spending too much money trying to avert the risk and we begin to degrade our preparation once again.

Let me give you some examples. In the wake of September 11th, we created a new department, we eliminated the stovepipes between intelligence agencies, we embarked on a hunt for al-Qaeda leaders overseas, we put into effect a huge number of measures that significantly increased our ability to prevent attacks and reduce our vulnerability, but because, thank God, thanks to all of the hard work that was done, no successful attack has been mounted against this country in this country since September 11th, we are beginning to hear more and more people say, “Well, you know, we don’t need to do this anymore, the problem is over, it’s history, let’s move on to do something else.”

After Katrina, 2005, when people did not evacuate, found themselves flooded in many cases in houses that were inundated above the sea line, people said, “Well, we’ve got to make sure we evacuate next time.” And yet just in the past couple of months when Hurricane Gustav came and was moving toward the Gulf heading towards New Orleans, we began to hear people say again, “What do I need to evacuate for? Katrina was three years ago. I’ll be able to ride this out.”

Fortunately, in this case, due to effective work at all levels of government, we did manage to get people to get out of the city and even though the storm was less catastrophic than feared, at least we were able to learn a lesson from 2005. I question whether in 2010 or 2011 we will still keep that lesson in mind.

That’s why it’s even more urgent than ever to look at the issue of risk management, not that we can undo the risks that we failed to manage up to now but because God help us if we don’t learn the lesson of the last three catastrophes in building a disciplined risk management approach going forward so we don’t have to deal with the same kinds of crises going forward.

So let me try to put into perspective today what I see as the appropriate role of individuals and private businesses on the one hand and government on the other hand in terms of managing risk because right now, as we are dealing with the question of the financial condition in which we find ourselves, we are beginning to discuss, well, does this change the balance of the role of government in dealing with the risk in the financial sector and perhaps across the board?

And although it’s getting less publicity, these very same questions are being asked with respect to natural disasters. For example, what is the role of government in letting people rebuild in those places like Galveston and East Texas that have been flooded by the most recent set of hurricanes and, of course, also in terms of the issue of terrorism and the threat of manmade weapons of mass destruction.

So let me begin with this premise. I still believe with all that we’ve experienced in a free society like our own, the default position, the starting point for risk management is we need an enterprise center. People routinely balance risk and reward. This is the essence of what freedom is. We have to make that judgment. They balance costs and benefits and they do it on their own.

First of all, they have a very keen interest in balancing their risks. They’re also generally best positioned to understand what the true cost is and the true benefit is of the various measures and countermeasures that it takes to reduce risk and that’s why, if they’re prepared to live with the consequences of the risks that they deliberately undertake, they are really in the first instance where risk management and risk balance occur.

In other words, private economy is really, first and foremost, the fundamental engine of risk management and, by and large, it works very well. Every day, every week, every year, hundreds of thousands of individual decisions are made about risk and made effectively. Risk management doesn’t mean risk elimination, so it doesn’t mean bad things are not going to happen, but it means, by and large, we have a system that has figured out the right level of risk.

Basically, if you drive on the highway, that’s a good illustration. We’ve come to a point where we’ve set appropriate speed limits. We know how much risk we’re prepared to take getting behind the wheel of a car, what we’re not prepared to do. Some people do make misjudgments, particularly if their judgment is impaired by alcohol, but that’s the area where we don’t insist, for example, that people don’t drive themselves, they have the government drive the car for them. So that’s a great example of kind of my base proposition.

But at the same time, let us say there are some who view the free market as the be all and end all. There really is no such thing as a truly free market. The market is always bound by rules and regulations that are put in place by government. Even the most ardent capitalist, the most ardent free marketer accepts as a fundamental premise the government does have a role to play in laying down certain rules of the road that make it possible for a free market to function and two of them are very obvious.

One is, we make sure that we enforce contracts. Enforcing contracts allows us to enjoy the benefit of the decisions that we make and although it’s a set of legal rules and therefore it doesn’t allow complete freedom, it’s an enabler of freedom. Likewise, we have rules that prevent people from simply robbing us, you know, hitting us over the head with a blackjack and taking our wallets. That’s an important enabler of the free market. Even though we’re to use state power in order to police the boundaries of that rule, again it enables a free market.

So my point is simply this. Although the free market is a good beginning point and a good general baseline proposition for risk management, the government is inevitably involved because a free market needs the government and needs rules and regulations for it to function.

And so the question becomes are there some additional things the government can and should do as a general proposition in order to allow risk management at a social level and at an individual level to proceed in a much more informed, balanced, accessible way, and I would argue there are three classic types of cases in which government action is in fact necessary and prudent in order to ensure that all of us, both individually and collectively, are properly managing risk across our society.

Another way to put it is to say there are three areas where individual risk management seems to fail because there are imperfections in the way the free market operates. The first has to do with time horizon, the mismatch or misalignment between short-term benefits and long-term costs.

Left to itself in the real world, maybe not in the world of fear but in the real world, the free market and people who operate in the free market tend to favor and focus on the short-term rather than the long-term when it comes to risk management and deciding how much risk they want to bear. Simply stated, the markets and individuals often favor the kinds of choices that produce short-term benefits immediately realized and immediately capitalized at the expense of potentially higher long-term costs, especially when those long-term costs are uncertain. This is what I call the musical chairs theory of risk management.

You know the chair’s going to be pulled away but you don’t know when. So the hope is that as long as you’re going around, the music’s going to continue to play and that you’ve left the room by the time they stop the music and someone else is going to fall down when the chair gets pulled. That is relying on luck as a way of risk management, but all too often that is in fact the kind of behavior that drives risk management in a whole host of examples, and I’ll give you one from the hurricane experiences that we’ve had.

It is undeniably clear and proven over and over again that in a hurricane-prone coastal region where you’ve going to have flooding and storm surge, physically elevating homes is critical to minimizing or mitigating the risk of damage. The problem is that in the short run, the cost of elevating is high and the benefit may only be realized a decade, two decades, maybe even 50 years when the hurricane hits in exactly the right spot and a storm surge comes and flows into the area where you elevated your house.

So for a lot of people, the decision to elevate a house is a trade-off between the immediate sacrifice of a high cost and the benefit that will only be realized, if it ever is, at some point in the future and, by the way, may well be realized after you sold the house to somebody else.

Given the high upfront costs and the uncertainty and distant benefit of having elevation, there is, unfortunately and historically, very strong incentive not to elevate and what we see again and again is that when we come with flood maps and we say it’s time to elevate the houses you’re going to rebuild, we start to see community pushback. The developers don’t want to do it, the mayors are concerned that people can’t afford it and they’re going to leave the community and go some place else, and enormous political pressure is put on the people who are doing the assessment. Do I change the assessment or waive the assessment so people can rebuild in the same area and then, of course, if they’re unlucky, we’re going to be back in the same place again.

I saw a very good example of this, by the way, in Port Arthur and the eastern part of Texas when I went there after Hurricane Ike. There had been previous flooding and as part of the response to that, a number of the homeowners did build their houses on 14 foot high pilings and when I walked through the desolated areas which were completely inundated, I saw house after house that looked like it had been crushed by a giant, but then I saw about a half dozen houses on pilings that were absolutely pristine and as soon as the power went back on, the people who owned those houses were going to get right back in the house and it was going to be like the old television commercial goes, like it never even happened.

That is a vivid demonstration of the fact that there was misjudgment on the part of the people who did not elevate their houses.

So how do we deal with this? How do we recognize the fact that we have a systemic failure to manage risk properly? We have to have a political will, the government does, to enforce building codes and that means saying upfront if you’re going to build in this area, you’re going to have to put this kind of a foundation or this kind of measure into effect, and we have to back up those codes because the second problem we have in judging risk in terms of time horizon comes when we’re not forced to live with the consequences of bad risks.

If we tell people to elevate and they don’t elevate and we say to them, well, now you’re not insured anymore, so therefore you’re on your own, we know and experience teaches us that there’s a high likelihood that there will be a lot of political pressure to reverse that and come up with some kind of aid package. This is what everybody calls moral hazard and it’s a very clear message to people that they can continue to ignore the warning because even if they don’t get the insurance which they’ve now been disqualified for because they didn’t elevate the house, they’re going to get rescued anyway. And that’s why I come back to the fact that this is the area where government involvement before the disaster is critical to make sure that people properly internalize the costs and benefits of their own risk management. And that means you’ve got to be stubborn about the building codes and when you go, for example, to a place like Sacramento, California, where you can see literally the water behind the levees on the river puddling in the front yards of the houses that the developers have built by the levee, so that it’s perfectly evident to the naked eye that you’re fighting with Mother Nature and sooner or later the levee’s going to go and you’re going to have flooding, when you go in there and you say we need to elevate those houses, we need to put tax money or bond money into strengthening the levees, the developers become outraged and the mayor condemns the authorities, the disaster authorities for daring to suggest you elevate the homes, and you’re inviting once again the same problem we’ve seen over and over again.

So that’s the first prong. Our failure to align time horizons and that’s where government involvement before the fact is critical to making sure we deal with this imperfection in the market.

The second is the problem that occurs when we may properly internalize our own costs and we simply don’t internalize the costs that we’re imposing on others. This is an old problem in economic activity that goes back hundreds of years.

If you go back and read common law cases of one or two centuries ago, you’ll see that there were often situations where someone was dumping garbage or other kinds of waste into the river and it was floating downstream polluting somebody else’s fishing or somebody else’s property miles down the river.

Now, from the standpoint of the polluting landowner, he’s internalized all of his costs and his benefits. He doesn’t have a cost because the river washes the waste away. He’s got the benefit of easy disposal of his garbage and the problem is the guy who’s got the cost doesn’t have the ability to affect the conduct.

So what the courts did is they came up with the law of nuisance. The law of nuisance allowed the upstream landowner to force -- the downstream landowner to force the upstream landowner to desist from dumping. Well, that’s kind of the basic principle which I think applies, you know, to a broad range of circumstances, but it’s much more important in a world where we’re much more interdependent because increasingly the failure of business to internalize its own costs has collateral and cascading consequences for people in unrelated businesses and individual businesses may simply not realize it or simply not care about those cascading costs.

Here’s a perfect example. In every hurricane I have seen, the critical cornerstone of recovery is you’ve got to get the power up and running and often that means you’ve got to get people out to repair the power lines and maybe even go to the power plant and make sure they can be cleaned out and resume operation, but in order to do that, people have got to get in their cars and they’ve got to drive there, so they can do the work to get the power plant done.

When they go to the gas station, the problem is the gas station doesn’t have power, so the gas station can’t pump the gas into the cars, the people can’t drive to work, they can’t fix the power plant and the power lines, and the gas station remains shut. This is not a joke. This is exactly what we saw in Hurricane Rita in 2005.

As a consequence of this, the Secretary of Energy and I urged the heads of major oil companies to make sure that their gas stations had generators in place. If they have generators, you can start the fuel moving. That allows us to then get the power grid back up and, of course, then everything operates. That is a classic example of the interdependency.

The gas station owner, he may not care about losing a couple days of revenue without a generator, but from the public standpoint, the degree of interdependence requires that we in some way impose an obligation on the gasoline station owner to take account of measures that protect the costs that his failure will impose on other people. This is why, for example, in Florida they now have a mandatory rule that gas stations have to have generators in order to be licensed.

We see this in the area of terrorism as well. Here often the failure to internalize the costs has to do with people who don’t want to take security requirements that would protect the general community. You know, they figure from their standpoint, they internalize the cost of a problem and they don’t consider the fact that there will be a larger social cost that they’re not taking care of.

For example, we are in the process of debating/discussing whether we should acquire additional information about containers coming into the United States that are shipped from overseas so that we know not only where the container last departed for our coasts but where was the container originally assembled and stuffed. Obviously, the container that’s stuffed from Southampton and a container that’s stuffed in Somalia present somewhat different risks and yet the industry flatly opposes the additional costs of giving us this information from the standpoint of each manufacturer and each shipper, he thinks he’s taken account of his particular issue of his container. He’s accounted for his own cost and benefit and he doesn’t want to bear any responsibility for the costs, but here’s why that’s shortsighted.

If in fact, God forbid, because of the failure of information, a container came in and exploded and caused damage, maybe even catastrophic damage to a port, the consequences would be felt not only by the owner of that container but by the general public and by the entire shipping industry because the next move that would occur is an immediate demand that we physically inspect every container and essentially halt the flow of commerce.

So even a rational business, if you think about, should understand that in the end, the external costs would come back to haunt him, too, because a failure of the whole system would occur and he is a hostage of the system, but as government tries to step in here and impose the kind of rule that would properly align the costs, again and again we come up against the shortsighted mentality that says I’m only concerned with my costs. I’m not looking beyond my balance sheet and, of course, all too often we see where the consequences of that lead.

So I’ve talked about two areas where I think government plays a role, internalizing and aligning the time horizon and making sure you take responsibility for your external costs, not only your internal costs.

The third area has to do with what I call validation, eliminating the transaction costs that are imposed by risk when we don’t really have confidence in what we are dealing with or what we’re seeing.

The greatest benefit that we can bring to the free market is transparency. If we have confidence that we know who we’re dealing with and what we’re getting, so that we can make a risk-based judgment, then in fact commerce can occur and we can make good decisions about how we spend our resources, but that again requires government to step in and make sure that we have that transparency in much the same way that government makes sure that people don’t violate their contracts.

When consumers buy food products or children’s toys, what they’re doing is they’re relying on the fact that the items are safe. When investors put money in a company’s stock or a bank, they’re trusting that the firm isn’t cooking the books and its stability is what it’s warranted to be, and when a business asks for someone’s identification so you can, you know, get into the building or engage in some kind of transaction, they’re trusting the identification documents, that the person is who they purport to be.

So all of these systems of the marketplace depend on trust and when this trust fails, we see very serious consequences. Let’s just take a look at real life. In the last year, we’ve seen again and again instances where food and products imported from China turn out to have dangerous ingredients. That is ultimately not only damaging to the people who buy the product and who ingest the ingredient or children who play with the toy, but it is bad for the people in the business and it actually undercuts our trust with the entire supply chain and our food and our products.

When we see what’s going on with the financial crisis, the uncertainty, when our people come to realize that there’s not sufficient transparency in the nature of the financial products that are moving around our financial system, we see the crisis of confidence has a huge impact and, of course, when we can’t trust the identification documents that are presented, we see identity theft, we see people losing huge amounts of money, including 40 million numbers, credit card numbers that were stolen in the largest identity theft in history in a case that was announced a couple months ago, and that damages the willingness of people to engage in trade over the Internet or even face to face.

So all of these three areas, short-term costs, externalized costs and transaction costs, transparency, I believe that while the market plays an important role, it has to be a role that is regulated in a way that allows us to make sure we are really aligning the consequences of our decisions, the good and the bad, with the decision-making process.

The case in these instances is for intelligent, strong, and not overly-coercive regulation. We don’t want to move to the extreme of a smothering initiative, but we also want to make sure initiative is rewarded because it can be properly used to manage and allocate resources.

I’ll give you one example of what I consider to be regulation going forward. I use the example of our shipping containers and our effort to get some more information so we can say, well, this is a container that appears to be a regular shipper. It’s coming from a known country where we know there’s very good security. We know the people involved in the supply chain are very reliable, so we don’t have to worry too much about that.

The second container’s coming from a part of the world where there’s very little governance and even less law enforcement. We know there are bad people out there in that area and we have low confidence that we know the shippers and therefore we have to take a close look at that. That is what we consider to be proper risk management and yet there are some who want to over-regulate it. Their answer is we want to look at every container. We want to scan every container from overseas. We want to physically open every container in the United States.

Now that, I have to admit, would reduce the risk further than the proposal I have made. In fact, we would eliminate the risk, but the reason we would eliminate the risk is it would eliminate the trade and that’s the same principle that would allow me to say I can absolutely guarantee there would be no airplane hijackers if I seek to prevent people from flying.

So that’s over-regulation and I wouldn’t want to complete my talk on risk management without reminding people that over-regulation and over-risk elimination is as much of a problem as under-regulation.

So from homeland security to economic security, I’m confident in the coming years that we can and I’m confident that we must improve our management of risk with a judicious partnership between government as a regulator in a disciplined and focused way and a public that is willing to embrace that regulation as enabling it to proceed with its free market prerogative to make decisions in an intelligent and informed fashion.

But let me leave you with a cautionary note even about the current crisis. As I said at the beginning of my talk, seven years ago after 9/11, you would never have imagined, I never would have imagined, people saying, “Well, maybe we don’t need to connect all the dots with intelligence agencies, let’s go back to the old way where everybody keeps their own information to themselves.” But actually I’ve heard that argument.

Three years ago, it never would have occurred to me that we’d be hearing people say having to evacuate from New Orleans, there’s a Category 4 hurricane heading here, I’m just going to ride it out, and right now, it must seem incredible to think that down the line, when we get to a point where reasonable regulation of the financial market is rejected and people say we don’t need that anymore, let’s go back to, you know, a free for all.

If nothing else, if the disasters and the problems that have wreaked havoc in the last eight years teach us nothing else, it is shame on the disaster-maker, whether it be Mother Nature or man, for the first disaster that we don’t properly manage, but shame on us for failing to manage the risk for the second disaster.

To me, the foundation of proper risk management in the next ten years is going to be very keen memory of what we’ve experienced in the last eight years in some extraordinary challenges. I think we’ve learned a lot. I think we’ve got a much better way of doing things, but I think we will fail to execute if we don’t have the commitment of responsible actors in the government and the private sector to make sure that we do truly achieve a partnership in managing risk.

Dr. Robertson: Secretary Chertoff, you can hear just from this applause what an impact you have made on all of us here. I want to just give you one additional anecdote I’m sure you know about before we open this up for questions.

When the -- when people are letting individuals buy flood insurance voluntarily, the only time that people seem to buy it was after the flood occurred. There was never an interest in buying it beforehand and then a few years later, people were saying, “Well, I haven’t had my flood, I think I’m going to have to cancel my policy.” And no matter what you would say, the best return was no return at all. There was a tendency to feel, God, I haven’t gotten a good return on my investment.

Secretary Chertoff: The same with health insurance. I would say for the last five years, when I let my health insurance go, I think you could make the argument -- I’m suspicious of grand fears of everything being explained by one concept, but you can actually explain an awful lot of the problems that we wrestle with economically, socially in terms of the difficulty we have as human beings in properly measuring risk. We either overweight or underweight and we have real problems, maybe it’s the way we’re wired, in dealing with the issues of time horizon.

Dr. Robertson: So what we’d like to do is we have a couple mics on either side of the room. We’d like to open it up for the next few minutes for questions and if you could just basically line up in front of one of the mics and then Secretary Chertoff will rotate between the two and introduce yourselves so everyone knows who you are and the floor is yours.

Question: Welcome, Secretary. I’m in the Executive MBA course here. I’d like to ask you about your people risk. It’s hard to get a feel on how big a risk is it that we can keep people or motivate our people or retain our people and in terms of your department, how concerned are you about recruiting the right people in management and specifically, is it in the top 20 things that keep you awake at night?

Secretary Chertoff: Well, motivating people is -- it’s -- I wouldn’t even describe it as a risk. We all know that motivating people is an important part of any -- managing any organization.

In government, you’re constrained because one of the main motivators in the private world is money and you can’t really use money as a motivator in government because it’s a very rigid system. We’ve tried to change that and been somewhat unsuccessful.

We use other things to motivate. Part of it is commitment to the mission. Part of it is trying to give people expanded opportunities to advance and involve a career path. One of the things that the head of TSA did is being a screener, TSA’s a very tough job. It’s physically demanding. You deal with people in the airport who are usually not in a terrific frame of mind, given the way airports are, and he was very concerned about making a job where there were career paths, ways to advance yourself, to specialize, and that’s actually done a lot to raise morale.

So I think, you know, the answer is in part to use a whole lot of non-monetary incentives, but I have one other tool that I use to motivate people and it comes from my experience when I was a prosecutor. I believe most people, not everybody, but most people are highly motivated to see an accomplishment and when I was a prosecutor, we used to put cases together, you know. I’d have -- there was a guy that worked at the lab and there was an agent that did part of the investigation, a detective did another part, and everybody did their piece, but they weren’t necessarily integrated into the process to go to the conclusion which was the trial of the case, and I worked very hard to get my agents to participate in the entirety of the process because I believed and I think this was proved to be correct, that when they began to see their job not in terms of a task but in terms of the contribution of the overall mission, it changed the way they thought about it. They didn’t punch the clock. They looked at what they could do to get over the goal line and they shared in the glory or in the infamy if we didn’t succeed.

Part of what we’ve tried to work at DHS, and it’s still a work in progress, is a concept of joint planning and operations that explains to people and sometimes it’s a little harder than others because they don’t see where it fits in, how what they do contributes to the overall mission. I think you can do that and you can measure it and you can give people feedback, that’s a very powerful motivator.

Question: My name is Dave Morrison. I’m a second year MBA. I was wondering with the current financial crisis and sort of -- it seems like there’s a flight of capital from the United States. What color is sort of the terrorism meter right now? Is it like -- is it sort of a riskier time? If a bomb went off in a port, how quickly would commerce, national commerce shut down? If this something that --

Secretary Chertoff: You know, I don’t think historically we’ve seen terrorist attacks pegged to external events. It’s not to say that terrorists aren’t mindful of the impact on the economy. There’s a good basis to assert that bin Laden believed that part of the benefit of the attack on 9/11 was going to have an impact on the economy.

What I don’t mean is that their operational tempo is very quick and that they say, well, there’s a financial crisis, let’s jump quickly into doing something. So that being said, I think, you know, we view -- we assess risk with respect to terrorism as we try to look much more specifically at much more particularized facts. That’s what the role of intelligence is. They look at real specific facts of what’s going on. We look at indications that are much more finely drawn than just kind of what the general condition of the economy is.

So I think, you know, terrorism can happen any time and it would be bad. Obviously in a weak economy, it would be worse. You could argue in some ways maybe it would even have less impact because it would be subsumed in a general atmosphere, but from our standpoint, I don’t get asked about, you know, as an anniversary, something where you have -- well, anything that might attract attention by a terrorist because people crowd together or because there may be perception that we are distracted. We haven’t seen historically that they’re very driven to conduct operations based upon kind of general current events.

What they are quick to do is to jump on the bandwagon after the fact and then say, oh, yeah, this happened and either they claim credit for it or they show this -- this means God is on their side and they’re punishing us, but that’s not operationally predictive. That’s more trying to go in and crank a little credit.

Question: Hello. I’m Don. I’m a senior doing undergrad here. My question relates to what you mentioned about over-managing risk. So I’m curious if you can enlarge at all on how it’s possible to design when the costs of remedying a risk are too great or the probability itself are too small and it’s necessary just to let it go.

Secretary Chertoff: Well, that’s -- that’s the core question in risk management because it’s a lot tougher to know that’s too much and what’s too little going into something.

I’ll tell you the one general principle. I put a lot of weight on consequences. Consequence is catastrophic, even if it’s the low probability, is to me something that warrants a lot of effort to prevent and to prepare for. Consequence that is bad but not out of the ordinary is one where I might be more willing to be a little bit more modest in terms of preventive measures that I take and that’s because I’ve put a lot of weight on the collateral effects of very high-consequence problems, particularly those we have experienced before, because they can have ripple effects and psychological effects and economic effects that are multipliers of the consequence.

So my big rule of thumb is when I look at the issue of, you know, probability and consequence, I put a lot of weight on the consequence end of the equation.

Question: My name’s Adam. This is actually tied into the previous question. How methodical is the department in assessing the costs and benefits of the different courses of action it can take to deal with the competing risks out there?

Secretary Chertoff: We try to be very methodical. It depends on the nature of the particular risk we’re concerned about. In some cases, it’s possible to be very methodical. We’ve done things, for example, with the chemical industry, with the transportation of dangerous chemicals, where we have a lot of data, and we can really pinpoint where the high-risk things are, and then we can focus our attention on regulating those high-risk things.

There are other things which are much harder because the data doesn’t exist and is much less. I mean, the question of, for example, you know, how much effort is worth putting into preventing a weapon of mass destruction from coming into this country. There’s not going to be a mathematical answer to that because we don’t have traffic and the one thing I try is this. Sometimes there’s a tendency to overweight quantitative measures that are actually only partial in their accuracy because they’re quantitative. So the eye naturally gravitates there because it has an appearance of being rejected but it actually measures what the true risk is.

So we try to inject a dose of common sense, but in the final point of judgment because certainly when you deal with terrorism, there is a human element and your ability to kind of anticipate that is something you can’t necessarily quantify. Maybe there’s some people that can, I can’t. So we try to balance between data and that, but we also recognize the limits of that approach.

Question: My name’s Zack. I’m a senior. I’m wondering, could you comment on the U.S.A. Patriot Act and how you understand that within the risk management framework.

Secretary Chertoff: That -- that’s one of the great misunderstood Acts of all time. The Patriot Act, notwithstanding its name, is pretty modest and it’s actually in this way a very good risk management tool.

The insight didn’t take a long time to come to it after 9/11 as the best way to drive down risk with respect to terrorism was more information about people. If I had to guess on the population, you know, of millions of people coming to the U.S. who’s dangerous, I could either search everybody, which would be astronomically expensive and inconvenient, I could do it randomly which would give me no better than a random chance of identifying somebody, or I could let everybody come in without looking at them in which case I would face really the question of do I fill up because I have no way to stop a bad person from coming in, but if I get more information about each of these people, you know, something about their travel pattern, something about their passport, something about where they have, for example, communicated, if I can take intelligence data from a lot of different agencies and combine it to get a better picture of what are potentially dangerous people, now I can look at that pool of people and I can say, well, I have information that here are people where there’s reason to believe they may be a higher than average risk and I can focus on that.

What the Patriot Act mainly did was say we have a whole series of legally separated databases and intelligence agencies who are forbidden to talk to each other. They can’t connect the dots. If we tear down walls and we let them connect the dots, we’re going to have a better idea of the total amount of information available about people who are dangerous and that’s going to enable us to focus more specifically on people who are dangerous. And that’s going to be a way to reduce the risk and it’s actually a fairly low-cost way to reduce risk because it frees a lot of people from any scrutiny and focuses certainly on people who are, because of some connection that they have, likely to be in a higher-risk group.

Question: Nick, sociology major. On the issue of internal security, in the wake of the 2001 anthrax attacks which were initially pinned on al-Qaeda, until a few months afterwards it became evident that it was not an al-Qaeda attack but rather some sort of internal security breach because the particular strain of anthrax that was used was one of 118 strains, one of which that came out of Fort Detrick, Maryland, the Department of Defense program in the 1980s, Project Jefferson had developed, it was essentially a derivation of a military grade weapon, and then they tried to put it on to Steven Hatfield, one of the engineers or the technicians out at the department but he was later exonerated and he won a $5 million settlement. Then more recently we had Bruce Ivins, who was pinned as the perpetrator and he conveniently committed suicide, the real issue here -- the real issue is he wouldn’t have been able to create this weaponized grade of an anthrax because he needed a static charge and a machine with infrared capabilities that was well outside of his purview.

So this really looks to be to be furthermore an inside job, but the question is who particularly is involved, and we know from 1962 and Operation Northwoods that criminal elements in the U.S. Government have planned and staged terrorist attacks as a way of justifying political agendas and furthering whatever aims they have.

So the question is -- the question is what -- what has the Department of Homeland Security done to further investigate this issue?

Secretary Chertoff: Well, first let me say that it is incorrect to say that -- I don’t know that anybody seriously thought that al-Qaeda might have been responsible. I don’t think anybody officially ever asserted that.

The FBI has done a very comprehensive review of this. Now that’s -- you know, the risk that the government, based on a 1962 program, launched an anthrax attack, it was put in the basic non-existent risk category and that’s actually a great example -- if that’s the kind of risk we worry about, then we’re moving away from the real risks into the realm of imaginary risks because that’s not the risks.

Dr. Robertson: We have time for one more question.

Question: Hi. My name’s Rick. What, in your opinion, is the next major source of threat for the U.S. after al-Qaeda?

Secretary Chertoff: It’s hard -- it’s hard to rank them. Let me put it in a little bit of context. In terms of terrorism, obviously al-Qaeda and a series of associated groups are the most actively engaged and openly engaged in a war against the United States.

In terms of sophistication, Hezbollah is generally regarded as a more sophisticated terrorist organization than al-Qaeda. It has not in recent years actually engaged in activities against Americans but that could change.

Then when you look at -- you’ve got various kinds of transnational criminal groups. Those are obviously not threats of the dimension of the terrorist groups but they pose other issues.

I would say, though, if you stand back, I would leave you with the following thought. In the Cold War, we lived in a world where threats were clearly defined. We had nation states. It was a very stable system. There was terrorism but terrorism was generally state sponsored or it was really just very rudimentary and that was -- everybody had a very high degree of confidence that we could figure out the architecture to minimize the risk of a true attack because of the circumstance.

We now live in a world with a lot of ungoverned space. There’s ungoverned space in the virtual world and there’s ungoverned space in the real world and when you couple that with technology which has dramatically enhanced the leverage a single individual has to cause damage, you now have a risk for a much more [inaudible] form of serious consequential attack.

The challenge in the next ten years is how do we -- who takes responsibility for the ungoverned space? It doesn’t -- you know, the world position is if you’ve got people in your country who are attacking us, you have to take care of that problem, but if your country doesn’t have the capability or the will to do that, do we have the ability and right to go in and protect ourselves?

What do we do in virtual reality, in the virtual world where we can’t pinpoint the geographic location of who’s carrying out these attacks?

So here in the 21st century, the biggest challenge we have is that globalization has broken down many defense structures. There are huge advantages to that, but it’s also created an increased risk and, frankly, this is a discussion for another lecture, the legal and institutional models that we currently operate with are simply not yet adapted for what we need to do in a world of very mobile and very work-at-risk with a lot of ungoverned areas.

Dr. Robertson: As you can see, Secretary Chertoff, we have a large number of students who are here today and you can hear from the questions how involved they are.

I’d like to end our session with Todd Mortenson, who is an MBA student who wanted to make a remark to -- on behalf of the MBA students and all the students here at Wharton.

Question: Secretary Chertoff, on behalf of the student body, we would like to thank you for coming to Wharton and speaking to us in person and choosing the Wharton School as a platform to deliver your address.

I know that in light of recent events over the past few years, the past few weeks, each of us understand that the ability to manage risk effectively should be one of the most important skills that we can have as we enter the workforce and it’s helpful for us to hear your vision of how risk can be managed effectively, what some of the most common pitfalls are, and then where the responsibility to manage risk lies between individuals, businesses, and government, and lastly, we want to say thank you for the work that you do and the work that your department does to keep our nation safe and to allow us to pursue our dreams and our careers in environmental freedom.

So thank you.

Secretary Chertoff: Thank you. Let me say, resist the lure of the big bucks on Wall Street that got us in the mess we’re in.

Secretary Chertoff: Consider putting your skills to use in public service. In line with the comment earlier about motivating people, I spent probably more than half my life in public service, mostly as a lawyer. It was -- it paid less than I would have made in private practice but it’s tremendously rewarding and you see the visible, tangible benefits of what you do all the time.

We’re certainly in a period of time now when getting the best-skilled and most energetic people into government is of great value to the country.

So thank you very much.

###

This page was last reviewed/modified on October 16, 2008.