Summary

From the terrorist attacks of September 11, 2001, to Hurricane Katrina, homeland security risks vary widely. The nation can neither achieve total security nor afford to protect everything against all risks. Managing these risks is especially difficult in today's environment of globalization, increasing security interdependence, and growing fiscal challenges for the federal government. It is increasingly important that organizations effectively target homeland security funding--totaling nearly $65 billion in 2008 federal spending alone--to address the nation's most critical priorities. GAO convened a forum of experts on October 25, 2007, to advance a national dialogue on applying risk management to homeland security. Broadly defined, risk management is a process that helps policymakers assess risk, strategically allocate finite resources, and take actions under conditions of uncertainty. Participants included federal, state, and local officials and risk management experts from the private sector and academia. The forum addressed effective practices, challenges federal agencies face in applying risk management to homeland security, and actions that can strengthen homeland security risk management. Comments expressed during the proceedings do not necessarily represent the views of any one participant, the organizations they represent, or GAO. Participants reviewed a draft of this report and their comments were incorporated, as appropriate.

Forum participants discussed risk management practices currently used or being considered in the private and public sectors, such as the position of chief risk officer (CRO). Private sector CROs communicate information about risks to the business executives responsible for mitigating risks and steer mitigation efforts. A government CRO could address the need forleadership in public sector risk management initiatives, such as improving emergency response and disaster recovery efforts. Participants also noted differences between the public and private sectors. For example, the private sector has the flexibility to choose which risks to insure against, while the public sector must accommodate the public's beliefs about risks and preferences for risk management. Participants identified and ranked the challenges in applying risk management principles to homeland security that in their view were the most critical to address. The top three challenges were (1) improving risk communication, for instance, addressing the lack of a common vocabulary to discuss risk management and lack of a public dialogue about acceptable levels of risk; (2) political obstacles to risk-based resource allocation, such as the reluctance of policymakers, at times, to make difficult choices about what to protect; and (3) lack of strategic thinking, including lack of a governmentwide discussion and strategy related to homeland security investments. When asked to rank which challenge should be addressed first, participants most often selected improving risk communication followed by political obstacles and improving strategic thinking. The expert panel proposed a number of actions to strengthen the use of risk management principles, such as increasing meaningful public outreach to provide fact-based estimates of risk, highlighting the importance of risk management to incoming policymakers, and identifying effective risk assessment practices.