Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure

GAO-06-91 December 15, 2005

Summary

Congress and the President have called for various homeland security efforts to be based on risk management--a systematic process for assessing threats and taking appropriate steps to deal with them. GAO examined how three Department of Homeland Security (DHS) components were carrying out this charge: the Coast Guard, which has overall responsibility for security in the nation's ports; the Office for Domestic Preparedness (ODP), which awards grants for port security projects; and the Information Analysis and Infrastructure Protection Directorate (IAIP), which has responsibility for developing ways to assess risks across all types of critical infrastructure. GAO's work focused on identifying the progress each DHS component has made on risk management and the challenges each faces in moving further.

The three DHS components GAO studied varied considerably in their progress in developing a sound risk management framework for homeland security responsibilities. The varied progress reflects, among other things, each component's organizational maturity and the complexity of its task. The Coast Guard, which is furthest along, is the component of longest standing, having been created in 1915, while IAIP came into being with the creation of the Department of Homeland Security in 2003. IAIP, which has made the least progress, is not only a new component but also has the most complex task--addressing not just ports but all types of infrastructure. The Coast Guard and ODP have a relatively robust methodology in place for assessing risks at ports; IAIP is still developing its methodology and has had several setbacks in completing the task. All three components, however, have much left to do. In particular, each component is limited in its ability to compare and prioritize risks. The Coast Guard and ODP can do so within a port but not between ports; IAIP has not demonstrated that it can do so either within or between all infrastructure sectors.

Each component faces many challenges in making further progress. Success will depend partly on continuing to improve various technical and management processes that are part of risk management. For example, obtaining better quality data from intelligence agencies would help DHS components estimate the relative likelihood of various types of threats--a key element of assessing risks. In the longer term, progress will depend increasingly on how well risk management is coordinated across agencies, because current approaches in many ways are neither consistent nor comparable. Also, weaving risk-based data into the annual budget cycle of program review will be important. Supplying the necessary guidance and coordination is what the Department of Homeland Security was set up to do and, as the Secretary of Homeland Security has stated, what it now needs increasingly to address. This is a key issue for the department as it seeks to identify relative risks and take appropriate actions related to the nation's homeland security activities.



Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Margaret T. Wrightson
Team: Government Accountability Office: Homeland Security and Justice
Phone: (415) 904-2200


Recommendations for Executive Action


Recommendation: The Secretary of Homeland Security should direct the Commandant of the Coast Guard to take action in the area of risk assessment by developing plans to establish a stronger linkage between local and national risk assessment efforts. This effort could involve strengthening the ties between local assessment efforts, such as area maritime security plans, and national risk assessment activities.

Agency Affected: Department of Homeland Security: United States Coast Guard

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should direct the Commandant of the Coast Guard to take action in the area of alternatives evaluation and management selection by ensuring that procedures for these two processes consider the most efficient use of resources. For example, one approach involves refining the degree to which risk management information is integrated into the annual cycle of program and budget review.

Agency Affected: Department of Homeland Security: United States Coast Guard

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To strengthen ODP efforts to implement a risk management approach to its port security grant program, the Secretary of Homeland Security should direct the Executive Director for ODP to clarify, in its grant guidance, the conditions under which greater leveraging of federal dollars should be included as a strategic goal for the port security grant program.

Agency Affected: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Office for Domestic Preparedness

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To strengthen ODP efforts to implement a risk management approach to its port security grant program, the Secretary of Homeland Security should direct the Executive Director for ODP to develop measurable objectives for managing the grant program's progress toward achieving strategic goals and use these measures to gauge progress and make adjustments to the program.

Agency Affected: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Office for Domestic Preparedness

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To strengthen ODP efforts to implement a risk management approach to its port security grant program, the Secretary of Homeland Security should direct the Executive Director for ODP to coordinate efforts with the Coast Guard and IAIP to use more reliable risk assessment data as they become available. At a minimum, such data should include (1) the relative likelihood of various threat scenarios, (2) consequences and vulnerabilities that are linked to terrorist scenarios, and (3) a comparison of risks across ports.

Agency Affected: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Office for Domestic Preparedness

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To help ensure the development of risk management approaches to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to work with the intelligence community to develop ways to better assess terrorist threats and use available information and expert judgment to develop a relative probability for various terrorist scenarios and provide this information to sector-specific agencies.

Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To help ensure the development of risk management approaches to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to, as tasked by presidential directive, develop a methodology for comparing and prioritizing risks of assets within and across infrastructure sectors by including data on the relative probability of various threat scenarios.

Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To help ensure the development of risk management approaches to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to, in completing the National Infrastructure Protection Plan, include target dates for completing sector-specific plans, developing performance measures, and identifying protective measures that could address multiple threat scenarios.

Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To strengthen individual agency efforts to implement a risk management approach to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to, as required by presidential directive, establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across sectors, along with metrics and criteria for related programs and activities, and develop a timetable for completing such guidance. Such policies and guidance should address the issue of integrating risk management systems into existing systems of program and budget review.

Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To strengthen individual agency efforts to implement a risk management approach to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to, as DHS continues to review its organizational structure, work with the Secretary's office to determine which office is best suited to help ensure that the responsibility for risk management policy and implementation has a broad enough perspective on all elements of risk, including threats, as well as the necessary authority to coordinate with DHS component agencies and hold them accountable for risk management activities.

Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To strengthen individual agency efforts to implement a risk management approach to homeland security activities, the Secretary of Homeland Security should direct the Undersecretary for IAIP to work with the Office of Management and Budget to examine options for holding departments and agencies accountable for integrating risk management for homeland security programs and activities into the annual cycle of program and budget review.

Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.