Homeland Security Secretary Chertoff delivered a speech before the Institute of European Affairs in Dublin last Thursday and hit the usual high notes of transatlantic cooperation, which continues to strengthen below the radar of our politically charged policy environment on this side of the Pond.
How the Secretary portrayed that progress was with a lingua franca unfamiliar to the State Department diplomats. For example, he cited three principles on which he believes Americans and Europeans agree.
First, nations “must be willing not only to operate within their own borders and ports of entry, but beyond them as well.†He probably doesn’t mean that the way it sounds. Translation: find effective ways to cooperate with other nations to pursue shared interests in countering terrorism that crosses national boundaries.
Second, complete safety is out of reach and “the best alternative is a strategy that is governed by risk management.†While it may seem unremarkable by now, that concept will likely leave observers wondering what exactly the U.S. means by it.
Third, security can only be pursued effectively if in partnership with other nations. Put Chertoff on the National Security Council, please. It’s another unremarkable concept, but one that needs to be stated repeatedly.
So risk is inevitable and we should “manage†it. The closest this country has gotten to defining risk at the strategic level is in the context of debating where to apply federal funds, such as UASI grants.  Unfortunately, for all the work DHS and its component agencies have put toward defining risk over the years – since long before 9/11 – the latest Homeland Security Strategy barely addresses the idea.
The National Strategy gets only so close:
“the [National Preparedness Guidelines] constitutes a capabilities-based preparedness process for making informed decisions about managing homeland risk and prioritizing homeland security investments across disciplines, jurisdictions, regions, and levels of government, helping us to answer how prepared we are, how prepared we need to be, and how we prioritize efforts to close the gap.â€
That’s what we should get if we manage risk, but what is the nature of risk in a post 9/11 strategic context? Later in the Strategy is a longer paragraph representing the only other description of risk:
“The assessment and management of risk underlies the full spectrum of our homeland security activities, including decisions about when, where, and how to invest in resources that eliminate, control, or mitigate risks. In the face of multiple and diverse catastrophic possibilities, we accept that risk – a function of threats, vulnerabilities, and consequences – is a permanent condition. We must apply a risk-based framework across all homeland security efforts in order to identify and assess potential hazards (including their downstream effects), determine what levels of relative risk are acceptable, and prioritize and allocate resources among all homeland security partners, both public and private, to prevent, protect against, and respond to and recover from all manner of incidents. A disciplined approach to managing risk will help to achieve overall effectiveness and efficiency in securing the Homeland. In order to develop this discipline, we as a Nation must organize and help mature the profession of risk management by adopting common risk analysis principles and standards, as well as a professional lexicon.”
Over 150 words and it still seems as though we’re talking around the concept without really saying what risk is apart from “a function of threats, vulnerabilities, and consequences.†That’s the same way we described risk on September 10, 2001. What we need is a straight forward explanation of risk in the 21st century. Sure its terrorism, but it is also much more if we consider that terrorist targets include almost anything in the civilian and commercial realm. Risk is therefore a function of how interconnected today’s world has become. A danger in this hemisphere ripples around the world depending on numerous factors beyond just threats, vulnerabilities, and consequences.
With little else to go on, our allies overseas listening to Secretary Chertoff last week could be forgiven if they walked away from his speech wondering just what it means to choose “a strategy that is governed by risk management.â€
The new IBM white paper we wrote and I blogged about earlier offers the following:
“Risk today is characterized by the rise of the individual as well as the rise of small groups as strategic threats and the speed and unpredictability with which the harmful effects of disruptions in one part of the world can spread to other companies, sectors and countries.â€
The National Homeland Security Strategy makes a sound point when in another slight reference to risk, it suggests that “companies that minimize risk will be rewarded by the market.†You might say that this maxim applies to the government, too.
While the National Strategy may have prompted more questions than it answered, there is another opportunity for us to get this knotty issue of risk nailed down so that we can plan against it and make wiser investments in both the public and private sector. Recall that Congress mandated that DHS issue a Quadrennial Homeland Security Review along the lines of the Pentagon’s Quadrennial Defense Review. This repesents a valuable opportunity for DHS to take this head on. No better document – at this point, anyway – than the first QHSR to put forth a workable concept of risk.