Daily Archives: February 1, 2010

Guest Post – Why is it so difficult to make risk-based decisions in homeland security?

Today this post is by guest blogger KR who addresses the first question of the Homeland Security Round Table centering around an article in the recent issue of Homeland Security Affairs.

Ok, first I should introduce myself I am not a security, military or defense professional. I am a certified financial planner who, as an American citizen has a vested interest in this dialogue. My objective here is to broaden my knowledge on these subjects,  explore and clarify my opinions and hopefully, share some thoughts of a lay person with the more educated members of the group.

As a financial planner, I’d qualify a large part of my job as risk management. I do this by seeking both concrete and anecdotal information about variables that contribute to an overall premise on market, sector and specific holding performance expectations. This is a top down assessment starting at the economic level, eventually reaching the local or company-specific data. It seems remarkably similar to the risk management associated with anti-terrorism activities and threat assessment. There however, are some significant differences which tie in directly with Mr. Bellavita’s questions (numbers 1 and 5 in particular).

Axiom or law, I think we have to start with the premise: Risk is either held, shared or transferred, increased or decreased. It is never, ever eliminated.

In financial risk management, we have a firm concept of acceptable losses. There is never an expectation of only gains or zero losses. That’s understood to be unrealistic and in fact, pursuing those misinformed objectives actually incurs significant risk and expense. Fortunately, in my business, many theories and actual practices are tested, retested and back-tested to measure effectiveness. Quantifiable results are just that, quantifiable. Part of the issue confronting homeland security is the non-quantifiable nature of success, failure and ongoing performance. Politics, psychology and general culture play heavily into those definitions.

I’ve heard more than once, that, “Counter-terrorism activities have to be successful all of the time, terrorists only have to succeed once.” Frankly, I find that concept dangerous and misleading. It sets up everyone involved for failure. That statement is true when considering the execution of a terrorist act. But it would be unwise to consider that completion to be a failure of a homeland security system. By leading people to believe that any terrorist activity is a failure, and the converse, that the only success of homeland security is zero terrorist activity, we create an environment that ironically benefits the terrorists. By mismanaging their expectations, our population is more susceptible to fear and disappointment. The professionals are subject to criticism, policy shifts and general turnover (typically as a result of political responses).   Homeland security is a defensive, reactive activity. That’s not to say it’s passive. Merely that it’s goal is to counter the objectives of those engaged in hostile, terrorist acts agains the US. So what is success for a terrorist? I think the real definition of success by a terrorist is the changing of a culture or general set of policies to coincide with the specific goals of the terrorist organization. It is not the death or destruction of a particular target for its own sake. These groups and individuals want to have impact, whether by spreading a message, changing our attitudes and ways, or actually changing US policies. If that is true, success for homeland security should be the disruption or mitigation of enough activities to prevent those cultural or policy changes.

In my business, I determine a targeted risk level, or concept of ‘acceptable losses’ for each client. My worst client is one who expects to never lose a penny. I cannot help that client and can either educate them or fire them. I admit, it can be difficult to do the prior, but when it works, the change is usually dramatic. Instead of focusing on the occasional losses, we focus on their financial goals. Those in reality are their priority.   In the homeland security arena, it seems the American citizens are being trained to expect perfection. I think that is a product of both our political environment and our cultural belief that we can have everything, all the time, at no cost, now. I’ll summarize that notion simply as ‘short sightedness’ for simplicity sake. While we cannot ‘fire’ our way out of this relationship with our fellow citizens, we absolutely hav eto edicate them on the follow of that false expectation.

Homeland security is a process, not an event. It needs to be viewed similarly to our national education system, the population’s general health and wellness, our overall transportation infrastructure or similar issues of long term, national importance which may be subject to event risk, but are actually systems, not discrete events, locations or organizations. Instead, our national discussion seems focused on the granular level  how did which person get onto what plane. By looking so closely without the larger context we seem to repeatedly miss the forest for the trees.

Similar to my own risk management processes, when considering the homeland security situation, I again approach from a top down perspective. At a high level there is the question: what can be done to prevent terrorism. At a lower, more tactical level, there is the question of how do we prevent terrorist acts. I do believe that addressing the first question is fundamental to a long term American solution. Obviously, the better we do there, the fewer incidents we will have to address at the lower level. However, the reality of the present situation calls for us to address them both simultaneously. Mr. Bellavita seems focus primarily on the tactical level.   I think the first step in dealing with risk-based decsion making, and all decision making for that matter, is to accept the situation. The real, honest situation. These acts will be attempted. And some, despite our best efforts, will be executed as planned. We also must realize, that is very different from saying that the terrorists have succeeded.   And, in my opinion, therein lies part of the difficulty in making risk-based decisions. That very acceptance is untennable from a political standpoint. It is far better for any individual’s career to pretend that perfection exists, despite how stunting it is to our capability to address the situation, than to speak plainly about costs, consequences and long term goals with the American public.   ===============================   Here are a couple questions for those more educated that I on these matters. Please forgive me if they are not directly related to the first question on our list.   We’ve had extremist, militant groups in this country for quite some time. We’ve investigated and  infiltrated them, tracked their leadership, mapped their organizations and, at times, taken direct actions against them. We’ve had some terrible events such as the 1993 World Trade Center and 1995 Oklahoma City bombings. Are the strategies and methods of dealing with these homegrown radicals so different than the ways we should approach terrorists from outside of the country? I realize that the specific agencies and resources employed, and degrees of local cooperation and competence will impact implementation, but my question is regarding the actual practices. If we consider our domestic counter-terrorism activities to be successful (even without a 100% event-free history), shouldn’t we map those activities (and definitions of success) to the global scene?

As a lay person, I see homeland security largely as a police activity. That is not to say it should be performed solely by police departments, rather it is more similar to police work than say, military or emergency response work. Activities center around information gathering, investigation, analysis, apprehension, prevention and disruption. It seems that the inclusion of emergency response functions are a separate matter that only get involved when a threat is identified or action has taken place. Is that a gross oversimplification?

Risk based decisions in homeland security issues

Christopher Bellavita’s recent article “Changing Homeland Security: Twelve Questions From 2009” says:

In 2009, U.S. residents were threatened by border violence, pandemics, violent extremists, improvised explosive devices, a dirty bomb (or at least the possibility of one), random shootings, cyber attacks, threats to the food supply, severe winter storms, tornadoes, fires, floods, old American dams, and radioactive Canadians.  Is there an appropriate way to think about and prioritize those risks?

He asks the question:  Why is it so difficult to make risk-based decisions in homeland security?

Now, it’s worth noting that he didn’t ask ‘Are our homeland security decisions risk based?’

I think it’s generally accepted that our decision making process with regards to homeland security is a bit screwy.  It could have been the prohibitions against butter knives in the months after 9/11 or the identification of a mini-golf course as worthy of being placed on a list of potential al-Qaeda targets.  But…is the current situation really that strange?  Should we be shocked that many decisions aren’t risk based?  I would argue no. Why, you ask?

First, let’s begin at the beginning.  Risk management wasn’t a part of the national security process prior to 9/11 and agencies resisted attempts to have it integrated into their decision making process.  Remember, we’re talking about bureaucracies here that have their own interests and goals (self-preservation, accumulation of power, promotion of those who support the organization).  They strive for maximum freedom and chafe at being forced to do things which limit their freedom of action.  Monkeying around with their decision making processes (how they allocate resources) strikes right at the heart of institutional prerogatives and requires a significant shock to the system in order to gain acceptance.

Secondly, when we’re talking about risk management we’re looking for “a means to mitigate or “buy down” risk over time by
developing certain capabilities across the country
.”  More often than not, that means money.  Every other part of the budget process is marked by demands to spread the wealth so that elected officials can demonstrate to their constituents that they’re bringing home the bacon.  If risk management can be circumvented in the defense budget to promote systems that aren’t needed, why should we expect different in the Homeland Security field?  At least through 2007, only 60% of DHS grant funding was based on risk assessments.  The rest?  Called ‘statutory mandated’ funds, it generally can be considered to be the money that had to be paid off to various low-risk districts and states for their representatives and senators to approve the release of the rest of the money.

Thirdly, our general CYA mentality which, as KR points out, asserts that any successful attack (and after the underwear bomber apparently even an unsuccessful attack) has to be viewed as a complete systematic failure and someone will have to be held accountable.  Every Just about every elected official and government employee, no matter how tangentially involved in homeland security is going to want to ensure that it isn’t them who ends up in front of a congressional committee or on the 6 o’clock news and will therefore go to extremes in order to limit their risk.  Movie plot threats will have to be countered even if they’re impossibly complicated and highly unlikely while passing up more likely threats.  But we’ve now conditioned the public to expect 100% perfection and collapse into hysteria whenever a guy with a tan yells ‘boo’.

So, how do we get to risk management?  Certainly, the process is known so that’s not it.  I think there are few ways to actually get all of the actors (institutions, public officials and public) to change their orientation sufficiently to totally accept something like this, much beyond current levels.  The more time that passes without a serious attack, the more the homeland security process will fade into the background of regular operations, subject to the same pressures as every other large money spigot.

I think many people agree that the wrong way to get people to accept risk management in the decision making process would be in the wake of more attacks.  Certainly they would focus our collective mind but the cost clearly makes such a line of reasoning unacceptable.  And, of course, even that wouldn’t be a guarantee of positive change.  It’s just as likely that we could end up with a system that’s even more panicky and knee-jerk in fashion (water-boarding for everyone!).

I was going to suggest the release of more information to the public and some real, adult conversations between our national (and I guess state and local as well) decision makers and the population about risk and what where as a people we want to go.  It is, after all, 2010 and I still don’t think we’ve had this conversation, at least in a sustained concerted way to engage a large part of our population.

When some bonehead talks about the threat of anthrax killing tens of millions, it’d be nice to have some official information to explain why, exactly, that’s nonsense and really, really unlikely.

    But I must be a bit more cynical than normal today.  Let’s face it, you could put all the information you want out there (and I still think it’s a good idea) but there’s just no way that’ll be able to compete with CNN’s latest reporting of ‘What if…’ or Glen Beck’s Doom Room.  Panic sells.  Money (or votes) in your pocket today is better than reducing the risk of a possible future tomorrow (provided it doesn’t happen and if it does happen, it’s not on your watch).

    So maybe our system is the best we can hope for.  Are homeland security decisions that are 60% risk based better than the other possible alternatives?  Is 100% (or 80%) risk management too much to hope for in our system?