Christopher Bellavita’s recent article “Changing Homeland Security: Twelve Questions From 2009” says:
In 2009, U.S. residents were threatened by border violence, pandemics, violent extremists, improvised explosive devices, a dirty bomb (or at least the possibility of one), random shootings, cyber attacks, threats to the food supply, severe winter storms, tornadoes, fires, floods, old American dams, and radioactive Canadians. Is there an appropriate way to think about and prioritize those risks?
He asks the question: Why is it so difficult to make risk-based decisions in homeland security?
Now, it’s worth noting that he didn’t ask ‘Are our homeland security decisions risk based?’
I think it’s generally accepted that our decision making process with regards to homeland security is a bit screwy. It could have been the prohibitions against butter knives in the months after 9/11 or the identification of a mini-golf course as worthy of being placed on a list of potential al-Qaeda targets. But…is the current situation really that strange? Should we be shocked that many decisions aren’t risk based? I would argue no. Why, you ask?
First, let’s begin at the beginning. Risk management wasn’t a part of the national security process prior to 9/11 and agencies resisted attempts to have it integrated into their decision making process. Remember, we’re talking about bureaucracies here that have their own interests and goals (self-preservation, accumulation of power, promotion of those who support the organization). They strive for maximum freedom and chafe at being forced to do things which limit their freedom of action. Monkeying around with their decision making processes (how they allocate resources) strikes right at the heart of institutional prerogatives and requires a significant shock to the system in order to gain acceptance.
Secondly, when we’re talking about risk management we’re looking for “a means to mitigate or “buy down” risk over time by
developing certain capabilities across the country.” More often than not, that means money. Every other part of the budget process is marked by demands to spread the wealth so that elected officials can demonstrate to their constituents that they’re bringing home the bacon. If risk management can be circumvented in the defense budget to promote systems that aren’t needed, why should we expect different in the Homeland Security field? At least through 2007, only 60% of DHS grant funding was based on risk assessments. The rest? Called ‘statutory mandated’ funds, it generally can be considered to be the money that had to be paid off to various low-risk districts and states for their representatives and senators to approve the release of the rest of the money.
Thirdly, our general CYA mentality which, as KR points out, asserts that any successful attack (and after the underwear bomber apparently even an unsuccessful attack) has to be viewed as a complete systematic failure and someone will have to be held accountable. Every Just about every elected official and government employee, no matter how tangentially involved in homeland security is going to want to ensure that it isn’t them who ends up in front of a congressional committee or on the 6 o’clock news and will therefore go to extremes in order to limit their risk. Movie plot threats will have to be countered even if they’re impossibly complicated and highly unlikely while passing up more likely threats. But we’ve now conditioned the public to expect 100% perfection and collapse into hysteria whenever a guy with a tan yells ‘boo’.
So, how do we get to risk management? Certainly, the process is known so that’s not it. I think there are few ways to actually get all of the actors (institutions, public officials and public) to change their orientation sufficiently to totally accept something like this, much beyond current levels. The more time that passes without a serious attack, the more the homeland security process will fade into the background of regular operations, subject to the same pressures as every other large money spigot.
I think many people agree that the wrong way to get people to accept risk management in the decision making process would be in the wake of more attacks. Certainly they would focus our collective mind but the cost clearly makes such a line of reasoning unacceptable. And, of course, even that wouldn’t be a guarantee of positive change. It’s just as likely that we could end up with a system that’s even more panicky and knee-jerk in fashion (water-boarding for everyone!).
I was going to suggest the release of more information to the public and some real, adult conversations between our national (and I guess state and local as well) decision makers and the population about risk and what where as a people we want to go. It is, after all, 2010 and I still don’t think we’ve had this conversation, at least in a sustained concerted way to engage a large part of our population.
When some bonehead talks about the threat of anthrax killing tens of millions, it’d be nice to have some official information to explain why, exactly, that’s nonsense and really, really unlikely.
But I must be a bit more cynical than normal today. Let’s face it, you could put all the information you want out there (and I still think it’s a good idea) but there’s just no way that’ll be able to compete with CNN’s latest reporting of ‘What if…’ or Glen Beck’s Doom Room. Panic sells. Money (or votes) in your pocket today is better than reducing the risk of a possible future tomorrow (provided it doesn’t happen and if it does happen, it’s not on your watch).
So maybe our system is the best we can hope for. Are homeland security decisions that are 60% risk based better than the other possible alternatives? Is 100% (or 80%) risk management too much to hope for in our system?