DSBlog

Comments (0)

Our June 15 post examined the relatively heavier emphasis placed on state and local governments in the recently released Implementation Plan that guides the execution of Presidential Policy Directive 8 (PPD-8) on National Preparedness. We now turn to the question of how it approaches risk in ways that appear to differ from the March 30 Directive, and how these might influence development of the National Preparedness Goal (NPG) and National Preparedness System (NPS), which are due respectively by September 25 and November 24.

As we noted in Part 1, the Implementation Plan appears to somewhat de-emphasize risk, or at least to decouple it from core capabilities needed for Prevention, Protection, Mitigation, Response and Recovery (PPMRR).

In one key example of this shift, the Directive states that the NPG “shall define the core capabilities necessary to prepare for the specific types of incidents that pose the greatest risk to the security of the Nation.” The Implementation Plan reflects this statement as: “The [NPG] will define the core capabilities that must be established by the Nation in order to prevent, protect against, mitigate the effects of, respond to, and recover from the specific types of incidents that pose the greatest threat to the security of the Nation, including acts of terrorism and emergencies and disasters regardless of cause.”

There are three differences between these statements that provide insight to the views of the Department of Homeland Security (DHS):

1) The original Directive’s phrase “to prepare for” is replaced in the Implementation Plan by, and therefore identified with, PPMRR. This effectively represents a new policy, since similar frameworks were encountered only in the context of capabilities, not preparedness (see, for example, the four mission areas of PPRR in the Target Capabilities List of bygone national preparedness guidelines). Preparedness has been identified as the intersection of – or gap between – risks and capabilities. So this new identification decouples risk from preparedness, at least in an explicit way. (Risk may be assumed in the concept of core capabilities, but only indirectly.)

2) The Directive’s “risk to the security of the Nation” is replaced by “threat to the security of the Nation.” While this may seem like a trivial semantic change, risk and threat have well-defined technical meanings, and substituting one for the other changes the context of the statement substantially. While a threat may be identified almost intuitively, risk is a quantity that must be computed. Therefore, substituting threat for risk reduces DHS’ requirement to perform risk analysis. The Implementation Plan does call for a national risk assessment, so it does not appear to be abandoning risk altogether, but the change in this statement seems significant.

3) The list of incident types has changed. In the opening statement of the Directive, four types of incidents are identified: acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters. The Implementation Plan mentions only terrorism and “emergencies and disasters regardless of cause,” never referring to cyber attacks or pandemics, and subsequently reverts to the general term “all hazards.” The four event types called out explicitly by the Directive represent different disciplines and call for vastly different capabilities to address. For the Implementation Plan to omit mention of cyber attacks and pandemics suggests that the Federal Emergency Management Agency (FEMA), which historically lacks experience with these two types of events, is either distancing itself from considering them or does not recognize their unique characteristics.

These changes in phrasing provide clues that perhaps DHS does not intend to perform a detailed risk analysis to drive capabilities, but would rather start from the capabilities it deems important. The Implementation Plan does state that the NPG “will include a standardized, objective approach for assessing threats and hazards to identify core capabilities and where they are needed…” and, later, “[DHS] will conduct a strategic, national-level risk assessment to identify the relevant risk factors that guide where core capabilities are needed…” However, these two statements leave the connection between core capabilities and risks uncomfortably vague.

Other mentions of core capabilities imply that they represent an unprioritized list, with a set of performance measures for each. The Directive does in fact call for a set of “prioritized objectives to mitigate that risk,” but nowhere in the Implementation Plan is it specified how the core capabilities are connected to risk mitigation. Once the core capabilities are identified based on an assessment of threats and hazards, they take on a life of their own, with their own performance objectives. It is therefore unclear how DHS will determine the “level of performance” needed by different geographies, which are subject to different risks from different threats and hazards. This is, of course, the critical question in the feedback loop of risk management; FEMA has never answered it, and this plan does not promise to do so, either.

Lastly, the Implementation Plan distinguishes between performance objectives for “all-hazards” capabilities and those for “catastrophic preparedness.” This distinction is not apparent in the Directive, which calls only for DHS to consider “catastrophic natural disasters” among its list of “greatest risk” event types. This may reflect a FEMA preoccupation with non-catastrophic natural hazards – as would the previous substitution of threat for risk, which emphasizes frequency over consequence.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.