
Resource allocation is one of the biggest challenges in developing and implementing an effective state or regional Homeland Security program. Most states and urban areas are moving toward a risk management model. This approach enables large jurisdictions to understand the risks posed by terrorism threats and natural disasters across their entire area.
By developing a comprehensive view of risk, decision makers can set priorities, allocate resources, and respond more effectively to threats. Additionally, they can collect the information they need to justify Homeland Security investments.
Five Reasons to Implement a Risk Management Program
- Risk is a valuable, defensible basis for prioritizing efforts and expenditures.
- You can’t implement a Critical Infrastructure Protection Program (CIPP) without a risk management program, as recommended by the National Infrastructure Protection Plan (NIPP).
The FY07 Homeland Security Grant Program directs all eligible states and UASIs to implement a Critical Infrastructure/Key Resources (CI/KR) program based on the NIPP risk management framework.
- Risk management is essential for achieving the National Preparedness Goal (NPG), which requires your target capability levels be based on your jurisdiction’s unique risk profile.
- Analyzing your risk and tying investments to it will make your organization more competitive in HSGP and infrastructure grant programs now and in the future.
- The federal government does not manage state and regional risk. States and UASIs are responsible for managing their own risk.
Required Program Components
- Comprehensive CI/KR Catalog
A comprehensive CI/KR catalog is the fundamental building block of a critical infrastructure protection and risk management program. You should be able to quickly filter, sort, and report on infrastructure data and communicate it to your local, regional, federal, and industry partners.
- Dynamic Threats and Hazards Analysis
Manmade threats and natural hazards form the baseline of your risk analysis. Threats and hazards should be rated based on the best available historical and intelligence inputs. Ratings should be continually updated as new intelligence is received.
- Security/Vulnerabilities Survey and Assessment
In order to collect and report detailed security and vulnerability information on your high-priority assets, you must conduct onsite assessments of your CI/KR facilities. Your tools and processes should allow security experts to be quickly trained and operational.
- Risk Analysis
The risk to any CI/KR asset should be assessed from each threat/hazard in your catalog. Your analysis should reflect generally accepted principles of quantitative risk analysis as well as emerging national standards and best practices. You should also be able to group results by sector, jurisdiction, and more.
- Risk Management Processes
Risk analysis drives prioritization and resource allocation. Your processes should support the entire risk management lifecycle, from analysis to risk mitigation investments to resource allocation.
Before You Implement…
- Define the risk management functions you want to implement. This will determine which components you need to integrate and their data requirements.
- Identify all available internal and external data sources so you can collect enough information to begin risk management immediately.
- Borrow best practices, but do so with caution. Remember, each organization solves problems from its own perspective and the measures and metrics it uses might not be appropriate for you.
- Take advantage of technology to facilitate the system-wide collection, storage, analytic processing, and reporting of data.