Article Preview
TopA Strategy Without A Theory
The United States Department of Homeland Security’s (DHS) charge is to “Build a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit elements of our Nation’s CIKR, and to strengthen national preparedness, timely response, and rapid recovery of CIKR in the event of an attack, natural disaster, or other emergency” (U.S. Department of Homeland Security, 2009, p. 9). The homeland security strategy is considered all-hazards because it embraces both natural and human-made catastrophes such as Hurricane Katrina, and the 9/11 Terrorist attacks. It is considered risk-informed, because allocation of resources is based on risk reduction through a variety of means.
The effective implementation of a risk-informed, all-hazards approach hinges upon our understanding of the general theory of catastrophes spanning a wide variety o incidents: earthquakes and wild fires in Southern California; hurricanes in Florida; terrorist attacks on infrastructure; and pandemic threats such as the H1N1 influenza. Unfortunately, DHS has not applied a unifying theory of catastrophe to guide decision-making, preparedness, or response. The department, for example, has no universal definition of risk and resilience with sufficient operational rigor to uniformly apply a risk-informed decision-making process across all hazards. The National Infrastructure Protection Plan (NIPP) (U.S. Department of Homeland Security, 2009) does provide verbal definitions of risk and resilience, but these leave too much up to miss-interpretation of terms in the definition. For example, risk is defined as, “the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences”, and resilience is defined as, “the ability to resist, absorb, recover from, or successfully adapt to adversity or a change in conditions” (U.S. Department of Homeland Security, 2009, p. 111).
This lack of operational rigor has led to organizational confusion, duplication of effort (different agencies doing the same thing), and poor utilization of limited resources (inadequate identification of the most at-risk assets, suboptimal return on investment, and non-optimal allocation of response capability). DHS has adopted a risk-informed decision-making process, but has done so without rigorously defining key terms such as “risk” or quantifying the primary elements of risk: “threat”, “vulnerability”, “resilience”, and “consequence” – terms used throughout DHS policy and strategy documents. Risk-informed decisions are difficult to make without operational definitions of risk and resiliency.
For example, the NIPP document states, “The cornerstone of the NIPP is its risk analysis and management framework that establishes the processes for combining consequence, vulnerability, and threat information to produce assessments of national or sector risk” (U.S. Department of Homeland Security, 2009, pp. 2-4). And then on page 32, the NIPP defines risk as a function of threat, vulnerability, and consequence, “R = f(T, V, C)”. This definition is non-operational, for a number of reasons. Moreover, it does not provide a unifying theory of catastrophic events, nor does it reveal a deep understanding of catastrophe, the nature of an emergency incident, or human-caused attack. It is not even clear that risk reduction is an adequate strategy, especially given the complex nature of most infrastructure systems underpinning modern societies.
In place of a formula for risk, we seek to understand the very nature of disaster. Are there elements common to all disasters? Can incidents be categorized into low and high risk? What does resiliency mean in a system as opposed to a single asset? What is the impact of a minor failure in a component on the larger system? The critical sectors such as energy, power, telecommunication, water, and public health are complete systems – more than the sum of their parts – because of their complex interactions and interdependencies. A failure in power, for example, can propagate to other sectors such as transportation, energy, and telecommunications. Thus, cascading effects may magnify the impact of a failure in one sector on the performance of another sector. Thus, criticality is more than risk or resilience of individual assets – rather, it is a property of a complex system.