In my experience in security risk management, one of the tools that I see as being the most valuable is a risk register. My definition of a risk register is a representation of priority risks (usually in table or chart form), as evaluated by likelihood and impact. It is intended to help guide executive decision making and support identifying management priorities and assigning responsibilities for, and activities to, monitor and address priority risks. (See discussion: “Risk Register in Three Parts” https://www.cisa.gov/cybersummit-2020-session-day-1-risk-registers-three-parts)
Such a register is not a risk assessment per se – although risk assessments certainly contribute to it – but instead is a management tool to help leaders remain focused on the things that can go wrong and appropriately allocate attention to addressing them. In other words, a risk register enables risk governance. In my time at DHS, I was – and I remain – an advocate of utilizing registers to help drive homeland security strategic efforts.
So, what items should be in the current strategic homeland security risk register? For the next 3-5 years, I see the following overarching risks at the top of the register:
- Natural hazards, worsening because of the impact of climate changes;
- Systemic cybersecurity risk, exacerbated by ubiquitous hardware and software and related technologies;
- Domestic violence and terrorism, inspired by, among other things, the current mis- and dis-information environment;
- Border instability, driven by political unrest across the Central American region and demand for narcotics, as well as policy failures;
- Supply chain shocks, linked to geopolitical events and foreign investment;
- Infrastructure failures, caused, in part, by pervasive underinvestment in upgrades and maintenance of critical systems;
- Public health crises, elevated by many of the factors above and linked to lack of confidence in medical advice;
- Inadequate workforce and expertise, related to the lack of incentives and skills to deal with modern homeland security risks, and;
- Outdated processes and technology and administrative inertia, to rise to the challenges we face as a nation.
In each of these risks you see clear linkages to non-security related trends. Anyone who has done foresight planning recognizes the “STEEP Framework” – where STEEP stands for societal, technological, economic, environmental, and political factors – and it is clear that homeland security risks are being driven quite significantly by larger STEEP trends.
This reality has implications for the discipline of homeland security. Traditional disaster management and contingency planning involve preparing for shock events and addressing incidents as they occur and entering “response mode.” We have reached a point, however, where governments are almost in permanent response mode and that has serious implications for the state of the discipline and the ability to reduce risk driven by STEEP factors. An enterprise that is constantly responding has little time for planning and evolving. And shifting that balance is an imperative if we want a country that is more resilient. This can be done, in part, through more attention to risk governance.
Returning to the idea of a risk register, the focus of a register is not on what problems loom but instead on what needs to be done to keep them from bringing substantial risk to the enterprise.
The good news in addressing the risks identified above is that there have been significant efforts undertaken in the last year by policymakers to make big risk mitigation bets in some identified areas: The passage by Congress of the infrastructure and inflation reduction bills will enable investment in more resilient infrastructure and combat carbon emissions to address climate change. The CHIPS and Science Act establishes approaches to enhance the supply of key microelectronics technologies in the United States and limit the exposure of supply chains to conflict in East Asia. Meanwhile, through Executive Branch action in the cyber arena, the administration has taken key steps to enhance the requirements for secure technologies, particularly software and hardware, and increase transparency of risk which can reduce systemic cyber vulnerabilities. And it has indicated a willingness to stimulate workforce development and promote acquisitions reforms.
In other areas on my notional risk register, however, there has been less-clear policy progress. I see no evidence of a clear strategic approach to addressing the interaction between disinformation and domestic terrorism. Nor is it clear that current political realities will allow for a more stable border security approach. And the country still needs a reckoning with the lessons learned from the failures of public health preparedness to the COVID pandemic, so as to incorporate those lessons into future disease responses and to make needed investments in the public health enterprise.
Whether or not there have been new policies, strategic approaches, and investments made in homeland security risk mitigation, however, there is still a need for systematic processes and authorities for risk governance, and particularly monitoring implementation and ensuring that key risks are being addressed. Here, again, there is work to be done.
The Organization for Economic Cooperation and Development’s (OECD) High-Level Risk Forum, which I chair and which the U.S. government is a key member of, has put forth a series of recommendations for governing critical risks, which the Forum is in the process of updating. (https://www.oecd.org/gov/risk/Critical-Risks-Recommendation.pdf) They include designing an all-hazards structure for risk governance (not just response), utilizing foresight analysis and risk assessment to anticipate events, taking concerted efforts to mobilize whole-of-society risk awareness, and developing an adaptive capacity for response.
I think it is fair to say that, as a country, we still have work to do to achieve those recommendations – particularly in the face of the risks guiding the risk register that I have identified above.
The current setup of the Executive Branch and the associated White House coordinating bodies has not led to a consistent approach for governing critical risks. This is not as much a criticism of the administration but instead an acknowledgment that 21st century risks outpace the design of our government to consistently stay on top of cross-discipline risks and engage the whole of society in addressing them. Innovation of approaches to risk governance are needed. There is some evidence that the White House recognizes this, such as in the Office of the National Cyber Director and the Resilience Directorate at the National Security Council, but they need to be rationalized and supported by the relevant departments and agencies.
A goal for the homeland security enterprise should be to consistently track the most significant risks, engage policy makers and critical industry and non-government groups on those risks, identify mitigation strategies and, perhaps most importantly, stay focused on the challenges ahead. That’s effective risk governance. Enhanced institutional solutions and authorities as well as consistent leadership attention are needed to achieve that aim. A clearly articulated risk register would be a good start.
