On the Notion of Risk Management at DHS

By W.D. Reasoner on September 19, 2012

Since taking office, Department of Homeland Security (DHS) Secretary Janet Napolitano has been extolling the virtues of a risk management strategy. For instance, risk management formed a part of her very first testimony before the House of Representatives' Committee on Homeland Security in February 2009.

And as recently as July of this year, the Secretary was still speaking of risk management measures, almost exclusively in the context of immigration and border management, at a House Judiciary Committee hearing.

In fact, a quick check of the DHS website gives us an entire online "Risk Management Series".

For those who don't know, risk management is a convenient shorthand way for governing officials to acknowledge that they cannot guarantee they will always be able to stop a terrorist attack or other threat to public safety and security because there are too many unknowns and variables, including "under the radar" and "lone wolf" scenarios. Therefore, good governance requires that they assess and minimize the knowable, or at least predictable, risks. It's kind of like saying that because finding a needle in a haystack is very difficult, we will do what we can to reduce the size of the haystack.

I will admit that I'm not fully comfortable with the phrase. In fact, I'm downright ambivalent about it, for what I think is a very good reason: I get the distinct sense that whenever this phrase is uttered by politicians and our political leaders, it is a way of explaining, in advance, that they are not going to be held responsible for some horrible act of terror or mayhem, should it occur; that it will inevitably be described as a "one-off" or otherwise unforeseeable event, however tragic.

Now whether in fact such an event is truly one-off, or could have been mitigated or averted will only be known after the fact, and that is when we are least competent to make such judgments because emotions are running high. It is also when those same political leaders will be sending out the spinmeisters in droves to put their own unique, and quite possibly self-serving, twist on the event.

Think I'm exaggerating? Look at how the administration is describing the events that led to the death of the U.S. ambassador and other American government employees in Benghazi, Libya, on September 11, 2012. They have gone out of their way to describe security procedures in place as more than adequate, and to dismiss the notion that the attack was pre-planned. But when was the last time you saw peaceful protesters carrying rocket-propelled grenade launchers and automatic weapons to the site of their demonstration? Looks to me more like the Salafist attackers set up and used the "peaceful" protest as a diversion to achieve success:

  • Benghazi was well known by both the Libyan and U.S. governments to be home to a number of well-armed Islamic militant groups;
  • Libya's government is still weak and struggling to assume and hold the reins of power;
  • American consulates have been the subject of terrorist attacks before (the consulate in Jeddah, Saudi Arabia, comes immediately to mind); and
  • The attack took place on the eleventh anniversary of 9/11, a date when American outposts abroad are supposed to be in a state of heightened alert.

So what within the principles of risk management was not reasonably foreseeable about this attack?

In fairness to Secretary Napolitano, she is not the only DHS secretary to warm up to this notion of risk management. Yet perhaps that only underscores my point that politicians of any stripe look ahead to the possibility of disaster and begin employing P.R. strategies that blunt or avoid personal or career damage, and lower public expectations.

However, I understand that there is still some validity to the concept of risk management (and, hopefully, mitigation), even if it's susceptible to the political spin I find so repugnant, and knowing full well that it isn't a panacea. So it's often helpful to look at what actions are being or have been taken to decide if risk management principles are truly being applied.

In doing so, I often look through the lens of the 9/11 Commission reports, including the staff monographs that accompanied the reports. I do so because they are thorough, thoughtful, and nonpartisan. The findings and recommendations provide benchmarks against which we can measure progress in our security efforts, including risk management. It is significant that a number of the findings and recommendations directly relate to immigration matters. The Commission understood, apparently more than many officials in this administration, that there truly is a nexus between good border security and immigration enforcement on the one hand and national security on the other.

So considering the principles of risk management in the context of the 9/11 Commission, how is DHS (which, ironically, came into being as a direct result of the terrorist attacks of that day) doing? Here are just a few markers to tell us:

An entry/exit system so that the United States can track who is within our borders. We have no exit system to speak of. And GAO recently issued a report on the entry system, within the context of the umbrella of US-VISIT. Among other things, they determined that the system is has no safeguards against pranksters — presumably government employees — who enter data for the likes of "Mickey Mouse" and "Jarvis Sample", or who are so indifferent to data error reconciliation that hundreds of entries are simply described as "frequent traveler".

Departure compliance to ensure nonimmigrants leave when and as required. The above-mentioned GAO report states that US-VISIT is unable to meaningfully identify individuals using aliases to fraudulently enter the United States. This is quite a handicap. Furthermore, US-VISIT officials could only identify a couple of instances of referrals to their ICE counterparts for investigation. But that's probably just as well, because, according to those pesky bean counters at GAO again, officials at DHS's Immigration and Customs Enforcement agency (ICE) only expend about 3 percent of their investigative resources to track down overstayed visitors and students, even though most assessments, including those of DHS itself, gauge that at least 40 percent of the give-or-take 10 million aliens living in the United States illegally are nonimmigrant overstays.

Foreign students in the United States. Going clear back to the crisis of 1979 when radicals took over the American Embassy in Tehran and President Carter ordered all Iranian students present in the United States to be identified and registered, it has been clear that there is no real capacity to do so. If nothing else, one might have assumed after the 9/11 attacks — given the number of "students" who figured among the attackers — that this problem would have been resolved. But we know what they say about that word "assume" don't we? GAO reports from June and July 2012 tell us that DHS internal controls over its Student and Exchange Visitor Program are weak and lack any capacity to identify and assess risks posed by schools permitted to host foreign students. What is more, GAO also issued a report in July acknowledging that flight schools were gaining authorization despite training foreigners illegally in the United States.

Visa security offices manned by experienced DHS officers at embassies and consulates abroad who can assist State Department consular officers in a layered line of defense against terrorists, criminals, and fraudsters attempting to obtain visas and enter the United States. DHS's most recent budget submission to Congress pretty much zeroes out the budget for this important function. Can we infer from this that risk management principles are working well in the visa-issuing arena, without need for these offices? Not really. Another recent GAO report suggests that many consular officers feel strongly that they don't have nearly enough assistance in the fraud detection arena and aren't sure where to turn for the expertise or resources, and senior consular program managers have not thought it important to make sure they get the training and assistance they need.

Not a very good report card for DHS's risk management efforts, is it?

In the end, what it all comes down to is this: without actions, strategies, and substantive efforts to back it up, the phrase "risk management" is just words — and words can be as insubstantial as the air on which they float.