Risk Management Curriculum Review Group

Risk Management Curriculum Review Group Findings Report December 2010

PREFACE

This report is presented on behalf of the Department of Homeland Security Risk Management Curriculum Review Group, co-chaired and administered by the Office of the Chief Learning Officer, the Office of Risk Management and Analysis, and the Office of Professional Development and Training in the National Protection and Programs Directorate.

Homeland security is about managing risks to the nation's security. As such, it is vital that the Department of Homeland Security train and develop a workforce of skilled risk managers. This document, which is a collaborative effort across the Department, is a critical step toward achieving that goal.

Coherent, effective and efficient risk management training for the Department cannot be achieved in isolation. We look forward to continued collaboration as we make progress on the recommendations outlined herein.

We applaud the hard work of the Risk Management Curriculum Review Group members and stand behind their findings and recommendations.

Dr. George . Tanner Chief Learning Officer US Department of Homeland Security

Risk Management Curriculum Review Group Findings Report

Tina W. Gabbrielli Director, Office of Risk Management and Analysis National Protection and Programs Directorate US Department of Homeland Security

Page i

Risk Management Curriculum Review Group Page ii Findings Report

TABLE OF CONTENTS Executive Summary ................................................................................................................. iii

I. Introduction and Background ............................................................................. 1

II. Methodology Overview ...................................................................................... 3

III. Training Audiences ............................................................................................ 6

IV. Needed Risk Management Competencies .......................................................... 8

V. Available Risk Management Training ............................................................. 14

VI. Gap and Redundancy Analysis ......................................................................... 17

VII. Recommendations ............................................................................................ 20

VIII. Next Steps ......................................................................................................... 25

IX. Conclusion ........................................................................................................ 28

Appendix A: Risk Management Curriculum Review Group Staff Members ........................ 29

Appendix B: Contributors to Risk Management Competency Needs Analysis .................... 30

Appendix C: Contributors to Available Training Analysis ................................................... 31

Appendix D: Available DHS Risk Management Courses Used for Analysis ....................... 32

Risk Management Curriculum Review Group Page iii Findings Report

EXECUTIVE SUMMARY

The 2010 Quadrennial Homeland Security Review states that homeland security is about “effectively managing risks to the Nation’s security.”1 The Department of Homeland Security (DHS) recognizes that managing the many risks facing the Nation requires a well trained workforce.

Therefore, in support of the Secretary of Homeland Security’s Efficiency Review and the goals outlined in the DHS policy for Integrated Risk Management (IRM), the Risk Management Curriculum Review Group (CRG) was formed to present an action plan to improve the efficiency and effectiveness of DHS training in the risk management discipline. After analysis, the CRG identified six critical gaps and redundancies in current DHS risk management training and developed ten recommendations designed to address them.

To arrive at these recommendations, the CRG performed a gap analysis comparing the Department’s need for staff with risk management competencies to the current state of training in those areas. The effort took seven months of research and analysis, coordinated through the participation, review, and consensus of 18 different Department components, directorates, and offices.

To structure the analysis, the CRG identified four target audiences and three areas, or types, of risk management training. The four audiences are: (1) Executives, (2) Program Managers and Planners, (3) Operational Personnel, and (4) Risk and Decision Analysts. The three types of risk management training are: (1) General Risk Management, (2) Homeland Security Risk Management, and (3) Institutional Risk Management. The CRG identified dozens of risk management competencies for each audience and catalogued 100 courses available to these audiences in the three areas of risk management training.

Based on the availability and nature of current training, the CRG concluded that the Department is not currently training its employees to be competent and robust risk managers. In addition to lacking sufficient training programs, the Department also lacks the career tracks, and governance necessary to ensure that employees are able to effectively manage risk within their domain. Furthermore, current in-house training options in risk management are unevenly distributed among key training audience groups and components within the Department.

1 US Department of Homeland Security, Quadrennial Homeland Security Review Report: A Strategic Framework for a Secure Homeland, February 2010, pg 2.

Risk Management Curriculum Review Group Page iv Findings Report

To tackle these issues, the CRG proposes a strategic roadmap consisting of ten separate recommendations implemented over three phases that will both fill gaps in the Department’s risk management training capabilities and realize long-term efficiencies. The recommendations include making process improvements – such as creating standards and oversight for risk management training – developing new training materials, and introducing improvements to the human capital strategy for risk management staff within the Department.

Recommendation # 1: Formally establish the Risk Management CRG under the DHS Risk Steering Committee and the Office of the Chief Human Capital Officer to (a) oversee the implementation of the recommendations in this report, (b) review risk management training efforts, and (c) assess training for compliance with risk doctrine (once it is formalized)

Recommendation # 2: Develop materials on risk management basic principles and available resources for DHS new hire orientation to support a culture of risk management within DHS

Recommendation # 3: Institute a risk management seminar series for the DHS leadership cadre

Recommendation #4: Engage components to encourage incorporation of identified risk management competencies into performance and hiring goals and training plans

Recommendation #5: Publicly release the desired risk management competencies for DHS staff, as identified by the CRG, to support integration of training efforts across the greater homeland security enterprise

Recommendation #6: Develop a standards guide for risk management training to keep key content and terminology consistent across the Department

Recommendation #7: Develop a ‘Fundamentals of Risk Management’ course available online that teaches basic risk management principles to DHS staff

Recommendation #8: Explore the concept of establishing a new Risk Management Fellows program and integrating it with existing DHS-wide initiatives to facilitate diversified on-the-job training and sharing of best practices

Recommendation #9: Develop risk management modules to insert into the standard training for executive leadership, program managers, and planners

Risk Management Curriculum Review Group Page v Findings Report

Recommendation #10: Develop a career track with learning and development goals for DHS Risk and Decision Analysts, possibly including a certificate program with continuing education requirements, to standardize and solidify this profession

The ten recommendations represent the most pressing actions that the Department should take to support the Efficiency Review and the IRM policy in the area of risk management training. The CRG recommends implementing the first five actions within fiscal year 2011 as a means to jump start the risk management training effort and support the DHS Efficiency Review. These recommendations require relatively few resources and have the potential to have broad impact, allowing the Department to realize efficiencies and eliminate critical gaps in the near term that will build momentum, credibility, and support for larger, more complex efforts in subsequent years.

These ten recommendations will greatly increase the number of Department employees who receive risk management and analysis training, ensure critical audiences receive sufficient training, and avoid redundancies and inconsistencies in current and future risk management training programs. They also support the “One DHS” initiative by encouraging Department-wide standards and cross-component communications.

Risk Management Curriculum Review Group Page 1 Findings Report

I. INTRODUCTION AND BACKGROUND

Purpose

The Department recognizes risk management2 as fundamental to protecting the Homeland. As stated in the 2010 Quadrennial Homeland Security Review, “ultimately, homeland security is about effectively managing risks to the nation’s security.”3 Although created to support a DHS Efficiency Review initiative, the broader goal of the Risk Management Curriculum Review Group (CRG) is to help create a DHS workforce that clearly understands and consistently practices sound risk management, while integrating Departmental risk management training efforts to gain efficiencies wherever it makes sense to do so. This document identifies both gaps and redundancies in current risk management training at DHS and offers actionable recommendations to move the Department closer to the Secretary’s vision for integrated risk management within an efficient organization.

Origins of the Project

The DHS Efficiency Review, launched by Secretary Napolitano and the DHS senior leadership team in 2009, is a major effort to improve efficiency and streamline decision-making through a series of agency-wide initiatives. One key initiative is improving the efficiency and effectiveness of the Department’s learning and development programs. The Secretary’s intent for the learning and development initiative is to maximize training opportunities and employee time while reducing costs by standardizing training modules across the Department and expanding cross training.4

As such, the Secretary tasked the Chief Learning Officer (CLO) and the Training Leaders Council (TLC) to inventory training activities, seek ways to reduce duplication, and open enrollment across the Department for any non-mission-specific training opportunities. The CLO also established curriculum review groups to ensure that key capabilities within the Department are built in a deliberate, systematic manner. Because the Secretary identified

2 The Department of Homeland Security defines risk as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences;” and risk management as the “process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.” Definitions from the 2010 DHS Risk Lexicon (http://www.dhs.gov/files/publications/gc_1232717001850.shtm). 3 US Department of Homeland Security, Quadrennial Homeland Security Review Report: A Strategic Framework for a Secure Homeland, February 2010, pg 2. 4 Efficiency Review 90-Day Initiative: Employee Learning and Development, Internal document.

“DHS must ensure that its personnel and partners are equipped to understand, communicate, and execute its system of processes and governance through training and education. Training and education ensures that the principles and processes of integrated risk management are applied consistently across the Department and fosters the development and sustainment of a risk management capability and culture.”

- DHS Interim Integrated Risk Management Framework (January 2009)


risk management as a key capability within the Department, the CLO worked with the Office of Risk Management and Analysis (RMA) and the Professional Development and Training Office within the National Protection and Programs Directorate (NPPD) to launch the cross-component Risk Management CRG effort. The CRG is aligned with the DHS Risk Steering Committee (RSC)5, whose designees sit on the CRG, enabling incorporation of organizational and operational needs from components and fulfilling DHS Strategic goals.

This CRG effort takes place within a broader policy context, wherein DHS leadership reaffirmed the importance of risk management in both protecting the Nation and strengthening the Department as an organization. The importance of risk management is reflected in the 2010 Quadrennial Homeland Security Review, which sets the homeland security strategic framework, as well as the accompanying Bottom-Up Review, which aligns Department actions to achieve strategic goals. To further emphasize the point, Secretary Napolitano issued a policy statement on Integrated Risk Management (IRM) in May 2010, calling on the Department to use risk management to inform strategies, processes, and decisions for enhancing homeland security and to work in a unified manner to manage risks to the Department and homeland security enterprise. A key step in implementing the Secretary’s IRM policy is training Department employees in risk management concepts and applications.

The Risk Management Curriculum Review Group (CRG)

The purpose of the CRG is to provide expertise, analysis, and support in the area of risk management training in order to develop a strong risk management culture at the Department. Although its initial focus is an analysis of training needs, ultimately the CRG’s objectives are to:

Provide the Secretary of Homeland Security with a coordinated approach to risk management training within the Department

Develop and implement a systematic approach for identifying and building risk management capabilities within the DHS components, as well as integrating risk management principles throughout the homeland security enterprise

Monitor risk management learning and development activities within the Department to ensure they are effective, consistent, and not duplicative

Advance strategic-level homeland security risk management and analysis and, ultimately, decision-making through coordinated and integrated risk management training

Pattern risk management training from the best curriculums, utilizing lessons learned that can improve risk training across the Department

The CRG is co-chaired by the Office of the CLO, the NPPD Professional Development and Training Office, and RMA. As indicated in Appendix A, through the efforts of the DHS

5 The DHS Risk Steering Committee is the risk governance structure for the Department. It is comprised of leaders from across the Department, chaired by the Undersecretary for the National Protection and Programs Directorate, and administered by the Office of Risk Management and Analysis.


RSC, and the CLO, CRG membership spans DHS, with subject matter expertise in curriculum development, risk management, and process improvement.

II. METHODOLOGY OVERVIEW

In order to identify the training needs and areas for efficiencies across the Department, the CRG conducted an analysis that was both comprehensive and reasonable given the available resources and the objectives of the group. The methodology used by the CRG is discussed below.

The ADDIE Process

The CRG follows a widely accepted Instructional Systems Design process that consists of five phases: Analyze, Design, Develop, Implement, and Evaluate (ADDIE). This process is diagrammed on the left side of Figure 1.

Figure 1: The ADDIE Process linked with the Gap Analysis Process used by the CRG

The focus of the initial effort by the CRG, and the topic of this report, is the “Analyze” step of the ADDIE process, which seeks to answer four primary questions:

Who are the audiences – that is, what are the job categories that require competencies in risk management?

What risk management competencies are needed for each audience?

What courses and materials are currently available?

Analyze

Design

DevelopImple‐ment

Evaluate

• "To Be" Analysis

• "As Is" Analysis

•Gap and Redundancy Analysis


Where are the biggest gaps and redundancies for imparting needed risk management competencies given available training?

While this report covers only the “Analyze” step of the ADDIE process, the recommendations pave the way for subsequent stages.

Gap Analysis Process

To answer the questions for the initial “Analyze” phase of ADDIE, the CRG applied its own knowledge as well as the inputs from other DHS and external experts to a traditional three-step gap analysis process. The three-step analysis process is diagrammed on the right side of Figure 1 and includes:

1. Determining what risk management competencies DHS should strive to achieve: the “To Be” analysis

2. Determining the current state of risk management training within DHS: the “As Is” analysis

3. Gap and efficiency assessment

While some gap analyses start with the current state of affairs and build on that to determine the desired, or “To Be,” state, the CRG started with the desired state and kept it separate from an assessment of the current, “As Is,” state. This allowed the CRG to accurately capture an unconstrained vision of where the Department should be in terms of risk management competencies, and avoid tailoring the desired state to match or justify elements of the status quo.

“To Be” Analysis Step

To identify the desired risk management capabilities of the Department, the CRG interviewed 28 representatives from 13 different DHS components, as well as experts outside the Department familiar with homeland security risk management (see Appendix B). These expert inputs were compiled, analyzed, and fleshed out to determine what specific skills, abilities, and knowledge –what the CRG termed “competencies”– DHS employees required in order to successfully manage risk within their domains. The CRG supplemented these expert interviews with data from a variety of additional sources, including homeland security and risk analyst job descriptions from across the government and private sector, and reviews of relevant academic degree program curricula. Additionally, the CRG leveraged existing DHS training reports, such as the Learning Roadmaps for Intelligence Professionals (2007) and the National Infrastructure Protection Plan/Critical Infrastructure and Key Resources (NIPP/ CIKR) Education and Training Assessment Report and Implementation Plan (2008) to ensure consistency with prior DHS efforts.

Based on these conversations, the CRG identified four target audiences and three areas, or types, of risk management training. The four audiences are: (1) Executives, (2) Program Managers and Planners, (3) Operational Personnel, and (4) Risk and Decision Analysts. The three types of risk management training are: (1) General Risk Management, (2) Homeland Security Risk Management, and (3) Institutional Risk Management. General risk management refers to skill areas that can be applied across domains, whereas homeland


security risk management refers to management of security/safety risks specific to homeland security, and institutional risk management refers to the management of enterprise and programmatic risks relating to an organization and its business processes. These training types are differentiated because training in one area will not necessarily provide the skills needed to manage risk in another area; for example, the specific skills required to complete a vulnerability assessment of a building or port of entry are different than those needed to manage risks to a multi-million dollar acquisition program and vice-versa.

“As Is” Analysis Step

To establish a baseline of existing training for risk management competencies, the CRG surveyed the breadth of courses available to Department employees to produce the best snapshot available of current DHS risk management training.

The effort involved a Department-wide data call to which 14 components responded (see Appendix C for a list of the components that responded and contributed course materials).

As part of its due diligence, the CRG also performed searches on a variety of Department training databases and component course catalogues, including the inventory of courses obtained through the Efficiency Review Initiative, the DHS Cross Component Course Catalogue, and online sources like DHScovery6, among others. In total the CRG identified 100 relevant courses, as listed in Appendix D.

Due to the variation in terminology across components, and the fact that much of the Department’s risk management training comes as modules in larger training courses, there was no easy way to identify courses that may feature risk management competencies unless they explicitly identify doing so as a primary purpose. Consequently, while the CRG recognizes that courses may be missing, the process was thorough, open, and as comprehensive as possible.

Gap and Redundancy Analysis Step

By comparing the competencies identified in the “To Be” analysis to the available training identified in the “As Is” analysis, the CRG was able to make judgments on the gaps and redundancies in current risk management training. Because the CRG could not gain access to the course material for all 100 courses, and because no widely-accepted standards currently exist for risk management training, the CRG did not evaluate the quality of each course or how well it might teach a risk management competency. Instead the CRG looked at high-level trends and practices in providing risk management training to each audience, both in terms of the number of courses and the types of risk management they cover.

This approach was both more efficient and more feasible than a competency-by-competency review of each of the 100 courses. The subsequent data analysis therefore achieves the CRG’s critical goals by illustrating general trends and large gaps or redundancies.

6 DHScovery is a web-based learning management system that provides access to mandatory and professional development learning activities for DHS employees. It has over 2500 online courses, including DHS mandatory training.


III. TRAINING AUDIENCES

Each and every DHS employee contributes to risk management. Behind every activity that directly addresses a specific threat or hazard, there is an array of supporting functions that ensure resources and capabilities are available and employed in the most effective manner to accomplish the mission. Each DHS employee has a duty to manage risks associated with his or her sphere of responsibility, and needs to understand both risk management and his or her role in implementing it.

As noted in the Methodology Overview section, the CRG categorized DHS employees into four different training audience categories. These categories are a broad construct, and some individuals may fall into more than one of these key categories depending on the specifics of their job. This section describes each audience and the role they have in managing risk.

Executives

Executive level decision-makers apply risk management principles for both institutional and homeland security risk management at the strategic level. Executives are responsible for setting objectives and allocating resources across their portion of the homeland security mission-space. While decisions are made at all levels of an organization, executives make strategic decisions based on limited resources, set risk tolerance levels—the amount of risk the organization is willing to accept7—and are ultimately responsible for the organization’s performance.

Executives have to understand how risk management at all levels contributes to achieving strategic and operational objectives. They must also take responsibility for communicating strategies and risk tolerance levels to the organization and accept accountability for managing risks within their sphere of responsibility. Consequently, executives typically establish the context for risk analysis by outlining the decision(s) the analysis will inform and factors that may serve as assumptions or constraints. Following the analysis, the executive must be an informed user who can effectively question and contextualize risk analysis results and communicate how the risk analysis impacted their decisions up and down the chain of command.

Executives are also responsible for embedding the risk management cycle into their organization’s operating culture. Therefore, executives must clearly understand the relationship between institutional and homeland security risk management, and articulate this to staff to ensure that the organization is successfully implementing risk management principles at the enterprise and programmatic levels.

Program Managers and Planners

Program managers and planners are responsible for turning strategic guidance received from executives into functioning plans and programs that address homeland security risks and

7 The Department of Homeland Security defines risk tolerance as the “degree to which an entity, asset, system, network, or geographic area is willing to accept risk.” Definition from the 2010 DHS Risk Lexicon (http://www.dhs.gov/files/publications/gc_1232717001850.shtm).


support risk management goals. Program managers and planners work with analysts, budgeters, and executives to ensure that risk management concepts and risk analysis outputs are considered and incorporated into plans, management strategies, and definitions of success.

While program managers and planners have primary responsibility for implementing risk management within their spheres, their job is also to translate strategic guidance and priorities received from leadership into executable terms such that risk analysts and operational personnel can apply the guidance to their efforts. Additionally, program managers and planners must be able to communicate information about their programs and risk management efforts to decision-makers, as well as to external stakeholders.

Operational Personnel

Operational personnel are responsible for implementing and executing the risk management strategies, countermeasures, programs, and plans developed by their chain of command. Operational personnel contribute to tactical risk assessments within their domains and are responsible for communicating risks to analysts, program managers and planners. Their job often entails using tailored risk analysis tools and gathering risk data from the field. While specific roles and responsibilities vary widely across domains, operational personnel generally serve as subject matter experts on the tactical risks within their area.

Risk and Decision Analysts

Risk and decision analysts receive strategic and programmatic direction from decision-makers and program managers and apply it to specific risk management problems. This involves performing risk and decision analysis; developing proper methodologies and approaches; verifying, validating, and analyzing the outputs of risk assessments; and developing risk mitigation strategies and alternatives, among other tasks.

For a specific assessment, risk analysts are responsible for defining terms, identifying data sources, documenting assumptions, noting limitations, and communicating outputs, including any uncertainty. The quality and credibility of a risk assessment process and its outputs rests in large measure with the risk analysts who perform the analysis. Consequently, risk and decision analysts must be thoroughly versed in analytic tools and techniques, capable of applying general principles to specific problems, and communicating technical findings to a variety of audiences. They must also understand the context of the operating or decision environment in order to help develop and communicate risk management recommendations.


IV. NEEDED RISK MANAGEMENT COMPETENCIES

During the “To Be” portion of the analysis, the CRG identified core risk management competencies that apply to all DHS employees, as well as competencies specific to key categories of staff. These competencies represent capabilities or subject matter knowledge that DHS needs individual employees to possess at hiring or to acquire through training and development programs. Because there is such a wide range of competencies that fall under the term risk management – from how to assess the vulnerabilities of a Federal building, to managing the Department’s budget – the CRG also categorized the competencies according to different possible focus areas for risk management training. As mentioned in the Methodology Overview section, these areas are:

1. General Risk Management competencies, which address general understanding and knowledge of risk management principles and how to apply them

2. Homeland Security Risk Management competencies, which address management of homeland security specific risks, including hazard types such as terrorism or natural disasters, and mission areas, such as facility security or border security

3. Institutional Risk Management competencies, which primarily address management of internal business processes, efficiencies, and organizational risks

The CRG applied these risk management categories to the competencies for each audience group, and also included a set of universal competencies applicable to all DHS staff.


All DHS Employees should have the following general risk management knowledge: The fundamental concept of risk management and its value to the homeland security

enterprise How their function contributes to the success of the

Department and how they can use risk management concepts and information to improve the execution of their duties

Basic risk terminology (referencing the DHS Risk Lexicon)

The DHS Risk Management Cycle and how it can be applied to different types of decisions

The elements of risk for homeland security, including the accepted definitions for likelihood and consequence

The various strategies for managing risk (e.g., accept, avoid, transfer, and control)

How to apply logical reasoning and critical thinking to risk management problems

Available risk management guidelines and resources, and where they can be found

Each DHS employee has a duty to manage risks associated with his or her sphere of responsibility, and needs to understand both risk management, and his or her role in implementing it.

UNIVERSAL


General Risk Management Competencies: Understand the fundamental limits and potential of risk management Establish and maintain a clearly structured, transparent process for identifying, analyzing,

and communicating risks throughout their organization, including identifying parties responsible for overseeing the management of those risks

Define the questions and challenges that require risk analysis, including setting and communicating the context, goals, assumptions, and constraints for the analysis

Incorporate risk analysis findings into a variety of decisions (e.g., budget, policy, planning, etc.) and communicate to stakeholders how the risk analysis was used

Comprehend the strengths and limitations of risk analysis, including an appreciation of uncertainty

Compare and contrast competing risk analysis results and understand how to apply or disregard findings

Make decisions across multiple risk management alternatives, and provide guidance to the program managers, risk analysts, and operational personnel executing and supporting those efforts

Use quantitative and qualitative metrics to evaluate the efficacy of ongoing risk management efforts

Communicate risk management priorities to key stakeholders

Develop and maintain an organizational culture that uses, values, measures, and supports risk management efforts

Homeland Security Risk Management Competencies: Set and communicate acceptable levels of homeland security risk (sometimes called risk

appetite or tolerance) to planners, program managers, operational personnel and risk analysts Set and communicate preferences for considering homeland security hazards, threats, and

consequence levels Institutional Risk Management Competencies: Set and communicate acceptable levels of institutional risk (sometimes called risk appetite or

tolerance) for program performance to program managers Monitor institutional risks to ensure that they are within acceptable thresholds

The Executive group includes all senior officials at the Under Secretary level and above, as well as Assistant Secretaries, Administrators, Directors, Commissioners, and military equivalents. Some senior staff members may also have executive level responsibilities.

EXECUTIVES Executives establish strategic and operational priorities, select approaches, and allocate resources


General Risk Management Competencies: Communicate the strategic relevance and constraints of risk assessments to those responsible

for completing or using the assessment or who otherwise have a need for the information Use the results of finished risk assessments to help determine appropriate courses of action

and to develop implementation plans Maintain clearly structured, transparent processes for identifying, analyzing, and

communicating risks throughout their program Incorporate risk analysis findings into program and planning decisions and processes Assess and decide whether risk analysis models and/or assessment tools, given different

strengths and weaknesses, are appropriate to the circumstances and constraints of the specific program or planning requirement

Participate in the identification, recommendation, and development of risk management alternatives

Monitor and evaluate the efficacy of on-going risk management efforts using metrics

Develop and maintain processes for sharing and reporting risk information among risk analysts, operational personnel, and other planners and program managers

Homeland Security Risk Management Competencies: Communicate homeland security risk tolerance

levels – as determined by executive decision-makers – to operational personnel and risk analysts

Balance the management of multiple homeland security risks across hazard areas and missions within a DHS component as necessary

Institutional Risk Management Competencies: Communicate institutional risk tolerance levels for program performance – as determined by

executive decision-makers – to risk analysts and operational personnel Set program goals (e.g., milestones, timelines and budget) and identify risks to those goals

Program managers and planners include Strategic Planners, Program Managers for any DHS level 1, 2 or 3 investment, Division and Branch Chiefs, business continuity planners, Operating Program Managers who provide policy and planning for the execution of operational activities carried out in the field, acquisition specialists, and emergency response planners.

PROGRAM MANAGERS AND PLANNERS Program Managers and Planners turn executive decisions into actionable, implementable plans and oversee the day-to-day execution of these plans


General Risk Management Competencies: Use and apply the risk assessment and analysis tools developed for their operational area

(e.g., software applications, risk ranking systems, risk scenarios) Comprehend the strengths and limitations of the risk assessment and analysis tools they are

using Execute risk management programs and functions

and provide feedback on their efficacy Contribute to operational and tactical risk

assessments within their domain Identify the emergence of new risks and opportunities

within their operational area and communicate them to relevant stakeholders

Gather risk data from the field and share it with stakeholders as appropriate

Contribute to the development of risk management alternatives using their local domain knowledge

Accurately gather and report metrics for evaluating the effectiveness of risk management efforts

Homeland Security Risk Management Competencies: Assess the components of homeland security risk (e.g., threat, vulnerability and consequence,

or the equivalent components as appropriate to a given hazard) at a tactical level Apply homeland security risk tolerance levels – as

determined by executive decision-makers – to operational risk management decisions

Provide granular-level domain knowledge to analysts developing and validating models of their domain

Institutional Risk Management Competencies: Develop and maintain processes for gathering and

reporting relevant business data to support institutional risk management efforts

Apply risk management principles and institutional risk tolerance levels – as determined by executive decision-makers – to daily operational decisions, duties, and practices

Operational personnel include land and maritime border enforcement officers, emergency responders, law enforcement officers, transportation and cargo screeners, port security officers, and other executionlevel personnel, such as auditors.

OPERATIONAL PERSONNEL Operational Personnel implement plans and programs using specific, tactical and operational risk management tools


General Risk Management Competencies: Describe the decision space or system being analyzed in order to identify potential hazards and threats Apply risk and decision analysis methodologies and techniques to support homeland security

decisions Develop risk assessment methodologies that meet decision-maker needs and constraints,

acknowledging the strengths and limitations of qualitative and quantitative analysis

Select the types of analysis most appropriate for a decision context, including consideration of time, data and resource constraints, considering the availability and quality of data

Communicate the approach and results of a risk analysis to a variety of technical and non-technical audiences

Identify sources of data for risk analysis, including data that informs likelihood and consequences estimates

Write technical reports that can be understood by a variety of audiences Document methodology and approach, including assumptions, that allows for review Use quantitative and qualitative methods for capturing and communicating uncertainty Understand and use, as needed, advanced research and data gathering methods, including structured

elicitations from subject matter experts and data mining techniques Apply structured decision support and analytic tools and techniques (e.g., decision trees, the Analytic

Hierarchy Process, multi-criteria decision making, risk mapping, sensitivity analysis, etc.) Develop and evaluate risk management alternatives, including creating risk reduction metrics Homeland Security Risk Management Competencies: Identify homeland security risks including threats, hazards, and vulnerabilities using tools and

techniques such as scenario development Model the various types of consequences considered in security risk management (e.g., lives lost,

economic impact, mission disruption) Apply mathematical techniques for modeling various aspects of homeland security risk (e.g.,

statistical analysis, regressions, Bayesian analysis, and Monte Carlo simulations) Apply qualitative tools and techniques for analyzing homeland security risks and decisions (e.g., risk

mapping, risk ranking, risk matrices, Delphi method) Institutional Risk Management Competencies: Model types of consequences considered in institutional risk management (e.g. time loss, financial

loss) Apply techniques to model institutional level risks, values, and processes (e.g., value chain analysis,

system design review, Strengths Weakness Opportunities and Threat (SWOT) analysis, risk mapping, risk ranking, etc.)

Risk and decision analysts include critical infrastructure risk analysts, analysts performing terrorism risk assessments, regulatory economists, policy analysts, risk analysts supporting operational personnel and program managers at the regional or national headquarters level, actuaries, and budget analysts.

RISK AND DECISION ANALYSTS Risk and Decision Analysts collect, assess, and present risk information to help executives make choices that will support their objectives, program managers and planners explain decisions and approaches to stakeholders, and operational personnel connect their work to desired outcomes


V. AVAILABLE RISK MANAGEMENT TRAINING

In order to identify training gaps and redundancies and make recommendations, the CRG first had to establish a baseline of learning and development opportunities. For this study, the CRG’s primary goal was identifying courses currently available to Department employees that teach any of the risk management competencies listed in the previous section. These courses – listed in Appendix D – constitute the courses that the CRG used for the gap and redundancy analysis.

Scoping the Data

The CRG limited the scope of the analysis to courses currently available to Department staff and used by DHS personnel. 8 While the CRG also sought, whenever possible, to identify courses that could be modified to deliver risk management training in the future such as general introductory training courses – these courses were omitted from the analysis because they do not currently explicitly support training in the identified risk management competencies.

Many excellent risk training courses are also available outside the Department through the private sector, academic institutions, and even other government agencies. However, the universe of private and academic course offerings is large, redundant, conflicting, and too poorly defined for a viable gap analysis. Furthermore, these courses may not be readily available to DHS staff. Therefore, these courses are not included in the analysis.

The final data set includes 100 courses from 14 operational and headquarters components from across the Department. The courses were categorized based on four basic criteria:

Target audience – Toward which audience group identified by the CRG is the training course directed? Are there other audience groups that would benefit?

Type of training – Does the course primarily provide training in general risk management, homeland security risk management, or institutional risk management?

Course goals and format – What are the course goals and how is the training delivered?

Availability to DHS employees – Can any DHS employee take the course or is it restricted by component or job description?

Findings

The CRG found that there are relatively few courses that provide training in any type of risk management to personnel of any audience group, and the distribution of those courses is very unbalanced between components and audience groups. In addition, many specific competencies, such as those relating to risk communication, are rarely – if ever – addressed.

8 This does not include risk courses that DHS provides to outside partners such as state, local, tribal, territorial, and private sector entities.


Overall, the CRG identified 100 courses across the Department with elements of risk management training. By comparison, as part of the Efficiency Review the CLO identified over 800 courses listed that provide leadership training. While leadership training is unquestionably critical to DHS, it serves as a useful benchmark for understanding the relatively small scope of risk management training currently provided to DHS employees. Leadership training applies to, and is offered to, a limited segment of DHS employees. By contrast DHS has a stated policy of building a risk management culture across the entire Department, which suggests that all DHS employees require training in risk management competencies.

Furthermore, only 44 of the 100 courses identified are regularly made available to all DHS employees. Of those 44, fewer than half are readily accessible through web-based training on DHScovery, and these courses tend to address a limited number of competencies. In addition, the CRG found that the distribution of training courses varied widely across components. Some DHS components are developing risk analyst tracks or new risk management courses targeted to their organizational needs, while other components lack even a single risk management course.

Other notable findings include:

None of the required training courses for DHS employees9 specifically include risk management competencies, nor mention that DHS wants to promote a “culture of risk management”

Ten courses in the inventory of courses obtained through the Efficiency Review Initiative and three in the DHS Cross-Component Training Catalog have “risk” in the title

More than 30 of the 100 identified courses include some training in “basic” or “fundamental” risk concepts

Many additional DHS funded courses are targeted at homeland security enterprise partners (State/Local/Tribal/Territorial agencies, private sector) rather than DHS employees

Audience-Specific Findings

The small subset of courses directed towards Executives typically fails to address the competencies needed to manage homeland security risk at the highest levels. Many of the courses available to executives are generic web-based courses developed by contractors on management best practices and institutional risk management. They do not offer skills in how to use or manage risk analytic efforts that may exist within DHS, or how to apply the results of such efforts to decision-making. Notably there is little to teach executives how to deal with uncertainty in the types of complex multi-variable situations that they regularly encounter on the job.

9 A list of the Annual Legislatively Mandated Training Requirements can be found at http://dhsconnect.dhs.gov/org/comp/ops/ald/training/Documents/2010MandatoryTraining.html


Program Managers and Planners are the target of more courses offered than any other audience group.10 Much of this training, understandably, is based on institutional risk management needs to improve program performance and efficiency; only about a quarter of Program Manager and Planner courses address homeland security risk management content. These courses include required certification courses for DHS acquisition managers and other program managers.

In contrast, Operational Personnel have most of their risk management training on specific risk management tools relevant to their area of homeland security, such as port security or facility security risk management. Many of this group’s courses have a homeland security risk management focus, with few courses teaching operational personnel about how their efforts contribute to organizational efficiency, or how to communicate their risk management efforts to other relevant divisions or components within the Department. In addition, because of their narrow focus, most courses for operational personnel are not available to DHS employees outside of the component offering the course.

Finally, the CRG found that the courses directed toward the Risk and Decision Analyst group were offered by just two components, none of which were readily available to DHS personnel outside of those components. The CRG discovered that most components are just starting to recognize risk and decision analysts as a desired professional track. Consequently, in contrast to the training plans for executives, program managers and planners across components, few branches of DHS have developed training plans, allocated positions for risk and decision analysts, or even recognized the need for technical training.

10 The number of courses offered to Program Managers and Planners is only slightly higher than the number targeted towards Operational Personnel.


VI. GAP AND REDUNDANCY ANALYSIS

The gap and redundancy analysis is the most critical portion of the CRG’s analysis and is the rationale behind the group’s recommendations. Since the CRG operates in part under the auspices of the DHS Efficiency Review, identifying redundancies that could potentially save the Department time, money, and resources is a priority. At the same time, gaps in training mean that the Department lacks the capabilities it needs to fulfill its mission. Because of the methodology used by the group, the gaps identified by the CRG represent high-level, pressing needs rather than an exhaustive list of competency-based gaps. Likewise, the two key redundancies identified offer what the CRG believes are the greatest opportunities for improving efficiencies going forward.

Gap #1: Risk management is not explicitly taught as a fundamental part of the DHS approach to homeland security, contrary to stated policies

While Department policy states that risk management is fundamental to homeland security, current DHS training does not reflect that vision. None of the required basic training courses for DHS employees specifically include risk management concepts in any module, nor do any describe how employees might contribute to Department risk management efforts. Further, risk management is not addressed in new hire orientation. As a result, new employees begin duty without learning that the Department considers risk management part of the organizational culture and that everyone is a risk manager, regardless of his or her other duties.

Gap #2: Minimal risk management training is available for executives, who typically have the most difficult risk management tasks and are arguably the most important group to understand and promote risk management

Nowhere is an understanding of risk management more important than at the top of an organization, where the most critical decisions are made. Executives’ decisions have the greatest impact on Departmental operations, and, consequently, on homeland security. Therefore DHS should prioritize training for executives who must understand good risk management practices and how to apply those principles to both institutional risk management and homeland security risk management activities. Currently, only eight out of 100 risk management courses are directed toward the Executives group, and very few components provide tailored risk management training to their executives.


Gap # 3: Most components lack formal professional development and training plans for risk and decision analysts

As noted above, most DHS components are just beginning to recognize the importance of having risk and decision analysis capabilities; few hire qualified risk and decision analysts and few have instituted professional development programs designed to train, develop, and promote such personnel. Of the components surveyed, only NPPD and the US Coast Guard have developed specific training plans for risk analysts. The US Coast Guard has a professionalized tiered training program in development for risk analysts, while the Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) and RMA within NPPD have developed a few courses for their own internal training needs. None of these courses are currently available DHS-wide. Other components may have individual courses geared towards risk and decision analysts, but there is no evidence of a coherent, structured development program for risk and decision analysts across the Department.

Gap #4: DHS has few courses on communicating risk and its various elements to facilitate the risk management cycle

Risk communications is the “exchange of information with the goal of improving risk understanding, affecting risk perception, and/or equipping people or groups to act appropriately in response to an identified risk.”11 Communicating risk information underpins the entire risk management process, as illustrated in Figure 2 below. Each audience group plays a unique and important role in communicating risk information, whether it is executives articulating their risk management goals, or analysts sharing the results of their assessments. Despite the important role of risk communications, the CRG identified only three courses that appear to teach risk communication skills, and of these two are only available through the US Coast Guard. The CRG believes that this is a glaring gap in the current state of risk management training.

Figure 2: DHS Risk Management Cycle

11 2010 DHS Risk Lexicon, http://www.dhs.gov/files/publications/gc_1232717001850.shtm.

Define the Context

Identify Potential Risk

Assess and Analyze Risk

Develop Alternatives

Decide and Implement

Evaluate and Monitor

Communication


Redundancy #1: Inconsistency in terminology, processes, concepts, and doctrine across DHS risk management courses.

With 100 courses, there is a great diversity in the basics of how risk management is presented to audiences. Definitions of key terms like “risk,” “threat” “likelihood,” and “consequences” differ from course to course and are not always consistent with the DHS Risk Lexicon. Different versions of the risk management cycle are also taught. While these definitions and processes may be valid within the context of the course, the differences can result in confusion and mistakes when people who use different terminology attempt to discuss risk management issues, or move to different components within the Department. The diversity of terminology and processes also detracts from the “One DHS” concept and the creation of a culture of risk management.

Redundancy #2: Multiple courses across the components teach “fundamental” or “basic” risk management competencies

According to course descriptions and other materials provided, over 30 courses cover basic or introductory elements of risk management. Five courses listed have “introduction” in the title, another seven have “basic” in the title, and CRG research and anecdotal evidence suggests that much of the course material tends to cover and repeat basic concepts. This is potentially a waste of Department resources if the same material is covered in multiple courses, and employees are required to take a new “introductory” course every time they try to develop a new risk management competency.


VII. RECOMMENDATIONS

Based on the gap and redundancy analysis, the CRG has identified ten action items that can be taken to address the clear gaps in risk management training and improve the efficiency of the current training program. These are summarized and prioritized in a table at the end of this section.

Recommendation # 1: Formally establish the Risk Management CRG under the DHS Risk Steering Committee and the Office of the Chief Human Capital Officer to (a) oversee the implementation of the recommendations in this report, (b) review risk management training efforts, and (c) assess training for compliance with risk doctrine (once it is formalized)

The CRG’s findings clearly demonstrate that there is much work to be done to integrate risk management learning and development within the Department. A CRG authorized by the DHS RSC and the Office of the Chief Human Capital Officer (CHCO) would be well placed to oversee the implementation of the recommendations of this report to ensure gaps and redundancies are addressed, while accounting for the needs and concerns of its constituent member components. This body, comprised of subject matter experts in both risk management and human capital development, will provide regular briefings to the DHS RSC on its progress and plans for building more robust risk management capabilities within the Department.

Without such a body providing oversight, risk management learning and development efforts will continue to grow in an organic, often ad hoc, manner, resulting in wasted resources and further complicating intra-departmental coordination.

Formally establishing the CRG under the DHS RSC and CHCO to integrate risk management learning and development addresses Redundancies #1 and #2.

Recommendation #2: Develop materials on risk management basic principles and available resources for DHS new hire orientation to support a culture of risk management within DHS

Orientation is when new employees begin to get a sense of the Department’s values and culture, which makes it the perfect time to introduce employees to the notion that risk management is a key part of the Department’s approach to homeland security and organizational management. Providing a short handout or short video to new DHS staff during the orientation process would provide them with an awareness of risk management principles and resources, without overburdening employees during an already busy orientation schedule. The materials should be targeted for a diverse audience with varying education levels and backgrounds.


This recommendation supports the goals of the Efficiency Review by providing a single point of common training to all employees rather than relying on each component to develop and provide its own basic risk management training. Furthermore, training new employees right away in risk management helps establish the culture of risk management.

Developing orientation materials addresses Gap #1 and Redundancies #1 and #2.

Recommendation #3: Institute a risk management seminar series for the DHS leadership cadre

The CRG discovered that DHS leadership – the Executives group in the analysis – has a critical deficiency in risk management training. The Department cannot hope to institute a culture of risk management or implement IRM without the backing and understanding of its leaders. A seminar series will use case studies and/or component-specific challenges to show how risk management principles can be applied to support sound decision-making and relevance to executives’ day-to-day jobs. Because executives have great demands on their time, organizers should ensure that executives are incentivized to attend and actively participate.

Instituting a risk management seminar series addresses Gap #2.


The CRG should share the risk management competencies derived through this report with components and their human resource personnel to better inform job descriptions for hiring and to ensure performance plans reflect the desired risk management competencies. This is important as employees and their managers are less likely to actively engage in building risk management competencies if these skills are not articulated in performance goals and development plans.

Engaging components to link risk management competencies with human resource processes addresses Gap #3.


In order to best leverage the resources available outside of the Department, DHS should communicate its human capital needs. Publicly releasing the risk management competencies that DHS desires in personnel and new hires – as outlined in the Needed Risk Management Competencies section of this report – would enable academic or private training providers to


incorporate these competencies into their training curricula. If this were done, it could result in a larger pool of eligible applicants with more competencies for DHS hiring, and more options for risk management training, at a notional cost to the Department. Additionally, the release of these competencies could contribute to and benefit the larger public conversation about the risk management profession. If these risk management competencies remain strictly within the Department their value and impact will be curtailed.

Publicly sharing the risk management competencies addresses Gaps #3 and #4.


To avoid the inefficiencies that come from redundant and divergent training programs, DHS should develop a standards guide to ensure courses funded by the Department are consistent and adhere to basic principles (e.g., DHS Risk Lexicon, Integrated Risk Management Framework). A standards guide will also ensure that DHS components providing risk management training, either internally or externally, have consistent terminology and basic competencies to enable better risk communications and facilitate smooth employee transfers across the Department.

Developing a standards guide addresses Gap #4 and Redundancies #1 and #2.


A “Fundamentals of Risk Management” course should be available online to all DHS employees to teach the universal risk management concepts. This course would help establish a foundation of risk management understanding across the Department, to support both “One DHS” and a strong risk management culture.

A “Fundamentals in Risk Management” course also avoids the wasteful process of multiple components independently developing a basic risk management course. For components that already offer risk management training courses, using “Fundamentals of Risk Management” can eliminate inefficiencies by allowing component courses to focus on critical component or function-based lessons, secure in the knowledge that their audience has already received relevant, DHS-approved training in the basics of risk management.

Developing a ‘Fundamentals of Risk Management’ course addresses Gaps #1, #3, and #4, and Redundancies #1 and #2.


Recommendation #8: Explore the concept of establishing a new Risk Management Fellows program and integrating it with existing DHSwide initiatives to facilitate diversified onthejob training and sharing of best practices

Integrating a new Risk Management Fellows Program, where senior risk analysts serve rotational assignments throughout the Department, with similar existing CHCO programs would leverage an existing effort to develop risk management competencies and align risk management efforts across the Department without the cost burden of developing a new program. It would also help address the need for risk and decision analysis in components that are in the nascent stages of developing a risk management program until they can develop their own capabilities. Training and development could occur in two ways: first, analysts could further develop technical skills in a rotation to components with better-developed risk management and analysis capabilities; second, analysts would deepen experience in applying skills and techniques to new problems through rotations to components needing assistance with risk management and analysis efforts.

Integrating a Risk Management Fellowship addresses Gap #3 and Redundancy #1.


To ensure consistency and to reduce the time and resources components will spend on developing risk management training, DHS should develop modules in standard coursework that could be inserted into larger training curricula to meet component-specific needs. These modules could address general risk management principles, risk communications, broad institutional risk management skills, and homeland security risk management competencies. Target curricula might include the Program Manager Level 1, 2, and 3 certifications, among others.

Developing risk management modules addresses Gaps #2 and #4.


The findings demonstrate that few components have any training available for risk and decision analysts. As the need for more risk and decision analysts becomes clearer, the importance of training and providing advancement opportunities for existing personnel will also grow, as will the need to maintain professional standards within the field. However, it is unclear which components will be able to independently support a viable risk and decision analyst specialty given the resources that would be required. Developing a career track with


cross-component elements will allow risk analysts to transfer throughout the Department, enhance information sharing, promote the “One DHS” effort, make DHS a more attractive place to work for talented individuals, and spread valuable competencies and best practices organically. Unless a defined or formal career track is established, DHS risks losing qualified individuals to the private sector.

This recommendation demands a long-term effort and may require the Department to engage with partners and academia to develop training strategies and tailored course material to address the needs of risk and decision analysts as other federal agencies have previously done in sought after career fields.

Developing a risk and decision analyst career track addresses Gap #3.

Table 2: Recommendations Tracked to Gaps and Redundancies

Gap/Redundancy Relevant Recommendations Gap 1: Risk management not taught as a fundamental part of DHS

Rec 2: Develop materials for DHS new hire orientation Rec 7: Develop online “Fundamentals of Risk Management” course

Gap 2: Minimal RM training available for Executives

Rec 3: Institute RM seminar series for DHS leaders Rec 9: Develop RM modules to incorporate in standard training

Gap 3: DHS and components have no Risk and Decision Analyst career track

Rec 4: Engage components to link RM competencies to HR processesRec 5: Publicly share CRG findings on RM competencies Rec 7: Develop online “Fundamentals of Risk Management” course Rec 8: Explore DHS Risk Management Fellows program Rec 10: Develop risk/decision analyst career track

Gap 4: Minimal training in risk communication

Rec 5: Publicly share CRG findings on RM competencies Rec 6: Develop RM training standards guide Rec 7: Develop online “Fundamentals of Risk Management” course Rec 9: Develop RM modules to incorporate in standard training

Redundancy 1: Inconsistent RM training content across DHS

Rec 1: Formally establish CRG under DHS RSC and CHCO to integrate RM learning anddevelopment

Rec 2: Develop materials for DHS new hire orientation Rec 6: Develop RM training standards guide Rec 7: Develop online “Fundamentals of Risk Management” course Rec 8: Explore DHS Risk Management Fellows program

Redundancy 2: Many courses teach “basic” risk management

Rec 1: Formally establish CRG under DHS RSC and CHCO to integrate RM learning and development

Rec 2: Develop materials for DHS new hire orientation Rec 6: Develop RM training standards guide Rec 7: Develop online “Fundamentals of Risk Management” course


VIII. NEXT STEPS

The 10 recommendations provided above represent the most pressing actions that the Department should take in the area of risk management training to support the Efficiency Review and the IRM policy. However, the CRG recognizes that there are limited resources and other priorities with which these actions must compete. Consequently, the CRG proposes that the Department implement the recommendations in three phases. This plan emphasizes quick, but realistic goals in the near term to establish efficiencies and eliminate critical gaps that will build momentum, credibility, and support for larger, more complex efforts in the later stages. This section explains the rationale behind each priority.

Near-Term Actions

The CRG recommends implementing the first five actions within fiscal year 2011 as a means to jump start the risk management training effort and support the DHS Efficiency Review. These recommendations require relatively few resources and have the potential for very broad impact:

Recommendation #1: Formally establish the Risk Management CRG under the DHS Risk Steering Committee and Office of the Chief Human Capital Officer to (a) oversee the implementation of the recommendations in this report, (b) review risk management training efforts, and (c) assess training for compliance with risk doctrine (once it is formalized)

Recommendation #2: Develop materials on risk management basic principles and available resources for DHS new hire orientation to support a culture of risk management within DHS

Recommendation #3: Institute a risk management seminar series for the DHS leadership cadre



The first step is to formally establish the CRG under the DHS RSC and CHCO as the responsible party to oversee implementation of the recommendations in this report. The CRG will coordinate tasks and establish timelines for completion, creating accountability and coherence for the effort and constituting the framework for accomplishing the remaining actions to follow.


The second priority is to develop basic risk management training materials for orientation. This step is the most efficient way to provide risk management training to the greatest number of DHS employees in the shortest amount of time. It also provides a good base for further risk management training efforts and supports a number of other goals, including the “One DHS” initiative.

The CRG believes the next action is to institute a risk management seminar series for DHS leadership. This is a critical action that directly addresses arguably the most glaring gap identified by the CRG: the paucity of risk management training targeted towards executives.

Step four is to engage the components by sharing the risk management competencies, with a view toward leveraging them in human resource processes. This is a low-cost and easy step to improve the quality and breadth of risk management qualifications of incoming hires to DHS.

The final near-term priority is to publicly release the DHS risk management competencies. This is also a relatively simple step that will benefit the building of DHS risk management capabilities while simultaneously supporting other Department priorities to improve transparency and engage the public.

Mid-Term Actions

The following mid-term actions will build on the progress made from the above efforts. These initiatives are more complex and/or require the consensus or coordination of multiple actors within the Department. While they are equally important, the CRG judges that the need for these initiatives is either not as acute, or not as practically achievable within the next year given budget and staffing limitations.



Recommendation #8: Explore the concept of establishing a new Risk Management Fellows program and integrating it with existing DHS-wide initiatives to facilitate diversified on-the-job training and sharing of best practices

Establishing standards for risk management training is critical for evaluating current and future training opportunities to ensure that they are in line with the identified competencies. Developing such a guide will take time however as much of the doctrine for risk management at the Department is still in development. This guide will ultimately be a consensus document that builds upon both risk management doctrine and the elements of effective training.

Developing new training courses can be resource and time intensive, which is why creating the “Fundamentals of Risk Management” course is a mid-term priority. The course should


be developed through the ADDIE process, with possible topics including fundamental risk management principles, the DHS risk management cycle, the IRM policy, the value of risk management for homeland security, risk communication, and examples of how risk management contributes to a variety of DHS missions.

Exploring the concept of a Risk Management Fellows program should be relatively simple, however, since many of the fellowship and intern programs at DHS are still maturing, it may take time to identify the best approach for leveraging them to include a risk management element.

Long-term Actions

The final two recommendations require the greatest effort and have the longest timeline for success. Therefore the CRG suggests they should be implemented only after the previous actions have paved the way and established a greater framework for, and understanding of, risk management training efforts.



Developing new risk-management training modules for a variety of audiences would help ensure that all employees are competent and skilled risk managers in their domains. However, developing these modules will likely require significant time and resources. Likewise, developing a career track for risk and decision analysts would be significant for institutionalizing risk management and creating a core analytic capability at the Department, but it will take time to create a track that meets the needs and requirements of all stakeholders.


IX. CONCLUSION

The CRG membership has carefully reviewed and discussed the recommendations above and these priorities represent the group’s consensus. The members recognize the importance of this effort and stand ready to support the Efficiency Review and the Secretary’s IRM policy by implementing these actions.

The CRG hopes the findings from the gap and redundancy analysis will stimulate a broad discussion about the best way to provide risk management training to DHS employees. This is a very important topic that impacts the operations of the entire Department, and ultimately impacts the security and resilience of the Nation.


APPENDIX A: RISK MANAGEMENT CURRICULUM REVIEW GROUP STAFF MEMBERS

RM CRG Role Name Organization Co-Chair Representative

Cheryl Seminara Office of Management/Office of the Chief Human Capital Officer

Co-Chair Representative

Mark Hilton National Protection and Programs Directorate (NPPD)/Professional Development and Training

Co-Chair Representative

Charles Rath NPPD/Office of Risk Management and Analysis

Representative Bob Kolasky NPPD/Office of Risk Management and Analysis Representative Debra Elkins NPPD/Office of Risk Management and Analysis Representative Mary McGoldrick Civil Rights and Civil Liberties Representative Brendan Plapp Domestic Nuclear Detection Office Representative Steve Streetman Domestic Nuclear Detection Office

Representative Eric Berman Federal Emergency Management Directorate (FEMA)/Mitigation Directorate

Representative Steve Carruth FEMA/Mitigation Directorate Representative Henry Simpson FEMA/National Training and Education Division Representative Terry Pruitt FEMA/National Training and Education Division Representative Paul Cox Immigration and Customs Enforcement Representative Marianna Hennig Office of Management Representative Mark Harvey NPPD/Federal Protective Service Representative Joseph Cuciti NPPD/Federal Protective Service Representative Kenneth Yung NPPD/Infrastructure Protection Representative Craig Gordon NPPD/Infrastructure Protection Representative Susan Smith NPPD/Infrastructure Protection Representative Steve Botzum NPPD/Infrastructure Protection

Representative Jennifer Mills NPPD/US Visitor and Immigrant Status Indicator Technology

Representative Jim Bentley Operations Coordination Representative Richard Moore Office of Policy Representative Marvin Fell Office of Policy Representative Chad Wood Office of Public Affairs Representative Bob Ross Science and Technology Directorate Representative Rich Kraske Transportation Security Administration Representative Al Golden US Coast Guard Representative Chris Toms US Coast Guard Representative LT HseinYen Fu US Coast Guard

Note: CRG Representatives who actively attended at least one CRG meeting are listed above, although CRaaG interim reports and data went out to a larger group.


APPENDIX B: CONTRIBUTORS TO RISK MANAGEMENT COMPETENCY NEEDS ANALYSIS

DHS Organizations Subject Matter Expert Office of Civil Rights and Civil Liberties Mary McGoldrick Domestic Nuclear Detection Office Brendan Plapp Federal Emergency Management Agency Eric Berman Federal Emergency Management Agency Steve Carruth Federal Emergency Management Agency Dave Kaufman Federal Emergency Management Agency Terry Pruitt Federal Emergency Management Agency Hank Simpson Federal Emergency Management Agency Sarah Bjork (ctr) Federal Emergency Management Agency Sarah Tater (ctr) Immigration and Customs Enforcement Paul Cox Federal Protective Service Joseph Cuciti Federal Protective Service Mark Harvey Office of Risk Management and Analysis Debra Elkins Office of Risk Management and Analysis Bob Kolasky Office of Risk Management and Analysis Evan Levine Office of Risk Management and Analysis Charles Rath US Visitor and Immigrant Status Indicator Technology Jennifer Mills Office of Policy Marvin Fell Office of Policy Richard Moore Office of Policy Noelle Notarnicola (ctr) Science and Technology Directorate Bob Ross Transportation Security Administration Rich Kraske Transportation Security Administration (former) Robyn Garnett Transportation Security Administration (former) Mo McGowan Transportation Security Administration (former) Mike Restovich US Coast Guard Al Golden

Non-DHS Organizations Subject Matter ExpertRAND Corporation Henry Willis Security Analysis and Risk Management Association Geoff French


APPENDIX C: CONTRIBUTORS TO AVAILABLE TRAINING ANALYSIS

DHS Organizations Contributing CBP – Customs and Border Protection ESEC – Office of the Executive Secretary FEMA – Federal Emergency Management Agency FEMA/EMI – Federal Emergency Management Agency/Emergency Management Institute FEMA/NDPC – Federal Emergency Management Agency/National Domestic Preparedness Coalition FLETC – Federal Law Enforcement Training Center ICE – Immigration and Customs Enforcement I&A – Office of Intelligence and Analysis MGMT – Management Directorate MGMT/CHCO – Office of the Chief Human Capital Officer MGMT/CSO – Office of the Chief Security Officer NPPD – National Protection and Programs Directorate NPPD/FPS – Federal Protective Service NPPD/IP – Office of Infrastructure Protection OPS – Office of Operations Coordination TSA – Transportation Security Administration USCG – US Coast Guard

Note: Acronyms used above correspond to “Source” column entries in Appendix D.


APPENDIX D: AVAILABLE DHS RISK MANAGEMENT COURSES USED FOR ANALYSIS

Note: Course names and descriptions are derived from the course materials provided by respondents. Please contact the source agency for further course details.

AVAILABLE DHS RISK MANAGEMENT COURSES USED FOR ANALYSIS

Training Event Title

Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

Introduction to Risk Analysis


General and Homeland Security

NPPD/IP

Five day course that teaches risk analysis tools and techniques, and how the Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) fits into the DHS structure.

IS-860.a - The National Infrastructure Protection Plan, An Introduction

PM and Planners

Operators Homeland Security

FEMA/EMI X

2-hour web-based training that presents an overview of the doctrine used to integrate existing and future critical infrastructure protection and resiliency efforts into a single national program.

IS-870 - Dams Sector: Crisis Management Overview Course

Operators PM and Planners

Homeland Security

FEMA/EMI

Web-based training that presents an overview of the doctrine used to integrate existing and future critical infrastructure protection and resiliency efforts into a single national program.

HLS-CAM Certification Course


FEMA/NDPC

Teach officials at the state and local level how to use the HLS CAM tool assess and prioritize hazards and mitigation efforts to Critical Infrastructure and Key Resources (CIKR) assets.

Analytic Tradecraft: Intermediate Course for HITRAC Analysts


General NPPD/IP

2-day course designed to teach principles of intelligence analytic tradecraft as adapted to risk analysis product planning and writing.

Countermeasure Overview and Taxonomy


Homeland Security

NPPD/FPS

This course is designed to familiarize the student with countermeasure design and management as it applies to the Federal Protective Service (FPS) Risk Assessment and Management Program (RAMP) the Facility Security Assessment (FSA) and the risk analysis process.

Consequence Assessment


NPPD/FPS

The course will provide the Inspector with the required knowledge, skills and abilities to perform a consequence assessment in the Risk Assessment Management Program (RAMP).

The FSA Process: Site Visit


NPPD/FPS

This course is designed to familiarize the student with the various roles and responsibilities associated with the Site Visit and how it applies to the FPS FSA process and RAMP.




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

Facility Security Level (FSL)


NPPD/FPS

This course is designed to familiarize the student with the Facility Security Level (FSL), its history, significance and the roles and responsibilities of FPS, the General Services Administration (GSA) and the stakeholders.

Overview of NIPP Operators General and Homeland Security

NPPD/FPS

This course is designed to familiarize the student with the National Infrastructure Protection Plan (NIPP) as it applies to physical security assessment and risk management.

Conducting the FSA Pre-Site


NPPD/FPS

This course is designed to familiarize the student with the processes and procedures required to prepare prior to the on-site risk assessment as it relates to the protection of government facilities.

Risk Score Operators Homeland Security

NPPD/FPS

This course is designed to familiarize the student with the risk score as it relates to the FPS methodology and the protection of government facilities.

Threat Assessment Operators Homeland Security

NPPD/FPS

This course will provide the inspector with the required knowledge, skills and abilities to perform a threat assessment in RAMP.

The Vulnerability Assessment


NPPD/FPS This course provides definitions and methodology to the inspectors so they can conduct a vulnerability assessment.

Risk Based Approach to Physical Security


NPPD/FPS

This course is designed to familiarize the student with the principles of risk management as it relates to the protection of government facilities.

Operational Value of Threat, Risk, and Vulnerability Assessment


Homeland Security

FEMA/NDPC

X

This course will help homeland security professionals, including those in multiple response disciplines and the private sector, understand, analyze, and apply information gathered in the assessment process.

Internal Control/Risk Assessment

PM and Planners

Operators General and Institutional

CBP Training in risk assessment/internal control evaluation (regulatory audit).

Asset and Risk Management Training

Operators General ESEC X IT Asset Management course.

Anticipating Hazardous Weather and Community Risk

PM and Planners


FEMA/EMI X

This course will enhance your ability to recognize potentially hazardous weather and flooding situations and how they may affect your community and familiarize you with National Weather Service (NWS) products so that you understand




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

how to use and interpret forecasts.

Application of HAZUS Multi-Hazard for Risk Assessment


Homeland Security

FEMA/EMI X

This training focuses on HAZUS-driven risk assessment methodology, data requirements, and applications to assist local communities and other organizations in addressing their disaster-related risk assessment needs. The 3-day EMI HAZUS-driven risk assessment course will involve technical presentations on risk assessment methodology and hands-on exercises using HAZUS-MH.

Basic Intelligence and Threat Analysis Course (Vulnerabilities and Threat Risk Analysis)

Operators Risk and Decision Analysts

Homeland Security

I&A

This entry-level course provides new DHS Intelligence Enterprise intelligence professionals with an introduction to DHS, the IE, and the Intelligence Community (IC). The curriculum explains the DHS mission to new employees and teaches a variety of intelligence-related skills and knowledge, including the domestic and transnational threat currently facing the homeland.

Risk Management for the Security Professional

Operators Risk and Decision Analysts


MGMT/OCSO

X

This 3-day course will provide the student with an in-depth understanding of risk management as it relates primarily to facilities or site protection and the assets contained within a facility or specified area.

Safety Manager PM and Planners

Operators General and Homeland Security

USCG

Provide the principles of safety management techniques to Sector Safety Managers, Sector Safety Officer and Safety Officers positions to help establish a Safety and Occupational Health program. This course will assist with the application of basic risk identification and assessment on a day to day basis and provide an understanding of the critical safety management elements. These activities have proven effective for dealing with risks and controlling loss.

Maritime Security and Risk Assessment Model (MSRAM) 101: Introduction to MSRAM



USCG • Understand basic risk concepts • Understand how MSRAM results are used throughout the USCG




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

MSRAM 103: Threat Assessment



USCG

• Understand the MSRAM threat methodology • Score threat factors for example terrorist attack scenarios using the Threat module

MSRAM 201: Risk Analysis Process



USCG

Gain ability to provide detailed maritime threat assessments, do alternatives analysis, and understand how MSRAM results impact USCG operations and grants processes.

MSRAM 202: Specialized Training on Scoring of Vulnerability



USCG

• Explore all of the vulnerability components (achievability, system security, target hardness) • Score scenarios using all of MSRAM’s system security models, including independent and combined system security • Score each system security phase (detect, decide, engage, and defeat) for (1) high and low performing system security capabilities

MSRAM 203: Blast Effects on CDC Storage Configurations



USCG

• Understand the effects of explosive attacks on various Certain Dangerous Cargo (CDC) storage configurations, including safe distances for each of the charge weights • Explore the effectiveness of various blast shielding approaches • Score the vulnerability of example scenarios involving various CDC storage configurations

MSRAM 204: Secondary Economic Effect Scoring



USCG

• Understand the modeling considerations of various secondary economic effects • Explore the ability of stakeholders to mitigate secondary economic impacts • Score the secondary economic impacts of example scenarios with a range of secondary economic effects

MSRAM 205: Consequence Mitigation Scoring



USCG

• Explore the nature of a variety of high primary consequence scenarios • Explore the ability of stakeholders to mitigate primary impacts • Score response capabilities for example scenarios with a high primary consequence range




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

MSRAM 221: Threat Assessment Process



USCG

• Understand the MSRAM threat methodology • Score threat factors for example terrorist attack scenarios using the Threat module Threat methodology overview • Identify source data overview • Define terrorist group goals/objectives module • Set initial group threat • Assess specific intent and capability for example scenarios • Generate customized threat profile results using the Threat analysis/reporting module • Understand threat analysis milestones and areas of emphasis

MSRAM 222: Risk Information Support of Threat Assessment



USCG

• Understand basic risk concepts • Understand how MSRAM results are used throughout the USCG • Generate customized risk profile results using the Analyze Results module to support threat assessments

MSRAM 301: Results Analysis and Communication


PM and Planners

Homeland Security

USCG

• Generate customized risk results using MSRAM’s results generation tools: Analyze Results screen, Simplified Reporting Interface, and Geographic Information System (GIS) • Prepare analyses of MSRAM data to support real world decisions • Use the Risk Management Module to capture risk mgmt strategies for high-risk targets • Use of the Alternatives Evaluation module to analyze the risk buy-down and cost of proposed risk management strategies • Generate results communicating strategy’s risk reduction and return-on-investment metrics

MSRAM 401: Results Application

PM and Planners

Executives General and Homeland Security

USCG

• Gain awareness of the available information about potential targets • Gain awareness of the available risk information • Explore how MSRAM data is being used to support a variety of real world decisions (strategic, operational, and tactical) • Develop a working knowledge of integrating risk principles into operational activities to mitigate and/or manage risk




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

MSRAM 402: Advanced Risk Communication

PM and Planners

Executives General and Homeland Security

USCG

• Explore the risk information supporting critical USCG decision making processes• Develop tailored risk results to support a variety of decisions • Present risk results to support a variety of decisions

Strategic Planning and Risk Management

PM and Planners

General and Institutional

TSA X

This course will help you analyze where your business is going and how it should get there. This will help you successfully navigate the dangers inherent in risk taking.

Financial Risk Management

PM and Planners

Institutional TSA X

This course familiarizes you with the strategies and products used to manage corporate risk. You will gain useful experience in risk management through a series of exercises and examples aimed at teaching various options that significantly reduce exposure to risk.

Approaches to Risk Management

PM and Planners


TSA X

The basics of analysis and assessment are presented in this course to help you improve your analytical ability in evaluating dangers so that you can lead your company to success.

Risk Management Planning

PM and Planners

Institutional TSA X

This course provides a foundational knowledge base reflecting the most up-to-date project management information so learners can effectively put principles to work at their own organizations. This course will assist in preparing the learner for the PMBOK® Guide certification exam. This course is aligned with the PMBOK® Guide Fourth Edition, published by PMI, Inc., 2008.

Risk Basics PM and Planners

Executives General and Institutional

TSA X

The information presented in this course on risk and hedging techniques are vital survival tools for today's corporate environment. This course can bolster your management and leadership abilities by increasing your comfort level with risk management.

Analyzing Project Risk

PM and Planners



TSA X

In this course, you will learn qualitative and quantitative risk analysis techniques that will enable you to identify the probability of various levels of risk and to assess the impact of both negative and positive risks on objectives, budget and schedule.




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

Responding to and Controlling Project Risk

PM and Planners

Executives Institutional TSA X

The learner will learn how to plan effectively for responding to risk, and how to monitor and control risk over the life of the project. This course is aligned with 'A Guide to the Project Management Body of Knowledge' (PMBOK® Guide) -Third Edition, published by the Project Management Institute, Inc., 2004.

Risk Response, Monitor, and Control

PM and Planners

Executives Institutional TSA X

In this course, the last two processes in the Project Risk Management knowledge area - Plan Risk Responses and Monitor and Control Risks will be introduced. Specifically, the learner will be introduced to strategies for handling both negative and positive risk, and how to monitor and control these risks. This course will also cover all the necessary project documents and plans that require updates as these processes are performed.

Identifying Project Risks

PM and Planners

Institutional TSA X

In this course, learners will continue to learn about processes within the Project Risk Management knowledge area. It covers the best practices outlined in A Guide to the Project Management Body of Knowledge (PMBOK® Guide) Fourth Edition published by the Project Management Institute (PMI®).

Working without a Net: Decisions Simulation

PM and Planners


General TSA X

The course has been designed to allow participants to practice making everyday decisions within the relative safety of a learning environment. Over the course of the simulation, participants will apply their decision-making skills to overcome a host of obstacles by decisively applying proven risk management strategies and analytical methods.

Introduction to Homeland Security Risk Management



FEMA X Overview course provides the basic elements of risk management and how key risk concepts are defined in DHS.

Homeland Security Preparedness and Response


Homeland Security

FEMA/EMI X

This Integrated Emergency Management Course (IEMC) focuses on preparing for and responding to the consequences of a terrorist act. The IEMC places public officials and other key community leaders in a disaster simulation. The course methodologies of classroom instruction, planning sessions, and exercises, allow for structured decision making in a learning, yet realistic, environment.




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

Building Design for Homeland Security

PM and Planners

Homeland Security

FEMA/EMI X

This course will cover the content of FEMA 426, Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings. The course is designed to enhance participant knowledge of measures and technology available to reduce risks from terrorist attacks.

Basic HAZUS Multi-Hazards

PM and Planners

Homeland Security

FEMA/EMI X

This course is designed to provide federal, state, and local Geographic Information Systems (GIS) specialists in emergency management with the skills and knowledge to use HAZUS-MH, the nationally applicable standardized methodology and software program that contains models for estimating potential losses from earthquakes, floods, and hurricanes.

Homeland Security Fundamentals of System Acquisition Management (HSAC 101)

PM and Planners

Institutional MGMT X

This course provides basic training and understanding of the acquisition process, its role in planning, and how risk management is a critical part of that process.

Homeland Security Introductory Program Management (HSPM 102)

PM and Planners


Introduction to the basics of program management, skills tools, and processes, including risk management and mitigation.

DHS Intermediate Systems Acquisition (HSAC 201 A/B)

PM and Planners


Provides additional background, tools, and more advanced understanding of DHS and acquisition management processes.

DHS Program Management Tools (HSPM 250)

PM and Planners


This course discusses key PM tools and techniques including work breakdown structure, Earned Value Management, scheduling, cost estimating, contracting, and risk management.

DHS Program Management Office Course (HSPM 350)

PM and Planners


This course provides in depth knowledge of key PM tools, techniques and concepts as well as exercises to practice these skills.

Approaches to Risk Management

PM and Planners

Executives General and Institutional

DHScovery X

The basics of analysis and assessment are presented in this course to help you improve your analytical ability in evaluating dangers so that you can lead your company to success.




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

Communication Skills and Project Management

Executives PM and Planners


DHScovery X

This course explores how communication takes place, and presents techniques and strategies for enhancing communication. It also examines how various project management tools can be used to analyze project risk, feasibility, and priority.

Computer Technology Industry Association (CompTIA) Security +2008: Risk analysis, Vulnerability Testing, IDS and Forensics

Operators Institutional DHScovery X

This course looks at modern risk analysis techniques, forensic methodologies, intrusion detection systems (IDS), and methods to harden network devices and operating systems.

Configuration Management, Risks, and Incidents in Software Testing


Institutional DHScovery X

Effective software testing is integral to mitigating harm caused by software failures and providing confidence in software systems. This course introduces software testing methodology and principles. It explores why testing is necessary, the basic testing process, and the psychology behind testing.

Decisions and Risk Executives PM and Planners

General DHScovery X

This course sheds light on the decision-making process by moving from practical methodologies to decision-making intelligence.

Developing and Controlling the Project Schedule

PM and Planners

Executives Institutional DHScovery X

This course covers developing and controlling the project schedule in the project management discipline, and introduces best practices including how to analyze activity sequences, durations, and resource and schedule constraints, to create the project schedule.

Improvement Methods and Implementation Issues in Six Sigma

PM and Planners


This course looks at improvement methods and implementation issues in Six Sigma. It examines Lean methods used to reduce waste, such as cycle-time reduction, the Japanese principles of kaizen and kaizen blitz, and the application of Goldratt's Theory of Constraints. Finally, the course examines risk analysis and mitigation through the use of SWOT analysis, feasibility studies, and PEST analysis.




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

Information Security and Risk Management

PM and Planners

Executives Homeland Security

DHScovery X

To identify the security requirements associated with identifying and protecting organizational information assets, perform the analysis techniques used in risk management, and recognize the responsibilities associated with different roles in an organization.

Managing Quality and Risk in a PRINCE2-alligned Project

PM and Planners


This course introduces the components of a PRINCE2-aligned project; Quality in a Project Environment and Management of Risk. PRINCE2 is recognized as an international standard for process-based project management.

Managerial Skills and Abilities

PM and Planners

Executives Institutional DHScovery X

This course explores basic principles of management, management theories, styles and tools, and interdependence of functional areas in an organization. It identifies tools and techniques used by the HR, Finance, Risk, and Knowledge management functions in an organization.

Making Decision Dynamically

Executives Risk and Decision Analysts

General DHScovery X

The objective of this course is to develop dynamic decision makers. You'll gain the skills necessary to avoid the psychological pitfalls that adversely affect decision making and hone decision-making ability in risky and uncertain circumstances. You'll walk away from this course with concrete and powerful decision-making tools, both rational and statistical.

Organizational Scope of Critical Thinking



Organizational systems, with complex and intricately interrelated components, demand the application of critical thinking to avoid this risk and to use the systems most effectively. In this course, learners will understand the role that critical thinking can play across an organization.

Performing Risk Analysis

PM and Planners



DHScovery X

The science of project management was founded, in large part, to manage risk and prevent it from negatively affecting project objectives, schedules, and budgets. This course explores both qualitative and quantitative risk analysis techniques.




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

Project+ 2009 Instructor Series: Resources, Risks and Quality

PM and Planners


This course is intended to provide formal project management principles with a focus on enhancing the ability of managers and coordinators to lead project teams to deliver exceptional project results within the constraints of schedule, budget, scope, quality and resources.

Requirements Planning and Management

PM and Planners


This course will examine how to identify and manage requirements risk, identify and estimate requirements activities, control requirements scope, track metrics for projects and products, and manage requirements change.

Risk Assessment and Prevention (HRCI/PHR)

PM and Planners


DHScovery X

In this course you will learn about the health, safety and security risks in the workplace, injury and illness prevention and compensation programs, and safety training programs. The course will also help you understand business continuity planning and workplace privacy and investigation.

Risk Strategies: The Cutting Edge



DHScovery X

This course explores seldom-discussed topics vital to your risk-taking strategies. Maintaining a balance between risk and recklessness depends upon your knowledge of business, people, and that little bit extra.

Strategic Approaches to Risk Management (HRCI/SPHR)

PM and Planners

Operators General DHScovery X

This course explains how to apply common occupational health, safety, and security guidelines and programs. It also outlines how security risk analysis can be used to avoid future emergencies.

Strategic Planning and Risk Management



DHScovery X

Understanding how to excel in a climate of risk using strategic planning is crucial in today's business environment. This course will help you analyze where your business is going and minimize your risk through strategic planning.

Field Operations Officer Basic Training (FOOBT)


CBP Basic training for CBP's Office of Field Operations, includes sections on risk targeting for both cargo and people

International Trade Specialist (ITS)


Homeland Security

CBP Basic training for CBP's ITS trainees, includes modules on risk management and the RM process.




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

Incident Command System (ICS 300)



CBP

Within the Incident Command System (ICS) course, five of the six blocks of instruction address risk management. The course goals are to understand the Incident Command System including its: History, Rationale, Principles and to use Table Top Exercises to learn how to implement the system during an event.

Crises Action Team Training

PM and Planners


CBP

This course has been developed to ensure that CBP Crisis Action Team members are prepared to use the Crisis Action Team Process in response to incidents of national significance.

Air Cargo Targeting Training


CBP

To enable CBP Officers to understand the theory and principles behind targeting and use critical intelligence tools and automated systems to manage the risk of terrorism related activities in air cargo shipments.

Sea Cargo Targeting Training


CBP

To enable CBP Officers to understand the theory and principles behind targeting and use critical intelligence tools and automated systems to manage the risk of terrorism related activities in sea cargo shipments and within the Container Security Initiative (CSI) environment.

Passenger Analytical Unit Air


CBP

To enable CBP Officers and Agriculture Specialists working in the air passenger environment to: acquire targeting skills, quickly gain proficiency using CBP systems designed to facilitate targeting, and use a systematic, analytical approach to targeting.

Passenger Analytical Unit Sea


CBP

To enable CBP Officers and Agriculture Specialists working in the sea passenger environment to: acquire targeting skills, quickly gain proficiency using CBP systems designed to facilitate targeting, and use a systematic, analytical approach to targeting.

Basic Entry Specialist Training


CBP Basic training for CBP's Entry Specialists, includes sections on risk targeting and using automated CBP tools.




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

Basic Import Specialist


CBP

This course teaches the impact of using risk analysis on issues ranging from classification to valuation to basic admissibility of imported merchandise. The following lessons provide more of an in-depth focus on the issue of risk assessment and analysis. These lessons address the global amount of international trade and how to use our resources (Import Specialists and automated tools) to effectively counter terrorism and illegitimate trade.

Regulatory Auditor Basic



CBP

The one lesson focusing on risk assessment has been identified as PAR (Preliminary Assessment of Risk). This lesson is offered to the Regulatory Auditor, who is the primary target audience, once in the course. It must be emphasized that much of the RABAB course material in the Focused Assessment lessons, mention risk and risk analysis tools. This lesson provides the basic training in the area of risk identification, evaluation and analysis.

012300 Risk Management for Trade Compliant Operations (RMTCO)


General CBP

This course is designed to help the participants apply the steps of the customs risk management process to their daily activities.

061546 Software Risk

PM and Planners

Institutional CBP

Manage project risks; apply effective tools to identify and respond to risks; understanding risk as part of the life-cycle chain; develop practical response strategies; obtain organizational support.

141300 Risk Analysis



CBP Understand USDA risk analysis and its impacts in the federal government.

151508 Risk Management

PM and Planners

General CBP

Overview of the fundamentals of risk management and benefit analysis to improve records management programs. Provides tools to help address current and future program needs.


PM and Planners


General CBP

Develop techniques to seize opportunities, minimize threats and achieve optimum results. Provides clear understanding of qualities and quantitative approaches to risk management.




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

161518 Reducing Losses


General CBP

This seminar explores the areas of activity outside of accident prevention for the safety professionals ready to assume responsibility for the health and environment challenges with their organizations.




CBP

Provides participants with an overview of the risk management process that customs is using to manage its workload in accordance with set goals and priorities. Includes discussion of the four basic steps of risk management, the key components of each step.




CBP

Provides participants with training in the tools and skills to properly manage workload, in accordance with customs goals and priorities, in the area of trade. Includes training in the four basic steps of risk management, the key components of each step.




CBP

Provides participants with training in the tools and skills to properly manage workload, in accordance with customs goals and priorities, in the area of trade. Includes training in the four basic steps of risk management, the key components of each step.




CBP

Examines threat and opportunity and how to address them through a proactive approach to managing risk. Risk identification, analysis and prioritization, response, and monitoring and control are addressed. It is part of the Office of Information Technology (OIT) program management curriculum and is tailored.

164000 Risk Management and You

Universal General and Homeland Security

CBP This course is an introduction to the Customs risk management process for all employees.

164701 Statistical Risk Assessments in Excel


CBP

This course shows how to construct a statistical risk assessment in Microsoft excel at the Harmonized Tariff Schedule (HTS) chapter level for a Customs Management Center. This course shows how to collect data for the risk assessment via the following analytical tools: such as the Computer Assisted Passenger Prescreening System (CAPPS), Entry Summary Findings Analysis System (ESFAS), and others.




Primary Audience

Secondary Audience

Risk Management

Focus Source

All DHS

Course Description

171705 How to use Risk Assessments in Planning Performance Audit Assignments


CBP How to use risk assessment in planning performance audit assignments.

Risk Management Curriculum Review Group

Documents

Transcript of Risk Management Curriculum Review Group