United States Coast Guard

Risk Management
Overview
LCDR David Cooper
CG-512: Office of Performance Management and Assessment
David.w.Cooper@uscg.mil
202-372-2588
“Because it is not feasible to secure our
homeland against every conceivable
threat, we have instituted risk
management as the primary basis for
policy and resource allocation decision
making.”
» - DHS Strategic Plan 2008-2013
 Secretary of Homeland Security
“Given the extensive number of vulnerabilities to manmade
and natural disasters and the limitations on resources,
determining national priorities and the judicious distribution
of resources are a major element of the department’s
mission. What is the status of risk analysis metrics and
what is the plan and time frame for setting up a full-blown
system to govern the establishment of critical infrastructure
programs, the priorities among national planning scenarios,
and the distribution of grants to state, local, and tribal
entities? More broadly, how can DHS enhance risk
management as the basis of decision making?
Secretary Napolitano Issues First in a Series of Action Directives 21JAN09
 National Strategy for Homeland Security

. . . We must apply a risk-based

framework across all
homeland security efforts in
order to identify and assess
potential hazards (including
their downstream effects),
determine what levels of
relative risk are acceptable,
and prioritize and allocate
resources among all
homeland security partners
…
 USCG & Risk Management

• A Principle of USCG Operations

• Challenging due to the multi-mission
nature of the organization
• One criteria in USCG decision making
• Ultimately – an Integrated Performance
Management System for Risk, Readiness
& ROI
 Basic Elements of Risk
Risk
Understanding

How likely What can What are

is it? go wrong? the impacts?

Risk ƒ Likelihood x Consequence

Foundation for Risk Assessment

• Historical • Analytical • Knowledge
experience methods and intuition
 Key Coast Guard Risk Efforts
• Maritime Security Risk Analysis Model (MSRAM): field level risk analysis tool to
support terrorism risk management decisions at all levels; integrates national level
threat with geo-specific vulnerability and consequence data.
• Ports, Waterways and Coastal Security (PWCS) Outcome measure: Built off
MSRAM we utilize a simplified, scenario based, event tree model to calculate the
expected risk reduction of CG operational, regime and domain awareness activities.
• National Maritime Strategic Risk Assessment (NMSRA): an all hazard / all mission
risk assessment; shows the residual risk or the risk after Coast Guard intervention in
the maritime domain.
• Risk Management Module: Builds a field level, all mission risk analysis tool based off
the NMSRA to support operational planning, and risk management decisions.

Challenges:
• For terrorism profiles, we have a data-poor problem set with significant
uncertainty of expected attack frequencies, and to some extent consequence.
• Heavy reliance on Subject Matter Expert judgment
• assessing public “risk tolerance”,
• accepted/equated values across consequence types and indirect or secondary
impacts,
• geographic risk factors, including dealing with threat shifting and changes over
time.
• Still a burgeoning field
 Collaborative Efforts
• DHS Risk Management and Analysis (RMA) efforts
– Homeland Security National Risk Assessment
• CREATE: Strong partnership to include:
– Review of Coast Guard terrorism risk efforts
– exchanging ideas and best practices
– discussing and sharing methods, models, data, etc
• Leveraging CREATE strengths in
– Risk analysis
– Economic assessment, particularly calculation of
indirect/secondary economic impact consequences
– Resource allocation methodology
Questions?
• Back-up slides
Risk Assessment Phase
…is focused on defining the “problem”

FY11 Risk Assessment

• Strategic Risk
• Operational Risk
– National Maritime Strategic Risk
Assessment

• Mission Support Risk

• Institutional Risk
 Risk Assessment Methodology
• Name the undesirable incidents and scenarios within purview
that cause public loss
– Statutes, Mandates, Roles and Missions
• Scope
– Time horizon
• Consequence Table
• Describe, for each incident the best way to estimate and
represent the risk:
– Likelihood:
• Threat * Vulnerability * Consequence
• Frequency * Consequence

• Assess the Risk

– Systematic approach based on the HAZOP analysis technique
– Performed using a team of subject matter experts
– Leverages historical incident information and applicable models/studies.
 Incidents
• Grounding • Drug smuggling
• Collision/Allision • Illegal migrant entry
• Flooding/sinking • Seasonal conditions
affecting waterways
• Fire/explosion
• Interruption of military
• Personal injury/illness operations
• Oil spills • Periodic/expected natural
• Discharge of debris/sewage disaster
• Release of HAZMAT • Non-maritime incident
affecting a waterway
• Species damaged by marine
operations • Nation state attack
• Invasive species • Attack on Port Infrastructure
introduction • Transfer of WMD
• U.S. EEZ encroachment • Transfer of Terrorist
• Fish stock non-sustainability
 Example Maritime Accident
Grounding of a Container Ship that results in:
Property Damage
$ $15M of Damage to
Ship and Cargo
Deaths/Injuries
1 Crew Member
Killed Risk assessment
process estimates the
national expected
frequency that
groundings of container
ships result in impacts
Environmental Impacts of each type and
5K Barrels of Fuel Oil Spilled
severity level
 of scenarios
Expert judgment

Facilitated analysis

Enterprise Data Sources

& Tool
Method Flo
0
1000
2000
3000
4000
5000
6000

odi
ng-
Sin
kin
Per
son g
nel
Mis
Dr u hap
gS
Atta mu
ggl
ck Na ing
on tura
Por l Di
t In sas
fras ter
truc
ture
or M
Co TS
llisi
on-
For Alli
eig sio
n Il n
leg
al F
ish
ing
Oil
Na Spi
tion ll
Sta
No te A
n-M ttac
arit k
ime
Do Inc
me
stic id ent
Inv Ille
asi gal
ve Fis
Spe
cie hing
Dis s In
cha trod
rge uct
of D ion
ebr
Risk Profiles

is/S
Ma ew
rine age
Ca
sua Gro
lty und
Inte Affe ing
rrup ctin
tion gW
of M a terw
Process Overview

ilita ay
ry O
per
Sea atio
son ns
al C
ond
itio
ns
Fire
-Ex
plo
Ille
gal s ion
Spe Mig
cie ran
Re t En
sD
am l eas try
age eo
db fH
yM AZ
MA
arin T
eO
per
atio
ns
 Flo

1000
2000
3000
4000
5000
6000

0
odi
ng-
Sin
kin
Per
son g
nel
Mis
Dr u hap
gS
Atta mu
ggl
ck N ing
on atu
Por ral
t In Dis
fras ast
truc er
ture
or M
Co TS
llisi
on-
For Alli
eig sio
n Il n
leg
al F
ish
ing
Oil
Na Spi
tion ll
Sta
No te A
n-M ttac
arit k
ime
Do Inc
me ide
stic nt
Inv
asi Illeg
ve al F
ish
Spe
Dis c ie
ing
s In
cha trod
rge uct
of D ion
ebr
is/S
Ma ew
rine age
Ca
sua Gro
lty
Inte A ffec
und
ing
rrup ting
tion Wa
of M terw
ilita ay
ry O
planning and budgeting decisions.

per
Sea atio
son ns
al C
All incidents (excluding transfer of WMD or terrorists)

ond
itio
ns
Fire
Important Note: These are not suggested

-Ex
plo
2006 Residual Risk Results

Ille
these profiles are able to meaningfully inform

sio
gal n
M
resourcing profiles! Context is required before

Spe igra
cie Re nt E
sD
am l e a ntry
age se
of H
db AZ
yM MA
arin T
eO
Severity

per
atio
ns
Category-1
Category-2
Category-3
Category-4
Category-5
Category-6
Category-7
Category-8

13
 Tra

5000
10000
15000
20000
25000
30000
35000

0
nsf
er o
Tra fW
nsf MD
er o
f Te
Flo rror
odi ist
ng-
Sin
Per kin
son g
nel
Mis
Dr u hap
gS
Atta mu
ck ggl
ing
on Na
t
Por ura
t In l Di
fras sas
truc ter
ture
All incidents

or M
Co TS
llisi
For o n-A
eig llisi
on
n Il
leg
al F
ish
range of frequencies and

ing
terrorism attacks, we conduct

consequences for these attacks.

Na Oil
sensitivity analyses on the credible

Spi
Due to the highly uncertain nature of

tion ll
Sta
2006 Residual Risk Results

No te A
n-M ttac
arit
i k
Do m e In
me cid Ve
Inv stic ent ss
asi I lleg els
/W
ve a l Fi Ve ate
Spe shi ss r si
c els de
0
200
400
600
800
1,000
1,200
1,400
1,600
1,800

Dis ies ng /S At
ho tac
k
cha Intr re
rge odu Ve sid
ss eA
of D ctio els tta
ebr n Ve
ss /A
ir c ck
Ma is/S els ra
ew /S ft A
rine tan tta
Ca age d-o ck
ff W
sua
lty G ea
rou
Ve Ve po
Inte Affe ndi Ve ss ss ns
rrup ctin ng ss el/ el/
tion gW el/ Su CB
Ex b-s RN
of M ate Ve plo urf E
r wa ss ita ac
ilita y el/ tio eA
ry O Ex n/ tta
plo Int ck
er
Sea per ita
tio nal
atio n/ Fo
son ns Fa Ex rc e
From

al C c il ter s
it ie na
MSRAM

s/ lF
W
ond or
itio Fa ate ce
ns c il r si s
Fire it ie d e
-Ex s/
Sh A tta
Ille plo Fa ore ck
sio sid
Spe
gal
Mig n c il
it ie eA
r Fa s/ tta
cie
sD Re a nt E c il
it ie
Air
cr a
ck
am lea s /S ft A
seo
ntry
Fa tan tta
ck
age d-
db f HA c il
it ie off
s /S W
yM ZM ub eap
arin AT - su on
eO r fa s
per ce
At
atio tac
ns k
13
 Uses of NMSRA Risk Information
• Strategic Planning Direction
• Commandant’s budget intent
• Performance target setting process
• Operational effectiveness modeling
• Requirements development
• Mission analysis
• Resource Proposal development and evaluation
• Resource allocation
Maritime Security Risk Analysis Model

Objective
Create a field-level risk analysis tool to support
risk management decisions at all levels

• Support tactical decisions at the field level by

enabling users to consider the full spectrum of
terrorist risks to assets within their AOR
• Support operational and strategic decisions by rolling
up of field-level risk assessments to portray risk
density of targets Sector, District, Area, HQ
 How our PWCS / CMT Measure Works

1) Assessment of Risk - the 15 Scenarios that cause the most risk

• Transfer through the Maritime Domain of Terrorists • Use of Vessel as Weapon - Exploitation by Internal Forces
• Transfer through the Maritime Domain of WMD • Use of Vessel as Weapon - Exploitation by External Forces
• Waterside attack on Vessel • Waterside attack on Facility
• Shoreside attack on Vessel • Shoreside attack on Facility
• Aircraft attack on Vessel
• Aircraft attack on Facility
• Stand-off Weapons attack on Vessel
• Stand-off Weapons attack on a Facility
• CBRNE attack on Vessel
• Sub Surface attack on a Facility
• Sub-surface Attack on Vessel

Risk the CG
Threat X Vulnerability X Consequence = can Impact
(we own)
2) Assessment of Performance
Coast Guard Risk the CG
X Coast Guard X Coast Guard =
T Reduction V Reduction C Reduction Reduced

Risk we Reduced Our Annual 15% 20%

= = 2007 =
Performance 2008
Risk we can Impact (own)
(% Risk Reduction)
 CMT Strategic Risk Model

A simplified, scenario-based, event tree model used in

planning efforts to:

• Illustrate the layered security strategy that the USCG provides/could

provide against each meta-scenario’s continuum to prevent, protect,
respond, and recover
• Define the roles of USCG activities and how they relate to one
another (e.g., detection, intervention, support)
• Calculate the magnitude of risk that is being reduced by the layered
security strategy
• Provide a mechanism for estimating the risk reduction importance of
individual activities within the layered security strategy for a scenario
• Estimate the cost associated with performing each activity/groups of
activities
 Step 1 – Define the Waterside attack on Vessel Scenario
Scenario

Legend:
Prevention
(Threat Reduction)
Protection
(Vulnerability Reduction)
Response & Recovery
(Consequence Reduction)
 Step 2 – Identify USCG Waterside attack on Vessel Scenario
Interventions
Suspect Vessel
Boarding
1

Specialized
Use of Force
2

End Game
3
Prosecution

Legend:
Escort
Prevention 4
(Threat Reduction) Vessel
Protection Intervene After
(Vulnerability Reduction) Attack - Response
5
Response & Recovery
(Consequence Reduction)
 Step 3 – Identify which Waterside attack on Vessel Scenario
interventions depend on
external detection Provides detection
Suspect Vessel function to cue
Boarding
1 “dependent” activities Intel

Specialized
Use of Force
2

End Game
3
Prosecution

Legend:
Escort
Prevention 4
(Threat Reduction) Vessel
Protection Intervene After
(Vulnerability Reduction) Attack - Response
5
Response & Recovery
(Consequence Reduction)
 Step 4 – Estimate the Waterside attack on Vessel Scenario
probability that the activity fails 93%
to perform its role Provides detection
Suspect Vessel function to cue
Boarding
1 “dependent” activities Intel
50%

Specialized
Use of Force
2

18%

End Game
3
Prosecution
5%

Legend:
Escort
Prevention 4
(Threat Reduction) Vessel
Protection Intervene After
(Vulnerability Reduction) 5 83%
Attack - Response
Response & Recovery
(Consequence Reduction) 93%
 What types of activities were
assessed?
• Probability that USCG activities successfully
perform their role:
– Detection Activities (e.g., MDA) Probability of
successfully detecting, tracking, and communicating
attack information to dependent activities
– Dependent Activities Probability of successfully
intervening given cuing by MDA
– Independent Activities Probability of successfully
detecting and intervening
 Who assessed the various types of
• Detection Activities
activities?
– MDA - Asked MDA team to assess the capability and capacity of MDA to detect,
track, and communicate attack information
– Tactical Surveillance - Asked group of operations SMEs to assess the capability
of surveillance assets to track underway attacks
– Intelligence – CMT team assumed a range of probabilities (5% to 25%) for
outside intelligence cuing of an attack
• Dependent Activities
– Capability - Asked group of operations SMEs to assess the capability of the
activity to successfully intervene if “on the target”
– Capacity – CMT team performed modeling to determine probability of getting the
activity “on the target”
• Independent Activities
– Capability - Asked group of operations and regime SMEs to assess the capability
of the activity to detect that an attack is underway and successfully intervene if “on
the target”
– Capacity – CMT team performed modeling to determine probability of getting the
activity “on the target”
 How did they assess the activities?

• Highly Effective (HE) - 90-100%

• Effective (E) - 75-90%
• Substantial (S) - 25-75%
• Limited (L) - 10-25%
• Very Limited (VL) - 5-10%
• Measurable (M) - 1-5%
• Not Measurable (NM) - <1%
 Step 5 – Calculate the risk impact of USCG interventions

Threat Vulnerability Consequence

Raw Risk Line of Assurance Failure Probabilities Residual Risk

700 RIN * 96% * 94% * 93% * 83% * 93% = 448 RIN
Targets directly
protected by USCG 1 2 3 4 5

End Game Prosecution*

Specialized Use of Force*
Suspect Vessel Boarding*

Escort Vessel
activities

Response
Attack -
Intervene After
700-448 = 252 RIN
300-233 = 67 RIN
319 RIN
Risk Reduction
32%

Raw Risk Line of Assurance Failure Probabilities Residual Risk

300 RIN * 96% * 94% * 93% * 93% = 233 RIN
Targets not directly
protected by USCG 1 2 3 5
activities

*Lines of Assurance dependent on external detection activities (e.g., MDA)