An article by Aliya Sternstein titled Agencies don’t often share tips on potential terrorist activity on the Nextgov Web site (see http://www.nextgov.com/defense/2012/08/agencies-dont-often-share-tips-potential-terrorist-activity/57496/?oref=ng-channelriver) complains that "Nearly half of federal agencies are not sharing documented incidents of potential terrorist activity with U.S. intelligence centers, according to officials in the Office of the Director of National Intelligence."
Hardly encouraging.
But reading on, there are three paragraphs that suggests high level planning that failed to consider lower-level considerations.
"One problem with shuttling reports to fusion centers is officers in the field, even years after the program’s inception, lack training in how to create the proper records, said Paul Wormeli, Integrated Justice Information Systems Institute executive director emeritus and a consultant on the project. “Some agencies still just rely on the old manual system of getting tips from the public over the telephone, which is insufficient,” he said.
In addition, it takes time and money to tweak police software so that it works with the system supporting the information exchanges, Wormeli said. And turf wars sometimes get in the way of progress.
“This is a serious problem because unless we are able to convince all the local agencies to participate and to submit their SARs to the fusion center, we create the very real possibility that we will miss detecting the next Mohammed Atta who goes around taking flying lessons and passing up on the lecture of how to land his aircraft,” he said.
How does this relate to enterprise risk management?
Simple: LACK OF TWO-WAY COMMUNICATION.
A fiat from on high. "You will implement ABC."
At the bottom, the responses are:
- We don't have the resources
- We don't have the training
- We don't have the time
This is similar to the complaints of municipalities to the state and the states to the federal government: You burden us with a law, but fail to provide resources, funding, and training.
One of the risk management practitioner's many duties that rarely appear in the job description is "develop cross-silo communication"; get everyone involved.
Risk management, correctly practiced, is an all-encompassing program.
It requires, again, "if properly practiced," that management fully understand the impact on the troops of that fiat from on high.
Telling, as the Feds apparently did, different federal, state, and municipal agencies that they must send reports of suspicious activity to a data center - what the Feds are calling fusion centers - is fine, but based on the Nextgov article, the information gatherers
- Lacked the resources
- Lacked the training (what to submit)
- Lacked the time to acquire resources and be trained to use them
Practitioners usually start a Business Impact and Risk Analysis with a questionnaire.
- What are the critical processes.
What are the risks to the processes (this identifies resources).
What are the work-arounds if a resource is not available.
Eventually the practitioner gets around to making recommendations on how to respond to a threat if it occurs.
At that point, the practitioner should work from the bottom (folks in the trenches) up (to management).
The folks in the trenches usually have the best information on tools to avoid or mitigate a threat and to restore the process to "business as usual" as economically, efficiently, and expeditiously as possible. They also know what they need regarding
- Resources
- Training
- Time to implement resources and training
Sadly, providing all the resources, training, and time won't do much good until the sundry agencies get over their turf wars and start treating all members of the "intelligence" community as equal partners, each with their own value and resources.
Hopefully this cooperation will occur before the next threat become reality.