DHS Risk Lexicon 2010 Edition


Risk Steering Committee
DHS Risk Lexicon
2010 Edition
September 2010


EXECUTIVE SUMMARY

This is the second edition of the Department of Homeland Security (DHS) Risk Lexicon and represents an update of the version published in September 2008. More than seventy terms and definitions were included in the first edition of the DHS Risk Lexicon. The 2010 edition includes fifty new terms and definitions in addition to revised definitions for twenty-three of the original terms.

It was produced by the DHS Risk Steering Committee (RSC). The RSC, chaired by the Under Secretary for the National Protection and Programs Directorate and administered by the Office of Risk Management and Analysis (RMA), has produced a DHS Risk Lexicon with definitions for terms that are fundamental to the practice of homeland security risk management and analysis.

The RSC is the risk governance structure for DHS, with membership from across the Department, formed to leverage the risk management capabilities of the DHS Components and to advance Departmental efforts toward integrated risk management. The DHS Risk Lexicon makes available a common, unambiguous set of official terms and definitions to ease and improve the communication of risk-related issues for DHS and its partners. It facilitates the clear exchange of structured and unstructured data that is essential to the exchange of ideas and information amongst risk practitioners by fostering consistency and uniformity in the usage of risk-related terminology for the Department.

The RSC created the Risk Lexicon Working Group (RLWG) to represent the DHS risk community of interest (COI) in the development of a professional risk lexicon. The RLWG's risk lexicon development and management process is in accordance with the DHS Lexicon Program. Terms, definitions, extended definitions, annotations, and examples are developed through a collaborative process that is open to all DHS Components. Definitions are validated against glossaries used by other countries and professional associations. Terms, definitions, extended definitions, annotations, and examples are then standardized grammatically according to the conventions of the DHS Lexicon Program.

All terms in the DHS Risk Lexicon were completed using this process and represent the collective work of the DHS risk COI. The DHS Risk Lexicon terms and definitions will be included as part of the DHS Lexicon, and future additions and revisions will be coordinated by the RSC and RLWG in collaboration with the DHS Lexicon Program.


LIST OF TERMS

The following terms have been defined for the DHS Risk Lexicon (* new terms for 2010; Ω definitions revised from 2008):

1. Absolute Risk*, page 6
2. Absolute Risk (Unmitigated)*, page 6
3. Acceptable Risk*, page 7
4. Accidental Hazard, page 7
5. Adaptive Risk*, page 7
6. Adversary, page 7
7. Alternative Futures Analysis*, pages 7, 8
8. Asset, page 8
9. Attack Method, page 8
10. Attack Path, page 8
11. Baseline Risk*, page 8
12. Bayesian Probability*, page 9
13. Bayesian Probability (Subjective Probability)*, page 9
14. Break-Even Analysis*, page 9
15. Capability, page 9
16. Conditional Probability*, page 10
17. Consequence, page 10
18. Consequence Assessment Ω, page 10
19. Cost-Effectiveness Analysis (CEA)*, page 10
20. Cost-Benefit Analysis (CBA)*, page 10
21. Countermeasure Ω, page 11
22. Criticality*, page 11
23. Criticality Assessment*, page 11
24. Decision Analysis*, page 11
25. Deterrent Ω, pages 11, 12
26. Direct Consequence*, page 12
27. Economic Consequence, page 12
28. Enterprise Risk Management*, pages 12, 13
29. Evaluation, page 13
30. Event Tree*, pages 13, 14
31. Fault Tree*, pages 15, 16
32. Frequency*, page 16
33. Frequentist Probability*, pages 16, 17
34. Function Ω, page 17
35. Game Theory*, page 17
36. Hazard, page 17
37. Horizon Scanning*, page 17
38. Human Consequence (Health) Ω, page 18
39. Implementation, page 18
40. Incident, page 18
41. Indirect Consequence*, pages 18, 19
42. Integrated Risk Management Ω, page 19
43. Intent Ω, page 19
44. Intentional Hazard, page 19
45. Joint Probability*, page 19
46. Likelihood Ω, page 20
47. Likelihood (Statistical)*, page 20
48. Marginal Probability*, page 21
49. Mitigation*, page 21
50. Mission Consequence, page 21
51. Model Ω, page 21
52. Natural Hazard, page 21
53. Net Assessment*, page 22
54. Network Ω, page 22
55. Normalized Risk*, page 22
56. Non-Adaptive Risk*, page 23
57. Operational Risk*, page 23
58. Primary Consequence*, page 23
59. Probabilistic Risk Assessment, page 23
60. Probability Ω, pages 23-25
61. Psychological Consequence, page 25
62. Qualitative Risk Assessment Methodology, page 25
63. Quantitative Risk Assessment Methodology, page 25
64. Redundancy, page 26
65. Relative Risk*, page 26
66. Residual Risk, page 26
67. Resilience Ω, pages 26, 27
68. Return on Investment (Risk), page 27
69. Risk Ω, page 27
70. Risk Acceptance, page 27
71. Risk Analysis, pages 27, 28
72. Risk Assessment, page 28
73. Risk Assessment Methodology, page 28
74. Risk Assessment Tool, page 28
75. Risk Avoidance, page 28
76. Risk Communication, page 29
77. Risk Control, page 29
78. Risk Data*, page 29
79. Risk Exposure*, page 29
80. Risk Governance*, page 29
81. Risk Identification, page 29
82. Risk Indicator*, page 30
83. Risk Management Ω, page 30
84. Risk Management Alternatives Development, page 30
85. Risk Management Cycle, page 30
86. Risk Management Methodology Ω, page 30
87. Risk Management Plan, page 30
88. Risk Management Strategy, page 31
89. Risk Matrix, page 31
90. Risk Mitigation Ω, page 31
91. Risk Mitigation Option, page 31
92. Risk Perception, page 31
93. Risk Profile Ω, page 32
94. Risk Reduction Ω, page 32
95. Risk Score, page 32
96. Risk Tolerance Ω, page 32
97. Risk Transfer, page 32
98. Risk-Based Decision Making, page 33
99. Risk-Informed Decision Making, page 33
100. Scenario (Risk), page 33
101. Secondary Consequence*, page 33
102. Semi-Quantitative Risk Assessment Methodology, page 34
103. Sensitivity Analysis, page 34
104. Simulation Ω, page 34
105. Social Amplification of Risk*, page 34
106. Strategic Foresight*, page 35
107. Strategic Risk*, page 35
108. Subject Matter Expert Ω, page 35
109. Subjective Probability*, pages 35, 36
110. System, page 36
111. Target, page 36
112. Threat, page 36
113. Threat Assessment Ω, page 37
114. Threat Shifting*, page 37
115. Unacceptable Risk*, page 37
116. Uncertainty, page 38
117. Unmitigated Risk (Residual Risk)*, page 38
118. Value of Statistical Life (VSL)*, page 38
119. Vulnerability Ω, page 38
120. Vulnerability (Degree)*, page 39
121. Vulnerability Assessment Ω, page 39
122. Willingness-To-Accept*, page 39
123. Willingness-To-Pay*, page 39

* New terms for 2010
Ω Definitions revised from 2008

TABLE OF CONTENTS

Preface, page v
Executive Summary, page vii
List of Terms, page ix
Introduction
  A. Project Goals and Objectives
  B. Project Governance
I. Lexicon Process Phases
  A. Collection
  B. Harmonization Process
  C. Validation, Review and Normalization
II. Definitions
III. DHS Lexicon Governance Structure
  A. The DHS Executive Secretariat
  B. Risk Steering Committee
IV. Maintenance of the DHS Risk Lexicon
  A. Maintenance of Existing Terms
  B. Addition of New Terms
  C. Consistency with Related Federal/Interagency Efforts
  D. Availability
  E. Notification of Updates
V. Use of the DHS Risk Lexicon
VI. Appendices
  Appendix A: Revised Definitions from 2008 Publication
  Appendix B: Comment/Revision Form
  Appendix C: Common DHS Acronyms for Risk Methodologies and Programs
  Appendix D: DHS Lexicon Contact


INTRODUCTION

Risk is a key organizing principle for homeland security strategies, programs, efforts, and activities. The Department's risk management process, by which risk information is gathered, aggregated, analyzed, and communicated, must be supported by precise and unambiguous language. The Department of Homeland Security (DHS) Risk Steering Committee (RSC) initiated the DHS Risk Lexicon Project and in September 2008 published the first DHS Risk Lexicon. The DHS Risk Lexicon provides a set of terms for use by the homeland security risk community of interest (COI) and represents an important and ongoing effort to enable integrated risk management (IRM) across the Department.

The DHS Policy for Integrated Risk Management, signed by Secretary Napolitano on May 27, 2010, states that IRM is achieved, in part, by:

    Building a common understanding of risk management through development of a risk lexicon, risk-informed planning process, training, and standards of practice.

Risk management and analysis supports specific homeland security missions and determines how homeland security functions can be best used to prevent, protect, mitigate, respond to, and recover from hazards to the Nation. The ability to communicate precise concepts and meanings is essential for effective risk-informed decision making. Clear communication allows information to be used consistently to support decisions about the nature, cause, and severity of risks. This ability to communicate homeland security risk information with precision is critical to support decision making at all levels throughout the Department.

The DHS Risk Lexicon Project has identified and defined the terms that are essential to the practice of homeland security risk management. The DHS Risk Lexicon is intended to improve the internal management of DHS and facilitate commonplace discussions among the departmental risk community. The DHS Risk Lexicon establishes a common vocabulary and language that will improve risk-related communications between DHS Components. However, it must be noted that other definitions may be found in guidance, regulations, or statutes that will be specifically applicable in those regulatory or legal contexts. The DHS Risk Lexicon is not intended to create any right or benefit, substantive or procedural, enforceable at law or in equity, against the United States, its departments, agencies, or other entities, its officers or employees, or any other person.

This publication represents the most recent collection of terms and definitions of the DHS Risk Lexicon. Additionally, it describes the governance process for generating additional terms and maintaining the DHS Risk Lexicon. Finally, it lays out expectations for the adoption and use of the DHS Risk Lexicon within the homeland security risk COI.

A. Project Goals and Objectives

The purpose of the DHS Risk Lexicon Project is to establish and make available a comprehensive list of terms and definitions relevant to the practice of homeland security risk management and analysis. To support IRM for the Department, the DHS Risk Lexicon:

- Promulgates a common language to ease and improve communications for DHS and its partners.
- Facilitates the clear exchange of structured and unstructured data, essential to interoperability amongst risk practitioners.
- Garners credibility and grows relationships by providing consistency and clear understanding with regard to the usage of terms by the risk community across DHS and its components.

B. Project Governance

This DHS Risk Lexicon was created by the DHS RSC. The RSC provides strategic direction for integrating risk management approaches across DHS. Working groups are created by the RSC to execute initiatives. One of these groups is the Risk Lexicon Working Group (RLWG). The RLWG includes representatives from DHS Components and serves as the homeland security risk COI in the development of a professional risk lexicon. RLWG members collectively provide the subject matter expertise necessary for the collection, normalization, and harmonization of terms and meanings in the lexicon.

The RMA coordinates regular meetings of the RLWG and supports a variety of collection, documentation, and workshop activities to develop the DHS Risk Lexicon. RMA, in coordination with the DHS Lexicon Program, also supports the RSC in developing governance processes and procedures for the maintenance and growth of the DHS Risk Lexicon.

Definitions are developed through a three-phase process:

- Collection: Terms are collected from across DHS and the risk community.
- Harmonization: Multiple, often conflicting, definitions are harmonized to produce a single meaning for each term.
- Validation, Review, and Normalization: Harmonized definitions are validated against a number of non-DHS sources to ensure that the definitions produced for use in DHS are consistent with those used by the larger risk community. Proposed definitions are provided to the entire RLWG for comment. Comments are adjudicated and definitions are standardized for grammar and format.

I. LEXICON PROCESS PHASES

A. Collection

The collection of terms for the DHS Risk Lexicon is coordinated through the RLWG. Representing DHS Components, RLWG members collect terms that are relevant to the practice of homeland security risk management from within their respective Components. Data sources include directives, glossaries, and other procedural or guidance documents. In addition, RMA staff review foundational homeland security policy and doctrine to identify and collect relevant definitions, including the following documents:

- Unclassified Presidential Policy and Homeland Security Presidential Directive
- National Security Strategy
- Quadrennial Homeland Security Review (QHSR)
- National Strategy for Physical Protection of Critical Infrastructure and Key Assets
- National Strategy to Secure Cyberspace
- DHS Strategic Plan, "Securing Our Homeland"
- National Response Framework
- National Incident Management System
- National Infrastructure Protection Plan
- DHS Bottom-Up Review
- Grant Guidance for the Homeland Security Grant Program, Port Security Grant Program, Transit Security Grant Program, and other homeland security grants
- Homeland Security Exercise and Evaluation Program Policy and Guidance
- Federal Emergency Management Agency (FEMA) Comprehensive Preparedness Guide 101
- FEMA State and Local Mitigation Planning (386) Series

This is the second edition of the DHS Risk Lexicon and represents an update of the version published in September 2008. Seventy-three terms were recommended for inclusion in the first edition. The 2010 Edition includes fifty new terms and revised definitions for twenty-three of the original terms. Each of these terms represents a fundamental concept of risk and meets the majority of the following criteria:

- Relevant to all DHS Components with a role in risk management (i.e., broadly used terms).
- Previously used differently or inconsistently across the homeland security risk community.
- Have specialized meaning in a homeland security context that is not captured by common usage or dictionary definition.
- Necessary for applying IRM.

B. Harmonization Process

The most critical phase in the lexicon development process is the synthesis or "harmonization" of definitions received during the initial phase to arrive at a single unified definition.

RLWG members utilize a protocol for harmonization that is consistent with DHS Lexicon Program procedures. This protocol allows for a thorough examination of relevant sources to ensure that the harmonized definitions produced by the RLWG are appropriate for DHS and the external homeland security risk community. During a series of Harmonization workshops, RLWG members discuss the available definitions and reach consensus on harmonized definitions for the core terms.

The RLWG members execute the following process to harmonize definitions:

1) Examine dictionary definitions to ensure that the eventual harmonized definition is compatible with dictionary definitions and common usage.
2) Examine definitions submitted during the collection phase, as well as DHS Lexicon submissions and homeland security policy, to determine key concepts and requirements for term definition. Consult RLWG members for additional key concepts and requirements.
3) Determine if any submitted definitions contain all of the key concepts or if multiple definitions can be modified or combined to create a definition that captures the key concepts.
4) Create a definition, based on key concepts and requirements, which is consistent with current usage.

C. Validation, Review and Normalization

Definitions contained in this Lexicon have been validated against other lexicons, reviewed by members of the RLWG, and standardized for grammar and format with the assistance of the DHS Lexicographer.

1. Validation:

Each of the proposed definitions is validated against non-DHS professional sources (glossaries from other countries, professional communities, and standards organizations) to ensure that the proposed DHS Risk Lexicon definitions are compatible with those used in the larger risk management community. Validation sources include:

- Intelligence Experts Group All Hazards Risk Assessment Lexicon; Defense R&D Canada, Centre for Security Science; November 2007.
- Australia / New Zealand Risk Management Standard 4360; prepared by Joint Technical Committee OB 007, Risk Management; August 2004.
- Society of Risk Analysis (SRA) Glossary; produced by the Committee for Definitions; estimated date, 2008.
- International Risk Governance Committee (IRGC) definitions from the white paper "Risk Governance, Towards an Integrated Approach"; authored by Ortwin Renn with annexes by Peter Graham; January 2006.
- "International Standards Organization (ISO) Risk Management Vocabulary" ISO/IEC CD Guide 73; produced by Secretariat of ISO TMB WG on Risk Management; June 2009.

RMA staff, in support of the RLWG, cross-referenced each of the proposed core definitions with each validation source. Fifty of the 123 terms included in the DHS Risk Lexicon are found in at least one of the validation sources. In the majority of cases, definitions for the DHS Risk Lexicon are consistent with definitions being used in the larger international risk community. When the definitions differ, it can usually be attributed to differences in the communities that the definitions are intended to serve (for example, the Society for Risk Analysis serves a much broader community of risk practitioners who may deal with financial or health risks, in contrast to the DHS Risk Lexicon, which is focused on homeland security risk). In other cases, differences are due to the use of common words that have taken on a specific meaning in the domestic homeland security context (for example, Canada's Centre for Security Science definition for "critical infrastructure" focuses on interdependent networks, while the term is used more broadly in the United States homeland security paradigm).

This validation effort demonstrates that the definitions in the DHS Risk Lexicon are consistent with the use of similar terms in related communities. DHS Risk Lexicon definitions are broad enough to accommodate communication with communities outside the domestic homeland security risk paradigm, but specific enough to be useful for practitioners within the DHS risk COI.

2. Review:

Validated DHS Risk Lexicon definitions are circulated to all members of the RLWG for comment before being submitted to the RSC for review. RLWG members review definitions and examples and make revisi
