[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]


 
                THE GOODYEAR EXPLOSION: ENSURING OUR 
NATION IS SECURE BY DEVELOPING A RISK MANAGEMENT FRAMEWORK FOR HOMELAND 
                                SECURITY

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TRANSPORTATION SECURITY
                     AND INFRASTRUCTURE PROTECTION

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 25, 2008

                               __________

                           Serial No. 110-123

                               __________

       Printed for the use of the Committee on Homeland Security
                                     
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________

                         U.S. GOVERNMENT PRINTING OFFICE 

44-064 PDF                       WASHINGTON : 2008 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 





























                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman

Loretta Sanchez, California          Peter T. King, New York
Edward J. Markey, Massachusetts      Lamar Smith, Texas
Norman D. Dicks, Washington          Christopher Shays, Connecticut
Jane Harman, California              Mark E. Souder, Indiana
Peter A. DeFazio, Oregon             Tom Davis, Virginia
Nita M. Lowey, New York              Daniel E. Lungren, California
Eleanor Holmes Norton, District of   Mike Rogers, Alabama
Columbia                             David G. Reichert, Washington
Zoe Lofgren, California              Michael T. McCaul, Texas
Sheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania
Donna M. Christensen, U.S. Virgin    Ginny Brown-Waite, Florida
Islands                              Gus M. Bilirakis, Florida
Bob Etheridge, North Carolina        David Davis, Tennessee
James R. Langevin, Rhode Island      Paul C. Broun, Georgia
Henry Cuellar, Texas                 Candice S. Miller, Michigan
Christopher P. Carney, Pennsylvania
Yvette D. Clarke, New York
Al Green, Texas
Ed Perlmutter, Colorado
Bill Pascrell, Jr., New Jersey

           I. Lanier Lavant, Staff Director & General Counsel

                     Rosaline Cohen, Chief Counsel

                     Michael Twinchek, Chief Clerk

                Robert O'Connor, Minority Staff Director

                                 ______

 SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION

                 SHEILA JACKSON LEE, Texas, Chairwoman

Edward J. Markey, Massachusetts      Daniel E. Lungren, California
Peter A. DeFazio, Oregon             Ginny Brown-Waite, Florida
Eleanor Holmes Norton, District of   Gus M. Bilirakis, Florida
Columbia                             Paul C. Broun, Georgia
Yvette D. Clarke, New York           Peter T. King, New York (Ex 
Ed Perlmutter, Colorado              Officio)
Bennie G. Thompson, Mississippi (Ex 
Officio)

                   Michael Beland, Director & Counsel

                   Natalie Nixon, Deputy Chief Clerk

                 Coley O'Brien, Minority Senior Counsel

                                  (II)






















                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas, and Chairwoman, Subcommittee on 
  Transportation Security and Infrastructure Protection..........     1
The Honorable Gus M. Bilirakis, a Representative in Congress From 
  the State of Florida...........................................     5

                               Witnesses
                                Panel I

Mr. Robert D. Jamison, Under Secretary, National Protection and 
  Programs Directorate, Department of Homeland Security:
  Oral Statement.................................................     7
  Prepared Statement.............................................     9
Mr. Norman J. Rabkin, Managing Director, Homeland Security and 
  Justice, Government Accountability Office:
  Oral Statement.................................................    12
  Prepared Statement.............................................    14

                                Panel II

Mr. John P. Paczkowski, Director, Emergency Management and 
  Security, Port Authority of New York and New Jersey:
  Oral Statement.................................................    30
  Prepared Statement.............................................    32
Mr. James Jay Carafano, The Heritage Foundation:
  Oral Statement.................................................    37
  Prepared Statement.............................................    38
Mr. Raymond Mcinnis, Private Citizen, Widower of Victim of 
  Goodyear Explosion:
  Oral Statement.................................................    43
  Prepared Statement.............................................    45
Mr. John S. Morawetz, Director, Health and Safety, International 
  Chemical Workers Union Council/UFCW:
  Oral Statement.................................................    47
  Prepared Statement.............................................    49

                             For the Record

Mr. Joseph Copeland, Vice President, Goodyear Tire and Rubber 
  Company:
  Prepared Statement.............................................     4


 THE GOODYEAR EXPLOSION: ENSURING OUR NATION IS SECURE BY DEVELOPING A 
            RISK MANAGEMENT FRAMEWORK FOR HOMELAND SECURITY

                              ----------                              


                        Wednesday, June 25, 2008

             U.S. House of Representatives,
                    Committee on Homeland Security,
Subcommittee on Transportation Security and Infrastructure 
                                                Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:33 p.m., in 
Room 311, Cannon House Office Building, Hon. Sheila Jackson Lee 
[Chairwoman of the subcommittee] presiding.
    Present: Representatives Jackson Lee and Bilirakis.
    Ms. Jackson Lee [presiding]. The subcommittee will come to 
order.
    The subcommittee is meeting today to receive testimony on 
the Goodyear explosion, ensuring our Nation is secure by 
developing a risk-management framework for homeland security. 
Our witnesses today will testify about the Department of 
Homeland Security's approach to risk management. In addition, 
we will hear a real-life story, real-life testimony on the 
tragedy of the Goodyear explosion that occurred in Houston 
exactly 2 weeks ago.
    I offer to all of those who have been affected and all of 
those who have lost loved ones, in particular our witness on 
the second panel, our deepest and expressed and sincere 
sympathy.
    I do want to indicate that my colleague, Congressman Green, 
was here earlier, and I would like to ask without objection 
that the gentleman from Texas, if he is able to arrive again, 
be authorized to sit for the purpose of questioning witnesses 
during the hearing today. Without objection, hearing none, it 
is so ordered.
    Before I begin, there is always a moment of reflection and 
joy, and I do want to acknowledge the Calentar family. Mr. 
Perez and his nephew Mr. Calentar, if you all would stand? This 
young man is the recipient of the Artist Award from Wheaton 
High School in Houston, Texas. So we welcome him and we welcome 
his family, his sister, his brother, and his uncle. Thank you. 
You are all very welcome. Thank you very much.
    [Applause.]
    I am proud to convene today's hearing, which will focus on 
the Government's homeland security approach to risk 
management--a very key element of survival in this Nation. If 
you cannot manage risk, then you are ultimately unable to 
address the questions of pending terrorist acts if they are to 
occur, and those unpredictable natural disasters.
    Two weeks ago, there was a tragic accident at the Goodyear 
chemical plant in Houston, Texas. It is my belief that these 
types of incidents can be avoided if the appropriate risk 
management strategies are put in place. If the Department of 
Homeland Security can facilitate a comprehensive risk 
management program across the Federal Government and the 
private sector, it will go a long way toward preventing 
additional tragedies like the one that occurred in my own home 
town.
    We are well aware that 85 percent of the critical 
infrastructure is in the hands of private entrepreneurs. 
Therefore, this must be a deeply embedded partnership in order 
for us to be able to save lives. In particular, I want to thank 
Mr. Raymond McInnis for his courage to testify here today after 
tragically losing his wife in the chemical explosion at the 
Goodyear plant on June 11. We thank him for his courage. His 
courage reminds us that we must push our Nation's chemical 
plants to take all of the necessary precautions to ensure that 
the American people are not put in unnecessary danger.
    Mr. McInnis will address what this Government and our 
country's employers can do to keep events like the one at the 
Goodyear plant from happening. Again, Mr. McInnis, we thank you 
very much for being here today. We are well aware of the 
service of years that you have given to the Goodyear plant, so 
we are aware as well that in addition to your tragedy and your 
personal loss, you will give us a welcome knowledge and 
understanding. We are so grateful for your presence here today.
    I would like to note that Goodyear declined our invitation 
to testify this afternoon. However, I have been assured that I 
will be kept informed of the developments related to its 
investigation of this serious matter. I have had an opportunity 
for discussion. Discussion must continue. The involvement must 
continue. We must find a way to ensure that these incidents do 
not occur.
    The DHS must be on the frontlines of being preventive in 
preventing these tragedies however they may occur from 
happening to undermine the security and the safety of America. 
In no way is this hearing intended to influence an ongoing 
investigation. I encourage my colleagues to respect this fact 
as we attempt to learn about the need for a risk management 
framework for homeland security and how such a framework may 
apply to workers at chemical facilities.
    Chairman Thompson, Ranking Member Lungren and I have taken 
a special interest in risk management. The reason for this is 
clear. Scarce Federal resources must be devoted to implementing 
meaningful homeland security strategies and programs designed 
to reduce risk from all hazards. I applaud Secretary Chertoff 
for espousing a risk-based approach to homeland security. 
Today, we are going to learn more about what that means and how 
it can be improved.
    Our focus on risk cannot come at a more meaningful time. 
The threat posed by all types of hazards continues to endanger 
the American people. The resources to mitigate that threat must 
be allocated efficiently. We are in a budgetary situation that 
requires us to make difficult choices and to embrace a risk 
management strategy that will help us make rational investment 
decisions with our homeland security dollars.
    This subcommittee has sent three letters to the Department 
in an effort to understand its risk management practices. We 
have not been satisfied with many of its responses. Today, I 
look forward to getting answers from Under Secretary Jamison, 
who oversees many of the Department's risk-related programs.
    Our approach to homeland security risk management must 
encompass all of the Federal departments and agencies, State 
and local governments, and the private sector. Today, we will 
hear from the Port Authority of New York and New Jersey. It has 
developed what I consider to be an effective risk management 
program. The more we learn about these types of successes, the 
more alternatives we have to choose from in adopting and 
promoting strategies at the Federal level.
    I am fully aware that no methodology or analytical tool 
exists that will serve as a silver bullet. Indeed, there needs 
to be a baseline or set of principles that guides the 
Department's components so that they can develop new methods of 
risk analysis to support their activities.
    I have many concerns about the Department's Office of Risk 
Management and Analysis. I believe we should increase the 
budget. It has yet to produce a baseline or a set of principles 
to guide the Department's risk management program. It has yet 
to justify its $10 million budget. I believe it will need more 
money. In order to do that, because risk management is so 
important, it is at the cutting edge of saving lives, we need 
to have the first baseline so we can make the argument for more 
funding.
    Still more troubling is the fact that there is no clear 
legislative or executive mandate supporting this office. It is 
unclear to this subcommittee whether it has the necessary 
authority to do its job. In the shadow or in the sunrise of a 
pending new administration, this all points to being prepared 
during the transitional time. The fact that we have this 
transitional time is key to focus on this risk management 
question.
    Today's discussion will not end here, but I hope it will 
encourage the Department to implement policies adequate for the 
task at hand. I look forward to hearing the opinions of our 
witnesses on a new risk management Presidential directive, the 
potential for a chief homeland security risk officers and 
national homeland security risk assessment, and how we can 
ensure that budget recommendations are based upon risk 
management principles.
    Furthermore, we want to know where the Office of Risk 
Management and Analysis fits into the Department's risk 
management program.
    Once again, I would like to thank everyone for their 
participation today. I look forward to hearing from our 
witnesses.
    At this time, without objection, I would like to enter two 
documents into the record. The first is a statement submitted 
by Dr. Henry H. Willis of the RAND Corporation entitled 
``Challenges of Applying Risk Management to Terrorism Security 
Policy''. The second is an April, 2008 report by GAO, 
``Highlights of a Forum: Strengthening the Use of Risk 
Management Principles in Homeland Security.''
    Hearing no objection, it is so ordered.*
---------------------------------------------------------------------------
    * The documents have been retained in committee files.
---------------------------------------------------------------------------
    Let me also indicate that at the conclusion of the opening 
statements, you will be entering into the record three 
documents. So let me correct the record and indicate that 
instead of two, we will have three. That is the additional 
statement that is now being presented to us by Goodyear. As I 
indicated, Goodyear was invited to testify, and this committee 
will keep an open record and also continue to the extent that 
legislation will probably generate it out of this hearing.
    They declined to testify, Goodyear, at today's hearing 
because they indicated that it was inappropriate to testify at 
this time. As I have already informed you, we have no intention 
of interfering with a pending investigation, but we welcome 
Goodyear's future testimony. As I have indicated that it is 
appropriate, we are going to submit a statement from Goodyear 
for the record that I would like to include at this time if 
there is no objection.
    Hearing no objection, their statement will be submitted and 
we appreciate the presence of their statement.
    [The information follows:]
 Prepared Statement of Joseph Copeland, Vice President, Goodyear Tire 
                           and Rubber Company
                             June 25, 2008
    Goodyear appreciates the opportunity to submit this brief statement 
for the record of the hearing before the House Subcommittee on 
Transportation Security and Infrastructure Protection of the Committee 
on Homeland Security entitled ``The Goodyear Explosion: Ensuring Our 
Nation is Secure by Developing A Risk Management Framework for Homeland 
Security.'' We want to express our heartfelt condolences to the McInnis 
family and friends for their tragic loss, and to assure the committee, 
as we have the Chairwoman, our employees and our community, that we are 
cooperating fully with all ongoing investigations of the accident by 
our company and the Occupational Safety and Health Administration 
(OSHA) and will be available to discuss their findings when the 
investigations are complete. In light of the brief passage of time 
since the accident 14 days ago, and these ongoing investigations, it 
would be inappropriate for us to speculate at the hearing today. Since 
witnesses may be offering opinions on this matter at the hearing, we 
ask that the following brief statement by Goodyear be included in 
today's hearing record.
    On the morning of June 11, an explosion occurred at the Goodyear 
chemical plant in Houston, killing longtime Goodyear associate Gloria 
McInnis and injuring six other workers. The explosion, which appears to 
have been caused by the buildup of pressure in a device called a heat 
exchanger, also resulted in the release of ammonia in the immediate 
vicinity and required us to evacuate associates and contractors from 
the entire site.
    As required by our safety protocols, emergency response 
coordinators began accounting for everyone who was on site at the time 
of the explosion. In fact, Mrs. McInnis was an emergency response 
coordinator and therefore would not have been evacuated off the plant 
property, but would have worked with other coordinators to respond to 
the emergency. Unfortunately, the shift foreman responsible for 
accounting for Mrs. McInnis' whereabouts mistakenly attributed a 
telephone conversation he had with Mrs. McInnis moments before the 
explosion as occurring after the explosion. He wrongly marked Mrs. 
McInnis as accounted for and assumed she was attending to duties 
elsewhere on site. That incorrect assessment resulted in the Goodyear 
plant manager making an inaccurate statement to the public, and 
Goodyear and the plant manager sincerely apologize to the community and 
to the McInnis family in particular.
    Later in the morning, it was deemed safe for associates to return 
to work in other areas of the plant, but not the area in the immediate 
vicinity of the explosion. When work crews were able to access that 
area and inspect it more thoroughly, they tragically found Mrs. 
McInnis' body.
    During the course of the day, investigators from multiple 
agencies--OSHA, the Department of Homeland Security, the U.S. Chemical 
Safety and Hazard Investigation Board, the Texas Commission on 
Environmental Quality and others--visited the site or made inquiries. 
As this has been deemed an industrial accident and not a matter of 
homeland security, OSHA has assumed jurisdiction over the 
investigation. That investigation is ongoing, and Goodyear is 
cooperating fully.
    Goodyear's Houston team was shaken to its core by Mrs. McInnis' 
death and the injuries to another Goodyear associate and several 
contractors. Mrs. McInnis was a well-liked and hard-working associate 
who had been with the company for 31 years. Like Mrs. McInnis, a high 
percentage of our associates in Houston have worked at the plant for 
decades and they know each other quite well. Goodyear immediately 
offered grief counseling services to all who needed it.
    Despite some media reports to the contrary, Goodyear officials made 
multiple attempts to reach out to the family. After the McInnis family 
retained an attorney, the attorney required all attempts to communicate 
with the family go through him. Company officials extended their 
condolences and requested permission to attend the funeral. In 
addition, the company offered to pay for the funeral and to use its 
Government relations team to help get Mrs. McInnis' son returned from 
Iraq for the funeral. Our human resources department immediately began 
processing the necessary paperwork to ensure that the family members 
receive all the benefits that they are entitled to. Her coworkers 
created a memorial to Mrs. McInnis at the plant, held a plant-wide 
moment of silence in her memory and even collected donations for the 
family.
    Goodyear itself is conducting an investigation into whether 
individuals adhered to our safety and security protocols before and 
after the explosion. At this point, we do know that our security system 
was not compromised and no unauthorized individuals were on the site at 
the time of the explosion.
    As for safety protocols, Goodyear works hard to eliminate injuries 
of any degree through its ``No One Gets Hurt'' safety initiative. The 
initiative includes educating all associates about our safety protocols 
and conducting drills to ensure that associates know what they are to 
do in case of an emergency. In fact, the initiatives have been so 
successful that OSHA recordable incidents--meaning injuries of any 
type, large or small--at the Houston plant dropped from 67 in 2000 to 
just 7 last year. We have seen similar improvements company-wide, and 
we have set even more aggressive goals to reduce workplace accidents 
and injuries. This is another reason why Mrs. McInnis' death and the 
injuries to the other workers are so devastating to the Goodyear 
family.
    Our investigation into what caused the pressure to buildup in the 
heat exchanger and the aftermath is continuing. Therefore, it is 
premature for us to speculate on the cause. We have committed to 
cooperating fully with the committee, and we will provide our findings 
at the appropriate time.
    In the meantime, we are grateful that the last two injured workers 
have been released from local hospitals. And we again want to extend 
our apologies to our community for the mistaken initial reports and our 
heartfelt condolences to Mrs. McInnis' family and friends for their 
loss.

    Ms. Jackson Lee. I am also very pleased to, No. 1, share 
this podium with the distinguished gentleman from California, 
who is the Ranking Member, Mr. Lungren. As was indicated by his 
office, he has been detained because of an item that could not 
be removed. We will be looking forward to working with him.
    I am more than pleased to have a very dedicated, committed, 
and very informed Member of the House, but also a respected 
Member of the Homeland Security Committee, and an equally 
respected Member of the Subcommittee on Transportation Security 
and Infrastructure Protection, to serve today as Ranking 
Member. The Chair now recognizes Mr. Bilirakis, the 
distinguished gentleman from Florida, for an opening statement.
    Mr. Bilirakis. Thank you, Madam Chairwoman. I really 
appreciate it very much.
    I am pleased that you have called this hearing to examine 
the use of risk management in homeland security. I am honored 
to be filling in for Ranking Member Lungren who could not be 
with us today.
    I think it is important to acknowledge at the outset of 
this hearing that neither public nor private sector entities 
can protect everyone everywhere from everything at all times. 
The Government and others instead seek to accurately understand 
the nature of threats, vulnerabilities, and their potential 
consequences to better inform themselves and us of the smartest 
and most efficient ways to manage and reduce risk.
    Congress has rightly directed Federal agencies to use a 
risk-based approach to help guide important decisions about 
policy and resource allocation. The results have been mixed at 
best. However, the Department of Homeland Security has made 
progress analyzing risk within certain critical sectors. The 
progress of these risk assessments differs across each sector 
and within the Department for comparing cross-sector risk. This 
is an area that clearly needs attention and improvement.
    Federal policymakers and those we represent deserve to know 
whether we are using scarce public resources as wisely as 
possible to minimize risk and maximize security. To be fair, I 
am not sure whether anyone can reasonably be expected to 
definitely answer that question right now, but we surely need 
to.
    I think we also must be especially sensitive to the roll 
that Congress plays in providing political obstacles to risk-
based resource allocation and strategic thinking in this area. 
We each fight to represent our constituents as best as we can, 
and in that process zealously, and perhaps without the benefit 
of having the broadest possible perspective, direct and 
redirect funding and policy priorities in a manner that may be 
inconsistent with the most effective risk-based homeland 
security strategy.
    In that regard, I am interested to hear the perspectives of 
today's witnesses on whether the Federal policies and 
investment priorities are properly aligned with those areas 
that are most vulnerable and in which an attack or natural 
catastrophe could have the greatest consequence on our homeland 
security. We should not simply be throwing money at problems 
without reasonable assurances objectively based in fact that we 
are actually reducing risk.
    Before I conclude, I want to express my condolences to Mr. 
Raymond McInnis, whose wife Gloria was killed in the explosion 
at the Goodyear plant in Houston earlier this month. My heart 
goes out to him and the other victims of this tragedy.
    Madam Chairwoman, I want to thank you again for calling 
this hearing to help shed more light on a critical component of 
our homeland security strategy. I look forward to hearing from 
our distinguished witnesses on this very important topic. Thank 
you again, Madam Chairwoman. I yield back the balance of my 
time.
    Ms. Jackson Lee. Let me thank the gentleman very much for 
his statement today, a very constructive statement as we lay 
the groundwork for this hearing.
    Other Members of the subcommittee are reminded that under 
committee rules, opening statements may be submitted for the 
record.
    It is my pleasure now to begin the testimony of the first 
witness, the witnesses on the first panel. Our first witness is 
Under Secretary Robert D. Jamison. Mr. Jamison is under 
secretary for the National Protection and Programs Directorate 
at the Department of Homeland Security. In his capacity as 
under secretary, Mr. Jamison looks at the Department's 
integrated efforts to analyze, manage and reduce risk.
    Prior to joining NPPD, Mr. Jamison served as deputy 
administrator at the Transportation Security Administration. 
Before joining DHS, Mr. Jamison served for over 3 years as a 
deputy administrator of the Federal Transit Administration at 
the Department of Transportation.
    Our second witness, Mr. Norman Rabkin, is a managing 
director for homeland security and justice at the Government 
Accountability Office. Mr. Rabkin helped to host a comptroller 
general's forum on strengthening the use of risk management 
principles in homeland security on October 25, 2007. The forum 
convened a group of experts to address effective practices and 
the challenges Federal agencies face in applying risk 
management to homeland security, and actions that can 
strengthen homeland security risk management.
    We believe that setting the framework on the challenges as 
we move forward in looking for the legislative reform, these 
witnesses are going to add very much to our discussion and our 
roadmap in going forward.
    Without objection, the witnesses' full statements will be 
inserted in the record. I now ask each witness to summarize his 
statement for 5 minutes, beginning with Under Secretary 
Jamison.
    Gentlemen, you are welcome.

   STATEMENT OF ROBERT D. JAMISON, UNDER SECRETARY, NATIONAL 
  PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Jamison. Thank you, Chairwoman Jackson Lee and 
Congressman Bilirakis, for the opportunity to appear before you 
this afternoon to address the Department's implementation of 
risk management practices.
    DHS is committed to applying a risk management framework 
across all homeland security efforts to prioritize our 
prevention, protection and resource efforts. The standup of the 
Office of Risk Management and Analysis within the National 
Protection and Programs Directorate and the longstanding 
collaboration on risk analysis and risk management across the 
Department bear out this commitment.
    With approximately 95,000 miles of coastline, 1 million 
passengers arriving daily through our ports, 450 airports and 
thousands of other critical infrastructure assets, our homeland 
cannot be secured at every moment in every way against every 
possible threat. Instead, as a Nation, we must be able to 
determine what levels of risk are acceptable and prioritize our 
efforts.
    As a result, the Department must adopt an approach of 
analyzing risk and using the information to devise the most 
effective ways to improve security. DHS components have long 
recognized the need to use risk analysis as a guide to 
decisionmaking. Eager to leverage DHS components' existing 
work, DHS has made it a priority for the new Office of Risk 
Management and Analysis to examine risk from a departmental 
perspective, working closely with each component with risk 
management responsibilities.
    DHS's risk management architecture must allow for the 
diversity of operational environments in DHS, yet consistently 
generate reliable results that can be further utilized for 
strategic decisionmaking across the domain. It must be 
simultaneously flexible, yet robust.
    Because DHS has multiple responsibilities with several 
unique operating environments, the Department-wide risk 
management architecture has to be flexible enough to allow for 
the development of customized component-level risk analysis by 
experts who know the characteristics of their mission space. 
For example, TSA's air domain risk analysis was developed by 
experts who understand the particulars of airports, airlines 
and the Nation's air space, while NPPD's chemical facility 
regulatory regime known as CFAS was developed by risk experts 
in DHS and the chemical industry.
    On the other hand, DHS risk architecture needs to be robust 
enough to allow us to draw from those component analyses to 
inform decisionmaking at a strategic level. DHS seeks to create 
a structure that provides components with guidance to conduct 
those risk analyses, but does not constrain them with overly 
specific or rigid requirements, while providing the leaders of 
the Department comprehensive information to make resource and 
management decisions that are risk-based.
    How are we going to unite these two competing requirements? 
First, we need to establish an integrated risk management 
framework. This framework will consist of the doctrine, 
principles, processes, guidance and information flows that will 
enable risk-informed and cost-effective decisionmaking at all 
levels. A properly executed risk management framework serves as 
a force multiplier because it enables better alignment of 
security priorities and resources to needs.
    Next, we will conduct strategic integrated risk analyses. 
Integrated risk analyses defines a path forward, while 
leveraging the existing body of work that has already been 
completed or conducted within or outside the Department. These 
integrated analyses will put all the hard work DHS components 
have completed to date to work, and provide DHS leadership with 
a strategic look at risk across multiple mission areas. The 
ultimate goal is to fully integrate those strategic analyses 
into a larger planning and resource allocation process.
    The principal vehicle for implementing these goals is the 
DHS steering committee that NPPD has established. The risk 
steering committee is comprised of risk analysis leaders from 
across the Department, and works to ensure collaboration, 
information sharing, and consensus building across the 
Department.
    The committee is already working on several projects that 
support the development of the integrated risk management 
framework and the integrated strategic risk analysis. NPPD is 
confident this approach will reap the benefits of all the hard 
work that has already been completed in the area of risk 
analysis, while also delineating a strategic vision for risk 
management.
    Finally, I would like to take a moment to offer my personal 
condolences to the McInnis family. Events such as the recent 
plant explosion in Houston weigh on all of us. Earlier, I 
mentioned CFAS, the chemical facility regulation that requires 
identification of high-risk facilities that hold chemicals of 
interest, and the subsequent development of security measures.
    As we implement CFAS, we are striving to manage the risks 
associated with chemical security across the country. Over the 
coming months, we will be requiring high-risk chemical 
facilities to determine their most critical security 
vulnerabilities and put strategies in place to address those 
vulnerabilities. This risk-based approach not only advances the 
security of chemical facilities, but will also contribute to 
the broader understanding of risk as we integrate those results 
across the Department.
    Thank you for holding this hearing and for your attention 
to this critical area of risk management. I would be happy to 
answer any questions you might have.
    [The statement of Mr. Jamison follows:]
                Prepared Statement of Robert D. Jamison
                             June 24, 2008
    Thank you, Chairwoman Jackson Lee, and distinguished Members of the 
subcommittee. It is a pleasure to appear before you today to address 
the Department's implementation and execution of risk management 
practices. The Department of Homeland Security (DHS) is committed to 
the careful analysis of risk to inform a broad range of decisions. This 
commitment is demonstrated by the establishment of the Office of Risk 
Management and Analysis (RMA) within the National Protection and 
Programs Directorate (NPPD), the long-standing level of attention 
devoted to risk assessment and analysis within DHS components, and the 
collaboration in risk analysis across DHS components.
                             the challenges
    Secretary Chertoff has reiterated the theme that no one entity--
public or private--can effectively protect every single person at every 
moment in every place against every threat. Rather, the approach that 
the Department, indeed the Nation as a whole, must adopt is one of 
analyzing risk and using that information to devise the most cost-
effective way of managing risk and improving security.
    In the context of homeland security, estimating risk includes 
characterization of three key factors: threats, vulnerabilities, and 
consequences. Terrorist threats can change rapidly and adapt to new 
security measures, making the estimation of threat extremely 
challenging. Vulnerabilities are usually quantifiable through subject 
matter expert judgment and ``red team'' exercises that probe for 
weaknesses, but they vary widely for different scenarios or types of 
attack. The direct consequences of an attack are fairly straightforward 
to calculate, but it is very difficult to quantify indirect 
consequences, potential cascading effects, and the impact on the public 
psyche. Last, integrating terrorism risk assessments with other all-
hazard risk assessments, such as natural disasters, is difficult. For 
these reasons, and many others, risk management in homeland security 
remains a complex and arduous undertaking.
    Given these complexities in conducting risk assessments, there are 
two priorities when designing an overarching risk architecture for the 
Department. These priorities are:
    1. Allowing for the development of customized, component-level risk 
        analyses by analysts who know the unique characteristics of 
        their mission space and the decision needs of their leaders, 
        and
    2. Creating risk analysis guidelines and standards that will allow 
        the Department to aggregate risk information across the broad 
        spectrum of the DHS mission space to inform strategic 
        decisionmaking.
    The key challenge for DHS and RMA moving forward is to develop 
approaches and guidance materials that are both flexible and robust 
enough to accommodate these two priorities.
                      dhs' risk management vision
    The Department's approach to risk-informed decisionmaking has 
matured considerably over the past 5 years. It will continue to evolve 
as our understanding grows and as new analytic approaches are developed 
to deal with the complexities and uncertainties inherent in many of the 
risks for which DHS holds responsibility. Despite the progress already 
made, there is clearly much that remains to be done. The Department 
continues to focus on improving DHS risk assessment methodologies, 
advancing decision support tools, and identifying risk-related 
information gaps. For example:
   The Transportation Security Administration (TSA) has 
        identified critical vulnerabilities within certain 
        transportation modes, such as unattended railcars carrying 
        Toxic Inhalation Hazards, and analyzes the mitigation of these 
        vulnerabilities through the use of detailed metrics reports.
   The Office of Infrastructure Protection (IP) continuously 
        tracks National Infrastructure Protection Plan (NIPP) 
        implementation activities across all sectors. This allows IP to 
        monitor the progress of establishing sector-specific risk 
        management processes.
   The Homeland Infrastructure Threat and Risk Analysis Center 
        (HITRAC) conducts an annual risk assessment called the 
        Strategic Homeland Infrastructure Risk Assessment (SHIRA) that 
        spans across all Critical Infrastructure/Key Resource (CIKR) 
        sectors.
   RMA has instituted a risk governance structure within the 
        Department.
   The Federal Emergency Management Agency (FEMA) is 
        modernizing flood maps to help communities improve their level 
        of security from a natural disaster through smart building and 
        setting of construction standards to create safer housing.
   The Office of Health Affairs is relying on risk assessments 
        conducted by the Science and Technology Directorate to guide 
        all of our bio-defense countermeasure strategies--both medical 
        and nonmedical--and to inform our policies.
    In all of these examples, DHS and its components are improving the 
Department's ability to develop information about risks and use this 
information to inform decisions. To advance these efforts, and to 
leverage the expertise, the Department must continue to further the 
integration efforts. Based on this key challenge, RMA, in collaboration 
with the Department's components, has developed a vision to support the 
Department's efforts to advance its risk management capabilities. The 
vision is twofold:
    1. Establish and institutionalize an integrated risk management 
        framework. This framework will consist of the doctrine, 
        principles, processes, guidance, and information flows that 
        will enable risk-informed and cost-effective decisionmaking 
        within components and at the DHS headquarters level. A properly 
        executed risk management framework effectively serves as a 
        force multiplier, as it enables better alignment of security 
        priorities and resources to needs.
    2. Conduct strategic, integrated risk analysis. We must be 
        informed, at the strategic level, by an integrated departmental 
        risk assessment. The integrated risk assessment should leverage 
        the various risk analyses being conducted within and outside 
        the Department.
    An integrated risk management framework will help better ensure 
that these efforts are harmonized and work from the same principles and 
understanding. Strategic, cross-component analysis will leverage the 
advances DHS' components have made with regard to risk management while 
incorporating those advances into DHS' larger planning and resource 
allocation processes.
                   current risk management practices
    The Department is tasked with fulfilling missions that range from 
finding persons lost at sea to detecting renegade nuclear weapons. 
Without a clear understanding of the risks facing our society, 
decisionmaking could become less effective. Our resources could be 
spent to protect the Nation against risks that are less significant, 
while we simultaneously fail to protect the Nation against the risks 
that are more critical.
    NPPD, through RMA, is continuing to build the foundation for sound 
risk management practices across the Department. To enable the sharing 
and integration of RMA and component risk-related efforts, RMA has 
implemented a risk governance process within the Department. Central to 
this risk governance process is the DHS Risk Steering Committee (RSC) 
that RMA established. The RSC is comprised of risk analysis leads from 
across the Department and meets on a monthly basis. This approach 
ensures that there is collaboration, information-sharing, and 
consensus-building across the Department as we identify guidelines and 
recommendations for risk management and analysis. Currently, there are 
three working groups within the RSC. The efforts of the RSC working 
groups will provide the foundation for the integrated risk management 
framework and for strategic, cross-component analysis.
   The Risk Assessment Process for Informed Decision-Making 
        (RAPID) Working Group.--RAPID is a strategic-level, Department-
        wide process that will assess risk and inform strategic 
        planning, programming, budgeting, and execution processes. The 
        process is focused on developing techniques to evaluate the 
        risk reduction impacts of relevant DHS programs.
   The Lexicon Working Group.--The lexicon is a comprehensive 
        glossary of words and terms relevant to the practice of 
        homeland security risk management that will be used to ensure 
        better understanding of risk management terminology throughout 
        the homeland security organization.
   The Best Practices Working Group.--The product is an 
        inventory of risk management lessons learned and recommended 
        procedures and guidelines that will be used to guide the 
        components to ensure that the Department's risk methods are 
        coherent, consistent, and technically sound.
    The RSC has also been a very useful means for DHS components to 
coordinate their risk management efforts with each other. Examples of 
the programs that have RSC representation and participation include:
   IP's NIPP Risk Management Framework and its work with 
        Federal/State/local/tribal partners in setting and pursuing 
        CIKR protection goals and the establishment of Risk Integration 
        and Analysis programs;
   The United States Coast Guard's (USCG) Maritime Security 
        Risk Analysis Model (MSRAM), which allows USCG to develop and 
        aggregate risk information at the port, sector, area, and 
        national levels, and which supports numerous Coast Guard/DHS 
        planning and resource allocation efforts at the strategic, 
        operational, and tactical levels;
   The Office of Science and Technology's risk model, which 
        analyzes the risk-reduction potential of various research and 
        development initiatives.
   The Federal Emergency Management Agency's (FEMA) grant 
        programs that utilize a risk-informed approach by considering 
        both the risk profiles of specific jurisdictions and the 
        quality of the business cases that the grant applicants develop 
        to mitigate the risk.
   TSA's agent-based risk simulation model, called the Risk 
        Management Analysis Tool, which takes into account that 
        terrorists are a dynamic and adaptive adversary and allows TSA 
        to identify the risk reduction value of any single layer of 
        security within the U.S. aviation system.
    These component efforts demonstrate both the quality and diversity 
of risk management efforts within DHS. The goal of RMA is not to 
mandate that DHS components use a certain tool or analytical technique 
to conduct their specific risk analyses. Instead, RMA is serving as the 
bridge to connect these existing efforts together and is building 
products and collaboration forums to better ensure they are harmonized 
moving forward. The DHS integrated risk management framework will 
embrace a wide range of analytical tools and techniques. Most 
importantly, the framework will help ensure that all DHS risk analysis 
efforts are transparent, defensible, and documented. It will also help 
ensure that these analyses can be leveraged for strategic, cross-
component analysis at the DHS headquarters level.
    Lastly, the RSC is a primary formal mechanism for the internal 
sharing of DHS risk information. However, a number of key external 
communications mechanisms are also in place at DHS because a critical 
part of the Department's risk management practices is how it 
communicates and works with its State, local, and tribal partners. For 
example, through the NIPP, DHS has established a framework that enables 
stakeholders from the private sector and public sector to coordinate on 
risk management issues. Government Coordinating Councils and Sector 
Coordinating Councils have been established across all CIKR sectors. 
Active information exchange occurs through the councils and through the 
Homeland Security Information Network. As the integrated risk 
management framework is developed, it will be shared with Federal, 
State, local, tribal and private sector stakeholders through these and 
other mechanisms that RMA is currently assessing.
                    advancing risk management at dhs
    While we have made significant progress in our efforts to build an 
integrated, effective, and harmonized architecture for risk management 
at the Department, we are still in the early stages of a long journey. 
As a Department, we are striving to implement an approach where major 
decisions about investments, budgets, grants, planning priorities, 
operational posture, and security priorities are risk informed. To do 
so, we are moving toward an integrated framework of risk-informed 
decisionmaking where:
    1. Decisions are framed to include an understanding of the risks 
        associated with them;
    2. Risks are identified, analyzed, communicated and assessed, so as 
        to ensure we fully understand the nature of the problems we are 
        trying to manage;
    3. Alternative strategies for risk management are developed and 
        analyzed for costs and benefits;
    4. Decisions amongst these strategies are made with the best 
        understanding of how they impact the risk; and
    5. Decisions are monitored and reviewed so as to understand how 
        they mitigated the risk.
    Such a risk management process for decisionmaking will be applied 
across DHS to address strategic, operational, and tactical risks. As we 
move forward, the Department, through RMA and the RSC, expects to make 
this process the center of an integrated risk management framework.
    In addition, DHS will continue to build the foundational efforts 
necessary to execute the framework and strategic analyses. These 
efforts will include the development of a risk management training and 
education program for both risk analysts and senior leaders, investment 
in new technologies for risk data collection, improved Department-wide 
access to resources for modeling and simulation, and the identification 
of useful risk management metrics.
                               conclusion
    As noted in the 2007 National Strategy for Homeland Security, the 
assessment and management of risk underlies the full spectrum of our 
homeland security activities, including decisions about when, where, 
and how to invest in resources that eliminate, control, or mitigate 
risk. We at DHS recognize that risk management within the context of 
homeland security is an evolving field. We know that there are 
improvements that we can make in applying risk management and analysis 
to support our decisionmaking. We rely on collaboration with experts 
inside and outside the Government to learn how we can improve our 
abilities to understand, communicate about, and manage risk.
    Managing risk depends on accepting uncertainty; managing risk does 
not mean eliminating it. At DHS our goal with regard to risk management 
is to continually improve our ability to understand and recognize those 
risks, while developing the processes and methods that allow us to use 
that information to make better decisions. Those decisions govern how 
we invest our efforts in increasing preparedness, protection, and, 
ultimately, homeland security.
    Thank you for holding this important hearing. I would be happy to 
respond to any questions you might have.

    Ms. Jackson Lee. Thank you, Secretary Jamison.
    Mr. Rabkin, we thank you for your testimony.

  STATEMENT OF NORMAN J. RABKIN, MANAGING DIRECTOR, HOMELAND 
     SECURITY AND JUSTICE, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Rabkin. Madam Chairwoman, Mr. Bilirakis, and other 
Members of the subcommittee, thank you for inviting me to 
participate in today's hearing on the use of risk management 
principles in homeland security.
    The Congress, the President, and the Department all 
recognize that the Federal Government can never assure complete 
security, and it certainly can't afford to invest unlimited 
resources trying to do so. Using risk as a basis to 
intelligently allocate relatively limited resources makes 
sense. How to do it is much more difficult.
    Even before September 11, 2001, GAO was looking at how 
Federal agencies could make investment decisions based on risk. 
We created a conceptual framework for this decision process. We 
have displayed that in this graphic to my right and your left. 
This begins with identifying a program's goals, then assessing 
the risks, evaluating potential alternatives to mitigate the 
risks, deciding which alternatives in which to invest, and 
finally implementing the decision and monitoring the results of 
the investment, as well as any changes in goals and risks.
    As you mentioned, last year we invited about two dozen 
international experts to the GAO to discuss how to strengthen 
the use of risk management principles in homeland security. My 
written statement summarizes the results of that session. Here 
are some of the highlights.
    The participants first identified effective public and 
private sector risk management practices. For example, 
participants discussed the private sector's use of a chief risk 
officer, an executive responsible for focusing on understanding 
information about risks and reporting this information to other 
senior-level managers.
    They also discussed examples of public sector organizations 
that have effectively integrated risk management practices into 
their operations, such as the U.S. Coast Guard, and compared 
and contrasted public and private sector risk management 
practices.
    Then the participants identified four key challenges to 
applying risk management to homeland security. Many 
participants agreed that improving risk communication posed the 
greatest challenge to using risk management principles. More 
specifically, they cited the need to first establish a common 
lexicon for discussing risk; second, educating policymakers and 
the public about risks and engage in public discourse to reach 
consensus on acceptable levels of risk; and third, developing 
new risk communication practices to alert the public during 
emergencies.
    The second challenge they cited were political obstacles to 
risk-based resource allocation. They discussed the reluctance 
of politicians and others to make risk-based funding decisions. 
Participants noted that elected officials' investment 
priorities are informed by the public's beliefs about which 
risks should be given the highest priority--beliefs that are 
often based on incomplete information.
    As a result, the participants felt that there was less 
incentive for officials to invest in long-term opportunities to 
reduce risk, such as investing in specific border security 
assets or transportation infrastructure, when the public may 
not view these investments as addressing a perceived risk.
    The third challenge is in the area of strategic thinking. 
They commented that a better national strategic planning 
process is needed to guide Federal investments in homeland 
security, one that more explicitly involves discussions of 
tradeoffs of investing in programs that protect against one 
risk rather than another. They also suggested that fragmented 
approaches within and across the Federal Government be 
addressed by developing Government-wide guidance on using risk 
management principles.
    The final challenge they discussed was related to 
developing public-private partnerships. They believe that risk 
management is the responsibility of both the public and the 
private sectors. They suggested that public-private 
collaboration would be improved if representatives from State 
and local governments, as well as the private sector, were more 
involved in public risk assessments and had more access to the 
Federal Government's information about threats, vulnerabilities 
and consequences, and this information being used to assess 
these various risks.
    The challenges that our participants cited are consistent 
with the goals and strategies of the National Infrastructure 
Protection Plan. Our sense is that DHS also recognizes them and 
is organizing itself to deal with them.
    This concludes my statement. I would be pleased to answer 
any questions you or the subcommittee Members may have.
    [The statement of Mr. Rabkin follows:]
                 Prepared Statement of Norman J. Rabkin
                             June 25, 2008
                             gao highlights
    Highlights of GAO-08-904T, a testimony before the Subcommittee on 
Transportation Security and Infrastructure Protection, Homeland 
Security Committee, House of Representatives.
Why GAO Convened This Forum
    From the terrorist attacks of September 11, 2001, to Hurricane 
Katrina, homeland security risks vary widely. The Nation can neither 
achieve total security nor afford to protect everything against all 
risks. Managing these risks is especially difficult in today's 
environment of globalization, increasing security interdependence, and 
growing fiscal challenges for the Federal Government. Broadly defined, 
risk management is a process that helps policymakers assess risk, 
strategically allocate finite resources, and take actions under 
conditions of uncertainty.
    GAO convened a forum of 25 national and international experts on 
October 25, 2007, to advance a national dialog on applying risk 
management to homeland security. Participants included Federal, State, 
and local officials and risk management experts from the private sector 
and academia.
    Forum participants identified: (1) What they considered to be 
effective risk management practices used by organizations from the 
private and public sectors; and (2) key challenges to applying risk 
management to homeland security and actions that could be taken to 
address them. Comments from the proceedings do not necessarily 
represent the views of all participants, the organizations of the 
participants, or GAO. Participants reviewed a draft of this report and 
their comments were incorporated, as appropriate.
risk management: strengthening the use of risk management principles in 
                           homeland security
What Participants Said
    Forum participants identified what they considered to be effective 
public and private sector risk management practices. For example, 
participants discussed the private sector use of a chief risk officer, 
though they did not reach consensus on how to apply the concept of the 
chief risk officer to the public sector. One key practice for creating 
an effective chief risk officer, participants said, was defining 
reporting relationships within the organization in a way that provides 
sufficient authority and autonomy for a chief risk officer to report to 
the highest levels of the organization. Participants stated that the 
U.S. Government needs a single risk manager. One participant suggested 
that this lack of central leadership has resulted in distributed 
responsibility for risk management within the administration and 
Congress and has contributed to a lack of coordination on spending 
decisions. Participants also discussed examples of public sector 
organizations that have effectively integrated risk management 
practices into their operations, such as the U.S. Coast Guard, and 
compared and contrasted public and private sector risk management 
practices.
    According to the participants at our forum, three key challenges 
exist to applying risk management to homeland security: improving risk 
communication, political obstacles to risk-based resource allocation, 
and a lack of strategic thinking about managing homeland security 
risks. Many participants agreed that improving risk communication posed 
the single greatest challenge to using risk management principles. To 
address this challenge, participants recommended educating the public 
and policymakers about the risks we face and the value of using risk 
management to establish priorities and allocate resources; engaging in 
a national discussion to reach a public consensus on an acceptable 
level of risk; and developing new communication practices and systems 
to alert the public during an emergency. In addition, to address 
strategic thinking challenges, participants recommended the Government 
develop a national strategic planning process for homeland security and 
Government-wide risk management guidance. To improve public-private 
sector coordination, forum participants recommended that the private 
sector should be more involved in the public sector's efforts to assess 
risks and that more State and local practitioners and experts be 
involved through intergovernmental partnerships.
    Madam Chairwoman and Members of the subcommittee: Thank you for 
inviting me to participate in today's hearing on the use of risk 
management principles in homeland security. As shown by the terrorist 
attacks of September 11, 2001, and Hurricane Katrina, homeland security 
risks vary widely. The Nation can neither achieve total security nor 
afford to protect everything against all risks. Managing these risks is 
especially difficult in today's environment of globalization, 
increasing security interdependence, and growing fiscal challenges for 
the Federal Government. It is increasingly important that organizations 
effectively target homeland security funding--totaling nearly $65 
billion in 2008 Federal spending alone--to address the Nation's most 
critical priorities.
    Using principles of risk management can help policymakers reach 
informed decisions regarding the best ways to prioritize investments in 
security programs so that these investments target the areas of 
greatest need. Broadly defined, risk management is a strategic process 
for helping policymakers make decisions about assessing risk, 
allocating finite resources, and taking actions under conditions of 
uncertainty. The Department of Homeland Security (DHS) has established 
a risk management framework to help the Department target its 
investments in security programs based on risk. This framework defines 
risk as a function of threat, vulnerability, and consequence, or, in 
other words, a credible threat of attack on a vulnerable target that 
would result in unwanted consequences.
    Our prior work has shown that using risk management principles to 
prioritize which programs to invest in and to measure the extent to 
which such principles mitigate risk is a challenging endeavor. For this 
reason, to assist both Congress and Federal agencies, including DHS, 
GAO convened an expert panel to advance the national dialog on 
strengthening the use of risk management principles to manage homeland 
security programs. Today, I'll discuss the highlights of our panel's 
thoughts on the issues we asked them to identify: (1) Effective risk 
management practices used by organizations from the public and private 
sectors; and (2) key challenges faced by public and private 
organizations in adopting and implementing a risk-based approach to 
manage homeland security programs and actions that could be taken to 
address them.
                                summary
    Participants identified effective public and private sector risk 
management practices. For example, participants discussed the private 
sector use of the chief risk officer. However, participants discussed 
but did not reach consensus on how to apply this concept of a chief 
risk officer to the public sector. They also discussed examples of 
public sector organizations that have effectively integrated risk 
management practices into their operations, such as the U.S. Coast 
Guard, and compared and contrasted public and private sector risk 
management practices.
    According to the participants at our forum, three key challenges 
exist to applying risk management to homeland security: improving risk 
communication, political obstacles to allocating resources based on a 
consideration of risk, and a lack of strategic thinking about managing 
homeland security risks. Many participants, 35 percent, agreed that 
improving risk communication posed the single greatest challenge to 
using risk management principles. Further, 19 percent of participants 
stated political obstacles to risk-based resource allocation was the 
single most critical challenge, and the same number of participants, 19 
percent, said the single most critical challenge was a lack of 
strategic thinking. The remaining participants identified other key 
challenges, for example, technical issues such as the difficult but 
necessary task of analyzing threat, vulnerability, and consequences of 
a terrorist attack in order to assess risk; partnership and 
coordination challenges; and the need for risk management education.
    The expert panel also identified ways to address some of these 
challenges. To better communicate about risks, participants recommended 
that we educate the public and policymakers about the risks we face and 
the value of using risk management to establish priorities and allocate 
resources; engage in a national discussion to reach a public consensus 
on an acceptable level of risk; and develop new communication practices 
and systems to alert the public during an emergency. To better allocate 
resources based on risk, participants recommended that public officials 
and organizations consider investing in protective measures that yield 
long-term benefits. In addition, to address strategic thinking 
challenges, participants recommended the Government develop a national 
strategic planning process for homeland security and Government-wide 
risk management guidance. To improve public-private sector 
coordination, forum participants recommended that the private sector 
should be more involved in the public sector's efforts to assess risks 
and that more State and local practitioners and experts be involved 
through intergovernmental partnerships.
                               background
    The Comptroller General convened this expert panel from the United 
States and abroad to advance a national dialog on strengthening the use 
of risk management principles to better manage homeland security 
programs. The forum brought together a diverse array of experts from 
the public and private sectors, including, from the public sector, a 
former Governor, a former DHS under secretary, a U.S. Coast Guard 
Admiral, and senior executives from DHS, the U.S. Army, and the 
National Intelligence Council, as well as State and local officials 
with homeland security responsibilities. From the private sector, 
participants included executives from leading multinational 
corporations such as Swiss Re, Westfield Group, JPMorgan Chase, and 
Wal-Mart. In addition, several of the world's leading scholars from 
major universities, the National Research Council, and the RAND 
Corporation participated in the forum. (See app. I for a list of 
participants.)
    Recognizing that risk management helps policymakers make informed 
decisions, Congress and the administration have charged Federal 
agencies to use a risk-based approach to prioritize resource 
investments. Nevertheless, Federal agencies often lack comprehensive 
risk management strategies that are well integrated with program, 
budget, and investment decisions. To provide a basis for analyzing 
these strategies, GAO has developed a risk management framework \1\ 
based on industry best practices and other criteria. This framework, 
shown in figure 1, divides risk management into five major phases: (1) 
setting strategic goals and objectives, and determining constraints; 
(2) assessing risks;\2\ (3) evaluating alternatives for addressing 
these risks; (4) selecting the appropriate alternatives; and (5) 
implementing the alternatives and monitoring the progress made and 
results achieved.
---------------------------------------------------------------------------
    \1\ For a description of this framework, see Appendix I of GAO, 
Risk Management: Further Refinements Needed to Assess Risks and 
Prioritize Protective Measures at Ports and Other Critical 
Infrastructure, GAO-06-91 (Washington, DC: Dec. 15, 2005).
    \2\ Risk assessment is the process of qualitatively or 
quantitatively determining the probability of an adverse event and the 
severity of its impact on an asset.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Our work has indicated that while DHS is making progress in 
applying risk management principles to guide its operational and 
resource allocation decisions, challenges remain. GAO has assessed 
DHS's risk management efforts across a number of mission areas--
including transportation security, port security, border security, 
critical infrastructure protection, and immigration enforcement--and 
found that risk management principles have been considered and applied 
to varying degrees. For example, in June 2005 we reported that the 
Coast Guard had developed security plans for seaports, facilities, and 
vessels based on risk assessments.\3\ However, other components had not 
always utilized such an approach. As we reported in August 2007, while 
the Transportation Security Administration has developed tools and 
processes to assess risk within and across transportation modes, it had 
not fully implemented these efforts to drive resource allocation 
decisions.\4\ Moreover, in February 2007, we reported that DHS faced 
substantial challenges related to strengthening its efforts to use 
information on risk to inform strategies and investment decisions, for 
example, by integrating a consideration of risk into annual budget and 
program review cycles.\5\ We also reported that while integrating a 
risk management approach into decisionmaking processes is challenging 
for any organization, it is particularly difficult for DHS given its 
diverse set of responsibilities. The Department is responsible for 
dealing with all-hazards homeland security risks--ranging from natural 
disasters to industrial accidents and terrorist attacks. The history of 
natural disasters has provided experts with extensive historical data 
that are used to assess risks. By contrast, data about terrorist 
attacks are comparatively limited, and risk management is complicated 
by the asymmetric and adaptive nature of our enemies.
---------------------------------------------------------------------------
    \3\ GAO, Strategic Budgeting: Risk Management Principles Can Help 
DHS Allocate Resources To Highest Priorities, GAO-05-824T (Washington, 
DC: June 29, 2005).
    \4\ GAO, Department of Homeland Security: Progress Report on 
Implementation of Mission and Management Functions, GAO-07-454 
(Washington, DC: Aug. 17, 2007).
    \5\ GAO, Homeland Security: Applying Risk Management Principles to 
Guide Federal Investments, GAO-07-386T (Washington, DC: Feb. 7, 2007).
---------------------------------------------------------------------------
    In addition to helping Federal agencies like DHS focus their 
efforts, risk management principles can help State and local 
governments and the private sector--which owns over 85 percent of the 
Nation's critical infrastructure--prioritize their efforts to improve 
the resiliency of our critical infrastructure and make it easier for 
the Nation to rebound after a catastrophic event. Congress has 
recognized State and local governments and the private sector as 
important stakeholders in a national homeland security enterprise and 
has directed Federal agencies to foster better information sharing with 
these partners. Without effective partnerships, the Federal Government 
alone will be unable to meet its responsibilities in protecting and 
securing the homeland. A shared national approach--among Federal, 
State, and local governments as well as between public and private 
sectors--is needed to manage homeland security risk.
  identifying effective risk management practices in the private and 
                             public sectors
    Participants discussed effective risk management practices used in 
the public and private sector. For example, they discussed the concept 
of a chief risk officer but did not reach consensus on how to apply the 
concept to the public sector. The participants also identified examples 
of public sector organizations that effectively integrated risk 
management into their operations and compared and contrasted public and 
private sector risk management practices.
Chief Risk Officer
    Participants said that private sector organizations have 
established the position of the chief risk officer, an executive 
responsible for focusing on understanding information about risks and 
reporting this information to senior executives. One key practice for 
creating an effective chief risk officer, participants said, was 
defining reporting relationships within the organization in a way that 
provides sufficient authority and autonomy for a chief risk officer to 
report to the highest levels of the organization. However, participants 
did not reach consensus on how to apply the concept of the chief risk 
officer to the public sector. Participants stated that the U.S. 
Government needs a single risk manager. One participant suggested that 
this lack of central leadership has resulted in distributed 
responsibility for risk management within the administration and 
Congress and has contributed to a lack of coordination on spending 
decisions.
    Another participant stated that the Secretary of DHS fills the 
chief risk officer role. Participants identified various challenges 
associated with appointing a chief risk officer within the public 
sector, including: (1) Balancing the responsibilities for protection 
against seizing opportunities for long-range risk reduction; (2) 
creating a champion but not another silo that is not integrated with 
other components of the organization; and (3) generating leadership 
support for the position.
Integration of Risk Management Principles into Public Sector Operations
    Participants identified examples of organizations that effectively 
integrated risk management into the operations of public sector 
organizations, including the U.S. Coast Guard, the U.S. Army Corps of 
Engineers, and the Port Authority of New York and New Jersey. 
Participants stated that the Coast Guard uses risk management 
principles to allocate resources, balance competing needs of security 
with the efficient flow of commerce, and implement risk initiatives 
with its private sector partners, for example, through Area Maritime 
Security Committees. According to another participant, the Army Corps 
developed flood risk management practices that he saw as notable 
because this information was used to digest and share critical 
information with the public. One participant noted that the Port 
Authority of New York and New Jersey developed and implemented a risk 
assessment program that guided the agency's management in setting 
priorities for a 5-year, $500 million security capital investment 
program. According to this participant, this methodology has since been 
applied to over 30 other transportation and port agencies across the 
country, and the Port Authority has moved from conducting individual 
risk assessments to implementing an ongoing program of risk management.
Comparing and Contrasting Public and Private Sector Risk Management 
        Practices
    Participants observed that while, in some instances, the public and 
private sector should apply risk management principles in similar ways, 
in other instances, the public and private sectors manage risk 
differently. One participant stated in both the public and private 
sectors the risk management process should include the systematic 
identification and assessment of risks through scientific efforts; 
efforts to mitigate risks; and risk adaptation to address financial 
consequences or to allow for effective transfer of risk. However, 
participants noted that the private and public sectors also manage risk 
differently. One participant said the private sector manages risk by 
``pre-funding'' and diversifying risk through insurance. In addition, 
the private sector creates incentives for individuals to lower the 
risks they face from, for example, a car accident or a natural 
disaster, by offering to reduce insurance premiums if the policy holder 
takes certain steps to mitigate these risks. Similarly, the public 
sector also plays a unique role in managing risk, for instance, 
regulating land use and establishing building codes; organizing 
disaster protection, response, and recovery measures; setting 
regulatory frameworks; and supplementing the insurance industry.
    In addition, participants noted that the private sector 
organizations have more flexibility than the public sector to select 
which risks to manage. For instance, participants stated that the 
private sector could avoid risks in cases where the costs of ensuring 
these risks are too high. Additionally, a participant noted that the 
private sector tends to naturally consider opportunity analysis--or the 
process of identifying and exploring situations to better position an 
organization to realize desirable objectives--as an important part of 
risk management. In contrast, participants observed, public sector 
organizations have less flexibility to select which risks to address 
through protective measures. Like the private sector, the Government 
has to makes choices about which risks to protect against--since it 
cannot protect the Nation against all hazards. Unlike the private 
sector, the Government has a wide responsibility for preparing for, 
responding to, and recovering from all acts of terrorism and natural or 
manmade disasters and is accountable to the public for the investment 
decisions it makes.
  identifying and addressing the most critical homeland security risk 
                         management challenges
    Participants identified three key challenges to strengthening the 
use of risk management in homeland security--risk communication, 
political obstacles to making risk-based investments, and a lack of 
strategic thinking. Participants also recommended ways to address them.
Key Challenges
    Many participants, 35 percent, agreed that improving risk 
communication posed the single greatest challenge to using risk 
management principles (see fig. 2 below). Further, 19 percent of 
participants stated political obstacles to risk-based resource 
allocation was the single most critical challenge, and the same 
proportion of participants, 19 percent, said the single most critical 
challenge was a lack of strategic thinking. The remaining participants 
identified other key challenges, for example, technical issues such as 
the difficult but necessary task of analyzing threat, vulnerability, 
and consequences of a terrorist attack in order to assess and measure 
risk reduction; and partnership and coordination challenges.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Risk Communication Challenges
    Participants identified several risk communication challenges and 
recommended actions to address them as follows:
   Educate the public about risks and engage in public 
        discourse to reach consensus on an acceptable level of risk.--
        Participants said that the public lacks a fact-based 
        understanding of what homeland security risks the Nation faces. 
        Participants attributed these problems to media coverage that 
        undermines a fact-based public discussion of risk by 
        sensationalizing acts of terrorism that have dramatic 
        consequences but may be unlikely to occur. In addition, 
        participants stated that even though it is not possible to 
        prevent all disasters and catastrophes, public officials need 
        to engage the public in defining an acceptable level of risk of 
        a terrorist attack or natural disaster in order to make 
        logical, risk-based resource allocation decisions. To 
        communicate with the public about risks in a meaningful way, 
        participants recommended educating the public on how risk is 
        defined, providing fact-based information on what risks we face 
        and the probability they might occur, and explaining how risk 
        informs decisionmaking. One expert recommended the Government 
        communicate about risks through public outreach in ways that 
        calms the public's fears while raising awareness of risks. 
        Another participant recommended that the country engage in a 
        national public discourse to reach consensus on an acceptable 
        level of risk.
   Educate policymakers and establish a common lexicon for 
        discussing risk.--Participants emphasized the importance of 
        educating elected officials on risk management. Several 
        participants believed that the distinction between risk 
        assessment--involving scientific analysis and modeling--and 
        risk management--involving risk reduction and evaluation--is 
        not widely understood by policymakers. In addition, one expert 
        also noted that the Nation should do more to train a cadre of 
        the next generation of risk management professionals. Given 
        differences in education and levels of understanding about risk 
        management, the participants felt it would be important to 
        develop a common lexicon that can be used for dialog with both 
        the layman and the subject matter expert. Without a common, 
        shared understanding of risk management terms, communicating 
        about risks is challenging. Some members of our expert panel 
        recommended focusing specifically on educating elected 
        officials and the next generation of policymakers about risk 
        management. One participant pointed out that a new 
        administration and Congress will soon enter office with a new 
        set of policy objectives, and it will be important to highlight 
        the importance of risk management to incoming policymakers and 
        to persuade them to discuss it. Panelists also recommended 
        creating a common vocabulary or lexicon that defines common 
        risk management terms.
   Develop new risk communication practices to alert the public 
        during emergencies.--Participants said that Government 
        officials lack an understanding of what information to share 
        and how to communicate with the public during an emergency. 
        Participants said that risk analysis, including predictive 
        modeling, tends to neglect a consideration of how the public's 
        expectations and emotions can impact the effectiveness of 
        response efforts and affect the likelihood the public will 
        respond as predicted or directed by Government officials during 
        an emergency. According to one participant, Hurricane Katrina 
        demonstrated that the efficacy of emergency response efforts 
        depends on how the public behaves, as some people chose to 
        shelter in place while others followed directions to evacuate. 
        Participants recommended that governments consider what 
        information should be communicated to the public during a 
        crisis and how best to communicate that information. For 
        instance, one participant suggested that experts look at 
        existing risk communication systems, such as the National 
        Weather Service, that could be used as models for a homeland 
        security risk communication system. The participant noted that 
        the service provides both national and local weather 
        information, looks at overall risks, and effectively provides 
        actionable information to be used by both the public and 
        private sectors. Participants criticized the current color-
        coded DHS Homeland Security Advisory System as being too 
        general, suggesting that the public does not understand what is 
        meant by the recommended actions such as being vigilant.
Political Obstacles to Risk-Based Resource Allocation
    Participants said political obstacles pose challenges to allocating 
homeland security resources based on risk. Participants identified the 
reluctance of politicians and others to make risk-based funding 
decisions. Participants noted that elected officials' investment 
priorities are informed by the public's beliefs about which risks 
should be given the highest priority, beliefs that are often based on 
incomplete information. As a result, participants stated that there is 
less incentive for officials to invest in long-term opportunities to 
reduce risk, such as investing in transportation infrastructure, when 
the public does not view these investments as addressing a perceived 
risk. To better allocate resources based on risk, participants 
recommended that public officials and organizations consider investing 
in protective measures that yield long-term benefits.
Need to Improve Strategic Thinking
    Participants agreed that a lack of strategic thinking was a key 
challenge to incorporating risk-based principles in homeland security 
investments. In particular, participants noted that challenges existed 
in these areas:
   A national strategic planning process is needed to guide 
        Federal investments in homeland security.--Participants said 
        there is a lack of a national strategic planning process to 
        guide Federal investments in homeland security. Balancing the 
        security concerns of various Federal Government agencies that 
        have diverse missions in areas other than security, such as 
        public safety and maintaining the flow of commerce, poses a 
        significant strategic challenge, some participants stated. One 
        participant stated that the President had developed a strategy 
        to guide, organize, and unify the Nation's homeland security 
        efforts in the October 2007 National Strategy for Homeland 
        Security. However, several other participants said that a 
        better process is needed for strategic planning. For example, 
        to think strategically about risk they recommended that 
        stakeholders discuss tradeoffs, such as whether more resources 
        should be spent to protect against risks from a conventional 
        bomb, nuclear attack, biological attack, or a hurricane. 
        Another participant noted that the purpose of risk assessment 
        is to help answer these strategic questions. One participant 
        also recommended that the short-term goal for a national 
        strategic planning process should be identifying the big 
        problems that strategic planning needs to address, such as 
        measuring the direct and indirect costs of reducing risk.
   Fragmented approaches to managing security risk within and 
        across the Federal Government could be addressed by developing 
        Government-wide risk management guidance.--Some participants 
        agreed that approaches to risk management were fragmented 
        within and across the Federal Government. For example, one 
        participant said that each of the Department of Defense 
        combatant commands has its own perspective on risk. According 
        to this participant, this lack of consistency requires 
        recalculations and adjustments as each command operates without 
        coordinating efforts or approaches. Three participants also 
        said that there is a lack of Government-wide guidance on using 
        risk management principles to manage programs. To address this 
        problem, participants said Government-wide guidance should be 
        developed. Two participants suggested that OMB or another 
        Government agency should play a lead role in outlining goals 
        and general principles of risk assessment and getting agencies 
        to implement these principles.
Partnership and Coordination Challenges
    Participants agreed that risk management should be viewed as the 
responsibility of both the public and private sector. They identified 
challenges related to public-private collaboration:
   Private sector should be more involved in public risk 
        assessments.--Participants said that public-private 
        partnerships are important and should be strengthened. One 
        reason partnerships may not be as strong as they could be is 
        that the private sector may not be appropriately involved in 
        the public sector's risk assessments or risk-based decision-
        making. Participants agreed that the private sector should be 
        involved in developing risk assessments because when these 
        stakeholders are not sufficiently involved they lose faith in 
        Government announcements and requirements related to new risks 
        and threats. To this end, DHS has established coordinating 
        councils for critical infrastructure protection that allow for 
        the involvement of representatives from all levels of 
        Government and the private sector, so that collaboration and 
        information sharing can occur to assess events accurately, 
        formulate risk assessments, and determine appropriate 
        protective measures.
   Increase the involvement of State and local practitioners 
        and experts.--Participants observed that intergovernmental 
        partnerships--between Federal, State, local, and tribal 
        governments--are important for effective homeland security risk 
        management. They recommended that more State and local 
        practitioners and experts become involved in applying risk 
        management principles to homeland security.
    This concludes my prepared statement. I would be pleased to answer 
any questions you and the subcommittee Members may have.
                    Appendix I: List of Participants
Moderators
    Cathleen A. Berrick: Director, Homeland Security and Justice, 
Government Accountability Office; Sallyanne Harper: Chief 
Administrative Officer and Chief Financial Officer, Government 
Accountability Office; Norman J. Rabkin: Managing Director, Homeland 
Security and Justice, Government Accountability Office.
Participants
    Michael Balboni: Deputy Secretary for Public Safety, State of New 
York; Esther Baur: Director, Group Communications, Head of Issue 
Management & Messages, Swiss Re; Baruch Fischhoff: Howard Heinz 
University Professor, Department of Social and Decision Sciences and 
Department of Engineering and Public Policy, Carnegie Mellon 
University; George W. Foresman: President, Highland Risk & Crisis 
Solutions, Ltd., Former Under Secretary for National Protection and 
Programs, Former Under Secretary for Preparedness, U.S. Department of 
Homeland Security; Tina W. Gabbrielli: Director, Office of Risk 
Management and Analysis, National Protection and Programs Directorate, 
Department of Homeland Security; James Gilmore: Partner, Kelley Drye & 
Warren, LLP, Chairman, Advisory Panel to Assess Domestic Response 
Capabilities for Terrorism Involving Weapons of Mass Destruction, 
Governor of Virginia, 1998-2002; Corey D. Gruber: Assistant Deputy 
Administrator, National Preparedness Directorate, Federal Emergency 
Management Agency, Department of Homeland Security; Brian Michael 
Jenkins: Senior Advisor to the President, RAND Corporation; RDML Wayne 
E. Justice: Rear Admiral, Director of Response Policy, United States 
Coast Guard; Kenneth L. Knight, Jr.: National Intelligence Officer for 
Warning, National Intelligence Council, Office of the Director of 
National Intelligence; Howard Kunreuther: Cecilia Yen Koo Professor, 
Department of Decision Sciences and Public Policy, Wharton School, 
University of Pennsylvania, Co-Director, Wharton Risk Management and 
Decision Processes Center; Peter Lowy: Group Managing Director, 
Westfield Group; Thomas McCool: Director of the Center for Economics, 
Government Accountability Office; Susan E. Offutt: Chief Economist, 
Government Accountability Office; John Paczkowski: Director, Emergency 
Management and Security, Port Authority of New York and New Jersey; 
John Piper: Senior Security Consultant, Talisman, LLC; William G. 
Raisch: Director, International Center for Enterprise Preparedness, New 
York University; Joseph A. Sabatini: Managing Director, Head of 
Corporate Operational Risk, JPMorgan Chase; Kenneth H. Senser: Senior 
Vice President for Global Security, Aviation and Travel, Wal-Mart 
Stores, Inc.; Hemant Shah: President and Chief Executive Officer, Risk 
Management Solutions; Steven L. Stockton: Deputy Director of Civil 
Works, U.S. Army Corps of Engineers; William F. Vedra, Jr.: Executive 
Director, Ohio Homeland Security; Detlof von Winterfeldt: Professor, 
Industrial and Systems Engineering Viterbi School of Engineering, 
University of Southern California, Professor of Public Policy and 
Management, School of Policy Planning, Director, Center for Risk and 
Economic Analysis of Terrorism Events, University of Southern 
California; Scott T. Weidman: Director, Board on Mathematical Sciences 
and Their Applications, National Research Council; Henry H. Willis: 
Policy Researcher, RAND Corporation.

    Ms. Jackson Lee. Thank you very much, Mr. Rabkin.
    Thank you both for your testimony.
    As I proceed on this question, there are many variables 
that come to mind when we think about risk. One of the most 
striking, beyond the horrific tragedy of 9/11 that caused the 
organization of the Department of Homeland Security and this 
committee, of which I was one of the early members of the 
Homeland Security Steering Committee, the organizing committee, 
was the lack of risk assessment that played into our response 
during Hurricane Katrina--less so with Hurricane Rita, but 
certainly the tragedies of what occurred were enhanced or 
worsened because it seemed as if we had no understanding of how 
you project risk.
    As we watch levees standing or falling in the recent 
episode of flooding that has created a great deal of tragedy in 
many parts of the United States, we wonder whether or not we 
have even improved. So my questions go in the context of 
reality. That is why we are holding this hearing. Certainly, as 
all of us have expressed our sympathy to Mr. McInnis, we know 
that tragedies, incidents can result in loss of life.
    Let me start, Secretary Jamison, as I yield myself 5 
minutes, to ask you quickly, and your answers please, I have a 
number of questions. In our letter to Secretary Chertoff dated 
May 15, 2008, the committee requested quarterly briefings by 
the Office of Risk Management and Analysis to ensure that it 
was staying focused on its core mission. Will the Department 
commit to this request?
    Mr. Jamison. Yes, I would be glad to come up and brief you 
quarterly or as frequently as you would like to keep you up to 
speed on our progress.
    Ms. Jackson Lee. We just wanted to get that on the record 
so we can get that scheduled and to make sure that we have 
gotten that answer.
    The Office of Risk Management and Analysis has asserted to 
this committee that among its major functions is the 
construction of a risk lexicon. Many of us think that this is 
work already done. I assume this is part of a baseline that we 
are trying to work on. Can you tell us how far along they are 
on this project, and when can we expect to receive a copy of 
this particular report?
    Mr. Jamison. We are actually very far along in the process 
and have been working on it through the risk management working 
groups within the Department for several months now. We have 
identified I believe about 80 terms for the lexicon. We expect 
it to be completed by the end of the summer. Hopefully, that 
will play a much larger portion role in the broader framework 
that we are trying to put together in addition to a lexicon, 
best practices and other strategic frameworks of guidance that 
needs to be delivered across the Department and to be 
implemented down into the national infrastructure protection 
plan in that framework.
    Ms. Jackson Lee. That would be helpful. I think these 
quarterly meetings that you will have with us will be 
important, but we would like to see minutes of the meetings 
that you are having and try to find out how often these 
meetings are going on. I have tried to give this hearing a 
sense of urgency. So how often are these meetings going on in 
the Department?
    Mr. Jamison. We have meetings at different levels, so we 
have an integrated framework. We have a steering committee that 
is at a higher level, an executive level at the under secretary 
and the assistant secretary level. We also have working group 
levels that are meeting. I believe the working group levels 
have met more than 40 times already on trying to work on these 
strategic issues such as the lexicon, the integrated framework, 
and RAPID.
    Ms. Jackson Lee. We know the United Kingdom has already 
organized itself around a national risk assessment for homeland 
security. It outlines the Nation's risk assessment in Great 
Britain strategy and framework. Have we done so? Why have we 
not done so? Or if we haven't done so, why not?
    Mr. Jamison. I think there has been a lot of work that has 
been done, as you mentioned earlier, in the standup of the 
Department and all the individual agencies, whether it is TSA 
or Coast Guard or even the Infrastructure Protection Division.
    Ms. Jackson Lee. But do we have something similar to the 
one in Great Britain?
    Mr. Jamison. That is what we are working toward.
    Ms. Jackson Lee. We don't have it yet?
    Mr. Jamison. No.
    Ms. Jackson Lee. All right. What about a position for a 
chief risk officer?
    Mr. Jamison. I think that we have in fact got a chief risk 
officer as the director of the Risk Management Directorate. The 
way I have read the report that GAO recommends, you need one 
person that is in charge of that guidance, and one person that 
is in charge across DHS in providing that consistency. That is 
the Risk Management Directorate. It is located within the 
headquarters and NPDD.
    Ms. Jackson Lee. While I would commend you, Secretary 
Jamison, and we know that people are hard working, I don't 
think that office even has a strategy or strategic plan. I 
would also say that is something that we need to have. But let 
me continue because I want to ask Mr. Rabkin some questions. I 
think we are going to make a good start by having these 
quarterly meetings.
    In terms of risk assessment and management, what kinds of 
communications are being given to State and county and local 
government which really would have impact on the tragic 
incident of Goodyear? What kind of directives are coming out 
for those entities to be conscious of risk and risk assessment 
and risk management?
    Mr. Jamison. I think there are several ways that we can 
address that question. I think, as Mr. Rabkin alluded to, the 
national infrastructure protection framework that we put out to 
the infrastructure sector and the sector coordinating councils 
and government coordinating councils is the mechanism by which 
we communicate with those sectors.
    Ms. Jackson Lee. Government coordinating councils?
    Mr. Jamison. The sector coordinating council process, so 
for the individual infrastructure sector, for example, the 
chemical sector has representation from private industry, and 
communication portals where we provide best practices and 
provide risk assessments.
    Ms. Jackson Lee. Is that overlapping secretariats? Is that 
overlapping assistant secretaries that address that within DHS?
    Mr. Jamison. It does overlap because it is critical 
infrastructure sectors. For instance, TSA has a role in the 
transportation sectors of critical infrastructure.
    Ms. Jackson Lee. But are you all coordinated? Why don't I 
just jump to this steering committee concept and ask you how 
often you all are meeting.
    Mr. Jamison. The working group steering committees are 
meeting very frequently. We have had strategic executive-level 
committee meetings as well. We are waiting for the next level 
of work to be pushed up by the working group level--the 
lexicon, the framework guidelines--before our next meeting. We 
have a commitment from Secretary Chertoff to drive this 
consistency. We also have the commitment from the executive 
committee of this steering committee to move forward and to get 
a framework integrated by the end of the year.
    Ms. Jackson Lee. Mr. Secretary, I appreciate it. Glean from 
my tone a sense of urgency to move forward. We are talking 
about 2008. I think I heard you clearly that we don't have a 
chief risk officer, if I am not mistaken. It is long overdue. I 
am not sure whether we are communicating to local, State and 
county government--long overdue.
    So let me just put on the record that we need these 
quarterly meetings. We would like to see the work of the team 
that you have in place, the steering committee, as well as the 
meetings that are going on. I think time is of the essence and 
we are urgently in need of trying to understand to protect 
ourselves. I thank you for answering my questions.
    Mr. Rabkin, you mentioned the word ``communication.'' It 
seemed like that just jumped out at me. It really did because I 
used the backdrop of Hurricane Katrina. We certainly were not 
communicating there. That is just one example.
    But tell me what progress the Department of Homeland 
Security made in implementing its risk management framework? In 
a more important sense, what are the challenges that remain?
    Mr. Rabkin. There is progress that has been made. I think 
the Department has outlined where they want to go. They have 
communicated that through the national infrastructure 
protection plan and some of the internal operations that 
Secretary Jamison has been talking about.
    But certainly they have many different components that are 
all considering risk as they make their own investment 
decisions, as they make recommendations to the secretary of how 
much budget they should get and where it should be invested. 
These kinds of decisions ought to be guided by some common risk 
principles. I think that is what this Office of Risk Management 
and Analysis is planning to do is to get some commonality 
across.
    I understand that they all have individual missions and 
they should have some flexibility in how they apply the 
principles, but once the principles are straight and we have 
some confidence that they are being applied equally, then the 
secretary can make informed judgments as to which of these 
various investments get priority and where the next dollar 
ought to go.
    Ms. Jackson Lee. So what you are saying is this work is 
crucial in terms of putting these guidelines, these directives 
in place, to give guidance to the secretary, to give guidance 
on how we move forward in the Department.
    Mr. Rabkin. Absolutely. I think it is only reality that 
these decisions have been made in the past and some have been 
more risk-informed than others. They have to be made. Budgets 
have to be submitted and acted upon.
    Ms. Jackson Lee. Let me ask the obvious question. Does our 
Government need a national risk assessment? If so, who should 
lead it? How quickly should we get it?
    Mr. Rabkin. If we are talking about homeland security only, 
then obviously it does. I think it gets it through both the 
secretary and the Homeland Security Council in the White House 
that can look across departments and across issues. If we are 
talking about more than homeland security, if we are talking 
about risk assessment for all the issues that the Federal 
Government has to deal with, I think OMB is in a better 
position to ensure that risk management principles are applied 
to all the departments, and that the consolidated Federal 
budget is based on these principles so that decisions about 
investing in homeland security or any other need--national 
defense or education or environment--are made based on the same 
guidelines.
    Ms. Jackson Lee. Since we are starting here in DHS, I think 
my focus will be getting our shop in order and using the 
internal mechanisms. Do you think, then, there is great 
validity in a chief risk officer for DHS?
    Mr. Rabkin. I agree with the discussion that took place at 
our forum, that by identifying someone as a chief risk officer 
puts credibility and focus on that issue and raises it to the 
same level as chief information officer, chief management 
officer, chief human capital officer. That is what the 
Department deals with all the time, and I think it is 
appropriate.
    Ms. Jackson Lee. Thank you so very much.
    It is my pleasure to yield to the distinguished gentleman 
from Florida, Mr. Bilirakis, for his questioning.
    Mr. Bilirakis. Thank you, Madam Chairwoman.
    This question is for both panelists. Are there metrics or 
performance measures that can help determine whether risk-based 
resource allocation and Federal homeland security programs are 
in fact actually reducing risks to critical infrastructure and 
key resources? Can you provide specific examples of how such 
risk-informed decisionmaking has brought down risk to certain 
sectors? For both panelists, please.
    Mr. Jamison. I will take a first shot at that. I think that 
there has been a lot of work across the Department trying to 
prioritize risk and to try to incorporate it into the 
individual areas that we are trying to mitigate risk in, for 
instance the aviation sector or the maritime sector. There has 
been a lot of work in trying to prioritize the grant process to 
make sure we are capturing the threats, vulnerabilities and 
consequences to effectively give out resources to manage that 
risk.
    We are in the process of trying to get better metrics to 
determine how that funding and how those resources have driven 
down and mitigated that risk. The Coast Guard has done some 
work in that area. FEMA has undertaken that work for their 
management process. We have a ways to go.
    It is a difficult problem to be able to determine how 
individual pieces of that system of systems of security have an 
impact that you can bring back and quantifiably measure. But it 
is definitely the direction that we are going to try to make 
sure that those investments are having an impact in the State 
and local communities that we are trying to protect.
    Mr. Rabkin. I would like to put a little different twist on 
it, and perhaps lower your expectations about how much we can 
quantify risk across the board. When we talk about assessing 
the risk that is inherent in any of these problem areas or 
components of homeland security, we are talking about a 
combination of threat and vulnerability and consequences. So we 
are talking about how well can we measure what the threat is. 
Threat, as best I can tell, generates from the intelligence 
community and is to a certain extent subjective.
    Second, we talk about the vulnerabilities of various 
sectors to attack, either by terrorists or some natural 
disasters. The vulnerabilities can be better measured. I think 
we have in the various sectors checklists of things to look 
for, whether they have closed-circuit surveillance cameras or 
not, for example; whether the perimeters are secure.
    The consequences of any bad event are also quantifiable, 
but there is a lot of judgment that goes into how far you go 
and what kind of results you are trying to quantify. If 
something bad happens, what are the consequences? Well, if a 
chemical plant is attacked and there is an explosion, there are 
immediate consequences to the workers and to the immediate 
community. There are also downwind consequences as the 
chemicals spread, and you have to try to measure that. There is 
also the psychological effect of a terrorist attack being 
successful. That is much more difficult to measure.
    Mr. Bilirakis. Okay. In your written testimony, Mr. 
Secretary, you noted that the Department is still working to 
implement an integrated framework of risk-informed 
decisionmaking. How far off is DHS from developing a 
methodology for cross-sector risk analysis? Are you confident 
that DHS is allocating resources in the most effective manner 
in the absence of the ability to measure cross-sector risk?
    Mr. Jamison. Well, there are two different efforts that are 
ongoing that get at the intent of your question, I believe: one 
within the National Infrastructure Protection Directorate, Bob 
Stefan's directorate. They are working at a cross-sector 
methodology across those sectors to aggregate that information 
and are looking at about five different methodologies to be 
able to roll up a more comprehensive risk picture. We 
anticipate that we will have a lot of that work done by early 
next year.
    There is also the effort across the Department to roll up 
the risk not only from infrastructure protection, but also from 
TSA, from the other components into a much broader framework. 
There has been a lot of work done applying the different 
program that we have, the well over 120 programs that we have 
focused on risk mitigation and how they stack up against our 
priorities.
    We are currently going through a methodology called the 
RAPID process to be able to run some prototypes on different 
scenarios and to try to give a quantification to how well we 
are managing risk against those different scenarios. We hope to 
be able to prototype them in the fall.
    Mr. Bilirakis. Mr. Rabkin, what are some of the ways that 
the public and private sectors should apply risk management 
principles similarly? Are there ways they should manage risk 
differently? What do you mean when you say that risk 
communication is the single greatest challenge to using risk 
management principles?
    Mr. Rabkin. I think the participants at our forum focused 
on risk communication because the decisionmaking process is so 
inexact as a science. It is an art that is developing. In the 
absence of solid ways to make these decisions, what really 
works best is an informed public, sharing of information 
between people that have it and people that need it.
    In the case of the transportation sector, for example, 
sharing between TSA and the airlines or TSA and railroad 
operators, passenger rail or freight rail. I think the 
witnesses on the next panel can talk very well about that kind 
of interaction between the locals who need to take actions and 
make investments to take specific actions. Those investments 
may be funded by DHS. They may be funded locally. To the extent 
that they have better information and there is more 
communication that takes place, the more confidence they have 
that they are making wise investments.
    Mr. Bilirakis. One more question, Madam Chair? Is that all 
right? Okay.
    During GAO's forum last year on applying risk management in 
homeland security, participants concluded that the public needs 
to be educated about acceptable levels of risk and better 
understanding of the homeland security risks facing our Nation. 
How did the forum participants propose doing that?
    Mr. Rabkin. There were a couple of ideas that were 
suggested. I don't have them at my fingertips. I can certainly 
provide them for the record.
    Mr. Bilirakis. We would appreciate that. Thank you.
    Thank you, Madam Chair. I appreciate it.
    Ms. Jackson Lee. The gentleman's time has expired.
    Let me thank the witnesses. There being no further 
questions for our first panel, I thank Mr. Jamison and Mr. 
Rabkin for appearing before the subcommittee today for this 
very important hearing.
    I am going to request, Mr. Jamison and Mr. Rabkin, that we 
have a briefing that may come in short order in the month of 
July, when we have more extensive time of trying to understand 
where the Department of Homeland Security is in particular, the 
chief risk officer's status, and the level of performance in 
getting to the baseline. We really need to have an 
understanding both by this committee and the Department of how 
and what risk means.
    Risk means urgency. I frankly believe that we have not 
captured that as we have moved forward. So I believe that a 
briefing would be appropriate. So I will look forward to 
extending an invitation to you, as I thank you for appearing 
before this committee on this important hearing. The Members of 
the subcommittee may have additional questions for you, and we 
ask that you respond to them expeditiously in writing. You are 
now dismissed.
    We now welcome our second panel to take their seats at the 
witness table.
    Let me thank you both very much.
    It is my pleasure to welcome the second panel of witnesses. 
Our first witness, Mr. John Paczkowski, has worked for the Port 
Authority of New York and New Jersey since 1978, holding a 
variety of executive-level positions in planning, policy and 
operations. In September, 2001, he was the assistant director 
for operations and managed the agency's emergency operations 
center following the 
9/11 attacks on the World Trade Center.
    In 2002, he worked in partnership with the Office for 
Domestic Preparedness to develop and implement a risk 
assessment program that guided the setting of priorities for a 
5-year, $500 million security investment program. This 
methodology has been applied at over 30 other transportation 
and port agencies across the country.
    Mr. Paczkowski is also a member of the board of directors 
for the Security Analysis and Risk Management Association. 
SARMA is a nonprofit professional association serving those 
responsible for formulizing and managing security risk to 
systems, structures, operations and information systems from 
manmade threats. Welcome to you.
    Our second witness, Dr. James Carafano, is an expert in 
defense affairs, military operations and strategy, and homeland 
security at the Heritage Foundation. Dr. Carafano's research 
focuses on developing the national security needed to secure 
the long-term interests of the United States, protecting its 
citizens, providing for economic growth, and preserving civil 
liberties.
    Dr. Carafano was an assistant professor at the U.S. 
Military Academy in West Point, New York. He served as director 
of military studies at the Army's Center of Military History. 
He has also taught at Mount Saint Mary College in New York and 
served as a fleet professor in the U.S. Naval War College. He 
is a visiting professor at the National Defense University and 
Georgetown University. He is a graduate of West Point, and also 
has a master's degree and a doctorate from Georgetown 
University and a master's degree in strategy from the U.S. Army 
College. You are welcome.
    Our third witness is Mr. Raymond McInnis. Mr. McInnis 
recently lost his wife, Gloria McInnis, on June 11, when a 
chemical explosion blast occurred in the heat exchange unit of 
the Goodyear plant in Houston. Gloria had worked at the plant 
for 31 years as a faithful and dedicated and committed worker.
    Mr. McInnis retired from the Goodyear chemical plant in 
Houston after working there for 38 years as a committed and 
dedicated and knowledgeable worker, where he rose to the rank 
of shift foreman. Ray and Gloria McInnis were married for 18 
years. In his grief, we are very honored and respectful of his 
presence here today. Welcome, Mr. McInnis.
    Our fourth witness is Mr. John Morawetz. Mr. Morawetz has 
worked for the International Chemical Workers Union Council, 
which is part of the United Food and Commercial Workers 
International Union, since 1988. The ICWUC was founded in 1944 
and represents more than 20,000 chemical workers in 32 States, 
including many of them in the State of Texas.
    In 1988, Mr. Morawetz was hired as the founding director of 
the Council Center for Worker Health and Safety Education in 
Cincinnati, Ohio. In 2005, he was named the director of the 
union's Health and Safety Department. The center is part of a 
union consortium made up of six unions. It trains 2,000 
participants each year in industrial, hospital and school 
chemical emergency response and disaster preparedness, and has 
an extensive worker training and development program which 
develops rank-and-file workers as educators.
    Without objection, the witnesses' full statements will be 
inserted in the record.
    I also want to acknowledge Ms. Sue Davis who has traveled 
here with Mr. McInnis. Welcome.
    I now ask each witness to summarize his statement for 5 
minutes, beginning with Mr. Paczkowski. Again, we welcome you. 
Thank you.

STATEMENT OF JOHN P. PACZKOWSKI, DIRECTOR, EMERGENCY MANAGEMENT 
    AND SECURITY, PORT AUTHORITY OF NEW YORK AND NEW JERSEY

    Mr. Paczkowski. Thank you, Madam Chairwoman, Ranking Member 
Bilirakis and Members of the subcommittee. Thank you for the 
opportunity to testify here today.
    I am John Paczkowski, director of emergency management and 
security for the Port Authority of New York and New Jersey, and 
a member of the board of directors of the Security Analysis and 
Risk Management Association, also known as SARMA. I will be 
speaking with you from both perspective today.
    My organization, the Port Authority of New York and New 
Jersey, is a bi-State public agency responsible for operating 
some of the New York region's most significant critical 
infrastructure, to include its major airports, its largest 
marine cargo terminals, and its network of interstate tunnels 
and bridges.
    The World Trade Center was our flagship facility and 
headquarters for over 30 years. Among the nearly 3,000 lives 
that perished on 9/11, the agency lost 84 of its corporate 
staff, to include 37 port authority police officers. Having 
been twice the victim of significant acts of terrorism, and as 
the operator of transportation facilities that are lucrative 
terror targets, no other organization is more aware of the 
importance of homeland security than the port authority.
    Following the 9/11 attacks, we conducted a comprehensive 
series of security audits performed by expert consultants. The 
results were staggering, with over 20 individual reports, 1,100 
recommendations, and potential costs of just over $1 billion. 
Management's reactions were predictable. No. 1, do we really 
need to do it all? No. 2, what is most important to do first? 
No. 3, how do we know what will return the greatest security 
benefit? And No. 4, how will we be able to measure performance?
    Beginning in 2002, we partnered with DOJ and later DHS to 
develop and implement a risk assessment methodology to guide 
security planning and priorities for our initial 5-year, $500 
million security investment program. Since then, we have 
implemented an ongoing program of security risk management 
where new assessments are compared against prior results, 
allowing us to measure the risks as a measure for security 
program performance.
    Unfortunately, as successful as we have been, our results 
are unique to our agency and not compatible with other efforts 
on a regional, State or national level, and are therefore of 
limited value to DHS when assessing overall homeland security 
risk. Nonetheless, I think our success proves that new 
approaches to security risk management do work and this should 
reinforce DHS, the administration and Congress to continue to 
advance risk management as a national homeland security policy.
    Before this body considers what to do next, it is important 
to note that risk assessment approaches are not being applied 
in a range of industry sectors at different levels of 
government, using different methods and with different 
objectives. As a new field, this is to be expected and to some 
degree beneficial.
    However, we are now at an important crossroads, and in the 
view of SARMA, stronger and more unified Federal leadership is 
urgently needed. The focus on homeland security that emerged 
after 9/11 produced significant new funding for security risk 
management efforts. Unfortunately, those efforts are not 
necessarily coordinated or compatible in their approach.
    As a result, almost 7 years after 9/11, the Nation has yet 
to achieve a consistent and well-integrated risk management 
framework providing decisionmakers at all levels with the 
ability to intelligently manage homeland security risk. In 
SARMA's view, this is largely the result of the following 
factors. Security risk management is an immature discipline 
that has developed independently and unevenly across the 
Federal Government and private industry.
    There is no national system of governance to guide risk 
practitioners and ensure collaboration and interoperability in 
the development or risk management approaches. There is no 
comprehensive documented body of knowledge on the current state 
of the discipline from which to implement new security risk 
management efforts. There is currently no capability to train 
or certify the knowledge and technical skills of security risk 
management professionals and bring new entrants into the field.
    These factors notwithstanding, SARMA believes there are a 
few practical steps within existing authorities that can be 
taken now to remedy the situation. Most significantly, we 
believe the Federal Government should create a national 
security risk management program. Under that program, Federal 
departments and agencies should be required to create a chief 
security risk officer appropriately positioned and empowered to 
synchronize, coordinate and monitor all security risk 
management efforts within their organizations.
    A DHS chief security risk officer would harmonize homeland 
security risk management policies and programs to ensure 
consistency, compatibility and integration, not only within 
DHS, but also with State and local governments and the private 
sector. Moreover, the program would create a risk management 
governance structure to span the interagency community and 
bring standardization and rigor to the assessment of security 
risks, while increasing overall confidence in the process and 
the decisions that result.
    In closing, a more uniform and coordinated approach to 
security risk management will greatly enhance our Nation's 
ability to understand and manage the multitude of threats we 
face now and well into the future. That will lead to improved 
decisionmaking and more efficient prioritization of resources 
by not only Congress and the White House, but by the thousands 
of State and local government and private sector leaders that 
make up the fabric of our national homeland security effort.
    This challenge is beyond the scope of DHS alone, and 
therefore SARMA encourages the Congress, the White House, 
Federal departments, State and local governments, and the 
security profession to join forces and achieve a risk 
management framework that will provide the Nation with the 
security it needs at a price it can afford. The members of 
SARMA stand ready to assist in whatever way we can to help 
advance this important initiative.
    Thank you.
    [The statement of Mr. Paczkowski follows:]
                Prepared Statement of John P. Paczkowski
                             June 25, 2008
    Chairwoman Jackson Lee, Ranking Member Lungren, and Members of the 
subcommittee, thank you for the opportunity to testify on ways the 
Federal Government can build on the efforts of the Department of 
Homeland Security (DHS) and others in applying risk management 
practices to better secure our Nation. I am John Paczkowski, Director 
for Emergency Management and Security at The Port Authority of New York 
& New Jersey and a member of the Board of Directors of the Security 
Analysis and Risk Management Association.
    The assessment and management of risk enables and supports the full 
spectrum of our national security and homeland security efforts, 
including decisions about when, where, and how to invest limited human 
and financial resources. In the face of multiple and diverse threats 
and hazards, we must accept that security risk--a function of threats, 
vulnerabilities, and consequences--is a permanent condition, but one 
that can be better managed through the creation of a well-integrated 
national framework.
    As an emergency management and security professional that has 
successfully applied risk management practices at an agency level and 
across multiple transportation sectors, I have experienced the value of 
using these tools to support homeland security decisionmaking first 
hand. This experience, as well as my leadership role with SARMA, has 
provided me with broad exposure to the range of national efforts 
undertaken in the wake of the 9/11 terror attacks. I will be speaking 
with you from both perspectives today.
                     the port authority experience
    The Port Authority is a bi-State public agency responsible for 
operating some of the New York/New Jersey region's most significant 
critical infrastructure. We manage all of the areas major commercial 
airports (Newark Liberty, John F. Kennedy, LaGuardia, Stewart, and 
Teterboro); its largest complex of marine cargo terminals (Port Newark 
and Elizabeth, Howland Hook, and Brooklyn Piers); and its network of 
interstate tunnels and bridges (the Lincoln and Holland Tunnels; the 
George Washington, Bayonne, and Goethals Bridges; and the Outerbridge 
Crossing). The agency also operates the Port Authority Bus Terminal, a 
major transit hub near the heart of Times Square and the largest 
facility of its kind in the world. Our PATH rail transit system is a 
vital trans-Hudson commuter link and was the target of a serious terror 
plot foiled by the FBI not long after the London and Madrid metro 
bombings.
    The World Trade Center was our flagship facility and headquarters 
for over 30 years. We still own that site today and are responsible for 
its redevelopment. Among the nearly 3,000 lives that perished on 9/11, 
our agency lost 84 of its corporate staff, to include 37 Port Authority 
Police Officers. Having been twice the victim of significant acts of 
terrorism and endured numerous potential threats that thankfully never 
materialized, and as the owner and operator of vital transportation 
infrastructure that remain lucrative terror targets, no other 
organization is more acutely aware of the importance of homeland 
security than the Port Authority.
    Following the 9/11 attacks, the Port Authority conducted a 
comprehensive series of security audits at all of it facilities. 
Performed by expert consultants, the results were staggering. Over 20 
individual reports, 1,100 recommendations, and a potential cost, by 
staff's estimate, of just over $1 billion to implement. Moreover, there 
was no sense of priority among the recommendations. Management's 
reactions were predictable, and not unlike those of the Congress for 
the Nation at large: (1) Do we really need to do all of the things 
recommended?; (2) Assuming we do, if we can't pay for it all, what is 
most important to address first?; (3) How do we know what types of 
solutions will return the greatest security benefit given what we have 
to invest?; and finally, (4) How will we be able to measure the 
performance of those investments after they have been implemented?
    Believing these to be the fundamental questions that would 
ultimately drive homeland investment going forward, we reached out for 
assistance to pursue our own security risk management program. 
Beginning in 2002, we partnered with DOJ, and later DHS, to develop and 
implement a risk assessment methodology to guide security planning and 
priorities for our initial 5-year, $500 million security investment 
program. The methodology permitted the agency to examine an array of 
potential security threats, assess the criticality of its assets, 
estimate the potential consequences of successful attacks, and make 
cross-sector comparisons of risk. Under a DHS technical assistance 
program, it has since been applied to 36 other transportation agencies 
across the country.
    Following completion of our first assessment in 2002, we have 
subsequently repeated the process on a 2-year cycle, updating security 
priorities, plans, and budgets in two successive iterations. In so 
doing, we have moved the agency from conducting individual risk 
assessments to implementing an ongoing program of security risk 
management. As each risk assessment is conducted, the results are 
compared against the prior one and the change in relative risk is 
calculated. This comparison shows not only the improvement in the 
agency's risk profile as the result of new investment but also any 
changes arising from adjustments to our infrastructure portfolio or the 
overall threat picture. In this way, we can measure the ``buy-down'' in 
risk as a metric for security program performance.
    In addition to measuring risk reduction performance, we have worked 
with DHS consultants to implement a cost-benefit analysis component to 
the methodology that facilitates comparisons of competing high-cost 
security alternatives. This tool permits us to evaluate which security 
improvements or, more importantly, which sets of improvements will 
provide greatest risk reduction ``value'' for the money invested and 
risk reduction potential to be achieved. We recently used this tool 
with great success in evaluating complex, high-cost alternatives for 
securing our PATH rail transit system, and will be applying it to the 
development of our long-range security investment plan going forward. 
The next evolution of the Port Authority's risk management program will 
go beyond security risks and examine a range of additional man-made and 
natural threats in an agency-wide, cross-sector, ``all hazards'' 
assessment.
    To my knowledge, no other organization at the State and local level 
has advanced security risk management practice to the degree that we 
have at the Port Authority. Unfortunately, as successful as we have 
been, our risk assessment results are unique to our own agency and not 
compatible with other similar efforts on a regional, State or national 
level, and are therefore of limited value to DHS when assessing overall 
homeland security risk. Nonetheless, our success proves that new 
approaches to security risk management do work, and this fact should 
reinforce efforts by DHS, the administration, and the Congress to 
advance risk management as a fundamental element of national homeland 
security policy.
    Before the administration and the Congress consider what to do 
next, it is important to note that risk assessment approaches are now 
being applied within a range of industry sectors, at different levels 
of government, by different agencies, using different methods, and with 
different objectives. As a new field, this is to be expected and to 
some degree necessary. However, we are now at an important crossroads 
and, in the view of the Security Analysis and Risk Management 
Association (SARMA), stronger and more unified Federal leadership on 
this issue is urgently needed to lead and coordinate the numerous 
duplicative and conflicting efforts in DHS and across the Federal 
Government.
                         the sarma perspective
    SARMA is an all-volunteer, non-profit, professional association 
serving those responsible for analyzing and managing security risks to 
individuals, structures, systems, operations, and information. SARMA 
was founded in April 2006 by career security analysis and risk 
management professionals dedicated to fostering more effective public/
private partnerships to advance consistent, risk-based approaches that 
provide decisionmakers with measurable results for intelligently 
reducing security risks. The span of SARMA interest includes terrorism, 
intelligence collection, cyber crime, and natural hazards. SARMA 
fosters an open collaborative and non-partisan environment to promote 
the further development, standardization, and professionalization of 
the security analysis and risk management discipline for the benefit of 
the American public, the Nation's security, and the security profession 
in general.
    SARMA's mission is to elevate the practice of security analysis and 
risk management to a mature, standardized, and consistent discipline 
among a growing cadre of formally trained and certified professionals, 
all working together to make the Nation more secure and resilient. 
SARMA provides a vital link between the Government, the private sector, 
academia, and individual practitioners. Without this link, homegrown 
risk methods and theories tend to proliferate, making it even more 
difficult to coordinate protective efforts between all levels of 
government or with the private sector.
    Over the years, significant resources have been expended by Federal 
departments and the private sector to implement security risk 
management processes and methods. However, despite the considerable 
sums spent to effect improvement, security risk management efforts 
remained largely unchanged until the terrorist attacks of September 11, 
2001. The focus on homeland security that emerged after 9/11 resulted 
in considerable numbers of new analysts and consumers of security risk 
information, and also produced significant new funding for security 
risk management efforts. Nonetheless progress to advance a well-
integrated national framework still lags.
    DHS, other Federal agencies, academia, and the private sector have 
used newly available homeland security funding to develop and implement 
a wide array of new security risk methodologies, which are not 
necessarily coordinated or compatible in their approach. In addition, 
various homeland security directives and plans either provide 
conflicting guidance or remain silent on the security risk assessment 
methods to be used by Federal agencies, State and local government, and 
the private sector. As a result, almost 7 years after 9/11, the Nation 
has yet to achieve a consistent and well-integrated risk management 
framework providing decisionmakers at all levels with the ability to 
intelligently manage homeland security risk.
    In SARMA's view, this is largely the result of the following 
factors:
Security risk management is an immature discipline that has developed 
        independently and unevenly across the Federal Government and 
        private industry.
    DHS correctly seized on the applicability of security risk 
management to its mandate of protecting the homeland, but it has not 
taken steps to ensure the structure, processes, and cadre of qualified 
risk analysts are in place as necessary to effectively serve the 
mission. Accordingly, there is still no formal system or framework to 
standardize technical and professional development or to otherwise 
build the professional infrastructure required.
There is no national system of governance to guide risk practitioners 
        and ensure collaboration and interoperability in development of 
        risk management approaches.
    Absent interagency coordination, an advisory board, and/or a 
recognized standard-setting body, there is no way to synchronize 
divergent methods, arbitrate disputes, or resolve crosscutting issues. 
As a result, risk practitioners often develop new methods rather than 
adopt or adapt an existing approach. Because the underlying methods 
currently in use are not based on commonly recognized or compatible 
standards, the resulting data is often less than useful to others who 
must then collect similar data using another methodology.
There is no comprehensive, documented body of knowledge on the current 
        state of the discipline from which to implement new security 
        risk management efforts.
    There are no common references that practitioners can consult when 
considering how to best meet their security risk analysis needs. 
Without such a body of knowledge, there is no way to determine where 
adequate methods already exist, decide where to focus additional 
research and development, or ensure existing efforts are not 
duplicative and wasteful. Moreover, without this collection of 
knowledge, it will be difficult to train the next generation of 
security risk analysts and managers in a consistent manner.
The lack of a common professional language for security risk analysis 
        and risk management divides practitioners and makes 
        collaboration difficult.
    This ``language deficit'' serves as a significant impediment to a 
cooperative approach on security risk analysis and management between 
the Federal Government, State and local governments, and the private 
sector. While attempts to set standards within individual Federal 
departments and agencies have been made, conflict with similar efforts 
elsewhere only exacerbates the problem. Without a common language for 
use by practitioners, future progress will remain frustratingly slow.
There is currently no capability to train or certify the knowledge and 
        technical skill of security risk management professionals and 
        bring new entrants into the field.
    Given the huge investments being made in homeland security, coupled 
with the central role of risk management, it would seem logical that 
training and certification of risk practitioners should be a national 
requirement. Unfortunately, there is no recognized approach to risk 
management training in Federal, State, and local government agencies, 
or in the private sector. Absent this, it is difficult to imagine that 
risk management will ever be done with the degree of reliability and 
compatibility that decisionmakers require.
                         sarma recommendations
    There are a few practical steps that can be taken within existing 
authorities, and the support of the Congress, to remedy the current 
situation and more fully realize the vision of more effectively 
managing security risks to the American homeland. Accordingly, SARMA 
recommends that the administration:
Issue a joint National Security Presidential Directive (NSPD) and 
        Homeland Security Presidential Directive (HSPD) to create a 
        ``National Security Risk Management Program.''
    The joint NSPD/HSPD should establish a national program for 
security risk management, complete with funding for a system of 
governance over all Federal efforts to implement supporting risk 
management policies, programs and practices across the interagency 
community. Such a program would accelerate progress, reduce duplication 
of effort, and eliminate organizational conflicts and other barriers to 
implementation.
Require Federal departments and agencies to create a Chief Security 
        Risk Officer (CSRO) appropriately positioned and empowered to 
        synchronize, coordinate, and monitor all security risk 
        management efforts within their organizations.
    The Chief Risk Officer (CRO) concept has been in widespread use by 
the private sector for decades. Implementing such a position within key 
Federal departments and agencies would elevate the importance of 
security risk management and end debates over who creates necessary 
policies and procedures and leads security risk management initiatives 
at the department and/or agency level. Though we believe that the 
initial focus of this position should be on coordination of security 
risk activities, the ultimate goal should be a convergence of all risk 
management activities within a consolidated CRO portfolio.
Establish a DHS CRSO and harmonize homeland security risk management 
        policies and programs to ensure consistency, and as needed, 
        compatibility and integration, not only within DHS but with 
        State and local governments, and the private sector.
    In addition to reconciling and ensuring coordination among all 
homeland security risk management policies and programs across the 
Department, the DHS CSRO should identify appropriate DHS agencies and 
offices to serve as homeland security risk management advocates to 
State and local governments and the private sector. This would extend 
the benefits of a common risk management framework to industry and all 
levels of government as part of a truly integrated and ``national'' 
effort.
Create a security risk management governance structure to span the 
        interagency community and bring standardization and rigor to 
        the assessment of security risks, while increasing overall 
        confidence in the process and the decisions that result.
    To this end, two essential elements of this structure are 
recommended:
    A Chief Security Risk Officer (CSRO) Council.--The CSRO Council 
would be officially recognized as the authoritative body for Federal 
security risk management strategy, policy, and standards. The CSRO 
Council should include security risk management officials from all 
agencies with significant homeland security and national security 
responsibilities. In addition, the CSRO Council would:
   Oversee the implementation of the joint HSPD/NSPD for a 
        National Security Risk Management Program;
   Coordinate and set direction for national security risk 
        management efforts; and
   Analyze and broker resolution of disagreements between 
        Federal departments and agencies over security risk management 
        issues.
    An Interagency Security Risk Management Staff.--This interagency 
staff function would serve as a security risk management Center of 
Excellence, providing program development support, technical expertise, 
and training to Federal, State, and local governments, as well as the 
private sector. The staff would address the shortage of qualified risk 
methodologists and trainers by centralizing that expertise and making 
it available to support practitioners in achieving the national goal of 
a mature, unified, and broadly accepted approach to security risk 
management. The staff would:
   Provide technical assistance in carrying out security risk 
        assessments and implementing security risk management programs;
   Provide security risk management training, establish minimum 
        training and certification standards, and produce associated 
        training materials; and
   Maintain public/private partnerships to support the use of 
        risk management in the implementation of national security and 
        homeland security policies and strategies.
                               conclusion
    Homeland security efforts since the terrorist attacks of September 
11, 2001 have highlighted the difficulty of protecting an almost 
infinite number of targets with finite human and financial resources. 
The use of security risk management is the approach correctly chosen by 
our Nation's leadership to address this enormous challenge. In 
response, considerable work is underway. Yet, in order to ensure the 
effectiveness of these efforts, the development and implementation of a 
well-integrated national framework for security risk management is 
needed.
    The refinement and application of a more uniform and coordinated 
approach to analyzing security risks will greatly enhance our Nation's 
ability to understand and manage the multitude of threats we face, now 
and well into the future. That will then lead to improved 
decisionmaking and more efficient prioritization of resources by not 
only Congress and the White House, but by the thousands of State and 
local government and private sector leaders that make up the fabric of 
our national homeland security effort.
    The creation of a national system of governance and standards for 
security risk management is beyond the mission and authorities of any 
one agency. The development of security risk management, as both a 
process and a profession, is a national priority that cannot be 
achieved by DHS acting alone. A well-integrated national security risk 
management framework will require a broad-based partnership with State 
and local government, private sector industry, academia, and related 
professional associations. Even with visionary leadership and direction 
it will not be easy, as the Government Accountability Office and others 
have noted. Yet such a framework is necessary if we are to protect the 
people, infrastructure, and economic prosperity of the United States.
    SARMA encourages Congress, the White House, Federal departments and 
agencies, State and local governments, and the security profession to 
join forces and collaborate to achieve a national security risk 
management framework that will help provide the Nation with the 
protection and response capabilities it needs at a price it can afford. 
The members of the Security Analysis and Risk Management Association 
stand ready to assist Congress, the administration, and DHS in whatever 
way we can to help advance this important initiative.

    Ms. Jackson Lee. I thank you for your testimony.
    I now recognize Dr. Carafano to summarize his statement for 
5 minutes. Dr. Carafano.

    STATEMENT OF JAMES JAY CARAFANO, THE HERITAGE FOUNDATION

    Mr. Carafano. Thank you.
    Homeland security, and indeed the functions of all 
Government, is to enable Americans to live their lives in 
freedom, safety and prosperity. The key is that it is 
Government's responsibility to ensure that its measures support 
all three of those goals equally well. Nowhere is that task 
more difficult than the issues that we are talking about today, 
which is managing basically the tools of everyday life that 
Americans use to go to work, to govern themselves, to take care 
of their family and their children.
    So I would like to offer three brief recommendations. The 
observations that I am going to offer are based on my 25 years 
of experience in the Army and issues dealing with national 
security for over a half-decade working on homeland security 
issues here in Washington, and being a proud member of a family 
of first-responders that is filled with nurses and cops and 
firemen and folks like that.
    As a prelude to my comments, I would just like to offer 
this observation. We live in a great and powerful Nation. That 
means we live in a Nation with infinite number of 
vulnerabilities. If you do the math and you want to spend--you 
pick a number, $25 billion, $30 billion, whatever, taking one 
vulnerability off the table, you then live in a Nation with 
infinity-minus-one. It doesn't get you very far.
    So you have two options. The one option, which I think 
everyone here would uniformly agree to, is that we do need a 
risk-based approach, a rational, not non-political because you 
can't depoliticize a risk assessment. That is part of the risk 
management process, but a functional integrated process, as 
opposed to the opposite which is fundamentally what we 
generally have now, which is policies are really being driven 
by constituents and stakeholders that speak out the loudest and 
get the most attention.
    That is a problem because at the end of the day, you just 
put money where you want, as opposed to where it really needs. 
It can actually make you less safe. You get less return for 
your dollar. You actually distract people from doing useful 
things. You actually undermine the competitiveness of the 
American economy and the industry, all of which at the end of 
the day make you less able to withstand a terrorist threat or a 
natural disaster.
    Quite frankly, my grade for the Department of Homeland 
Security and its ability to move forward on risk assessment and 
risk management techniques, given the stage it is in its 
development, is not bad. On the other hand, I would actually 
grade the Congress much more poorly in its ability to deal with 
risk management. I think if you look across congressional 
mandates in border security, container security and mass 
transit and others, Congress has actually done a very poor job 
in the sense of trying to use a risk-based approach.
    Fundamentally, I think the problem is generally what 
politicians tend to do, and what we gravitate toward, is 
focusing on protection. The Government's job is to protect 
things, as opposed to what I really think the function of 
Government is, which is to be much more concerned about the 
resiliency of the Nation, the Nation's ability to move and 
withstand and deliver goods and services regardless of the 
political and the economic conditions and different kinds of 
disasters it might face.
    I would argue this is really a product because we really 
lack a common doctrine and common understanding between 
Congress and Federal agencies about who does what in risk 
assessment. I really think that threat assessments and threat 
reduction are fundamentally a Government's responsibility. It 
is Government's job to get rid of terrorists. It is 
Government's job to go after malicious actors.
    Criticality or consequence is really a joint 
responsibility. Government can't do it alone because the 
private sector has most of the information, most of the 
knowledge. On the other hand, Government is the only person who 
can give the broad perspective about what really is a national 
priority. So that is really a joint function.
    I argue that vulnerability assessments, both the assessment 
of vulnerability and the reduction of vulnerability is really 
the responsibility of the people who own and use the 
infrastructure, so it is largely a private sector 
responsibility. We have really failed to kind of stick to that 
adherence of responsibilities, so we have really kind of been 
all over the map.
    So very quickly, just three recommendations. One is, 
Government's role is enormous in the threat reduction area. I 
think that is primarily where its focus should be. In terms of 
vulnerability reduction, I think primarily for most 
infrastructure, the answer from Government is reasonable 
measures that are largely performance-based that are very 
similar to the kinds of requirements that we do in public 
health and safety and environmental.
    I think GAO is exactly right. Risk communications and 
managing expectations are a vitally important job that we 
really do very poorly. For example, I think it is a very 
unrealistic expectation to think that Government or the DHS is 
going to do a risk assessment for the entire country. That 
means it is going to assess risks and manage the reduction of 
risks and threat criticality and vulnerability. I think it is 
unrealistic and unachievable and quixotic.
    Third, I think there are some very practical measures that 
if Government wants to incentivize and move the private sector 
forward on the vulnerability reduction side, there are some 
interesting things I think that can be done in terms of 
liability protections and incentives. I would put the SAFETY 
Act out as an excellent model of the kind of legislation that 
could incentivize the private sector to take risk management 
seriously and to incorporate it into its business practices and 
adopt realistic and cost-effective means to have a reasonable 
measure of vulnerability in the infrastructure.
    Thank you. I look forward to the questions.
    [The statement of Mr. Carafano follows:]
                Prepared Statement of James Jay Carafano
                             June 24, 2008
  risk and resiliency: developing the right homeland security public 
                     policies for the post-bush era
    My name is James Jay Carafano. I am the Assistant Director of the 
Kathryn and Shelby Cullom Davis Institute for International Studies and 
a Senior Research Fellow for the Douglas and Sarah Allison Center for 
Foreign Policy Studies at The Heritage Foundation. The views I express 
in this testimony are my own, and should not be construed as 
representing any official position of The Heritage Foundation.
    Thank you for the opportunity to appear before the committee today 
to discuss the subject of this hearing ``Ensuring our Nation is secure 
by developing a risk management framework for Homeland Security: How 
are they measuring risk? Are the risk management principles being 
followed uniformly?''
    My testimony today will focus on the point that risk management is 
interwoven with the concept of resiliency. The current paradigm of 
``protecting'' infrastructure is unrealistic. We should shift our focus 
to that of resiliency. Resiliency is the capacity to maintain 
continuity of activities even in the face of threats, disaster, and 
adversity. The concept recognizes that we cannot deter all threats or 
prevent all natural catastrophes. Effective resiliency strategy should:
   Focus on more than just physical infrastructure.--Resiliency 
        works with the goal of resilient communities and reflects the 
        geography, culture, economy, politics and other societal 
        factors of the United States.
   Recognize initiatives must be national in character and 
        international in scope.--Recognizes that America is part of the 
        global marketplace with a global industrial base.
   Remain proactive.--It is a bad idea to wait until 
        catastrophe strikes to discover our resilience, in terms of 
        both humanitarian concerns and Government legitimacy.
   Manage public expectations.--Out-of-scale expectations 
        greatly undermine the legitimacy of a national response effort. 
        We must inform the public about what it should reasonably 
        expect in the face of disaster or disruptions. Unreasonable 
        expectations are fueled by both media and political posturing.
   Define expectations of public-private partnerships.--Despite 
        the focus on homeland security since 9/11, 5 years after the 
        event the appropriate public and private rolls in dealing with 
        transnational terrorist threats are still poorly understood.
   Pay greater attention to the development of public and 
        private infrastructure.--Developing more robust national 
        infrastructure that both enhance the competitiveness and 
        capacity of the United States to withstand catastrophic threats 
        should be a priority.
    Resiliency and Risk.--Risk assessments and risk reduction are at 
the heart of a sound resiliency strategy. Although there are a number 
of risk assessment methodologies, they all consist of common 
components.
   Threat Assessment.--Examines what our adversary can 
        accomplish and with what degree of lethality or effect.
   Criticality Assessment.--Evaluates the effect that will be 
        achieved if the adversary accomplishes his goals. This examines 
        both physical consequences, social and economic disruption and 
        psychological effects. Not all consequences can be prevented. 
        So in order to assist in prioritization, there is a process 
        designed to identify the criticality of various assets: What is 
        the asset's function or mission and how significant is it?
   Vulnerability Assessment.--Looks at our vulnerabilities and 
        how they can be mitigated including weaknesses in structures 
        (both physical and cyber) and other systems/processes that 
        could be exploited by a terrorist. It then asks what options 
        there are to reduce the vulnerabilities identified or, if 
        feasible, eliminate them.
    Since 9/11, however, the nature of shared public-private 
responsibility for risk assessment and risk reduction has been poorly 
understood. Establishing a common appreciation of rolls and 
responsibilities must be a priority.
   Assessing and reducing transnational terrorist threats is 
        fundamentally a Government responsibility, an inherent 
        obligation derived from the preamble of the Constitution that 
        obligates Government to ``provide for the common defense.'' 
        Threat appreciation and effective counter-terrorism programs 
        that identify, quantify, and reduce threats is not only 
        primarily Government's responsibility, it is arguably the most 
        essential component of risk management. Taking the offensive 
        against terrorist threats is both the most effective and cost-
        effective means to respond to transnational terrorism.
   Criticality is an activity that must be conducted jointly by 
        the public and private sectors. They equally share 
        responsibility for determining what is most vital to protect 
        the public good. There is no practical alternative to this 
        shared obligation. Most national infrastructure is private 
        hands. The private sector understands best how systems function 
        and impact the economy. On the other hand, only the national 
        Government can offer the national ``perspective'' of 
        prioritizing needs and obligations in times of national 
        emergency. Thus, criticality can only be determined by sharing 
        information and joint assessments made in trust and confidence 
        between the public and private sectors.
   Assessing vulnerability, determining the best risk 
        mitigation means, managing and providing the resources to 
        reduce vulnerability are largely the responsibility of the 
        entity that owns and operates infrastructure. Most often the 
        consumers and users of the infrastructure and the services they 
        provide bear the fiscal responsibility for implementing 
        measures to reduce vulnerability. These measures should be 
        ``reasonable.'' Vulnerability reduction is an ``economy of 
        force'' measure, an additional and supplementary line of 
        defense designed to supplement not supplant addressing threats 
        and criticality. Over-emphasis on vulnerability reductions 
        threatens the competitiveness of private sector activity, which 
        in turn could represent a far greater threat to the resiliency 
        of the American economy than any terrorist threat.
    Understanding this fundamental division of labor between the public 
and private sector is fundamental to developing sound public policies.
    In order to achieve the goal of ``resiliency'' as well as to ensure 
effective risk management, Congress should focus on four initiatives:
    1. Promote public-private models for risk management by developing 
        doctrine defining reasonable roles for Government and industry.
    2. Encourage bilateral cooperation addressing liability issues.
    3. Develop national and international forums for collaboration on 
        resiliency issues.
    4. Promote the development of resilient 21st century public 
        infrastructure.
    1. Public-private models for risk management.--Public-private 
models for risk management are essential to the concept of resiliency. 
A model public-private regime would: (1) Define reasonable roles for 
both Government and industry through clear performance measures, (2) 
create transparency and the means to measure performance, and (3) 
provide legal protections to encourage information sharing and 
initiative.
    Both Government and industry must be given reasonable roles in 
order to ensure the effectiveness of these models. Understanding, 
communicating, and reducing threats is primarily a national 
responsibility, fundamentally a responsibility of Government to ensure 
public safety and provide for the common defense. It is not the job of 
the private sector to defeat terrorists. It is the responsibility of 
the Federal Government to prevent terrorist acts through intelligence 
gathering, early warning, and domestic counterterrorism.
    National Security and Resiliency.--In terms of what is reasonable 
for the Government, the role of national security instruments should be 
treated with caution. National security is not about trying to child-
proof a country against every potential misfortune. It is the task of 
protecting people from their mortal enemies--that means other people. 
These enemies may be from states, trans-states or no states. They may 
be abroad or homegrown. What they have in common is that they are 
humans--and that they threaten the Nation by preparing to attack its 
people for a political purpose.
    We should be careful not to dilute the definition of national 
security to include a plethora of threats or use the proliferation of 
threats to scope a national resiliency strategy. The Government has 
many resources to deal with all kinds of problems. Resources, however, 
are not infinite. National security instruments should be reserved for 
the critical task of battling those people who plot how to kill 
citizens, undermine the society and destroy our individual freedoms.
    A second reason not to label every ``danger du jour'' as a national 
security threat concerns protecting the civil society. In times of 
peril, the Nation should rely on the Government to provide the common 
defense--providing the leadership and resolve needed to deal with 
threats to the Nation. That's why, for example, in the United States 
the President is vested with the authority to conduct foreign policy 
and act as commander-in-chief. The U.S. Constitution envisioned an 
executive who could wield significant power to act decisively in time 
of war or crisis. That said, the President's national security powers 
should be reserved only for serious, imminent dangers from America's 
enemies. Elevating other issues like global warming, pandemics or 
energy supplies, to the level of national security, only encourages 
Government to bring the extraordinary powers of the Executive branch to 
bear on the problem. For the most part, the parts of Government 
involved in national security should stick to hunting terrorists, 
thwarting rogue states, and dealing with the other serious enemies who 
spend their days and nights plotting against the state. In most cases a 
strategy of resiliency should rely primarily on other instruments.
    Criticality as a Shared Activity.--Criticality, on the other hand, 
has to be a shared activity. In many cases the private sector owns or 
is responsible for managing both private and public infrastructure that 
provide the vital goods and services for the society. Meanwhile, only 
the national Government has the overall perspective to determine 
national needs and priorities in the face disasters and catastrophic 
threats. Thus, they must work together to determine what is truly 
critical to keep the heart beat of the Nation beating in the face of 
adversity.
    Not all infrastructure should be deemed critical. Indeed, the 
national designations of ``critical'' infrastructure and key assets 
have been detrimental to the effort to prioritize national efforts. The 
``failure is not an option'' mentality with regards to protecting 
infrastructure has led to an over-zealous approach to ``critical'' 
infrastructure. The designation has become increasingly pointless 
driven by politics and stakeholder interests rather than rational 
assessments.\1\ If everything is critical, nothing is critical.
---------------------------------------------------------------------------
    \1\ See, for example, the debate over container security in 
``Container Security at U.S. Ports: The Heritage Foundation's 
Research,'' WebMemo No. 1260, November 27, 2006, at http://
www.heritage.org/Research/HomelandSecurity/wm1260.cfm.
---------------------------------------------------------------------------
    Vulnerability as a Private Sector Function.--Vulnerability should 
be largely the responsibility of the entity that owns, manages, and 
uses the infrastructure. It is largely the private sector's duty to 
address vulnerability and to take reasonable precautions, in much the 
same way as society expects it to take reasonable safety and 
environmental measures.
    Resiliency and its role in protecting society actually transcend 
homeland security and other national security concerns. Resiliency is 
about building strong, cohesive societies in that can prevail in the 
face of many challenges whether the malicious acts of terrorists or the 
heartless whims of Mother Nature.
    Indeed, rather than national security instruments, the most common 
tool to be used in building resiliency is establishing an appropriate 
legal regime the will allow the private sector and the market place 
adapt and innovate, to provide a robust, redundant capacity to provided 
goods services everyday--and especially in times of crisis.
    Armed with these assessments and a common sense division of roles 
and responsibilities, public-private partnerships can set about 
instituting practical measures that will reduce risk and enhance 
resiliency.
    2. Encourage bilateral cooperation addressing liability issues.--
Addressing concerns of liability may be the most vital contribution 
Government can make to implement a strategy of resiliency. The recent 
bitter debate in the United States between Congress and the 
administration over extending immunity against civil suits to 
telecommunications companies that cooperated with a classified 
Government surveillance program highlights one of the knotty challenges 
in promoting public-private cooperation in combating terrorism.\2\ 
Congress can promote private sector participation and alleviate 
liability concerns by:
---------------------------------------------------------------------------
    \2\ See, James Jay Carafano, Robert Alt, and Andrew Grossman, 
``Congress Must Stop Playing Politics with FISA and National 
Security,'' Web Memo No. 1791, January 31, 2006, at http://
www.heritage.org/Research/LegalIssues/wm1791.cfm.
---------------------------------------------------------------------------
   Providing ``safe harbors'' for sharing critical information;
   Promoting cooperative joint action for public-private 
        partnerships;
   Collaborating with other nations, such as the Technical 
        Cooperation Program (TTCP), an international organization that 
        collaborates in defense scientific and technical information 
        exchange and shared research activities. Promoting liability 
        protection regimes could be the centerpiece of a facilitating 
        global bi-lateral participation in promoting resiliency 
        strategies.\3\
---------------------------------------------------------------------------
    \3\ For specific recommendations, see James Jay Carafano, Jonah J. 
Czerwinski, and Richard Weitz, ``Homeland Security Technology, Global 
Partnerships, and Winning the Long War,'' Heritage Foundation 
Backgrounder No. 1977, October 5, 2006, at www.heritage.org/Research/
HomelandSecurity/bg1977.cfm.
---------------------------------------------------------------------------
    The Safety Act as a Model for Liability Concerns.--A great example 
of the ability of Government to handle these concerns over liability 
decisively and with good effect was addressed in the Support 
Antiterrorism by Fostering Effective Technologies (SAFETY) Act. This 
Act lowered the liability risks of manufactures that provide products 
and services for combating terrorism. Passed in 2002, the Act protects 
the incentive to produce products designated as ``Qualified Anti-
terrorism Technologies'' (QATTs) by the Secretary for Homeland 
Security. The Department of Homeland Security (DHS) has made a 
concerted effort to implement the program and a number of companies 
have availed themselves of the opportunity to obtain SAFETY Act 
certification.
    By addressing liability concerns, Congress intended the SAFETY Act 
to serve as a critical tool for promoting the creation, proliferation 
and use of technologies to fight terrorism.\4\ The act provides risk 
and litigation management protections for businesses that produce QATTs 
and other providers in the supply and distribution chain. The act 
included a limitation on liability with regards to third parties claims 
for losses resulting from an act of terrorism where the technologies 
were deployed to help prevent or mitigate the danger of a terrorist 
attack. In turn, the promotion and deployment of new technologies help 
make the society more resilient in the face of terrorist threats.
---------------------------------------------------------------------------
    \4\ U.S. Department of Homeland Security, Final Rule of the 
Implementation of the SAFETY Act, Vol. 71, June 2006, at http://
a257.g.akamaitech.net/7/257/2422/01jan20061800/edocket.access.gpo.gov/
2006/06-5223.htm (March 2008).
---------------------------------------------------------------------------
    3. Develop national and international forums for collaboration on 
resiliency issues.--Both within the United States and with 
international partners, the United States should begin to establish 
regular forums to promote the resiliency concept, share best practices 
and facilitate joint action.
    State-Based Regional Response Network.--Within the United States, 
these forums could be structured around a regional homeland security 
structure that promotes voluntary cooperation among States, local 
communities, and the private sector. The Homeland Security Act of 2002 
mandated that DHS set up a regional structure--though the Department 
did follow through on this mandate. State-based regional programs would 
focus on ensuring that States are prepared to sustain themselves. 
Successful regional programs would focus not on Federal structures in 
each region, but rather on regional emergency management programs and 
capabilities that are developed, coordinated, and managed by the 
States. Similar small-scale programs that use a regional model, such as 
the Emergency Management Assistance Compact (EMAC), have already proven 
successful. DHS regional offices should be required to strengthen State 
and local preparedness capabilities; facilitate regional cooperation 
among Governments, the private sector, and non-Governmental 
organizations; and plan and exercise with Federal entities that support 
regional disaster response. Such offices would enable regions to access 
and integrate their capabilities quickly and improve preparedness and 
resiliency initiatives.\5\
---------------------------------------------------------------------------
    \5\ See, Jill Rhodes and James Jay Carafano, ``State and Regional 
Responses to Disasters: Solving the 72-Hour Problem,'' Backgrounder No. 
1962 (August 21, 2006) http://www.heritage.org/Research/
HomelandSecurity/bg1962.cfm.
---------------------------------------------------------------------------
    Internationally, the United States can use both current 
international institutions and new multi-national and bilateral 
partnerships to create resiliency forums. For example, the NATO 
Industrial Advisory Group (NIAG) solicits industry advice on how to 
promote public-private and transnational cooperation in defense 
production. This group or other NATO forums might serve as 
opportunities to discuss resiliency issues.
    4. Resiliency's Building Blocks.--Promote the development of 
resilient 21st century public infrastructure. In the end, public-
private partnerships must produce the kind of infrastructure necessary 
to sustain 21st century societies against 21st century threats. Within 
the United States much of the national infrastructure is aging and not 
keeping up with the demands of a growing population. Additionally, for 
all of the focus on U.S. critical infrastructure, equally vital is the 
resiliency of the global economy.
    What is required is more innovation and experimentation as a means 
of speeding the development of modern infrastructure. One option to 
consider is encouraging public-private partnerships (PPP) that invest 
in public infrastructure. The United States has utilized the PPP model 
for its public highways and other infrastructure projects. Creating 
opportunities for governments and private firms to work together on 
improving the infrastructure should be further explored.
    Rather than relying heavily on subsidized public funding of 
infrastructure, investments should focus on ``project-based'' financing 
that shifts the risks and rewards to the private sector. Project-based 
financing focuses on obtaining stand-alone investment from private 
investors and could include multiple investors, each with a different 
level of investment, varying rate of return, and different timelines 
for realizing those returns. Such strategies not only shift risk to the 
private sector, but should also lead to improved decisionmaking about 
needed infrastructure investments.
    Resilience is the right strategy.--Resiliency is the right strategy 
for the United States and its allies in facing the dangers of the 21st 
century. Congress and the administration can promote this approach both 
within American communities and across all free nations by means of the 
initiatives mentioned in my testimony. These initiatives offer a more 
reasonable and cost-effective means for ensuring the continuity of 
services and processes, but all for building a more resilient civil 
society, one prepared to face the future with confidence and surety.

    Ms. Jackson Lee. Mr. Carafano, thank you very much for your 
statement.
    I now recognize and welcome and offer my sympathy to Mr. 
McInnis, and ask him to summarize his statement for 5 minutes. 
Mr. McInnis.

   STATEMENT OF RAYMOND MCINNIS, PRIVATE CITIZEN, WIDOWER OF 
                  VICTIM OF GOODYEAR EXPLOSION

    Mr. McInnis. Good afternoon, and thank you for inviting me. 
My name is Raymond McInnis. I live in Houston, Texas. I am a 
former employee of Goodyear, a retiree of 12 years now and 
employed for 38 years.
    My wife of 18 years, Gloria, has worked at the plant for 31 
years--a very knowledgeable person in that plant. She was 
killed in an explosion at that plant 2 weeks ago today, June 
11. It is not easy for me to come here today, but I come here 
because I want changes made in the workplace. There are so many 
things that are wrong today that are just sloughed over by 
OSHA, companies. I have a lot to say. I can't get it done here, 
believe me. I have heard a lot.
    Ms. Jackson Lee. Mr. McInnis, you can take your time to 
explain what you are trying to say to us.
    Mr. McInnis. I just want things to change for her, change 
the workplace for the people that are working there today and 
in the future, so that place will be there where people can 
have a job.
    My wife's title at that plant was latex coordinator. She 
did not work in the part of the plant. It was not her primary 
duty. Because of the shortage of leadership and supervision, 
she was there. That was one things she always did. We discussed 
it. ``Why? You don't have to go there. Make them supply 
supervisors.'' Well, if they don't have them, somebody has got 
to do it, and she always went there.
    She did not have to be at that place. The thing is, it just 
lacks supervision and supervisors with training and knowledge. 
There is a way they go about picking supervisors now that you 
don't have to know the job. You just take a test and you are a 
supervisor in a chemical plant. That is what creates these 
situations.
    I would like to go into the story of how this went down and 
how I found out about my wife's death. On the morning of June 
11, I had taken her dog to get groomed, the dog she loved. I 
went by Goodyear on 225 which I don't ever do, but I saw all 
the fire trucks and ambulances and what have you, and I figured 
well, they are having a FEMA drill.
    I went on to my home and a friend of my son's, who is a 
fireman in the city of Houston, made a call to me and asked me 
how my wife Gloria was. I said, well, I guess all right. He 
said, well, there was an explosion. I said, well, I will get on 
the phone, and I will call you back and let you know. I made 
calls time and time again, and got a recording. The recording 
was ``leave a message.'' I left messages and called other 
numbers that I could remember in that plant.
    I finally got through to the gatehouse, and one of the 
security guards told me that she was all right. I asked that 
question, ``Have you seen Gloria?'' She said she is all right. 
So I felt relieved, and I wait for the 11 o'clock news, local, 
to find out what really happened. I saw the statement by the 
plant manager that everything was clear. They had six minor 
injuries, and everybody was going back to work.
    Well, that made me feel much better. I had to call family 
back and give them all the information--our wife, their 
daughter, grandmother, mother, and my wife was all right, which 
made everything all right until that time. Then about 1:45 p.m. 
that day, I received a call from the same woman that I had 
talked to at the gatehouse, asking me ``Was my wife at home?'' 
I said, ``You mean you don't know?'' This goes back to the 
accountability. Where in the heck was it? Nobody is counting. 
Who is responsible?
    Anyhow, I went to the plant. Nobody would tell me. They 
just passed me from one person to another and led me to the 
front office. I already had an idea that there had to be 
something like that, and I ran across one of my former 
associates at the plant. He told me, ``He said, I am sorry, 
Mac,'' and I knew then that I had lost my wife.
    That was the only notification I had. Nobody would tell me 
nothing else. All they wanted to do was take me home. I wanted 
information. I couldn't get any information about anything. All 
they wanted me to do was go home. So I went. I have had no 
details of what transpired, what caused the explosion, the 
people involved. All I know is my wife is gone.
    I want changes, the type of changes I want are that the 
people that work at that plant are trained, supervisors are 
trained on the job and know the job. Can you imagine in school, 
every one of us in school, a teacher at some time during your 
progress, she was there. What was the first thing that woman 
did? You count your people. You account for them. You want to 
know where they are at.
    This place has no plan like that. They have no supervision 
to properly set up such a plan for an incident. There is no 
plan, one man, a foreman with no leaders, and lieutenants in 
every part of that plant cannot run a proper incident. That is 
why my wife was not found. Nobody looked. That is why. That is 
the sad part.
    There is a proper way. It has been done, but because of the 
cuts by the company, to save the dollar, supervision and 
leadership is gone from that plant. There is no leadership at 
all. You just can't operate that way.
    Where is the script? I am sorry. I just get carried away. I 
am sorry. I am angry. I want to get back to covering what I 
came to talk about.
    What I found out, and this is the story I found out to go 
along with that. I found out how they found my wife. After the 
fire department of Houston was turned away from that plant, 
because Goodyear gave the all-clear and everybody was accounted 
for, they had a meeting, calling the supervisor and the people 
that were involved in this situation. So they were going to 
have a meeting, a debriefing, and go over what they had. They 
ordered lunch and somebody happened to say, well, where is 
Gloria?
    Now, that tells you how their accountability system works. 
They have no idea what is going on in that plant. I am telling 
you. Please do something about it. I am pleading with you. 
Check it. I know every time OSHA comes to that plant, we know 
about it. Everything is covered up. Everything is prettied up. 
Everything, for any kind of inspection. This is wrong.
    I just want to make sure that everything gets done to help 
the people of that plant. It is too late, I know, but I want it 
done for the people there. They need jobs. That is what our 
economy is about, people working. We are not taking care of 
them.
    I would like at some point for you to ask me questions 
about how the incident command system should be set up, how it 
should work. I would be glad to go over that or any other 
questions you may have for me.
    Thank you.
    [The statement of Mr. McInnis follows:]
                 Prepared Statement of Raymond McInnis
                             June 25, 2008
    Good afternoon. My name is Raymond McInnis. I live in Houston and 
am retired after working 38 years at the Goodyear Chemical Plant in 
Houston.
    My wife of 18 years, Gloria, had worked at the Goodyear plant for 
more than 31 years before she was killed in an explosion at that plant 
2 weeks ago today, June 11, 2008. This is not easy for me but I came 
here today to talk about what happened to Gloria because I don't want 
this to happen to anyone else. Neither would Gloria. This may sound 
corny to you but it's the truth.
    Gloria was a Latex Coordinator. She loved her job. But it had 
gotten harder because of all the cuts at the plant. They didn't have 
enough supervisors with experience, so Gloria was always willing to 
help out the team wherever and whenever she could. Her motto was 
``Somebody's got to do it.''
    As bad as it is losing a loved one like this, one thing that still 
haunts me is that after the explosion I was originally told by a 
Goodyear employee that Gloria was safe. You cannot believe how relieved 
my family and I were to get that good news. Later, I was shocked when I 
found out that she was dead and that she had lain there for 7 hours 
before she was found. How could Goodyear have not known one of their 
own was missing? Even though I know now that Gloria was killed in the 
explosion, my first thought was: Would Gloria be alive and at home 
today if they had realized that she was missing and tried to find her 
right away?
    The explosion occurred at 7:36 a.m. I saw some fire trucks outside 
the plant at 8 a.m. but because there seemed to be no activity, I 
assumed it was a drill. A friend of my son's who works in the Houston 
Fire Department called me later that morning and asked if Gloria was 
all right. That was the first I had heard of the explosion. I 
repeatedly called Gloria's office phone but only got her voice mail. I 
called the Goodyear office with the same result. I called the gatehouse 
but got no answer. At 10 a.m., I finally reached Jackie at the 
gatehouse and asked about Gloria. Jackie told me ``She's all right.''
    At that point, I felt relieved. Friends and relatives were calling 
and I told them Gloria was okay. I watched the TV news around 11 a.m. 
The plant manager said everyone was okay, only six minor injuries, that 
the ``all clear'' was being given. Again, I felt relieved. I kept 
trying Gloria's office phone and kept getting voice mail. I assumed 
she'd be out in the plant helping clean up, because ``someone had to do 
it.'' Gloria's shift was from 6 a.m. to 2 p.m., so I was expecting her 
home soon.
    At 1:45 p.m., Jackie called and asked me ``Is Gloria home?'' I 
said, ``You mean, you don't know?'' That's when I knew. Another woman 
came on the phone and told me to stay put and they would call me back. 
I just threw down the phone and rushed to the plant.
    The Goodyear plant people kept telling me to go to the office. I 
didn't want to but finally did. On the way, I ran into a Goodyear 
employee that I had known when I worked at the plant. He said ``I'm so 
sorry, Mac.'' That was my official notice from Goodyear. The people in 
the office kept telling me they were sorry, offering me water, 
insisting on driving me home. I asked what happened; they said they 
didn't know. I said I want to see Gloria; they said no, the 
investigators won't let you. I never spoke with the plant manager, Mr. 
Lockwood--he talked to the reporters, but he didn't talk to me.
    Goodyear drove me home. They later drove Gloria's truck home with 
her purse.
    I ask you ladies and gentlemen of Congress, how can you leave one 
of your own behind? Why don't you make sure everyone is safe? Who was 
supposed to count? Who was supposed to report?
    When I was a shift foreman, we knew who reported to whom. We knew 
our responsibilities. We wouldn't have left anyone behind.
    Our son is a Marine serving in Iraq. And I want to thank you, 
Congresswoman Jackson Lee for your help and Congressman Gene Green's 
help cutting through red tape and getting him home quickly to be with 
his family at this terrible time. Ask him about leaving anyone behind 
and he'll tell you a Marine never leaves one of his own behind.
    I did not understand why the Houston Fire Department did not go 
into the plant and search for employees. But my son's firefighter 
friend explained that the department had considered going in and told 
Goodyear several times they were willing to go in but Goodyear was 
adamant that everyone was accounted for. The department weighed that 
against the danger to their rescue crews and decided it was not worth 
the risk since Goodyear told them everyone was safe. The fire 
department left the plant and then had to be called back after Gloria 
was found by plant workers.
    This plant was a disaster ready to happen and its people are not 
safe today. The plant has done away with its fire department. EMS crews 
are trained 2 days a year only. The total number of employees has been 
cut. Contract workers who are unfamiliar with the plant have been hired 
in their place. Supervisors used to be experienced in all plant 
operations. Now, you can apply to be a supervisor after working at the 
plant for 90 days. Equipment is patched up again and again rather than 
replacing it with new equipment.
    Industrial plants are too interested in promoting themselves by 
giving lip service to safety rather than actually trying to cut the 
risk of injury to their workers. Worker safety is taking a backseat. 
Gloria's case shows you that there are failed systems in these plants 
for accounting for the safety and welfare of the individual workers.
    Here is another example. My attorney, Terry Bryant, has represented 
a number of injured plant workers. He has been told that some 
subcontractors are so concerned about reporting a good safety record 
that they confiscate an injured worker's ID card and swipe it at the 
plant as if the employee were on the job, even though the employee is 
recuperating at home. They do this just so they can report so-many 
injury-free work days. You can imagine the situation. If something bad 
happens at that plant and family members were told their loved ones are 
unaccounted for. Additionally, first responders could be putting their 
lives in danger searching for workers who were never there in the first 
place! Mr. Bryant suggests OSHA should audit these plants to make sure 
that they have reliable systems in place to know who's really at work 
and where at any given time and that they have the proper amount of 
supervision.
    Sure, OSHA sets minimum guidelines. But that's all the plants seem 
to do--the minimum. No one seems to care until someone dies. Then OSHA 
puts a fine on a company, the company pays it and life for them 
continues as before. The lives of my family will not continue as 
before. Do fines really mean anything to these companies? Perhaps if 
you changed the system to put someone in jail when their greed drives 
their safety decisions, then they'll pay attention.
    The men and women who work at these chemical and petroleum plants 
do dangerous jobs that are necessary to keep our country functioning. 
The least we owe them is to do what we reasonably can to ensure that 
they are safe in view of the risks of their assignments and to make 
sure that we never again leave one of our own behind.
    I was told by one of Gloria's friends that she was with her in the 
storeroom that morning when they heard about trouble in that part of 
the plant. She said Gloria told her ``I better go over there and see if 
I can help.'' Her friend told her she didn't have to do that but my 
Gloria said her usual, ``Someone's got to do it.''
    Gloria was a wonderful wife, mother, friend and an exceptional 
employee. If she could have a legacy for her sacrifice, she would want 
for these plants to be safer for everyone working in them. I thank the 
Members of the Homeland Security committee for their attention to this 
problem. I hope a significant improvement will come out of Gloria's 
death. This is what Gloria would have wanted. God bless you.
    I would be pleased to entertain any questions you may have about 
any statements I have made. Because of the time limit, I could not go 
into much detail. If you want any more information, you can contact me 
or my attorney Terry Bryant.

    Ms. Jackson Lee. Mr. McInnis, thank you so very much for 
your testimony, particularly in this very difficult time in 
your life. I thank you for being our hero today.
    The bells have rung, but Mr. Morawetz, I would like for you 
to have the opportunity to begin and end your testimony, so we 
will return and ask questions. Mr. Morawetz will be recognized 
for 5 minutes. Thank you very much.

  STATEMENT OF JOHN S. MORAWETZ, DIRECTOR, HEALTH AND SAFETY, 
       INTERNATIONAL CHEMICAL WORKERS UNION COUNCIL/UFCW

    Mr. Morawetz. Thank you, Chairman Jackson Lee, 
Representative Bilirakis, and Members of the subcommittee, for 
holding this important hearing.
    I am here today representing the National Chemical Workers 
Union Council of the United Food and Commercial Workers Union. 
I would also like to take a moment to offer my sincere 
condolences to Mr. McInnis and his family on the loss of his 
wife.
    While we do not represent these workers, we have been 
active for years in safety issues with hazardous materials and 
support strong laws to protect both workers and the public. Our 
members are tragically well aware of these dangers and have a 
real interest in their facility's safe operation.
    In 1971, we represented workers at a Georgia facility that 
manufactured magnesium trip flares. The facility was evacuated 
after several small fires broke out, but flares ignited and the 
plant blew up. Horribly, the evacuation distance was not 
sufficient and 27 workers were killed. We can and must learn 
from any event, large or small or from near-misses. This 
accident served as a valuable lesson in learning what must be 
done, just as the recent Goodyear explosion hopefully will.
    It is far too early to know the full facts and key failure, 
and most importantly, what the root cause of the explosion was. 
We believe the explosion took place in a reactor vessel cooled 
by ammonia that also uses a number of very hazardous and 
explosive raw materials.
    Where the Thiokol explosion led to a better understanding 
of safe evacuation distances, Goodyear management probably 
needs to have better training, drills for proper evacuation, 
vulnerability assessments, and methods for accounting for its 
entire workforce. These vessels are protected usually from 
excess pressures by release systems. If an over-pressure 
situation occurs, a relief valve will relieve the pressure, but 
often directly into the atmosphere.
    I am familiar with this type of failure. In 1990, a BSF 
facility in Cincinnati where I live exploded. Two workers died 
and 17 others were seriously injured. I still remember driving 
down Dana Avenue and seeing the cracked foundations of houses. 
That explosion was caused by excess pressure that blew a relief 
valve. The fumes spread around the vessel, found an ignition 
source, and exploded. Luckily, this release was recognized 
before the explosion. People were evacuated and a much worse 
disaster averted.
    The Federal Chemical Safety Board is responsible for 
investigating these incidents and issues excellent reports on 
their root cause. The CSB visited the Goodyear facility last 
week, but doesn't have the funds to launch a full 
investigation. The board also has issued generic CSB reports on 
nitrogen asphyxiation and chlorine releases. If we are serious 
about protecting our Nation's chemical industry infrastructure, 
the question of the proper and improper use of relief valves 
should be a subject of a future CSB report and CSB must be 
fully funded.
    Chemical workers know first-hand how a plant works, what 
chemicals are used, any particular facility's weaknesses, and 
are responsible for loading and unloading chemical cars. These 
make chemical workers the first line of defense and explain why 
we believe employee involvement in the implementation of a 
plant's chemical security plan is crucial.
    Proper and sufficient training is necessary. My union has 
run training programs and collected data on how much training 
workers received in the last year in 10 specific areas. Since 
there is no mandate for refresher training, the vast majority 
of workers have had none. Effective training needs resources 
that can be easily understood. New Jersey has written readable 
chemical fact sheets, that I have provided the committee, for 
the substances that we believe were involved in the Goodyear 
explosion.
    There are a number of other changes to make chemical 
facilities safer. First, there must be clear statements and 
laws to defend workers' jobs if they face disciplinary 
procedures for reporting any significant security weaknesses. 
Workers who bravely come forward to protect themselves should 
not fear losing their jobs when they speak out.
    Second, while OSHA standards might be beyond the 
jurisdiction of this committee, they are a useful model. The 
process safety management standard mandates that if companies 
reach a threshold amount of certain substances, there must be 
operating procedures, process hazard analysis, pre-startup 
safety reviews, hot work permits, training, and emergency 
planning. There must be inspections and investigations to make 
sure that these laws are being followed and enforced. It is 
fine to have laws and standards, but far too often facilities 
only act when there is enforcement.
    Third, releases that affect thousands of people calls for 
technology to reduce the risk. These include better-designed 
containers, reducing quantities, and reinforcing vulnerability 
sections. Although this committee's mandate is the protection 
of all facilities from terrorist attacks, I applaud the 
recognition that we are also discussing natural disasters or 
so-called accidents.
    The chemical workers support the work of this subcommittee 
to ensure the safety of all and strongly support legislation 
that has the protections that you have embodied in H.R. 5577. 
There is no guarantee that any legislation will prevent 
tragedies like the one at Goodyear, the 27 who died at Thiokol 
in 1971, the hundreds who died in 1947 in the Texas City 
freighter explosions, the Bhopal disaster that killed 
thousands, or future terrorist attacks. But the chemical 
workers believe stronger laws and enforced regulations will 
make them less likely.
    There is much work to be done to reduce risk and protect 
workers and communities, and we urge you to act. We look 
forward to working with this committee to address this crucial 
problem. Thank you for your time. I am pleased to answer 
questions.
    [The statement of Mr. Morawetz follows:]
                 Prepared Statement of John S. Morawetz
                             June 25, 2008
    Thank you Chairwoman Jackson Lee, Ranking Member Lungren, and 
Members of the subcommittee for holding this important hearing and for 
the opportunity to testify. I am here today representing the 
International Chemical Workers Union Council (ICWUC) of the United Food 
and Commercial Workers Union (UFCW). The ICWUC, which was founded in 
1944, represents more than 20,000 chemical workers in 32 States. In 
1996, we merged with the UFCW and this mutually beneficial partnership 
continues to serve our members well.
    I would like to take a moment to offer my sincere condolences to 
Mr. McInnis and his family on the loss of his wife in the Goodyear 
explosion. While we do not represent the workers at the Goodyear plant 
in Houston, where the explosion occurred on June 11, we have been 
active for many years in a variety of health and safety issues which 
relate to workers in facilities where chemicals are used, especially 
those with extremely hazardous materials. The ICWUC has supported 
strong and effective standards and laws to protect both our members and 
the public.
    Unions have a proud history of fighting for the right to a safe 
workplace and for the basic right for workers to return home after a 
day on the job as healthy as when they left. From workers who are 
concerned about their safety and health, to union negotiators seeking 
health and safety contract language, to unions investigating health 
hazards or testifying in support of legislation, we are actively 
involved in making our workplaces safer. It is therefore an honor for 
me to appear before you to address the safety and health of our members 
who work in chemical plants.
    As to my background, in the early 1980's, I investigated 
occupational health hazards for the National Institute for Occupational 
Safety and Health. In the mid-1980's, as the Director of Health and 
Safety for the Molders Union, I investigated a number of traumatic 
injuries and deaths and worked to get new standards on the well-
documented hazards of confined spaces and failure to lock out 
equipment. In 1988, I was hired by the Chemical Workers Union as the 
Director of their Training Center in Cincinnati, Ohio and in 2005, I 
was asked to also serve as the Director of Health and Safety for the 
union. I am testifying today in that capacity.
    UFCW chemical workers work in many different manufacturing 
industries including petroleum and coal products, fertilizers, 
pharmaceuticals, pesticides and other agricultural chemicals in 
smelters and refineries as well as natural gas distribution and power 
plants. Our members work with extremely hazardous substances and have a 
real interest in their facilities safe operation for their own health 
for their coworkers' health and for their communities' well-being.
    The manufacturing of chemical substances involves the handling of 
highly hazardous materials. The dangers of that work are well known to 
all workers involved. In a strange irony, the site of one of ICWUC's 
most tragic loss of lives was a Thiokol facility near Woodbine, 
Georgia, in 1971. This company started the original manufacturing of 
synthetic rubber like in the Goodyear plant. The Woodbine plant 
manufactured magnesium trip flares for the U.S. Army during the Vietnam 
War.
    On February 3, 1971, the Thiokol facility was evacuated after 
several small fires broke out inside the plant. These fires caused the 
flares to ignite and the plant was destroyed. Horribly, the evacuation 
distance was not sufficient and 27 workers were killed when the plant 
blew up.
    This accident served as a valuable tool in learning what must be 
done to protect workers--just as the recent Goodyear explosion 
hopefully will. We can and must learn from any event, large or small, 
or from near-misses. The Thiokol explosion led to a better 
understanding of the full danger of the materials in that plant and 
what a safe evacuation distance should be. Clearly, Goodyear management 
must also look into what needs to be corrected including better 
trainings and drills for proper evacuation. In addition, given the long 
delay of knowing what was happening with the workers inside the plant, 
Goodyear management must improve its methods for accounting for its 
entire workforce. We have expressed time and time again how important 
it is to mandate annual training for workers as well as other crucial 
changes needed to improve workers' safety.
    It is far too early to know what the full facts are from the 
Goodyear explosion--what the key failures were that lead to the 
explosion and most importantly what the root cause of the explosion 
was. But after a full analysis, there will likely be a root cause and 
that is where we can learn our most important lessons. From what little 
we know, the explosion took place in a reactor vessel, which was cooled 
by ammonia, a very dangerous substance by itself. In addition, the 
reactor handles a number of very hazardous and explosive chemicals. The 
dangers of these chemicals are also very significant and well known. 
After the explosion, a number of workers were hospitalized due to 
exposure to ammonia.
    In this synthetic rubber operation, as in others, the pressure 
vessels such as reactors, storage tanks and process vessels are 
protected from excess pressures by pressure relief systems. These 
systems consist of one or more relief valves that are pre-set to a 
certain level if an over-pressure situation occurs the valve will 
relieve the pressure until it again drops to the regulated amount. The 
problem with the relief systems at many facilities is that they relieve 
directly into the atmosphere. In the 1970's and 1980's, many States 
passed legislation that required the relief systems to relieve into an 
internal closed system. This system can be a recovery system, flare 
stack or some other way of not having the explosive or flammable vapors 
relieve to the atmosphere. Most of the legislation provided that the 
companies were not required to install the closed systems if it was not 
feasible. Companies could be exempted if they thought changing the 
system would be too expensive.
    I am very familiar with this type of failure. On July 19, 1990, a 
BASF facility in Cincinnati, where I live and a facility that my 
neighbor retired from, exploded. Two workers died, 17 others were 
seriously injured and there was extensive damage to houses in the 
neighborhood. I still remember driving down Dana Avenue and seeing the 
cracked foundations of people's houses. The analysis of that explosion 
pointed to a reactor vessel that over pressurized and blew a relief 
valve. These valves were designed historically to vent steam to the 
atmosphere, a significant heat hazard but not explosive. The releases 
we are talking about today however are very explosive substances. In 
Cincinnati, the fumes spread around the vessel, found an ignition 
source and exploded. Luckily, the hazard of the over-pressurized vessel 
was recognized, people were evacuated and a much worse disaster was 
averted. But again, there are lessons to learn from this explosion.
    Many, if not the majority, of these chemical facilities never 
installed the closed systems. The danger associated with this 
technology is that if there is a terrorist event that results in a fire 
and subsequent evacuation, reactions will go wild. When reactors build 
excessive pressure, their relief systems will vent to the atmosphere. 
Since many of these chemicals are heavier than air, they will drift to 
the ground and find an ignition source. As a result, more explosions 
will take place.
    Prior to the Goodyear plant opening in Houston, there was another 
Goodyear facility in Akron, Ohio that produced the same product. One of 
the main reasons for moving the production was the Houston plant had 
much larger reactors that could produce larger quantities of the 
product. Yet, the Akron facility, unlike the Houston facility, had 
relief systems that vented to a closed system such as a flare stack or 
recovery system. It is reported that the Texas facility's largest tank 
could release up to 18,500 pounds of ammonia in a single event 
endangering 35,000 people at a distance of up to 1.7 miles. The largest 
single event of 1,3-Butadiene, a powerful carcinogen and reproductive 
hazard, could release up to 1.1 million pounds endangering 4,300 
people. There is also a chronic risk to the community with releases of 
these chemicals.
    Clearly, this type of release that can affect thousands of people 
calls for safer technologies in these plants including chemical 
substitution and safer process systems. While the Houston plant has 
relief systems, it is likely to be an atmospheric relief system. Closed 
relief systems can mitigate an accidental event, terrorist activity or 
natural disaster. This Goodyear facility serves as a strong reminder of 
why vulnerability assessments of these facilities are required; why 
workers should be involved in those assessments; why annual drills 
should take place; and why workers need to be better trained.
    The Chemical Safety Board (CSB) is the Federal agency which is 
responsible for investigating incidents like that at the Goodyear 
facility. In the past, the CSB has issued excellent reports that get to 
the root cause of an incident and then publish recommendations for 
preventing future similar events. The CSB did in fact visit the 
Goodyear facility in Houston recently but did not have the funds to 
launch a full investigation. In Cincinnati this last weekend, a worker 
died from what looks like overexposure to hydrogen sulfide that was 
released when some chemicals reacted in a wastewater treatment 
facility. CSB had a team at the scene but does not have the funds to 
fully investigate.
    These national tragedies need to be fully investigated, the causes 
determined, reports written and then the results must be widely 
distributed. The CSB must have the resources to do its job. In 
addition, the Board must be able to research all individual releases, 
evaluate the generic problems and then offer solutions. There are CSB 
reports on nitrogen asphyxiation, chlorine release from large 
containers and combustible dust. If we are serious about protecting our 
Nation's chemical industry infrastructure, the question of the proper 
and improper use of relief valves should be a subject of a future CSB 
report.
    Reviewing what happened and learning from all accidents including 
the Goodyear explosion is crucial to protecting chemical workers. 
Besides accidents that can injure and kill workers, chemical plants can 
also become the targets for terrorists' attacks. Whether it is from a 
terrorist attack, accidents, or from natural disasters, the result 
threatens the safety of workers and surrounding communities. This 
vulnerability is well documented and has resulted in many important 
legislative discussions.
    Currently, the Department of Homeland Security (DHS) has addressed 
a National Risk Management Framework to protect our critical 
infrastructure and key national resources. This DHS Risk Management 
Framework identifies a number of key steps, one of which is 
``Implementing Protective Programs.'' Much of what the current CFATS 
regulations require in collecting Top Screen information and assigning 
facilities to tiers remains in place. What will be different is the 
implementation of these protective programs as well as what should be 
included in the programs. Crafting well-thought-out legislation and 
regulations is no easy task and we appreciate the subcommittee's 
efforts to draft legislation that will address the problems. As you 
know, the current DHS regulations expire in October, 2009. It is 
important that chemical workers and their management have as much time 
as possible to plan for any final rule. It is critical that we have the 
time to address our concerns and hope you will move legislation that 
will help us resolve these concerns.
    In order to improve the safety of chemical plants, it is crucial 
that we also concentrate on worker involvement in security plans, 
effective training requirements, strong whistleblower protection, 
strong OSHA standards and use of methods to reduce the consequences of 
a catastrophic release.
    A key element in enhancing chemical plant security is worker 
involvement and participation. Chemical workers know first-hand how a 
plant works, what chemicals are used, how those chemicals react to one 
another and any particular facilities' weaknesses. We know the exact 
location of hazardous materials and we know if our training is really 
effective. We also know if backup systems will work when the power goes 
out. We are responsible for off-loading and loading chemical railway 
cars and transferring them around the plants. It has long been known 
that workers have direct and current knowledge and experience of plant 
operations that is invaluable in solving site-specific problems. All 
these responsibilities make chemical workers the first line of defense 
and explain why we believe employee involvement in the drafting and 
implementation of a plant's chemical security plan is crucial. It is a 
vital national resource that workers' expertise--the same expertise 
that operates these plants everyday--be utilized. All plants should 
take heed of its workers' expertise and concerns--prior to an explosion 
occurring. Including chemical workers in this process will enhance 
facility security and protection.
    Proper and sufficient training is also crucial in protecting 
workers. My union has run training programs and collected data on how 
much training our members received in the last 12 months in ten 
specific areas. Since the primary OSHA training mandate, the Hazard 
Communication Standard, only requires training on initial assignment, 
the vast majority of workers have had no recent training in Engineering 
Controls, Air Monitoring, Decontamination, Toxic Effects, Emergency 
Response Procedures, OSHA Regulations, or Hazard Recognition (the 
actual percentage ranges from 69 to 89 percent with no training). About 
half of these workers did not receive ANY training in ANY of these 
areas. Although I do not know what kind of training the workers at 
Goodyear had, I do know that there is really no such thing as too much 
training. The Government and companies must increase the amount and 
type of training to all workers inside these plants.
    Let me add that to conduct effective training you need resources 
that can be easily understood. It is no coincidence that New Jersey, a 
State that has taken a strong interest in the security of their 
chemical plants, has devoted a considerable amount of time and effort 
over the last 30 years to write readable and valuable resources on 
these key issues. I have provided some of those fact sheets to the 
Chairwoman on substances we believe were involved in the Goodyear 
explosion including ammonia, 1,3-Butadiene and styrene.
    Another key element of improving the safety in plants must include 
a clear statement and defense of workers' jobs if they face 
disciplinary procedures for reporting any significant security 
weaknesses at their facility. Fear is a fact of life at all too many 
workplaces and jeopardizing one's job by blowing the whistle is a risky 
thing to do. Defending members' jobs is regrettably all too common a 
task unions are forced to do. Workers, who bravely come forward to 
protect themselves, their co-workers, and communities around the plant, 
should not fear losing their jobs when they speak out. Whistleblower 
protection is vital in assuring the free exchange of ideas, improves 
security and ensures that effective measures are actually implemented. 
Workers must have the ability to come forth and communicate program 
deficiencies without fear of retribution.
    Occupational Safety and Health Act (OSHA) standards are beyond the 
jurisdiction of this subcommittee but they serve as a useful model and 
one that needs to be considered. Many, but by no means all, hazardous 
chemicals are already part of the standards that have improved our 
facilities. There are also broad standards that apply to many 
workplaces that improve the ability to investigate health hazards and 
make further improvements. We have a relatively easy time getting 
Material Safety Data Sheets (MSDS) on substances our members are 
exposed to, thanks to OSHA's Hazard Communication Standard. I worked in 
a wire and cable factory before this law went into affect and we did 
NOT know the contents of containers or what the chemicals could do to 
us. This Communication Standard changed that and is an invaluable tool 
in health investigations. Recently, I left a message for a company's 
health and safety representative about our members getting sick working 
around a new product line. Within 2 days, I received the MSDS for the 
substances and an industrial hygiene report on a sampling that was 
done--all without ever talking to this staff person.
    It is also possible that lists of chemicals and threshold amounts 
from one standard can dovetail with another. One standard that probably 
applies at Goodyear is the Process Safety Management Standard (PSM), 29 
CFR 1910.119. If companies reach a threshold amount of these 
substances, this standard mandates investigation of their processes, 
clear operating procedures, regular inspections, process hazard 
analysis, procedures for contractors, pre-startup safety reviews, 
procedures for mechanical integrity, hot work permits, mandatory 
training, incident investigations, emergency planning, compliance 
audits and written procedures for any process changes. Ammonia is 
covered by this standard but from what I can tell, the raw materials, 
1,3-Butadiene and styrene are not.
    I do not know the PSM procedures in place at this Goodyear facility 
but nationally there needs to be inspections and investigations at 
chemical plants to make sure that this law is being followed and 
enforced. It is all well and good to have general recommendations and 
laws but far too often facilities only take note when a law is actually 
enforced. Unfortunately, laws mean little if everyone knows that they 
will never be enforced. Even in the best of our facilities there is 
always room for improvement. One facility that comes to my mind is 
actually trying to implement the right procedures but after careful 
review, I realized that all the drills were taking place on the first 
shift. This is probably because that is when the salaried employees 
work. Yet, this facility has three shifts and operates continuously. At 
the end of the day, only a fraction of the workers are being drilled 
for these types of events.
    There are many steps and measures that could and should be taken to 
improve chemical plant safety and security. Substituting less dangerous 
formulations, different size and better designed containers, or various 
engineering steps, can minimize the consequences of an accident or 
attack at a chemical plant. This safer technology can significantly 
reduce the risk of a catastrophic release of chemicals from intentional 
attacks or unintentional disasters. Although safer processes may not be 
feasible in all circumstances, either technologically or economically, 
safer solvents or formulations should be substituted for more dangerous 
ones. The quantities can be reduced, stronger containers can be used, 
vulnerable sections can be reinforced and maintenance schedules must be 
reviewed.
    It is invaluable to devote time and funds to develop technologies 
and practices to decrease threats, vulnerabilities, and consequences of 
any event. I recently toured a facility, located just outside a major 
urban area, which utilizes a significant amount of chlorine in its 
operation. In discussing the potential danger with management and the 
union representatives, they explained that they had analyzed ways to 
minimize the risk including using smaller containers. They concluded, 
rightly I think, that given the volume they use, that smaller 
containers would have to be changed out so frequently that the risk of 
releases would be that much greater by using the smaller containers. 
When I suggested that perhaps these large tank cars could be designed 
better to minimize the consequences of any failure, they agreed that 
might be a partial solution. Clearly, we must put on our thinking caps 
and consider every possibility to make these facilities safer.
    Although this subcommittee's mandate is the protection of our 
facilities from terrorist attack, I applaud the recognition that the 
measures that you are discussing will protect us not only from a 
terrorist attack but will also minimize a hazardous release from a 
natural disaster or so called ``accidents.'' The dangers we face in a 
chemical release come from a variety of directions, but these changes 
as outlined in my testimony will mitigate the consequences and risks of 
a release regardless of the cause of that release.
    Homeland Security Presidential Directive No. 8 on National 
Preparedness stated that we must ``strengthen the preparedness of the 
United States to prevent and respond to threatened or actual domestic 
terrorist attacks, major disasters, and other emergencies by requiring 
a national domestic all-hazards preparedness goal.'' Worksite measures 
and improvements will result in changes that go beyond a possible 
terrorist attack and will address a wider range of hazards as stated in 
this Directive. They will minimize the threat of not only attacks, but 
catastrophic events and releases which are a reality that chemical 
workers and the public living around plants experience frequently.
    The International Chemical Workers Union Council supports the work 
of this subcommittee to ensure the safety of our chemical workers, the 
communities around the facilities and all Americans. We strongly 
support legislation that has the protections embodied in H.R. 5577. 
There is no guarantee that any legislation will prevent tragedies like 
the one at Goodyear, the BP explosion in 2005 where 15 contractors 
died, the 27 who died at Thiokol in 1971, the hundreds who died in the 
1947 Texas City freighter fire and explosions, the Bhopal disaster that 
killed thousands, or a terrorist attack but the ICWUC believes it is 
necessary to make these changes in law and regulations. There is much 
work to be done to reduce risk and protect workers and communities. You 
have heard today of the real risks and you have the opportunity to take 
significant steps forward. On behalf of the ICWUC, I urge you to act 
now to protect America--to protect all workers and their families--by 
reducing the consequences of any release, be it intentional or 
unintentional.
    The ICWUC looks forward to working with every Member of this 
subcommittee and the House of Representatives to address this crucial 
problem. Again, I thank you for your time and would be pleased to 
answer any questions that you may have.

    Ms. Jackson Lee. Mr. Morawetz, I thank you for your 
testimony.
    I thank all the witnesses for their testimony. As you have 
been hearing a number of bells, I hope that by being here in 
the Capitol you realize that Members have been called to vote. 
I am going to now yield myself 5 minutes for questioning. I am 
going to start with Mr. McInnis, and then we will recess 
probably midway in the middle of the questions, Mr. McInnis. We 
ask the witnesses to in essence, Mr. Carafano, stand down. We 
will come back as quickly as possible to proceed with our 
questioning.
    This is an enormously important hearing, and we thank you 
gentlemen for your testimony. But I think, Mr. McInnis, you 
have crafted the overall and broad theme of this hearing. That 
is why it is so important for you and the other witnesses to be 
here. It is risk assessment and it is the ability to respond to 
that risk.
    This is an incident that occurred, and at this point of the 
investigation, we don't know, if you will, the genesis. We will 
not define this as a terrorist act. We make it very plain. But 
this committee has the responsibility of risk assessment for 
the Department of Homeland Security. It covers a number of 
ranges of parameters that may occur. We must protect against 
what might be.
    So you made a very important point, and I want to go back 
to that. That is the de facto search. That is the lunch meeting 
where lunch is ordered, meeting is gathered, and then a de 
facto search occurs by some humble soul asking, ``Where is 
Gloria?''
    I will ask Mr. Paczkowski the same question, having been 
present during 9/11. One of the major issues was the logistics 
of search and accounting for persons.
    So Mr. McInnis, would you please tell us I think what you 
wanted to, the line of command, or what you thought of in a 
situation of a de facto search, where a meeting was called, 
lunch was ordered, and all of a sudden someone said, ``Where is 
Gloria?''
    Mr. McInnis. Yes. There is a plan for that and an incident 
command set up. That is why I say they are short of personnel. 
You have a plan, I think all these plants have it, and all 
these people know. You have a supervisor in each area who has a 
responsibility for his people to keep count in an evacuation or 
any incident.
    Because of the lack of supervision to do this and lead, 
they don't have that. It is just everybody run for themselves.
    Ms. Jackson Lee. So there is no one, you are saying, that 
paused for a moment and counted one, two, three, four, five, 
six, seven, eight, and knew that all persons were out.
    Mr. McInnis. It is obvious they didn't, ma'am. One was 
still missing for 7 hours and they didn't know it. I hate to 
say it that way, but no, it doesn't work. They have no idea 
what they are doing. They haven't set it up. If they did, it 
would have been fine, but no. How do you think everybody felt 
in the family when we find out they were going to have lunch 
and go over what happened, and somebody says, ``Where is 
Gloria?'' You know? They don't know. They don't have any idea 
what is going on out there.
    I am sorry. I got expounded on that, and I forgot the 
second half of what you asked me.
    Ms. Jackson Lee. I will ask that question when I return, 
but what I was asking is, do you know if there is a plan where 
there is a chain of command that would have someone be 
responsible for all the persons and it is a known plan?
    Mr. McInnis. There was when I was there 12 years ago. They 
have cut the force so much, I don't know what the plan is, or 
do they have it in writing. I am sure they have it in writing, 
but can they implement it properly with the people they have? I 
am sure they have a plan.
    Ms. Jackson Lee. Let me, Mr. McInnis, we are now going to 
declare that the hearing is in recess. I have to go vote, along 
with other Members who have been in markup. We will return in 
short order.
    The hearing is now recessed to be convened in a very short 
moment.
    [Recess.]
    Ms. Jackson Lee. I call this meeting back to order.
    As we recessed, we were questioning Mr. McInnis. I am going 
to allow Mr. McInnis to give us any thoughts that he may 
desire, and then yield to the distinguished acting Ranking 
Member, who had a meeting and who is now here, for his 5 
minutes.
    I do want everyone to be aware of the enormous sacrifice 
that Mr. McInnis is making. I know that other witnesses 
certainly respect that. We respect their presence here. I 
frankly want to place on the record, Mr. McInnis, that you are 
doing a remarkable job, and we thank you because you are making 
a sacrifice. We appreciate it.
    So right now, I am going to yield to you. I don't want to 
gavel, but to allow you to finish your thought that you may 
have had as I was leaving. Then I am going to yield to Mr. 
Bilirakis.
    Mr. McInnis. Thank you very much.
    First off, I want to make a comment. The people at 
Goodyear, the employees who work there, these are not the 
guilty people. I think when I rant and rave, I may have said 
things, but it is not the people that work at that plant. It is 
the company that developed by the hierarchy of Goodyear itself 
to set this kind of operation in motion. They have to follow 
the procedures that Goodyear sets for them. So I just want to 
make that clear. The people and employees of Goodyear itself in 
that plant are not guilty of anything. It is the culture and 
the set-up by the hierarchy of Goodyear itself that created 
that situation.
    So thank you.
    Ms. Jackson Lee. Let me quickly ask Mr. Paczkowski in my 
time remaining, how important, upon reflection, is the 
knowledge and the acceptance of the responsibility of 
establishing a risk assessment on any number of infrastructures 
we have? What is the level of importance of having a logistical 
plan that provides for accountability or accounting of all 
those that would be under your command?
    Mr. Paczkowski. Well, Madam Chairwoman, I think that 
accountability of personnel, both before and after an incident, 
is extremely important. I had the unfortunate experience of 
living through both the 1993 bombing of the World Trade Center 
and the 2001, and I can tell you that one of the things we did 
in the emergency operations center was not only accountability 
of Port Authority personnel, but also everyone else who was 
either working in or visiting the World Trade Center complex on 
9/11.
    Of course, the tremendous amount of effort that went into 
accountability right after that event, we have established 
those as standard operating procedures in our emergency plans. 
The change of command that exists even pre-event doesn't stop 
post- of that, once the evacuation begins. Our supervisors are 
trained to make sure that they account for those persons. In 
every evacuation drill at our facilities, we practice personnel 
accountability, so it is extremely important in terms of the 
planning that we do.
    Ms. Jackson Lee. Let me thank you. We will have a second 
round.
    I now recognize the distinguished gentleman from Florida 
for 5 minutes.
    Mr. Bilirakis. Thank you, Madam Chairwoman. I appreciate 
it.
    Again, Mr. McInnis, thank you for appearing. I, too, would 
like to give you some time if you wanted to add anything else 
that you haven't already stated.
    Mr. McInnis. I would like to take this opportunity to the 
whole committee, but I also want to extend my thanks to Mr. 
Gene Green and Sheila Jackson Lee for helping me get my son 
back in a difficult situation from Iraq. We struggled with 
that. I had a lot of problems, and the kid sat on a tarmac for 
3 days not being able to get home. Through your efforts, he got 
home very quick, and I appreciate you all doing that very much. 
You don't know how much it means to the family. Thank you both, 
and the committee.
    Mr. Bilirakis. Mr. Carafano, you argue that resiliency is 
the right strategy for homeland security. Do you not believe 
that the Federal Government currently considers resiliency as 
part of risk management? How do you believe the Federal 
Government should focus on resiliency?
    Mr. Carafano. I think the problem is we never start--we 
used the term ``risk management'' from the beginning, but we 
also talked about protecting critical infrastructure. What has 
overwhelmingly kind of driven the train is really this notion 
of protecting critical infrastructure.
    Well, there are two problems with that. One is, protection 
is a strategy. Again, when you live in a society with an 
infinite number of vulnerabilities, it is much more cost-
effective to reduce threats than it is to try to eliminate 
vulnerabilities. The second notion is, the term ``critical'' 
quickly became politicized. Pretty soon, everybody wanted to be 
``critical.'' So we have an overwhelming abundance of critical 
infrastructure now.
    So in a sense what we have is a lack of focus. Again, I 
think it is largely not driven by DHS, which I think if left to 
their own devices would want to not just impose risk management 
philosophies, but to focus the resources on what is truly the 
responsibility of the Department, which is dealing with 
transnational terrorist threats and coordinating national 
response in the face of catastrophic disasters.
    Again, I think a big challenge here is to Congress. If you 
think about it, if Congress wants to be a player in risk 
management, it has to do business differently. It has 
Congressional Research Service. It can say this is the state of 
the debate. It has the CBO, and that can tell you this is what 
it is going to cost. And it has GAO, which can tell you this is 
how effective the processes are.
    What they don't really have is they don't have an 
investigative arm or an assessment arm themselves that assesses 
outcomes, that really looks at whether this makes sense. This 
is traditionally what is called operational research, which 
just doesn't look at the process itself, but looks at the 
outcome this produces.
    So once Congress has some kind of mechanism similar to, for 
example what the Government relies on, in terms of FFRDCs, 
federally funded research and development centers, like RAND 
and MITRE and these kinds of corporations, but until they have 
some kind of in-house capability to do risk assessments to both 
be a check on Government, and to do assessments of what is 
reasonable, Congress is just kind of taking a stab at what they 
think kind of sounds intuitively right. I think the record so 
far shows that Congress doesn't really get it very right very 
often.
    Mr. Bilirakis. Okay.
    Mr. Paczkowski, do you believe there should be a national 
standard for risk methodology that could be used at both the 
public and private levels? Who do you believe should be 
responsible for developing such a standard? Has any group in 
the private or academic arena attempted to develop such a 
standard?
    Mr. Paczkowski. Well, I think there is no one standard. I 
think that risk management is both a process and a profession. 
We are advancing improvements in process all the time, but we 
are not developing the professional infrastructure to make that 
happen. A piece of that is standardizing terminology, 
standardizing process, much in the same way like other 
professional disciplines would do in engineering or accounting.
    Where it should reside in the Federal Government, I am not 
really sure, except it should be in a position where it could 
influence the development of risk management across the 
interagency community, wherever that is best placed. 
Organizations like OMB come to mind, but I am not necessarily 
certain whether that is the right place or not.
    Certainly, I believe that risk management in the way we 
have talked about it is larger than the Department of Homeland 
Security alone, and it requires a kind of interagency 
perspective that I am not sure the Department alone can 
provide.
    Mr. Bilirakis. Thank you, Madam Chairwoman.
    Ms. Jackson Lee. I thank the gentleman.
    We will now begin a second round.
    Let me ask Mr. Morawetz, your testimony was very moving. As 
you well know, we have authored in this committee the chemical 
security bill, H.R. 5577, that really is applicable to any 
incident that occurs in the course of a chemical plant's 
responsibility to its employees and also to the issues of 
safety and security.
    For example, the bill, H.R. 5577, which we are looking to 
move as quickly as we can in light of the dual jurisdiction 
that occurs, has a provision, the role of employees in 
vulnerability assessments and site security plans, which means 
these are overlapping responsibilities, that if you secure a 
plant for the potential of a security risk, it also I think 
spills over, if you will, into securing the plant for it to be 
safe.
    You have mentioned several incidents, which I would like 
you to go forward and use, the present state of affairs as 
possibly contributing to companies not having risk assessment 
plans, processes for accounting for employees, certainly safe 
handling of chemicals, which we found lacking.
    If you would answer that question, then would you explore 
the point you made about the Chemical Safety Board not having 
enough funds to investigate, which I frankly believe is an 
appalling, outrageous posture and position to have heard in a 
hearing room in the U.S. Congress of a committee that deals 
with homeland security.
    So if you would, Mr. Morawetz, approach those two questions 
for us.
    Mr. Morawetz. Let me start with the second one. From what I 
know, and I am not an expert on the Chemical Safety Board, is 
they are a relatively new Federal agency. They are modeled 
after the FAA. When there is an accident, they go investigate 
it. I think that that is a good role model and one that is 
deserving, but it is interesting that it is recent. There 
wasn't such a body before 10 years ago.
    They are relatively small. They have a budget of I believe 
about $9 million. They have a small staff of 40 employees. As 
much as I would like them to investigate this incident, I hope 
it is not at the sacrifice of another town in another part of 
the country which can't get an investigation. For instance, in 
my written testimony, I think it was there, in Cincinnati last 
weekend we had an employee die in a wastewater treatment 
facility from hydrogen sulfide exposure. I believe again that 
the Chemical Safety Board was going to go, but I am not sure 
whether they can investigate it.
    That dovetails for me into more these generic problems. It 
is not the only wastewater treatment facility. Goodyear in 
Houston isn't the only synthetic rubber facility. CSB has done 
these generic reports which I think are very valuable. The 
recommendations they make can apply to a number of facilities, 
and as I said, the relief valve. So that is what I know about 
the Chemical Safety Board.
    Ms. Jackson Lee. It is funded, I think for the record, it 
is a federally funded entity?
    Mr. Morawetz. Yes. It is a Federal agency.
    Ms. Jackson Lee. So when you speak of funding, I just want 
to make sure the record is clear, you are suggesting that there 
has been a short-changing or a difficulty in funding the 
agency.
    Mr. Morawetz. I don't think they have enough funds. I would 
defer to other people. You probably know much more about the 
Federal budget and how that works. But it is relatively small 
and has a relatively small amount of a budget.
    Ms. Jackson Lee. Well, you can feel perfectly free to 
suggest, if that is what you believe, that there is not enough 
funding. Yes, we do have to make budget decisions, but we also 
have to make risk assessment decisions, and we have to 
prioritize decisions. So is your testimony that you would 
believe that there needs to be more funding for the Chemical 
Safety Board?
    Mr. Morawetz. Yes, that is correct.
    Ms. Jackson Lee. And that there is a greater need than what 
is imagined with a budget that may be $9 million, maybe a 
little bit more, and with 40 employees?
    Mr. Morawetz. Yes, that is correct.
    Ms. Jackson Lee. You may continue.
    Mr. Morawetz. The other one, you raised some points about 
homeland security, H.R. 5577, which I am familiar with, but 
also what comes to mind is the Goodyear situation. It is very 
interesting having this hearing because when I look at risk 
management in the context of this committee, it is one answer. 
When I look at risk management as I do for these facilities, 
all of them, what comes to mind to me, and it is part of my 
testimony, is that, wait, what we really need is enforcement of 
the standards that are in existence.
    If those standards were enforced better, I think there 
would be a bottom level that would be more protective for a lot 
of facilities, that then we would have to undoubtedly do more 
on for terrorist threats and other threats. But without that 
bottom line, that basic level of protection, we are in a very 
difficult situation. I don't want to just think about the 
terrorist threat, and then those facilities for instance with 
the current CFAS rules that don't have the threshold, fall 
through.
    Ms. Jackson Lee. Do you think that threshold is the 
responsibility of the Federal Government, whether it be the 
Department of Homeland Security or another agency, to establish 
a baseline of risk or a baseline of what is necessary to 
protect critical infrastructure that may be subject to 
incidents like Goodyear and what you have mentioned, and 
obviously, unfortunately some untoward action that may be 
premeditated?
    Mr. Morawetz. In general, I support the CFAS regulations, 
that idea of a threshold amount. I do equally support the idea 
of the process safety management threshold amounts. What also 
comes to mind are other standards like hazard communications in 
my field that do not have a threshold amount. If you have that 
chemical, if you work around ammonia, butadiene and styrene, 
you have a right to know what the hazards of those chemicals 
are. You have a right to get trained in it. You have a right to 
get access to the material safety data sheet.
    So sometimes you might not need a threshold. For our 
purposes, risk management I think you do need a threshold 
amount. I do not believe, as we have actually put in writing to 
the Department of Homeland Security, in the original appendix 
say that it had any amount. We thought that was going too far.
    Ms. Jackson Lee. Without knowing all the facts that Mr. 
McInnis has spoken of, but you heard him speak to the facts as 
he knows them: Do you believe a basic level of risk analysis, 
risk assessment, risk planning, proactive planning, training 
and accountability would have been helpful in the Goodyear 
incident?
    Mr. Morawetz. I hesitate to go very far there, but just to 
say that something clearly went wrong. My guess is that that 
will be identified in the investigation, especially with the 
hearing that you have here today, but I don't know what that 
is.
    Ms. Jackson Lee. Well, simply, do you believe that 
something went awry to not be able to account for all 
employees?
    Mr. Morawetz. That is certainly, and I think Mr. McInnis's 
testimony is very clear. You should have that procedure in 
place. If an incident happens, you should have a check-off 
procedure. Clearly, the situation went much too long without an 
adequate procedure to account for all employees.
    Ms. Jackson Lee. Would you make the argument, or at least 
make the suggestion, that in plants that deal with chemical 
elements, that such a plan and also a risk plan is very 
important?
    Mr. Morawetz. Yes.
    Ms. Jackson Lee. Mr. Carafano, are you aware, or can you 
help us describe for the committee any Federal department that 
you may be aware of--agency or office--that has created an 
effective risk management framework? You gave us three points. 
Do you have any knowledge of that?
    Mr. Carafano. Well, risk management is increasingly 
proliferating throughout the Federal Government. In the Army, I 
was actually taught risk management as a young officer. We did 
convoy operations and in all our military operations, we were 
actually given a matrix that explained how to asses risk and 
how to reduce risk. This was in the early 1980's. So it is not 
as if there aren't risk processes going on in various parts of 
the Federal Government.
    The point is two things. I totally agree with the comment 
that the professionalization of risk management as a business 
practice in the United States is absolutely important, not just 
from a disaster preparedness perspective, but from a resiliency 
and from a sound business practice and business continuity 
perspective. So it is vitally important that we do that.
    But I think the approach that we have to take is this is a 
new competency that we have become aware of actually as we have 
basically developed analytical tools and the ability to do this 
in a very kind of sophisticated way. It has to be ingrained 
throughout the professional development of our entire workforce 
in the Federal Government and in the private sector.
    So this is kind of a ``bigger than a breadbox'' problem. It 
is not a point of creating risk offices and risk managers in 
agencies. It is about taking risk management skills, in 
coordination with having a professional risk management force, 
but in ingraining basic risk management methodologies in 
professionals and managers and leaders throughout the Federal 
Government and the private sector.
    Ms. Jackson Lee. Let me, Mr. Paczkowski--your experience, I 
think, framed as you have given it in your testimony, can be 
very instructive for how we communicate locally, and when I say 
that, take what local entities unfortunately have done through 
tragedies that have been experienced, and begin to question or 
help frame how we do this at the Department of Homeland 
Security.
    So tell us again how effective a risk management program 
that has been implemented at the Port Authority really is, 
whether or not it has grown in light of 1993 and 9/11, and to 
suggest whether you can do so with the backdrop of no further 
acts to date, but how has it mitigated, if you will, the risks 
that might come about because of where the Port Authority is 
and what it represents to those who might wish to do it harm.
    Mr. Paczkowski. I will echo Mr. Carafano's remarks about 
individual corporations and folks in the private sector, but 
also in the private sector agencies, taking responsibility for 
risk mitigation. I think it is very important. We did that at 
the Port Authority. We saw it as a responsibility of our agency 
regardless of what was done by others. We certainly began very 
early after 9/11 to understand the magnitude of what we were 
dealing with, and that risk management was the only approach we 
could take.
    We have ingrained that process into our ongoing planning 
and budgeting cycle now. It is part of our education in 
management to really think in terms of risk mitigation. In 
fact, I will be in discussions later this week about an 
enterprise-wide risk management program to look at all kinds of 
corporate risk, not just those in terms of security or all 
hazards.
    Ms. Jackson Lee. Did you say ``enterprise-wide''?
    Mr. Paczkowski. Enterprise-wide risk management. That is a 
practice that is common in----
    Ms. Jackson Lee. So you will be involved with the private 
sector?
    Mr. Paczkowski. Absolutely. In fact, as we move forward 
with our all-hazard risk assessment, one of the things that is 
essential for the Port Authority is our ports and our airports 
do not operate without our private sector partners. We have a 
very small professional cadre of public sector folks at those 
facilities.
    Involvement of the private sector in assessing risks to 
those operations at those facilities is absolutely critical. 
How we do that, how we introduce them to the process, and how 
we make them partners is certainly something we are going to be 
cutting our teeth on in the next couple of years, but we see it 
as absolutely essential.
    That partnership extends not only at the local level, but 
all the way up to the national level. DHS has done a lot in the 
national infrastructure protection plan to create a sector 
partnership model. We need to work across industry sectors to 
help coordinate risk management, and in the way that those 
sectors take responsibility for the security of their 
operations. I think DHS can facilitate that process much in the 
way it is done in the rest of critical infrastructure 
protection policy.
    Ms. Jackson Lee. Has the Department of Homeland Security 
looked closely at some of the aspects of what has been done in 
the private sector and utilized those? Can they do it more 
effectively?
    Mr. Paczkowski. I think they could do it much more 
effectively, to be honest with you. Being what I often refer to 
as the 9/11 agency and having spent so much effort on risk 
assessment, I have been rather surprised by the lack of 
attention we have gotten from DHS. We spend more time, frankly, 
with GAO in discussing our approaches to risk management.
    I think that there are good models out there, not only in 
the public sector like the Port Authority, but also in the 
private sector about security risk that could very well be 
instructive to DHS as it advances this program.
    Ms. Jackson Lee. So we need to try to push that 
collaboration between DHS and the private sector?
    Mr. Paczkowski. Yes, ma'am.
    Ms. Jackson Lee. Let me reserve for a moment, and yield to 
Mr. Bilirakis for a second round.
    Mr. Bilirakis. Thank you, Madam Chairwoman. I have a couple 
of questions.
    Mr. Morawetz, in my opinion, much of your testimony is 
outside of the scope of this hearing, and many of the policy 
issues you raise are under the jurisdiction of other 
congressional committees. Explain how do safety incidents that 
you describe and discuss in your written testimony relate to 
developing a risk management framework in homeland security? 
Are these lessons that you believe policymakers can learn from 
these incidents that you describe, that will help in the 
formulation of risk-based methodologies in homeland security? 
If so, what are they?
    Mr. Morawetz. It is a good question, but one that is a 
little bit difficult to answer. Let me take a step backward, 
though, and this is in my written testimony, and mention one of 
the homeland security Presidential directives, No. 8, which 
mentions specifically an all-hazard approach that I know some 
of the other members of the panel here are familiar with, that 
homeland security should look at all hazards, should look at 
terrorist threat as well as disasters such as Katrina or the 
flooding--I was in Cedar Rapids last week actually--or these 
disasters.
    Maybe I got it wrong, but it seemed to me that this hearing 
clearly was part of it, and it was a question of the Goodyear 
explosion. I like to look at the field as holistically as how 
do we protect the infrastructure from all the hazards. The 
other way to look at it is I think that the very measures that 
you have put in proposed legislation, and some of the actions 
in the existing rules and regulations at DHS, of CFAS, I think 
can be protective of the infrastructure, whether it is a 
terrorist attack or whether it is a natural disaster.
    I think there are things that you can put in place to 
minimize the effects so no matter why an incident happens--and 
let's take Goodyear--that you can account for all employees. 
That would be helpful whether it is a terrorist attack on a 
chemical plant or whether it is the Goodyear explosion or 
whether it is a facility that a tornado hits through Oklahoma.
    In terms of jurisdiction of this committee, I would defer 
to the committee. I am not an expert on that.
    Mr. Bilirakis. Thank you, Madam Chairwoman.
    Thank you, sir.
    Ms. Jackson Lee. I just have a couple more questions. I 
thank you, gentlemen, and I thank the acting Ranking Member, 
Mr. Bilirakis, for both his contributions and his interest, and 
I look forward to collaborating with him on a number of 
important issues that we have discovered in this hearing. Thank 
you very much, Mr. Bilirakis.
    I have a few more questions. I want to pursue your answer, 
Mr. Morawetz, because I think it gets somewhat muddy between 
safety and the word ``security.'' I think the best way this 
Congress can function is to recognize that they are two very 
valid terms that overlap, frankly. A safe facility may be 
prepared for the worst, because it has all of the four corners 
of being prepared in place.
    So let me ask you, with your experience, which reflects 
very importantly on security issues, can you assess how safe 
America's chemical plants currently are? An unsafe plant, 
obviously--and this is my interpretation--certainly is a great 
conspicuous target for terrorists. You also have the concern of 
chemical plants being launched, located in neighborhoods, 
usually residential communities are nearby.
    So I would appreciate it if you would assess how safe you 
believe America's chemical plants currently are, and I would 
like you to assess whether or not you think the private sector 
is doing everything it can to mitigate the risk, whether it 
comes in the form of an unsafe incident or they come in the 
form of something premeditated.
    Mr. Morawetz.
    Mr. Morawetz. It is a good question, but not that easy to 
answer. I don't believe in painting with this huge paint brush 
that says this is where we are, or that we can judge it easily 
on a scale from one to ten.
    From the facilities that I have been to, on the initial 
look at guns and gates, I think that the facilities are really, 
the ones I have seen are doing a pretty good job. I think they 
are looking at them. They are seeing room for improvements. I 
just talked to a local this week in preparation of coming that 
talked about gates that they were improving, the spaces, gates 
under railway lines, and an interesting one where at some gates 
that they would stop somebody and remotely let them in, but 
they realized that a car could easily hide behind the truck, 
and so they wanted to get double gates.
    So there is room for improvement. I talked to a member, he 
said everything is going very well, but I pushed him a little 
bit further, and they do a lot of drills. They do a couple a 
year, far beyond what the mandates of any regulation is now or 
even proposed. But I asked him further, well, what about all 
the shifts? It turns out since salary, of course, is mainly on 
first shift, the drills were only on first shift. I think that 
is a point he will bring back to management, and I think it is 
a process back and forth.
    So my impression is of the facilities I have seen is that 
they are somewhat secure. Does that mean that all the 
procedures are in place that can minimize the risk? I am not 
sure. I would say that clearly from my example there is room 
for improvement, but it is hard otherwise to paint the broad 
brush.
    Ms. Jackson Lee. Would you just, if you will, philosophize 
or stretch your analysis that a safe plant would also have 
procedures in place that would be equally responsive in light 
of a potential terrorist attack? If a plant had risk procedures 
in place, accountability, accounting, evacuation procedures in 
place, that would translate potentially if the incident was 
provoked by an accident or provoked by something premeditated?
    Mr. Morawetz. I think that is exactly correct.
    Let me just add one other point, beyond my direct 
experience, you mentioned before the Chemical Safety Board. 
There still are these accidents. There still are these 
investigations. It is not just Goodyear that happened or 
hydrogen sulfide in Cincinnati. These incidents do happen.
    So the question is, is it just that they are going to 
happen? Or are there steps that we can take reasonably to 
protect them?
    Ms. Jackson Lee. Mr. McInnis, you have served in this 
industry for some I believe 38 years. Is that accurate?
    Mr. McInnis. Yes, ma'am.
    Ms. Jackson Lee. Certainly, your service pre-dates the 
horrific tragedy of 9/11, meaning that you started working 
before we had an idea of terrorist attacks in the United 
States. Is that right?
    Mr. McInnis. Yes, ma'am.
    Ms. Jackson Lee. This is an appropriate moment to thank 
your son for his service in Iraq. We thank the sergeant very 
much, and we honor him, and we offer our sympathy to him and 
other family members. But I am glad you recounted the story of 
how hard it was for him to get back and how he needed to get 
back for is mom. It was our honor and pleasure, I know.
    Mr. McInnis. He thanks you both very, very much. I am 
relaying that message from his heart and mine, the family.
    Ms. Jackson Lee. We are honored with his service.
    So let me just go back to having been in this business for 
38 years. Can you tell us how worker security and safety has 
changed since you started telling about training and staff cuts 
and things that might have impacted? What do you see are the 
missing elements? What is missing in what you have seen since 
you came into the plant?
    Mr. McInnis. Well, in the past every facility that had 
manpower in it had a supervisor, which I say would be the 
leader in charge. The day shift had a lot more supervision. 
They had more personnel, and the fire department was fully 
loaded. Everything was proper. They had a procedure. I don't 
think we had too much. It was small drills, little fires, and 
everything went smooth.
    But in the past 14 years, I would say, before I started to 
leave, this was Goodyear's goal to cut everything. They used 
this threat for contracts. They were going to do away with jobs 
or they were going to shut the plant down. So the people who 
needed a job took these cutbacks in wages and jobs so they 
could have a job to support their families. They would sign 
these.
    Take for instance the fire department. I will tell you how 
it is staffed now. Before, it was staffed 24 hours a day. Now, 
they have two to three firemen per se each day, and the 
backshift, which is anything after 3 o'clock, they have none, 
they have nobody. Then because of the cuts you go to the EMS or 
emergency response teams, there is no set pattern on those. You 
may run across a shift that may have eight individuals working 
in the medical, and another shift may only have one or none.
    So what I am saying is now, with just a shift foreman 
himself running the plant on backshift, he is by himself. So if 
he had a disaster by himself, it would be worse than what 
happened 2 weeks ago.
    Ms. Jackson Lee. Did you make the point that your wife, who 
was also a dedicated employee, was in essence stretching 
herself helping out somewhere else where it seems that you said 
she didn't have to be there, but she was helping out. Could you 
explain that?
    Mr. McInnis. Yes, ma'am. Like I said, we discussed that 
many times, and that was one of the things we talked about, 
that she would come home exhausted because her job was in one 
end of that plant, and they would call her or she would 
volunteer to go up. I spent many a day talking to her on the 
phone, and I would hear them calling and saying, ``Can you come 
help us?'' They don't have the personnel.
    The supervision has been cut to a bare minimum, and that is 
why she went to those areas. She didn't have to go. What I am 
saying is these cuts by the company has caused--you know what I 
am talking about. It just caused this incident itself because 
she wouldn't normally be there.
    Ms. Jackson Lee. So the worksite where she normally works, 
was that impacted by the incident? Or would she have been in a 
safe area or been able to evacuate? Do you know?
    Mr. McInnis. I am sorry, ma'am. I missed the first part.
    Ms. Jackson Lee. The area where she traditionally worked, 
where she had to leave and go to that part of the plant, would 
she have been away from the incident if she had been where she 
traditionally worked?
    Mr. McInnis. Yes, ma'am. There is another plant between 
where this explosion occurred and where she worked. So there 
was a whole other plant between that situation where her job 
really was.
    Ms. Jackson Lee. Thank you, Mr. McInnis.
    Dr. Carafano, in your testimony you mentioned that it is 
not necessary for issues pertaining to pandemics or energy 
supplies to be elevated to national security status. Can you 
please elaborate on this? How should the Government then 
address these issues?
    Mr. Carafano. Yes, ma'am. The problem with labeling things 
as national security issues is that automatically does two 
things. When you say something is a national security issue, it 
means that we intend to invest our Federal authorities with 
enormous power and responsibility. The preamble of the 
Constitution says that providing for the common defense is 
fundamentally the Government's job.
    So when you do that, you have a tendency to over-
Federalize, over-centralize and make Government very intrusive 
in your life. So we do that for basically threats of other 
malicious actors, whether they are state or non-state actors, 
threatening the United States. It doesn't mean there aren't 
other problems and they don't rise to the level of national 
importance, but when you start to call them national security 
issues, you are in a sense ceding all kinds of authority to the 
Federal power, and I think we want to be very cautious about 
doing that under any circumstances.
    The second thing is when you call something a national 
security problem, the tendency is to look for a national 
security solution, so the tendency is to default to national 
security instruments such as the military or such as, again, 
having DHS do this. So I think we should be very cautious in 
what we call a national security issue. In my mind, the only 
thing that rises to the level of a national security issue is a 
state or non-state external threat who is threatening the 
stability and the coherence of the Nation. Other issues are 
national issues which we should certainly address, and they can 
be national issues and national priorities, but we shouldn't 
call them national security issues.
    If I could just follow up very quickly, I just wanted to go 
back to the excellent point that you made, and I think a point 
that we all should account for, and that is what is the most 
effective way to instill risk assessment in the private sector 
and the public sector. You brought up a really excellent point 
about employee involvement in disaster planning and business 
continuity.
    The data on this is absolutely really clear. There is a 
tremendous researcher up in New York, Roz Lasker, who has done 
a lot of work on this. She has compared emergency planning for 
communities where it is done by professionals, and then where 
it is done with the input of people in the community. The 
answer is exactly the same in the workplace. When the people in 
the workplace participate in the planning, No. 1, you get much 
better buy-in because they are part of the planning process; 
and No. 2, you get much, much better plans.
    So emergency and disaster planning which integrally 
includes the workforce and the people in the planning process 
is infinitely better and stronger. We know that. The data 
suggests that. So how do we get people to start doing this? I 
go back to the point I made before about the SAFETY Act. For 
example, one of the things you can do under the SAFETY Act is 
you can give SAFETY Act protections to risk management 
processing, management and planning.
    So for example, a good company that has a good risk 
management product, they would include in that risk management 
assessment, did you bring the workforce into making that plan? 
Then a company that would use that risk management, that got 
SAFETY Act protection, you know, a company might be 
incentivized to use that risk management process and to 
integrate it into their business practices and a business 
continuity plan. Then you get a stronger, better plan for that.
    So I do think we need to look at things like the SAFETY 
Act, where we can really incentivize people to adapt best 
practices, which are in the end going to save lives, prevent 
tragedies like this from happening, allow businesses to operate 
better and more efficiently, and be more resilient in the face 
of disasters.
    Ms. Jackson Lee. Well, let me say, I appreciate the 
importance of both my question and your answer, which is that 
we need collaboration. We need to be able to focus on ensuring 
that the private sector is in tune with risk assessment and 
risk management.
    But let me tell you why we need to be sensitive to the 
question of national security. I don't believe that the 
solution to national security is always the military, but I 
would like to think that it is preparedness and that it has 
some home in the Department of Homeland Security. My example is 
such. Prior to 9/11, our focus was not on the vulnerability per 
se of tall skyscrapers. We admired them. We toured them. We 
didn't have much of a focus on them.
    In fact, as my recollection serves me, the towers built in 
the 1970's had a different approach in terms of how they were 
structured. They thought they were meeting the test of what 
could happen. They could not predict or did not predict a 
forceful missile coming in with how many tons of fuel. So in 
essence, entities have now come under the umbrella of national 
security, i.e. airports, because we have been awakened to the 
possibility of a national security through airports and 
airplanes.
    So I think we cannot limit our thinking in that. I will 
give you a chance to answer it, but I am going to go to Mr. 
Paczkowski. Do you see where I am going on that? I think you 
have lived in the World Trade Towers, or you really know them. 
Doesn't our risk assessment, and particularly from local 
governments and local entities, have to take into consideration 
the risk, if you will, of non-threatening entities becoming 
unfortunately a tool of terrorism? Do we have to take that into 
account in our preparedness and our risk assessments?
    Mr. Paczkowski. I think we have become a lot smarter, that 
we need to take a more holistic look at a full range of 
threats. I think when we think about risk assessment, and I 
agree with Mr. Carafano that a lot of the dialog has been on 
mitigating a vulnerability. We have focused an awful lot of 
attention on the very moment we think someone is going to show 
up with a bomb at our facility, and not enough attention on all 
the things that might in fact prevent that from happening, so 
focus on prevention, and also building into in particular our 
infrastructure and our key resources the kind of ability to 
withstand an impact over the long term, the resilience that we 
need to build into our systems.
    Ms. Jackson Lee. But don't we need to look at ports and 
airports and trains with a different eye than we previously 
look at them?
    Mr. Paczkowski. Absolutely. I mean, if you were to ask 
questions of the Port Authority in 1990, let's say, you know, 
you would get a very different answer than you would get today. 
We certainly do feel that we are on the frontlines, if you 
will, of this security challenge.
    Ms. Jackson Lee. Let me ask Mr. Morawetz just a question 
about helping employees to be part of the safety. Is it helpful 
that employers give to employees both risk assessment plans, 
but also records of previous incidents? You may be a new 
employee or you may be a longstanding employee, but you have 
the ability to access those records.
    Mr. Morawetz. Well, in terms of incidents, there is the 
OSHA log, so certainly any serious injury or fatalities would 
be part of the OSHA log that is posted and the union has a 
right to it.
    Ms. Jackson Lee. But this would be incidents that may not 
have resulted in injury, but it occurred. Should employees have 
the ability to have access to that?
    Mr. Morawetz. I think they should, and I think that that 
can be invaluable information as part of the communication back 
and forth, as Dr. Carafano said. Two things happen. No. 1, you 
get additional information from a wide variety of people who 
work at an institutional workplace, but No. 2, you get the buy-
in, you get the ownership. So I think people will then 
implement the plan.
    Ms. Jackson Lee. You may get ideas on how you can avoid it.
    Mr. Morawetz. Yes.
    Ms. Jackson Lee. What about whistleblower protection for 
employees?
    Mr. Morawetz. I think that is a fact of life, that people 
feel scared on the job. It was part of my testimony, and I 
think that having whistleblower protection is important. It may 
never be used, but in an instance where people need it, it 
should be in place.
    Ms. Jackson Lee. I hope that that translates to making, in 
your opinion, a safer plant.
    Mr. Morawetz. Yes, it does, because the information won't 
come forward. If the information or weakness doesn't come 
forward, then the weakness may not be seen and won't be 
corrected.
    Ms. Jackson Lee. Dr. Carafano--we call you ``doctor,'' and 
I see ``mister.'' I want to correct the record.
    Mr. Carafano. [OFF MIKE]
    [Laughter.]
    Ms. Jackson Lee. And humor. Are you a doctor?
    Mr. Carafano. I am a doctor.
    Ms. Jackson Lee. All right. We will correct the record. It 
is Dr. Carafano.
    Did you want to comment briefly? I am going to let Mr. 
McInnis have the last word.
    Mr. Carafano. Thank you, Madam Chairwoman.
    You know, you made an absolutely excellent and critical 
point. Before 9/11, we grossly underestimated vulnerabilities 
in this country. That is true. The point is, we also grossly 
underestimated threats, and we also grossly underestimated 
criticality. If you want to walk the walk of risk assessment, 
you have to have a holistic discussion that balances all three.
    Today, we focused on a lot of really valuable issues, but 
we virtually only talked about mitigation and vulnerabilities. 
We really didn't have a discussion about criticality and about 
threat reduction. You have to combine all three of those if you 
really want to do serious risk assessments.
    Ms. Jackson Lee. My answer to that, Dr. Carafano, is the 
first panel. That is what we were proposing to the Department 
of Homeland Security. That is their responsibility. That is the 
necessity of a chief risk officer. That is a need for getting a 
baseline and for quarterly meetings, for giving us their 
minutes, to get where you need us to be.
    We had to highlight what happens, unfortunately. Mr. 
Paczkowski is an example of what happens when we were, in 
essence, not informed. I will put quotes around ``asleep at the 
wheel'' because I know there are many hard-working people in a 
certain instance. So your testimony and what you have just 
allowed us to understand is a guidepost for what we believe the 
Department of Homeland Security must do to impact on our plants 
as it relates in all instances security, but we have to also 
overlap on safety, because any vulnerability projects us into 
the 21st century for what we know can happen as it relates to 
terrorism.
    So you are very right and you have just posed the questions 
that we are demanding of the Department of Homeland Security as 
evidenced by my earlier questions to that panel. We do thank 
you.
    Mr. McInnis, I will pose the last question to you. I am 
giving you the last word, inasmuch as you have come in this 
time of need and also a time of concern.
    How much concern should we have? You are an experienced 
plant worker. You are not all over America, but how much 
concern should we have for the plants in America if the trend 
that you have discussed, the losing supervisors and losing 
employees and lack of training prevails? How much concern 
should this committee have?
    Mr. McInnis. Ma'am, there should be plenty for the simple 
reason, as I mentioned earlier, all these things are slid by. I 
sat back and watched years ago when OSHA would come by with a 
small slap on the wrist. It is posted and everybody knows it. 
But these things don't bother people.
    Getting to the accidents happening, and security as far as 
that goes: If you are cutting the personnel, you are cutting 
your own throat. You have these people sitting up there in 
Akron, as I said, making these changes, and these poor 
individuals down here happen to work under those conditions. It 
affects the safety and security of the plant.
    Like I mentioned, the fire department, the EMS or emergency 
response teams, and the security is--I know we don't have time, 
ma'am. I can go over issues of those things that happened over 
the years that I personally tried to change myself. But there 
again, it comes from up above what goes on.
    My thought on this particularly, and I thought about this 
today, Enron goes to jail for fraud of the people. What happens 
when somebody is killed in a plant because of unsafe conditions 
and everything? What happens to them? I think these people need 
to go to jail. Forget the fines. Let's put them in jail and see 
if this will change their philosophy as opposed to wanting 
greed and wanting money. It might slow them down and do the 
right thing.
    Ms. Jackson Lee. Well, Mr. McInnis, you may have just made 
yourself a consultant to this committee as we go forward for 
the many issues that you know about. I think all the witnesses 
have made this hearing a good first start, or a continuing of 
what we are trying to achieve in the Department of Homeland 
Security, which is the understanding of risk assessment, risk 
management, and the roadmap that we need to take, Mr. 
Paczkowski, to make your job easier and to create that 
collaboration that you have spoken of, and certainly for Dr. 
Carafano to ensure that we do reach those aspects that you 
mentioned, and to Mr. Morawetz, that we have the kind of plant 
system across America that is befitting of this 21st century 
Nation.
    I thank all of the witnesses for their testimony. If you 
would just wait a moment so that I can get the appropriate 
language into the record for my committee Members. I want to 
thank the witnesses for their valuable testimony and the 
Members for their questions. The Members of the subcommittee 
may have additional questions for the witnesses. We would 
appreciate it if you would answer them expeditiously, and we 
ask that they come both expeditiously and in writing.
    Hearing no further business, the subcommittee stands 
adjourned.
    [Whereupon, at 5:33 p.m., the subcommittee was adjourned.]

                                 
