05/09/12 EMForum.org Transcript: Threat and Hazard Identification and Risk Assessment (THIRA)

EM Forum Presentation — May 09, 2012

Threat and Hazard Identification and Risk Assessment (THIRA)

Donald M. Lumpkins, Esq.
Executive Director, PPD-8 Program Executive Office
Branch Chief, National Planning Coordination and Assistance
National Preparedness Directorate, FEMA/DHS

Amy Sebring
EIIP Moderator

This transcript contains references to slides which can be downloaded from http://www.emforum.org/vforum/FEMA/THIRA.pdf
A video recording of the live session is available at http://www.emforum.org/pub/eiip/lm120509.wmv
An audio podcast is available at http://www.emforum.org/pub/eiip/lm120509.mp3

[Welcome / Introduction]

Amy Sebring: Good morning/afternoon everyone and welcome to EMForum.org. We are very glad you could join us today. I am Amy Sebring and will serve as your Moderator.

Today’s topic is the recently published Threat and Hazard Identification and Risk Assessment (THIRA) Guide, CPG 201. This is one of the major components for implementing Presidential Policy Directive 8, also known as PPD-8, that we featured during this past January. There are several related links posted on today’s Background Page.

[Slide 1]

Now it is my pleasure to welcome back Donald "Doc" Lumpkins. Doc Lumpkins established the Program Executive Office charged with coordinating the implementation of Presidential Policy Directive / PPD-8 on National Preparedness, and currently serves as its Executive Director. He also serves as Branch Chief for National Planning Coordination and Assistance, National Preparedness Directorate (NPD), FEMA. Please see today’s background page for further biographical detail.

Welcome back Doc, and thank you very much for taking the time to be with us today. I now turn the floor over to you to start us off please.

[Presentation]

Donald Lumpkins: Thank you for everybody who has joined in on the call. I see some questions have cropped up already so I’ll keep an eye on those and see how many I answer in the briefing. You can certainly ping me afterwards to tell me what I forgot to do.

I apologize that this a little bit denser than my usual presentation. What we are going to do today is talk through the THIRA process. As was mentioned, I am with the PPD program office. We are not the grants office—we are the ones charged from the programmatic side with implementing the directive.

You’ll forgive me in advance if I tap dance on grant related questions. On the other hand if you need help writing a plan or conducting some sort of bizarre field operation then I am your guy. With that in mind let’s talk a little bit about THIRA—Threat and Hazard Identification and Risk Assessment.

[Slide 2]

You’ll see up on this slide for background on PPD-8, where THIRA fits in. It is part of the National Preparedness System. It is the skills and processes we use, which include risk assessment, planning, training, exercise and assessments—all those things in order to build, sustain and deliver capability.

THIRA is one of the early pieces of that effort focusing on how we take particular existing efforts in risk assessment whether those are the things you do for critical infrastructure or hazard mitigation or you name it and bring them together using a common process that helps us ultimately get to a set of capability targets, Those are the things we want to achieve.

[Slide 3]

As I mentioned, this is part of the National Preparedness System. There are a number of components to this and we are focusing on identifying and assessing a risk.

[Slide 4]

First things first—let’s talk through the basic elements or steps of THIRA writ large and then we’ll go piece by piece with this. As you can see on this slide it is a relatively straightforward process. When we talk to people about this, obviously conducting risk assessments can be very complex. But this particular process we have been developing—working with some colleagues across not only the federal family but the state and local government—is to take a fairly straightforward effort to identify the threats and hazard of concern based on data and information you already have. Give context to those, perhaps winnow down the list a little bit, to something manageable, and use it as a way to examine the core capabilities so you can begin identifying not only the targets for those capabilities but also understand and provide. Let me rephrase that—to upload the impact and the outcomes on these capabilities and ultimately set the target there in step four.

The THIRA guide does not really get into application. We decided first to focus on getting people to the point where they had a set of targets or information and use that to set the stage for their activities—whether that is an effort to analyze and estimate your capabilities—what you have, what you need—whether that is fed into the hazard and mitigation planning, benefit cost analysis activities and that sort of thing—whether it feeds into strategic planning—we left that to the discretion of the user.

This is really focused on the front end. What you’ll see on the chart in front of us is that when we built this, we built this in mind to the fact that there is already a reporting requirement out there on states in particular dealing with the state preparedness report. We wanted to be sure that whatever we were doing would feed into that. We think we have been able to strike that balance.

[Slide 5]

Let’s have some fun. Let’s talk through each of these steps. I have mentioned the core capabilities a few times. This is just to refresh your recollection. They are listed in the National Preparedness Goal. There are 31 unique core capabilities but certainly they replicate in a number of mission areas. Taken together they represent the combined efforts of the whole community to actually address threats and hazards.

[Slide 6]

THIRA process—let’s go step by step through this. This is the process itself. In order to support the process we wanted to make sure you a number of tools at your disposal.

[Slide 7]

Beyond the guide there is a toolkit out there that provides a bibliography which has a list of data sources that you can draw from, the templates you would use in order to collect information whether that is for description statements or the things that provide context, desired outcomes you might have, estimated impacts of capabilities and ultimately the core capability targets.

It’s not just guidance dumped out there, but also providing some of the tools you need to complete the effort.

[Slide 8]

I mentioned that bibliography. It’s got strategy sources, policy sources and it contains where you can get data on different threats and hazards to make sure you have reasonable access to that information. One thing to be aware of when we talk about data sources throughout this—this process is designed to be as simple or as complex as you like.

Somebody pushed me on it and I saw Carver and some others on here—folks that I’ve worked with over the years when I was with the State of Maryland. We could take a very simple approach and put this information together in an afternoon. We had a good hazard mitigation program, we had a REP program, and we had an understanding with our fusion center and our joint terrorism task force—we could go through many of these front-end steps fairly quickly.

Or, we could have called in scientists and researchers and conducted surveys and everything else and really done an expanded process. These sources are here to help you make this as accessible as you wish so you can focus on the primary effort, which is defining those targets.

[Slide 9]

THIRA step by step—number one is identifying threats and hazards of concern to you. What does this mean?

[Slide 10]

First, there are three types of hazards. Natural are things that just happen through Mother Nature—hurricanes, tornados, earthquakes, fires, disease outbreaks—all the wonderful things that come with living here on Planet Earth. Again, no particular trigger by person or adversary involved.

The second is technological. Think of dam failures, hazardous material spills, nuclear power plant issues and that sort of thing—they are often technological hazards. They are the result of man’s activities but again there is no ‘bad’ guy.

On the other hand things that might be considered threats that are human caused definitely involve the intentional actions of an adversary. Often people go to different terrorism events which are certainly true. A large scale civil disturbance involves an adversary. Even school violence involves an adversary.

It is a really broad spectrum of things that involve intentional actors and perhaps more importantly actors that can react to our planning and preparedness efforts and adjust. It is a slightly more complicated list.

[Slide 11]

On the next slide you’ll see some examples. This is not an exhaustive list. One of the things we get pinged on on when people see this box, whether it is CPG 101, the planning guidance, 201 with THIRA, or in the National Preparedness Document is "Why isn’t X or Y on the list?"

This is not an exhaustive list and this is not a restrictive list. This is simply a set of examples. When you take a look at this you can get a sense of the scope of things you might consider when you are identifying potential threats and hazards.

[Slide 12]

I suspect many of you could sit down and come up with a list of threats and hazards right now but if you needed to you could look at existing assessment and previous incidents. Look at your plans. Historically what have you planned for and what have jurisdictions around you planned for?

Remember risk doesn’t just exist within your borders. Some of the risks you face exist outside of your jurisdiction but you would be impacted should an event occur. We see this a lot in industrial areas, power generating facilities and even major sporting venues that draw from a region or entire state. That impact might be more than just the borders of the country, city or state where the event occurred.

Also there are all sorts of online data sources. We know there are private data sources out there. We are the federal government and we have to be careful about endorsing anything. You’ll see that our lists point to publically accessible lists or sources that are available to you.

[Slide 13]

Some other sources—hazard mitigation plans—my favorites, my go-to, start right there. A lot of work and research has been done. After action reports from previous incidents can also help you gather information about that. All your subject matter experts—the people you work with day in and day out—so in this step all you are doing is making a list.

We have to worry about tornados and earthquakes. We don’t have to worry about hurricanes. We have to worry about flooding but we don’t have a big issue with a chemical event in our jurisdiction, like a chemical plant. We are worried about bombings. We are less worried about a nuclear device.

You are not even really prioritizing. You’re just deciding that if you make a list of the ten or fifteen things you are concerned about, what would that list be? As you do that there comes a point where making the list is not enough. We now have to give that list of threats and hazards context.

[Slide 14]

When we talk about context you want to take that original list of threats and hazards and begin to refine and reduce it to those of greatest concern. I’ll give you an example in a minute but in my case I often say "The worst most probable". You can consult your hazard mitigation plan, you can look at SME reviews, policy directives, historical data, risk maps—all those things that help bubble that list.

[Slide 15]

There is no prescribed number. We are not going to tell you that you must have at least five or ten, or whatever. What you want is a comprehensive list of threats and hazards that is reflective of you concerns and you think will adequately stress the full suite of core capabilities—the 31 capabilities that you need to consider when you build.

[Slide 16]

As you are winnowing that down and focusing on that you want to be able to explain how a threat or hazard can affect your jurisdiction. If your jurisdiction has a nuclear power plant you may want to consider the implications of having an incident during the day versus during the night. If you are worried about terrorism you might want to consider different target types—hard or soft, government versus areas of public gathering, etcetera.

That statement that you want to build should provide context for the area that is of greatest concern. If you think about hazard mitigation planning and I go to that because that is where we have a lot of history—things that help define contexts, location and where the risk might occur, the extent of it, prior occurrences and expected frequency as well as impact or expected damages.

Another way to consider this as you think about it and as you look through these threats and hazards is—what about them keeps you up at night? So a couple of examples to provide context to the context discussion, if I am in a state and I am worried about hurricanes, it is not enough to say that I am worried about hurricanes.

The reality is that is based on the worst most probable (not the absolute doomsday scenario because we want you to be able to build capability that can deal with those worst most probable things and be manageable at the end of the day) so if I think about my hurricane threat, most of the time when I am facing hurricanes they are a one or two category. Category five has never happened, not that they couldn’t, but has never happened in my jurisdiction.

Based on my experience, projections, and weather patterns for my hurricane statement, my description statement might be, "A high-end level three hurricane making landfall during the height of tourism season in a beachfront community". That helps narrow down what it is exactly you are worried about when it comes to a hurricane.

If you are thinking about terrorism and improvised explosives, you may look at that and say that you are not just worried about IEDs, you are worried about is a bombing attack against a stadium during the height of college football season against a rival team. I went to Georgia Tech so I know which game I’m thinking of and I’ll give you my opinion about the Bulldogs later. But each of you can think of those kinds of scenarios and you want to take those statements and put them down on paper. That will give you a sense and you might want to look at more than handful. You might want to look at the same threat two or three different ways or how it can cascade. What you’re doing is taking those threats and hazards and giving them context.

First you are making make a list of things you are worried about and then by giving them context you begin winnowing down that list. You will probably end up in an area where you have a half a dozen or maybe more statements to stress different capabilities across you jurisdiction.

[Slide 17]

Now that you’ve gotten to this point the next step in the process if examining those core capabilities. This is where most people probably have the most challenges in understanding the process because we are asking you to take some things that you would normally mix together and break them into distinct processes.

Two, we are now asking you to think about numbers. I don’t know if you’re like me but I always get a little nervous when I start putting numbers on paper. From a planning standpoint as a planner I know I have to have some rough order of magnitude in order to understand the kind of equipment I need, training, personnel, and etcetera. Step three is what gets us into that arena.

[Slide 18]

Step three—examining the core capabilities using threats and hazards—this is when you’ll begin making decisions about how these threats and hazards will actually impact the community through the lens of the core capabilities. You’ll begin to set goals with desired outcomes focusing on the accomplishment of the capabilities.

But you’ll be doing so in a way that uses the scenario that is plausible and credible and considering what is relevant and urgent. Some of these scenarios and threats that you’ll be using are are day-to-day incidents that are large that could happen. Some of them are very infrequent events that might stress the core capabilities of the state, region or even the nation.

This is broken up into two parts—first, identifying desired outcomes, and second, identifying impacts. Desired outcomes—what do we mean by that?

[Slide 19]

I want you to think of a desired outcome as how you would define success. For example, here at FEMA when it comes to our response capabilities, our desired outcome is to stabilize an event within the first 72 hours. If you think of it, it is a big shift. Before a lot of people were thinking about the first boots on the ground in 72 hours but as part of our policy here we want to begin reorienting our efforts so that we have put the resources in place to stabilize in 72 hours.

Seventy-two hours may not be the outcome you pick. This is something you decide and you may not even like that outcome. You might pick something different. The intent here is you want to begin the discussion about your capabilities with the end in mind—what does success look like? I want to be able to scan 25 percent of cargo, or maybe I want to be able to scan 100 percent of people entering a special event.

What are the big outcomes that you want to be able to achieve at the end of the day?

[Slide 20]

On the next slide you’ll see some examples of those for a couple of different capabilities. These are examples. We are happy to work with jurisdictions to get through this process. These are some ideas we have thought about. You can see whether that is on prevention, protection, mitigation, response and recovery—we gave you an example from each one.

Where possible these should be quantitatively measurable but sometimes they can’t be. Sometimes it is a qualitative analysis. Sometimes it is seeking a change. For example, if you look at the long-term vulnerability reduction, we want to be able to achieve a decrease. It is not a 100 percent thing or a 72 hour thing; it is in this case a measurable decrease in vulnerability.

That is what the outcome is that we are after for that particular capability. If you use the Reese’s cup approach to the situation, that is sort of the chocolate half—the desired outcomes. The estimated impacts then become the peanut butter. You can all yell at me later for using a candy reference and I probably owe them money now.

[Slide 21]

For estimated impacts you want to think about what a threat or hazard means to a particular capability. This is where some of that research and work you’ve done in hazard mitigation planning and other things will begin to become really handy because you don’t want to recreate the wheel if you don’t have to.

There may be modeling we’ve done that can assist you or modeling you can do that can assist you in this effort. First things first—not every core capability is going to apply to every threat or hazard. You are going to have some that you just put "Not Applicable". You are not going to do a lot of screening, search and detection for bad guys under the prevention mission when it comes to hurricanes—I’m going to guess. (Not a lot, but an argument could be made that under a really big hurricane maybe there are some activities there we’d be working on.)

That is one piece. In some cases because you are going to do prevention and protection as well, we talk about impact and I don’t mean impact to be something that is just response driven. We want to think about some of the actions you would take so it is that impact on the capability, not impact on the notion of post event, what we are doing.

[Slide 22]

Some estimated impacts could be displaced households, intelligence requirements, disruptions to infrastructure. This is one of the times you want to be able to bring all your partners to the table and certainly at different levels of government to get an idea of what some of these impacts look like. I can talk about it a lot or I can show you, so let’s put up a table.

[Slide 23]

Here is an example of estimated impacts for three different types of threats and hazards—human caused, technological and a natural. As you can see we looked at these capabilities in a couple of different mission areas—whether it is screening, search and detection in prevention, access control and identity verification in protection, and mitigation, response and recovery as well.

Notice these have no context to them yet. These are purely the impacts. This is the peanut butter side of the equation. We project a certain number of fatalities and certain number of casualties. A question we are already getting from people is, "What if my numbers are wrong?" This is an estimate. These are estimated impacts.

There are data sources that can help you understand and address what these numbers might be. The reality is that they are estimated numbers so they might be a little high or a little low. I always err on the side of caution but I am not suggesting people inflate their numbers. If you are not sure there are a lot of data sources that can help you. You would be surprised.

Our folks in the FEMA regions, our federal preparedness coordinators and their staff, can help you get access to those resources whether that is getting you in contact with another agency or getting you access to data. We want to keep this thing operating in an unclassified world. There are plenty of sources out there to help you estimate what these impacts might be for different capabilities.

I encourage your local jurisdiction to work with state government. I would also encourage states to work with federal partners or bringing an estimator to assist a local jurisdiction, what have you. There are a stunning amount of resources out there available to help you get your arms around these estimates.

What is in front of you is one way to display this. As long as there is a matrix that helps you understand what these estimates might be and their impacts, I think you’ll be in a good place. As you can certainly see some of the threats and hazards here affect a lot of capabilities. There are some that have no bearing on prevention or protection capabilities. A cyber scenario would be slightly different in what it affects.

That is a lot but again let’s reset real quick. In step one you are making that list—earthquakes, tornados, bombings. In step two you are giving those threats and hazards context. In other words, what is it about that threat or hazard that worries you or keeps you awake at night—where it might occur, how big it might be or something like that?

In step three you are identifying desired outcomes—what success look like—and what the impacts are of those threats and hazards you identified on your capabilities.

[Slide 24]

In step four we bring it all together, setting capability targets.

[Slide 25]

Since you’ve identified the greatest impact of a threat or hazard and the impacts on capabilities that result from the threats or hazards, and you have identified overall definitions of success—your desired outcomes—you can combine this information to get a capability target.

When we focus on this process, our primary focus is on greatest impact. The goal here is to get you to a place where you understand the kind of capability you need that would be viable for any threat or hazard. The goal is to not simply understand it by a single threat or hazard but to look across the matrix you are building and determine what are those greatest impacts.

In determining the greatest impact you would look at the tables and determine what most stresses your capabilities. There could be impacts from multiple hazards that need to be considered. It doesn’t need to be limited to one hazard.

For example, for public warning you might have three different targets—one dealing with a notice event like a hurricane, a limited notice event like a tornado, and one dealing with a no notice event like a terrorist attack or an earthquake or dam failure. They all might be the greatest impact for different reasons.

You have the option to define more than one topic for public information and warning. You may however just choose one. This is also the opportunity to revisit your desired outcomes. You may look at your final impacts and say you wanted to be able to stabilize an event in 72 hours, but revisiting these numbers, maybe it needs to be 96. Maybe we can reduce it to 48.

This is a chance to revisit that desired outcome. The other thing is that in impacts as percentages should be translated to actual numbers if possible. You may not be able to do that. Your number of critical infrastructure might be fuzzy. You might have to say 25 percent of critical infrastructure instead of saying 126, or something like that.

For some of the more complex capabilities you may want multiple targets. You also may want a target depending on the mission. One last thing to keep in mind, and then we’ll throw up some examples to get an idea of what I’m talking to, not every core capability is going to be applicable in the same way at each level of government.

There might be capabilities that you might not necessarily build or build to any significance at a city or county level that the state might be taking on. There might be certain capabilities, in particular in forensics attribution, that the federal government may have most of the capability for that and the state may not build a lot of capability in one particular area or another. So these are some things that should come from engaging the whole community, including your partners in the process to understand how these pieces come together.

[Slide 26]

What do targets look like? There are a couple of examples up on the slide in front of you. Some of these ten to be federalized, but they are examples. The desired outcome for screening, search and protection was to screen 100 percent of cargos, and etcetera, based on the threats and hazard in the community that we looked at earlier.

Let’s go back real quick [returns to Slide 23]. You’ll see here under screening, search and detection—a lone actor deploys an IED in an indoor concourse of a stadium during a sporting event—67,000 spectators are involved in that. The desired outcome is to screen 100 percent. The 67,500 is the highest impact for that particular capability, so you bring the two together.

Screen 67,500 people associated with an imminent terrorist threat or act using technical, non-technical, intrusive or non-intrusive means. That seems like a high number but if you have an NFL football or especially college football in your jurisdiction you know that number might be on the low side, depending on the size of the stadium. Don’t be overwhelmed by the numbers.

That is the projection for that jurisdiction. You can see now that based on that target, I can use that in a number of different ways going forward. Access and control—remember in that stadium example there are 25,000 vendors. That was the high number to look at access control for the capability target of the stadium.

For long term vulnerability reduction it was the technological hazard that drove them to the high mark and that is one target they have identified. And so on down the line. You can see that this one here for fatality management during the first 72 hours of an incident—conduct operations to recover 375 fatalities.

I think you can begin to get the picture of what a target looks like. Obviously someone can jump to the end of the process and lay this stuff out. We’re asking you to go through the process because we think it is a good thinking and analytical exercise to understand what your greatest concerns are and more importantly to engage beyond your own office.

I won’t kid you—if I got this task when I was in state government I probably would have sat down and worked through it with a couple of people in the office first and then used that to go out and talk to other people. You can do that, but I think it has greater value if you engage beyond your office early on in step one and do this exercise together and work through those targets.

This is the end of the game for the THIRA process—to lead you to a point where you have identified your threats and hazards, provided them context, set desired outcomes for your jurisdictions, and bringing all that together you are able to understand the impacts of those threats and hazards and develop a set of capability targets.

This is the same thing we’ll be expected to do here and which we have already begun, and you can see that in the National Preparedness Goal. It will be the same thing that is ultimately occurring in the FEMA regions as well—working across all the states and federal partners to develop links. This process is the same process we will be using as well.

[Slide 27]

Once you get to those targets there are a lot of things you can do with them. That is the last step—applying the results.

[Slide 28]

You can use those targets as part of a report or requirements, for example, the state preparedness report. You can find that you see these targets and say that you can switch to a sustainment mode on some of our capabilities. We’ve peaked at where we need to be and that allows us to focus funding, personnel and other additional resources in areas where we have gaps or shortfalls, so it becomes a budgeting tool.

You can use it for hazard mitigation planning. We continue to refine with our colleagues in mitigation how this information can shape and inform hazard mitigation plans. There is a number of ways this information can ultimately be leveraged for you going forward. It can also inform other assessments.

I mentioned as an example that our FEMA regions will be conducting their own risk assessment and we have the requirement to conduct a national strategic risk assessment. We’ve done one already. We’ll have to do an update in the future. Being able to work with you using a common process, but recognizing that your threats and hazards and what you are concerned about may not be the concerns of your neighbor, or a multi-state region, or the concerns of a nation.

That does not make them less important. By using a common process we are able to talk to each other in the same way. We are able to understand where we are in the process. We are able to share information but to provide each level of government the flexibility it needs to address its threats and hazards and its capability targets.

[Slide 29]

Going forward to some wrap-up thoughts and then we have time for some questions. I noticed we have some already. Where are we at with the THIRA process? The guide and the toolkit are out there. We are in the process now—we started this week—of conducting a full one-day training (a little more than one day) with representatives from states around the country.

It is very much an abbreviated training but it goes through all this stuff and provides an opportunity for some practical exercises. The slides I am using today are actually from that course but without the practical—without stopping for 10 minutes and letting everyone do something.

We are also having our training folks along with us on that delivery so they can develop an independent study course to support this. We will make technical support available through the FEMA regions to jurisdictions throughout the country for those who need a little more help going through the process once they have gone through the initial training.

We are here to answer questions, take emails so that people understand how the process works or are searching for a data source or need a point of contact. There are a lot of mechanisms to help you work through the process.

I’ll speak briefly on the grant programs. One of our folks is online and will shoot me an email if I screw this up. Yes there is certainly a requirement for grantees in the FY12 grant program to complete the THIRA by December 31. That is for grantees.

There is not a federal requirement on sub-grantees, but obviously as each grantee, in particular states, choose to implement the THIRA, the expectation is that they are working with their local jurisdictions to participate in that process. How they choose to do that, we would defer to them.

In some cases that means bringing you in and in some cases they may ask you to go through the process as well. The intent is that you can make this as simple or complex as you wish. You can work with your trusted partners, the experiences you’ve had, the plans you have in place, the mitigation planning you have already conducted and go through this process fairly straightforward and fairly easily.

Or you could start looking at complex probabilistic information, conducting massive modeling and all those things to help drive this effort. That flexibility is in your hands. The reason that in this process we are asking you to identify targets it that through the years of talking to and listening to folks we learned that it didn’t make sense for the federal government to set those targets.

You understand your threats and hazards the best. You understand what you face. The power to set the targets ought to lie in your hands. Part of the outcome of this process is to provide the tools necessary to do that in a manner that is consistent across the country.

That is it for my 45 minutes of speech on the THIRA process. This is a set of slides we would often use over the course of seven or eight hours along with some practical exercises to help you understand this. So take this as an introduction to the topic and recognize that there are opportunities coming up not only for technical assistance but also for independent study.

With that, Amy and Avagene, I will hand it back over to you.

Amy Sebring: Thank you very much Doc. I hope folks will have a better general idea of the process now. We already have some questions for you. We will also put up your contact information for follow up.

[Slide 30]

[Audience Questions & Answers]

Question:
John Biddy: Implementation of PPD-8 is a DHS and EMA function. Have the two departments developed an actual data collection tool to conduct the THIRA? Or, will localities develop their own tool based on the sample given in the guide?

Donald Lumpkins: First things first—despite sometimes our public behavior, we are actually one happy department. The issue I think gets to the crux of the matter of the connectivity between what is considered traditional protection and response, recovery and mitigation.

The short answer is yes. This process is designed to account for all of that. The toolkit that was issued with 201 contains those tools that you can use to capture the information for each step of the process.

Question:
Patty Rueter: Are there national standards for certain core capabilities that you can identify, and how do you verify the numbers? Where are the data sources you are talking about?

Donald Lumpkins: Some of them—there are data sources contained in that toolkit that will help folks get to a standard source. Obviously if you are working with a threat or hazard, the hazard mitigation plan—certainly for natural—in some states they do a really fantastic job of covering technological and human caused to a great extent as well—can serve as sources for those data points and that is identified in the toolkit as well.

In terms of the National Standards piece—sure, some of that is identified in the bibliography. Our ultimate goal to take standards to the nth degree is we want to be able to apply the resource typing model that we used for a number of response related capabilities and ultimately see how we can apply that model or structure to all 31 of the core capabilities.

That is a long term goal. We are certainly not there yet. PPD-8 effort is only over a year old and the core capabilities list if younger than that. That is our ultimate goal. Where standards exist, if there is a particular capability you are concerned about you can email us and we can help you identify a particular standard.

The email address is PPD8-NationalPreparedness@fema.dhs.gov

Question:
Chris Snyder: Is the THIRA intended to be a PROCESS or a PRODUCT or both?

Donald Lumpkins: It is a process that leads to a product, that product being your capability targets. That’s the short answer.

Real quick to visit an answer I gave to an earlier question—the toolkit is up and available electronically and I will confirm—if not, I can make it happen—that the spreadsheets that go with that toolkit are also posted as spreadsheets. Someone was asking about the electronic versions of the forms so we will make sure those are up.

Question:
Jason Baldwin: When should we apply the content of DHS's MGT-310/315 v. FEMA’s hazard mitigation risk assessment guidance v. CPG:201? Is the requirement based on which Mission Area the data is being applied to? When they are all called THIRA it is quite confusing.

Amy Sebring: Also, could you address the relationship between THIRA and the mitigation framework?

Donald Lumpkins: Management 310/315, which I believe is the risk assessment course and also gets to the risk management fundamentals and the hazard mitigation guidance are not mutually exclusive to the THIRA. The course itself will be updated to reflect the THIRA pieces but there is nothing in here that is inherent contradiction. It is rather just a process of application.

Same thing with the hazard mitigation guidance—the intent here is that when you complete the THIRA you can take that information and actually feed it into the hazard mitigation process. Now you have a robust set of information that is not just related to terrorism which has honestly been a gap in some of the mitigation planning.

That is the thought process behind this. You’ll see some of that in the messaging from our deputy administrator, Mr. Manning, that is out on THIRA. You will also see some joint messaging soon from Mr. Manning and Mr. Dave Miller, who heads up the Federal Insurance Mitigation Administration here at FEMA, to talk about in greater detail the connectivity between the THIRA efforts and overall mitigation planning.

Question:
Ric Skinner: THIRA seems to duplicate in concept the HVA that, for example, hospitals have been using for a number of years. How are THIRA and HVA similar and different? Do you envision THIRA replacing HVA? (hazard vulnerability assessment)

Donald Lumpkins: HVA which is one methodology and methodologies similar to it are really effective when you are talking about a constrained system. That could be a single facility or the transit system or things like that where you have a defined area with specific points of attack or points of exposure to hazards, that sort of thing.

What THIRA does is borrow from those processes but it is applied in a way that it lets us look at a geo-political environment. What we found is that if you took some of the traditional models that were used for critical infrastructure or key resources and try to overlay them on a full size county, or city, township or state, they didn’t work right. They weren’t designed for a diffuse environment.

We took some lessons learned from that process and used them to help shape the THIRA but THIRA is designed more for the geo-political construct. The theory is that you are still doing HVA and looking at critical infrastructure and things like that. Another perfect example is MISRAM which is the tool used for ports that a number of you participate in. That information can help feed into the THIRA process.

When you look in the toolkit and the guide where we talk about data sources, in a number of places we talk about using these existing efforts to feed into, as data sources, in this process and vice versa—the THIRA may feed into other assessments.

Ultimately we would like to reduce the number of assessments but one of the lessons I’ve learned in the last eight years having joined the federal government that it is kind of like trying to reduce the number of screwdrivers you have. It gets to a point where there are different kinds of jobs that have to be done so you need a set of screwdrivers. One screwdriver just won’t do it.

Question:
Dave Carlson: Will THIRA be an annual requirement?

Donald Lumpkins: A loaded question—I will speak to it from a THIRA process standpoint. I believe what the person is a actually asking is from a grant standpoint. The short answer is I don’t have that answer and I don’t know that any of us have that answer yet.

From a process standpoint—I don’t even know that I can claim being a former state guy—it has been eight years and I don’t know if I’m allowed to play that card anymore—I would personally revisit my results every year, not necessarily redo. I would revisit every year and see if something has happened in that last year that would cause me to change my answers.

Maybe we’ve always said we were worried about this size events and come to find out we have had two events in the past year that were bigger than that. Or maybe a new threat has emerged that causes me great concern that was not accounted for. From a pure process standpoint and not speaking to the grant programs or other requirements that may be out there I would encourage everybody to revisit their results on an annual basis and assess whether they need to be updated or not.

Question
Amy Sebring: We have a link to a memo that has to do with the grant guidance and I gather the grantees are going to be submitting them to the FEMA regions. Will you be providing training and/or publishing the guidance that you will be providing to the FEMA regions for evaluating the THIRA?

Donald Lumpkins: The FEMA regions will be using 201. What they are looking at is how the process was used. We don’t want to get into the position where we are caught up in some bizarre circle or flow back and forth with jurisdictions. The ideal situation is that we are all participating in this process and the region serves as an excellent source of data and information and support.

When it comes time for that submittal that focus is on consistency with the process in 201 which I believe is outlined in the bulletin that was issued with 201 to provide some high points of what would be looked at when the THIRA is submitted by the states. Take a look to that. But 201 is much like in the past when we’ve done reviews on planning we’ve reviewed using the guide. So 101 was the source when reviewing the plans, so we would use 201 to review the THIRA.

[Closing]

Amy Sebring: Time to wrap for today. On behalf of Avagene, myself, and all our participants today, thank you very much Doc for joining us once again and making the time to share this information. We wish you success as you move forward with the challenge of implementing PPD-8, and hope you will stay in touch in the future.

We are very pleased to announce a new EIIP Partner today, all the way from Australia, the First 24 Hrs Foundation represented by its founder Eddy Andrews. Please look them up on our Partners list, and check out their very nice public preparedness resources http://first24hrs.org/

If your organization is interested in partnering with the EIIP, please see the link from our home page or in our email announcements.

Until next time, thanks to everyone for participating today. We are sorry we couldn’t get to all your questions today. We will put the corrected email address in the slides when they are posted so you can follow up as needed. [PPD8-NationalPreparedness@fema.dhs.gov]

Have a great afternoon everyone. We are adjourned.