Since the terrorist attacks of September 11, 2001, and the subsequent creation of the Department of Homeland Security (DHS), the federal government has provided DHS with more than $130 billion in budget authority to make investments in homeland security. However, as GAO has reported, this federal financial assistance has not been guided by a clear risk-based strategic plan that fully applies risk management principles. This testimony discusses the extent to which DHS has taken steps to apply risk management principles to target federal funding for homeland security investments (1) in making grant allocations, (2) in funding transportation and port security enhancements, (3) in other DHS mission areas, and (4) at a strategic level across DHS. This testimony summarizes previous GAO work in these areas.

Risk management, a strategy for helping policymakers make decisions about assessing risk, allocating resources, and taking actions under conditions of uncertainty, has been endorsed by Congress, the President, and the Secretary of DHS as a way to strengthen the nation against possible terrorist attacks. DHS has used risk management principles to invest millions of dollars at the state and local level as part of its Urban Area Security Initiative (UASI) grants. For fiscal year 2006, DHS adopted a risk management approach to determine which UASI areas were eligible for funding. For the fiscal year 2007 grant process, DHS made substantial changes to its 2006 risk assessment model, simplifying its structure, reducing the number of variables considered, and incorporating the intelligence community's assessment of threats in candidate urban areas. The fiscal year 2007 model considers most areas of the country equally vulnerable to attack; its analysis focuses on the expected impact and consequences of successful attacks occurring in specific areas. DHS and the components of DHS responsible for transportation and port security have taken steps to apply risk management principles with varying degrees of progress. The Transportation Security Administration has not completed a methodology for assessing risk, and until the overall risk to the entire transportation sector is identified, it will be difficult to determine where and how to target limited resources to achieve the greatest security gains. The progress of each of DHS's three components responsible for port security varies according to organizational maturity and the complexity of its risk management task. The Coast Guard, created in 1915, was the most advanced in implementing a risk-based approach. Meanwhile, the Office for Domestic Preparedness (responsible for grants) and the Information Analysis and Infrastructure Protection Directorate (responsible for all sectors of the nation's critical infrastructure) were brought to or established with DHS in 2003 and lagged behind the Coast Guard in applying risk management to port security. Other DHS mission areas GAO has assessed include border security, immigration enforcement, immigration services, critical infrastructure protection, and science and technology; the extent to which a risk management approach has been implemented in each area varies. While DHS has called for using risk-based approaches to prioritize its resource investments, and for developing plans and allocating resources in a way that balances security and freedom, DHS has not comprehensively implemented a risk management approach--a difficult task. However, adoption of a comprehensive risk management framework is essential for DHS to assess risk by determining which elements of risk should be addressed in what ways within available resources.