Monday, July 16, 2012

Conducting THIRAs

The Threat and Hazard Identification and Risk Assessment (THIRA) is a new process that, according to FEMA, allows a jurisdiction to understand its threats and hazards and how the impacts may vary according to various community factors. The idea behind a THIRA is that this knowledge will help a jurisdiction establish informed and defensible capability targets. Unlike the previous Target Capabilities List (TCL) which prescribed national levels of preparedness, the THIRA process uses the new Core Capabilities and a process which lets a local jurisdiction or state "right size" the capabilities to a level which they feel is prudent to prepare for.

In other words, how bad of a disaster do you want to prepare for, and how prepared do you need to be?

FEMA released its Comprehensive Preparedness Guide 201 (CGP 201) in April 2012; the guide, and related technical assistance, describe how to conduct a THIRA.  The THIRA must be submitted by December 31, 2012 using the FEMA PrepCAST (Compliance Assessment System Tool) system to enter THIRA data as part of the State Preparedness Report (SPR).

While the CPG 201 document is straightforward, it leaves some aspects of the process up to interpretation by the jurisdiction performing the THIRA.  Having just gone through the process twice, I thought that I would share some thoughts on the subject.

Not Rocket Science         

The prescribed process is not that complicated. While some have criticized the lack of any scientific process, FEMA did make it easy relatively for us.  I restated the process steps in a recent presentation as follows:

1.  Assesses your threats and hazards of concern.
2.  Describe you vulnerability to those hazards by giving them context.
3.  Estimate the consequences of those threats and hazards impacting the community.
4.  Establish capability targets based on these consequences .
5.  Use the THIRA and apply its results it to update your Homeland Security Strategy.

THIRAs Make Sense

Most states and large urban areas have been doing threat assessments, capability assessments, analyzing gaps, and updating their Homeland Security Strategies for almost 10 years now as part of FEMA's Preparedness Grants program.  While there may have been varying degrees of success and some room for improvement, grantees were or should have been doing this work as part of sound project management.  Now FEMA has given us a process to use in carrying out these important responsibilities.

Your THIRA should include the capability estimation and gap analysis that is part of the approach.  This will provide a sound basis for annual updates to grantee's Homeland Security Strategies which in turn guide grant expenditures.

Based on this, it makes sense for the THIRA to be part of the grant lifecycle.

Validating THIRAs

FEMA will be validating THIRAs and combining them into regional and national assessments.  As stated in a recent THIRA FAQ, FEMA Regions will review all THIRAs through a collaborative effort with the states, territories, and urban areas. The Regional Federal preparedness Coordinator (FPC) will review all grantee THIRA submissions in their area of responsibility. This review is intended to ensure that the submitted THIRAs were developed in alignment with CPG 201. The FAQ states that the FPC will be seeking to answer the following questions to test the alignment of the submissions to the guidance:
  1. Did the jurisdiction provide description statements of the threats and hazards of concern?
  2. Did the jurisdiction provide outcome statements for all 31 core capabilities from the National Preparedness Goal?
  3. Did the jurisdiction provide estimated impacts for all threats and hazards of concern in relation to the 31 core capabilities?
  4. Did the jurisdiction provide capability targets for all 31 core capabilities?
  5. Did the jurisdiction provide an affirmation that their submittal is in alignment with CPG 201?

While there is a toolbox available, the process leaves room for some interpretation and creative approaches as long as the key points above are addressed.


Let's break this down. The validation points, and a suggested approach for accomplishing each, are described below.

1. Provide description statements of the threats and hazards of concern. 

This is simple enough, you should look at your local Hazard Identification and Risk Assessment (HIRA) to gauge the natural hazards of concern, this should already be done for you for the most part.  

But what about terrorist threats?  The best approach is to meet with those "in the know" and discuss the current threats that you are aware of and gauge each threat to see which are areas of concern. This later step will be somewhat subjective as there is no historical record to base probability on but your experts will know what it is you should be preparing for.

There are additional data sources mentioned in the CGP 201 and its companion toolbox. You can also use the measures from the 2011 SPR as a basis to select a target level for each threat/hazard selected.

2. Provide outcome statements for all 31 core capabilities from the National Preparedness Goal.

You are asked in Step 2 to give each of these threats and hazards context. A table is provided in the toolkit for this purpose. Step 3 asks each jurisdiction to use the descriptions developed in Step 2 to assess how each threat and hazard may impact the community and what level of the core capabilities will be needed to meet those impacts (your desired outcomes).

The impacts, along with core capabilities and desired outcomes, should be used to gain an understanding of what is needed to manage your jurisdiction's risk. Desired outcomes are required for each core capability.  The CPG 201 Guide and Toolkit offer example outcome statements.

3. Provide estimated impacts for all threats and hazards of concern in relation to the 31 core capabilities.

Being responsive to this requirement is simply a matter of charting out the impacts against the core capabilities and examining the capabilities using the Threats and Hazards. (In other word, assess capabilities based on threat.) The toolbox includes a chart that is pretty hard to work with. You can build a  matrix that includes all of the capabilities charted against the highest threats and hazards to be responsive to this requirement.

4. Provide capability targets for all 31 core capabilities.

The desired outcomes should explain what the jurisdiction wants to achieve for each core capability. This will need to include setting targets levels for each core capability. This is not a numerical rating, this is a narrative description of what your jurisdiction will need to be able to accomplish based on your estimation of threats and hazards.  Establish the level of capability that you believe that you need to achieve based on the threats and hazards identified.

5. Provide an affirmation that their submittal is in alignment with CPG 201.

The only thing missing at this point is that you need to "apply the results."  You should use the results to update your Homeland Security Strategy and to drive spending decisions. Look at your gaps based on your desired vs. your current capabilities.  Analyze how close you are to having the capabilities needed to address the threat and hazards that you have identified.

You should make this a part of your annual grant lifecycle as the THIRA must be used to support Investment Justifications. If an Investment Justification is not linked to THIRA results, projects may not be funded. And, you should use this process to measure improvements in capabilities over time, something that is a critical factor in grant programs.