Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
4 Future Plans I n addition to evaluating Reclamationâs security-related processes, working relationships, and expertise, the committee was asked to evaluate Reclamationâs future plans for its security program. In the nearly 7 years since the September 11, 2001, attacks, Reclamation has had to develop a security program starting from almost nothing. While it has made significant progress in doing so, some fundamental issues need to be resolved for Reclamation to develop a culture of security as strong as its culture of dam safetyâthat is, one in which the policies, practices, and procedures for dam security are well developed and reflected in Reclamationâs decision making and routine operations. Developing a culture of security and a program that is sustainable over the long term will require the following: ⢠Senior management support and commitment, ⢠Adequate resources, ⢠Performance measurement and evaluation, ⢠A system for capturing and disseminating lessons learned, and ⢠A vision and a long-term plan for a sustainable program. Chapter 4 focuses on these elements and the committeeâs observations and findings related to Reclamationâs plans for its security program. 71
72 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM SENIOR MANAGEMENT SUPPORT AND COMMITMENT Building commitment and support for the security program is pri- marily the responsibility of the senior executives within Reclamationâthe commissioner, deputy commissioners, regional directors, and the director and program managers of the SSLE. Support, commitment, and leadership should begin with the commissioner and the deputy commissioners and continue uninterrupted down through the regional, program, and area office directors to the facility operators and line personnel. Reclamationâs senior managers are responsible for establishing the vision and objec- tives for the security program, establishing Reclamation-wide policies and procedures, determining priorities for resource allocation, selecting personnel in key positions, and communicating why a security program is critical to achieving Reclamationâs mission. Establishing metrics for progress in achieving security-related objectives and outcomes, assigning responsibilities clearly to key individuals, providing adequate resources to meet program objectives, and holding their staff accountable for results are also responsibilities of senior managers. The federal governmentâs Office of Personnel Management (OPM) has developed a set of executive core qualifications (ECQs) needed to achieve a federal corporate culture that motivates for results, serves cus- tomers, and builds successful teams and coalitions within and outside the organization (OPM, 2007). The ECQs defined by the OPM include these: ⢠Leading change . . . the ability to bring about strategic change, both within and outside the organization, to meet organizational goals [and to] establish an organizational vision and implement it in a continuously changing environment. ⢠Leading people . . . the ability to guide people to meet the organization's vision, mission, and goals [and to] provide an inclusive workplace that fosters professional development, facilitates cooperation and teamwork, and supports constructive resolution of conflicts. ⢠Results driven . . . the ability to meet organizational goals and customer expectations [and to] make decisions that produce high-quality results by applying technical knowledge, analyzing problems, and calculating risks. ⢠Business acumen . . . the ability to manage human, financial, and information resources strategically. ⢠Building coalitions . . . the ability to build coalitions internally and with other federal agencies, state and local governments, nonprofit and private-sector entities, foreign governments, or international organizations to achieve common goals.
FUTURE PLANS 73 The committee devoted significant time and energy to observing, discussing, and evaluating senior managementâs understanding and com- mitment to the security program. Committee members met with senior executives and managers at Reclamationâs Washington, D.C., office and its Denver headquarters, at regional and area offices, and at individual sites. It was clear to the committee that Reclamationâs personnel at all levels are committed to the dam safety and emergency management programs. The relationship of these programs to the achievement of the BORâs mission of delivering water and power seems to be consistently communicated from the top down through all levels of the organization and is well understood by all. In contrast, discussions on dam security did not convey the same level of support and commitment from senior management or field personnel. Nor was the link between security and mission achievement consistently recognized or communicated. Personnel at all levels clearly understand that the NCI facilities and some other highly visible dams constitute attractive targets for terrorists, and they support actions to protect those facilities. However, the commitment to providing security for the majority of Reclamationâs dams was not consistent. Because many dams are not icons, are located in rural areas, or are smaller, they seem less likely to be targets of terrorists, which has led to thinking âit wonât happen here.â In some instances, staff clearly felt other priorities were higher than security, and they resented the redirection of resources from other program areas to security. SSLEâs director and program managers understand the security programâs purposes and requirements. However, the organizational and communication issues described in Chapter 3 have limited the effective- ness of SSLE staff in helping to develop a culture of security. At the regional offices, the committee observed a range of attitudes regarding the need for a robust security program, from committed to indifferent to resentful. Often the attitude exhibited by a regional direc- tor was reflected by area office managers and facility operators. Frustra- tion and confusion were most evident among those area office managers who were clearly committed to providing security but who reported to regional office directors who were not as committed. Finding: Creating an effective security program and a culture of secu- rity requires the dedicated support and commitment of Reclamationâs m  anagers at all levels of the organization. Currently, such support and commitment are uneven. Some managers clearly understand the link between Reclamationâs mission and security, and they are spearheading efforts to implement effective security procedures and programs. Others
74 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM regard security as an unwelcome intrusion into other activities and resent the redirection of resources from other activities to security. Finding: Building commitment and support for the security program is primarily the responsibility of Reclamationâs senior executivesâthe com- missioner, deputy commissioners, and regional directors and the director and program managers of the SSLE Office. RESOURCES An effective security program must be staffed with enough people possessing the necessary competencies to carry out assigned tasks and must be funded accordingly. Reclamation is attempting to operate a secu- rity program to protect 450 facilities distributed across 17 states with fewer than 50 full-time-equivalent positions. The responsibilities of this group include developing Reclamation-wide policies and operating pro- cedures, conducting security assessments, managing risks, identifying risk mitigation projects and prioritizing them across an inventory of facilities, conducting background checks on staff and contractors, designing and implementing physical security improvements, identifying and analyz- ing suspicious and criminal activities through liaisons with other federal agencies and local law enforcement, developing security response plans, conducting exercises, and responding to malicious acts. Reclamationâs field personnel and its partners also participate in some aspects of the security program, which leverages the resources available to the SSLE. Nonetheless, a situation in which each regional special agent (RSA) is responsible for an area covering portions of between three and nine states suggests that additional staff resources are required if the SSLE and Recla- mation are to meet their security-related responsibilities effectively. Current funding is inadequate to hire additional staff and to imple- ment other activities that are needed to improve the security program. Reclamation has a backlog of risk-mitigation projects that have not been implemented, in part because there are not enough resources for design- ing and installing them. Very few full-scale exercises have been conducted, also, in part, because of resource limitations. Furthermore, additional training for SSLE staff in communication, negotiation, and other behav- ioral skills is required to develop the sound working relationships that are fundamental to Reclamationâs activities. Reclamation has attempted to leverage its available funding by m  aking some security-related operation and maintenance costs fully reimbursable. This initiative, however, has created additional tension between the BOR and some of its stakeholders, particularly water and power authorities. Designating projects that benefit a specific set of stake-
FUTURE PLANS 75 holders as reimbursable is a well-established and accepted procedure in Reclamation and on the part of its stakeholders as well. However, since security-related projects also provide benefits to the public at large, it is not unreasonable for Reclamationâs partners to object to fully funding security guards or other activities that also benefit the general public. Reclamationâs dam safety program also seeks to protect the general public. However, some dam safety projects are partially reimbursable: Reclamation pays for 85 percent of the project, and a stakeholder who benefits from the project pays 15 percent. Criteria have been developed for determining which dam safety projects are partially reimbursable. The dam safety program may serve as a model from which to develop crite- ria, a process, and a percentage for reimbursement of the costs of some s  ecurity-related operations and maintenance activities. Whatever process is used to resolve the issue of reimbursability for security-related projects, the current allocation of resourcesânumber of staff, expertise, fundingâis not sufficient, in the committeeâs opinion, to operate and sustain a program for protecting Reclamationâs assets and people. Continuing to redirect funds from other programs will undermine other Reclamation programs and the condition of its facilities. However, from its discussions with senior Reclamation managers responsible for the security program and the briefings it received from them, the committee found the managers apparently reluctant to fight for additional resources and funding. Finding: The resourcesânumber of staff, expertise, fundingâÂcurrently available for Reclamationâs security program are not sufficient to operate and sustain an effective program. Finding: Security improvements benefit the public at large and are not limited to specific set of stakeholders. Reclamationâs proposal to make some security-related costs fully reimbursable causes tension with its stakeholders. The safety of dams program, in which reimbursable project costs are split between Reclamation and its stakeholders, may serve as a model for developing criteria, a process, and a cost-sharing percentage for reimbursing the costs of some security-related operations and main- tenance activities. PERFORMANCE MEASUREMENT In the years since the passage of the Government Performance and Results Act of 1993, measuring the outcomes of federal programs has become an established and accepted process. Key components of a per- formance measurement system include these:
76 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM ⢠Clearly defined, actionable, and measurable goals that cascade from organizational mission to management and program levels to individual performance; ⢠Cascading key performance indicators that can be used to measure how well mission, management, program, and individual goals are being met; ⢠Established baselines from which progress toward attainment of goals can be measured; ⢠Accurate, repeatable, and verifiable data; and ⢠Feedback systems to support continuous improvement of an organizationâs processes, practices, and results (outcomes) (FFC, 2004). Performance measures help to identify where objectives are not being met or where they are being exceeded. Managers can then investigate the factors or reasons underlying the performance and make appropriate adjustments. Ultimately, an effective performance measurement system should inform decisions about the allocation of resources within an orga- nization (FFC, 2004). As noted in Chapter 1, Reclamation has established elements of a performance measurement system in response to the OMBâs PART evalu- ation process. The stated objective of Reclamationâs site security effort is to reduce security-related risks through a combination of prepared- ness, prevention, protection, and response. The outcome is measured as the number of assets that are rated high risk. Changes in the risk rating will be determined over the long term as security improvements are implemented and risk assessments are repeated (OMB, 2007). Table 4.1 describes the performance measures that are being tracked. These measures represent the start of a performance measurement system for Reclamationâs security program. However, the actual measures focus on the risk assessment element and do not address law enforcement, intelligence gathering and dissemination, training and exercises, protec- tion maintenance, or incident response. The committee did not ask Reclamation managers specifically about their future plans for a performance measurement system, and it may be that additional measures are being developed by Reclamation or by DOIâs OLESEM. In all events, the system should link directly to Reclamationâs mission. For example, a stated goal of the security program might be to ensure that there are no serious disruptions to the delivery of power and water as the result of a malicious act. The program objectives would include preventing, deterring, mitigating, or responding to malicious acts. The performance measures developed could be used to measure the mitigation actions taken.
FUTURE PLANS 77 TABLE 4.1â Performance Measures for Reclamationâs Site Security Effort Performance Measure Description Cost per active background Tracks the efficiency of the background investigation investigation and national security processes, including the ability to implement and maintain electronic methodologies for completing and submitting background investigation forms, verifying the status of investigations and clearances, and maintaining personnel security records. Number of updated regional Tracks whether threat assessments are updated threat assessments annually in each of the five regions and coordinated with state, local, and other federal entities. Number of periodic security Tracks progress in assessing risks and identifying risk assessments conducted protective measures needed at critical facilities. annually on critical or project-essential facilities Percentage of risk assessment Tracks implementation (funding, installation, recommendations that have and operation) of individual protective measures been completed identified in the risk assessment process. Developing effective measures for all aspects of Reclamationâs secu- rity program will be difficult. For example in reviewing the FBIâs intel- ligence program, the OMB concluded as follows: It is difficult to define outcomes for a program that produces intelligence. In some cases, good intelligence analysis will lead to a physical outcome, such as a terrorist attack that is averted or a foreign intelligence pen- etration that is avoided, but this is not always the case. Productive and useful analysis may merely serve to enhance the governmentâs body of knowledge on a particular topic. (OMB, 2008a, pp. 7 and 8) Measuring for deterrence and response, in contrast, might involve tracking suspicious incidents using Reclamationâs database and tracking the actions taken to investigate and respond to them. The National Park Service Police, for instance, tracks the number of incidents that pose a serious potential threat to selected national monuments. As noted by the OMB, the utility in this measure is not in tracking the total number, but in moni- toring (and responding to) the types of incidents, when they occur, and possible trends. This output measure is used as a proxy outcome mea- sure because measuring the desired outcome (i.e, undamaged national monuments) would be both self-evident and of little use to managers. If
78 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM a national icon were attacked, a PART target would be the least of USPP concerns. More relevant for managers is tracking the number of incidents that pose potential threats and working to understand why those inci- dents occur. (OMB, 2008b, p. 2) The number of tabletop, functional, or full-scale exercises conducted, the number of identified areas requiring improvements, and the percent- age of improvements implemented might also be tracked to evaluate response capability. In developing a more complete set of measures for its security pro- gram, Reclamation could begin by looking at the performance measures used by similar programs of other federal or quasi-federal agencies, including the Federal Protective Service, USACE, the Tennessee Valley Authority, and the Western Area Power Authority. Finding: Reclamation has developed some performance measures for evaluating the risk mitigation component of its site security program. Additional measures are needed to evaluate processes related to deter- rence of and response to security-related incidents. METHODS FOR CAPTURING, DISSEMINATING, AND IMPLEMENTING LESSONS LEARNED A lesson learned has been defined as âknowledge or understanding gained by experience,â both positive and negative (GAO, 2002). Lessons learned programs are established to identify which actions or procedures worked and which did not work in a particular situation so that successes can be repeated and failures avoided. The U.S. General Accounting Office (now the Government Accountability Office) has stated that use of lessons learned is a principal component of an organizational culture committed to continuous improvement. Lessons learned mecha- nisms serve to communicate acquired knowledge more effectively and to ensure that beneficial information is factored into planning, work processes, and activities. Lessons learned provide a powerful method of sharing good ideas for improving work processes, facility or equipment design and operation, quality, safety, and cost-effectiveness. (GAO, 2002, p. 13) Most formal lessons-learned processes include a searchable lessons- learned database, a method using subject experts to verify the correctness and applicability of the lessons submitted, and a process that can dissemi- nate lessons learned to the appropriate users. Dissemination may also be accomplished by incorporating lessons learned into policies, guidelines,
FUTURE PLANS 79 or processes through training and seminars, meetings, and conferences or through publications in the form of alerts, newsletters, and the like. Less-formal programs may simply send documents such as after-action reports from a full-scale exercise or from important events, such as errors, accidents, and near misses, to managers and staff who could benefit from them. Tabletop and functional exercises or other forms of simulation could also be vehicles for developing lessons learned. Lessons can also be learned from other organizations that have security programs deemed to be excellent. A visit to such an organization might include on-the-spot discussions of that organizationâs experiences in developing its security program. Reclamation personnel visiting these organizations might also hold after-visit, in-depth discussions of the security-related activities and processes they observed. Reclamation does not appear to have a process in place to collect and disseminate lessons learned or to use them for making appropriate changes in policies and procedures. Such a process could be especially valuable in a decentralized organization, where the staff does not regularly meet to share information. Reclamation might consult with other federal orga- nizations that have well-established lessons-learned programs, including the Department of Energy, the Aviation Safety Reporting System (housed at Battelle), the Armyâs after-action review, the U.S. Navyâs Aviation Train- ing Exercise program (lessons learned are included in after-action âhot wash-upsâ), and NASAâs astronaut training program. Finding: Lessons-learned processes can be useful for sharing Âexperience- based information in an organization and for continually improving organizational processes, knowledge, and standards. Sources of lessons learned include after-action reports from training exercises, other forms of simulation, and other organizations. Finding: Reclamationâs security program does not appear to have a Âformal lessons-learned program in place. Where after-action reports followed major exercises, they were not disseminated to all the regions or the area offices that could have benefited from knowing the exercise results. A Vision and a Long-Term Plan for a Sustainable Program Vision and leadership are crucial for all aspects of an organizationâs activities. Typically, an organizationâs senior executives establish the vision DOEâs lessons-learned Web site can be accessed at http://tis.eh.doe.gov/ll.
80 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM based on the organizationâs mission, set goals and priorities, and then communicate the vision and implementing strategies to the staff and the organizationâs stakeholders (GAO, 1998). Mission and vision statements and plans are all important because they are meant to inspire and motivate employees and stakeholders alike to meet the organizationâs goals. As stated on its Web site, the mission of the Bureau of Reclamation is to âmanage, develop, and protect water and related resources in an environmentally and economically sound manner in the interest of the American public.â Reclamationâs Vision Statement reads as follows: Through leadership, use of technical expertise, efficient operations, r  esponsive customer service and the creativity of people, Reclamation will seek to protect local economies and preserve natural resources and ecosystems through the effective use of water. The commissionerâs plan for how Reclamation will attain its vision includes the following: ⢠Directing our leadership and technical expertise in water resources development and in the efficient use of water through initiatives including conservation, reuse, and research. ⢠Protecting the public and the environment through the adequate maintenance and appropriate operation of Reclamation's facilities. ⢠Managing Reclamation's facilities to fulfill water user contracts and protect and/or enhance conditions for fish, wildlife, land, and cultural resources. ⢠Working with Reclamation's customers and stakeholders to achieve mutual objectives. ⢠Assisting the secretary in fulfilling Indian Trust responsibilities. ⢠Implementing innovative, sound business practices with timely, cost-effective, measurable results. ⢠Promoting a culturally diverse workforce that encourages excellence, creativity, and achievement. Reclamation has also outlined four overarching goals that emphasize its mission to deliver water and generate power while addressing other water use requirements and planning for future water needs to avoid crisis and conflict: ⢠Ensure the reliable delivery of water under Reclamation contracts. ⢠Optimize power generation, consistent with project purposes. ⢠Incorporate other considerations, such as recreation, fish and wildlife, environment, and Native American trust responsibilities, into our water and power operations.
FUTURE PLANS 81 ⢠Identify and plan for future consumptive and nonconsumptive water supply needs by identifying unmet needs in the next 25 years. None of the statements above explicitly addresses the security of Reclamationâs facilities or its people. Protecting the public is mentioned in conjunction with the adequate maintenance and appropriate operation of Reclamationâs facilities, but it reflects a dam safety perspective as opposed to a security perspective. If security were a well-established program embedded within Rec- lamationâs culture, the lack of an explicit reference to it in Reclamationâs mission, vision, and goals statements might not be significant. After all, there is no direct mention of emergency management in the statements above, yet emergency management is clearly embedded in Reclamationâs programs and culture. However, security is a relatively new program that is not consistently supported by Reclamation personnel. The failure to mention security explicitly in the mission statement, the vision, plan, or overarching goals signals that it is not a priority within Reclamation and conveys a lack of support and commitment from senior management. Reclamation does not appear to have a plan for creating a robust, mature, and sustainable security program. When asked about their goals for the security program, senior managers focused on tactical issues such as addressing the backlog of identified risk mitigation projects, finding ways to lower the costs of site security guards, and periodically con- ducting threat assessments and training exercises. Strategic issues, such as how security is to be embedded in Reclamationâs culture and how regional security coordination is to be improved, were not identified. Finding: Among their other objectives, organizational mission and vision statements, plans, and goals are meant to inspire and motivate Âemployees and stakeholders. Typically, they are driven by an organizationâs senior executives and reflect their priorities and values. Infrastructure security does not appear explicitly in Reclamationâs mission statement, vision, plan, or goals. The failure to mention it conveys the idea that infraÂstructure security does not have the support and commitment of senior manage- ment, nor has it been given priority. Finding: Reclamation does not appear to have a plan for a security pro- gram that is robust, mature, and sustainable. When asked about their goals for the security program, senior managers focused on tactical issues. Strategic issues, such as how security is to be embedded in Reclamationâs culture and how regional security coordination is to be improved, were not mentioned.
82 ASSESSMENT OF THE BUREAU OF RECLAMATIONâS SECURITY PROGRAM REFERENCES Federal Facilities Council (FFC). 2004. Key Performance Indicators for Federal Facilities Portfolios. Washington, D.C.: The National Academies Press. General Accounting Office (GAO). 1998. Leading Practices in Capital Decision-Making. Wash- ington, D.C.: GAO. GAO. 2002. Using Strategic Human Capital Management to Drive Transformational Change. Washington, D.C.: GAO. Office of Management and Budget (OMB). 2007. Program Assessment: Bureau of  eclamationâSite Security. Available at http://www.whitehouse.gov/omb/expectmore/ R summary/10003701.2005.html. OMB. 2008a. Program Assessment: FBI Intelligence. Available at http://www.whitehouse. gov/omb/expectmore/summary/10003811.2006.html. OMB. 2008b. Program Assessment: National Park Service-Park Police. Available at http://www. whitehouse.gov/omb/expectmore/summary/10003727.2006.html. Office of Personnel Management (OPM). 2007. Ensuring the Federal Government Has an  ffective Civilian Workforce. Available at http://www.opm.gov/ses/qualify.asp. E