Threat Assessment: How to Build Exercises and Evaluate Performance

How to Utilize the Homeland Security Exercise and Evaluation Program (HSEEP) Framework, Part 2

Last week, I addressed what threat assessment is, and considerations when forming a team. This article will suggest a training framework, the Homeland Security Exercise and Evaluation Program (HSEEP) to both build capability and target areas that should be improved.

Homeland Security Exercise and Evaluation

Threat assessment, much like any other organizational function, needs to be actively managed and continuously improved. The HSEEP framework offers a strategy for both novice and seasoned teams to monitor progress through documented training.

HSEEP was developed by the Federal Emergency Management Agency (FEMA). It provides a framework for exercise programs, a common approach for exercise management, design, conduct, evaluation and continuous improvement. The basis of the HSEEP program is to provide a framework to test and evaluate capability through training, progressively increasing the complexity of training over time to add realism. A staple of the HSEEP program is to evaluate the results of training through an After-Action Review and Improvement Plan (AAR/IP). This efforts help organizations that employ an HSEEP strategy to improve plans, build and increase capability, and maintain operational readiness.

A three-year training plan should be created that is driven by threat information and current capabilities. Once these criteria are understood, exercises should be progressively complex to achieve realism, test current plans and functions. There are discussion-based exercises and operational-based exercises, which are listed below.

Discussion-Based Exercises

Seminar – Seminars are purely instructional in nature. They are used to provide an overview of authorities, strategies, plans, policies, procedures, protocols, resources, concepts and ideas. Seminars increase awareness.

Workshop – Workshops are based on building a product such as a new standard or policy.

Tabletop Exercise – Tabletops are used to generate conversation and to validate plans and procedures. A tabletop is less expensive to facilitate than an operational exercise, and is a great option especially when stakeholders have limited knowledge or interaction together. A tabletop is a facilitated discussion that walks stakeholders through a scenario and gauges responses.

Operational-Based Exercises

Drills – Drills are used to evaluate one function or evaluate equipment needed to accomplish a task.

Functional Exercises – These types of exercises are conducted in real time in a realistic environment. Activities are planned in advance, and evaluation criteria are established. Functional exercises are focused on exercising plans, and add realism to better understand action.

Full-Scale Exercises – Full-scale exercises differ from functional exercises in that they involve multiple agencies. These exercises are the most expensive, require lengthy planning, and are the most comprehensive.

The benefit to implementing a HSEEP-compliant training program within an organization is that senior decision-makers may realize the importance of mitigating threats, but may not realize current capability or impact of events which the associated documentation and lessons learned would provide. Additionally, by organizing the documentation in a gap analysis, information can be presented to senior decision-makers in business terms, which may increase a positive light on costly protection programs. Moreover, this analytical process will provide substantial proof and detail action to establish due care in the event of a violent event.

Threat Assessment and HSEEP

Threat assessment is a prevention activity, and aimed at identifying possible violent actors before they act. This effort not only safeguards victims, but also offers an opportunity to supply the possible violent actor with help through intervention. Additionally, threat assessment – if successful – will mitigate reputational damage to the organization, and decrease the chance of liability.

Threat assessment may be a new function or not developed at all in many organizations. To develop capability, testing and exercise is needed to validate policy and build capability of staff who are tasked to carry out this important function. HSEEP offers a framework and a guide to manage and monitor the proficiency of a threat assessment program.

Organizations that do not have established programs first need to develop policy. A workshop offers a format to get all stakeholders in a room to produce a product or in this case policy. Once policy is developed, it needs to be tested. It is advisable to move from a workshop to a tabletop instead of rushing into an operational-type exercise so that plans can be refined to avoid costly expenditures. Additionally, a tabletop will help the team to become familiar with each other and develop the confidence to act.

After each stage, an after-action review should be drafted to capture lessons learned and areas for improvement. The areas for improvement should be captured on an improvement plan. The improvement plan should assign responsibility to action and contain project completion dates. A best practice is to have senior management sign off on all improvement plans so that they are aware of gaps. This also helps to hold those assigned accountable to achieving improvement tasks. Additionally, the improvement task may be dependent on funding, so providing documentation of what is needed to accomplish threat assessment functions to senior managers may increase the likelihood of funding.

In the next installment a case study format will be used to illustrate application of threat assessment at the Harris County Appraisal District in Houston, Texas. Additionally, recommendations will be provided of how this program could benefit from following the HSEEP framework.

Cody Mulla has a distinguished 20-year career as an expert in emergency and crisis management. He is currently Director, Security Risk Management at Hillard Heintze. Mulla is finishing his Ph.D. in Organizational Development at the University of Texas and holds three Masters Degrees (Human Resource Development/Lean Six Sigma, Master of Science, Industrial Organizational Psychology, and a Master of Science, Leadership & Crisis Management). He also holds a number of certifications including Certified Protection Professional CPP, ASIS; International Association of Emergency Managers AEM; Master Police Officer, TCOLE; Certified Healthcare Protection Administrator CHPA, IAHSS; and Certified Homeland Protection Professional, NDPC. Mulla serves on the ASIS School Safety and Security Council and the Utility Security Council.

Glen Reed has 18-years of experience in many facets of security and law enforcement. Currently he is the new Security Manager for the Harris County Appraisal District (HCAD). Prior to joining HCAD, Reed had a 10-year career at the University of Texas System Police at Houston, where he held progressively responsible positions, starting as a commissioned Texas Peace officer, Criminal Investigator, and Threat Management Investigator. Reed holds a Bachelor’s Degree in Sociology from the University of Alaska in Fairbanks, and a Master’s Degree in Administration of Justice & Security from the University of Phoenix.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.