Wednesday, June 16, 2010

Reader Comment 06-14-10 Updating COI

J Stebbins posted an interesting comment to my blog from last week about adding anhydrous ammonia as a Theft-Diversion COI. He made two points; one looking at updating DHS information and the second about planning versus response. Both points are well worth reading in their entirety. Updating COI List J Stebbins reported on his(her) experience in suggesting that DHS update some information on their Commercial Facilities Sector portion of the National Infrastructure Protection Plan (NIPP), writing about their reply; “we [DHS] conduct reviews every three years and this information will be updated shortly”. In the business community this is not considered a very responsive answer, but DHS operates under a different set of rules. We have to remember that sovereign power does not rest with the government in this country. This means that the government has to involve the public in their decision making process. There are laws and regulations governing that process. For example, let’s look at my proposal to add a theft-diversion security risk to the current listing for anhydrous ammonia in Appendix A to 6 CFR part 27. To get this relatively minor regulatory change completed they would first have to draft and publish an Notice of Proposed Rule Making (NPRM) in the Federal Register and allow a public comment period on the proposal. Before that is done, however there would be a great deal of research that would need to be done, including making an estimate of the cost of the regulatory change and its effect on small businesses, state and local governments, and other regulatory agencies. If any of those effects were determined to be large enough there would have to be a variety of regulatory and political reviews conducted in DHS and with OMB before the decision was made to go ahead with publishing the proposed regulation. After the NPRM was published and the comment period ran out, then DHS would have to review each of the comments received. They would need to determine if any changes needed to be made because of the comments received. Then they would need to prepare the justification for the changes that were and were not made and the final rule would be drafted. This would then go through a more formal review process in DHS and would then be formally submitted to the Office of Information and Regulatory Affairs at OMB for their review. Once all of those formal reviews took place and appropriate modifications were made and re-reviewed then the final rule would be published in the Federal Register. Now completing this process is time and resource intensive. Regulatory changes are not made lightly and in this example would not be made for a single minor change. Either multiple small changes would be made at one time, or the agency would simply wait until the next major change was made to that regulation to include the minor changes previously identified. Having said that, why did I recommend making this change? Well, it has been three years now since Appendix A was first proposed and it would seem reasonable that it is time for a review of that document. In fact, I have been hearing rumors of just such a review taking place with ISCD talking to various groups about what appropriate changes should be made to Appendix A. So, while we’re talking about this, does anyone have any suggestions for changes to the list of COI? Planning versus Response J Stebbins also looks at the difference between recognizing and planning for potential problems versus waiting for them to happen and then responding to the results of the problem, writing:
“Cost is always going to be a stickler when it comes to this, however, what is the cost of not doing something to prevent a catastrophe from occurring, versus cleaning up after the catastrophe has occurred.”
He then points to the current problem of crude oil blowing into the Gulf of Mexico as an example of why planning is preferable to reacting. I certainly agree with this in principle. Being an ex-military man I am well aware of the adage about ‘proper prior planning prevents piss poor performance’. But, the problem of cost cannot be ignored. This is the reason that ‘risk based planning’ has become such an important buzz phrase. A manager in a modern business is just like any other employee, he holds his job only as long as he demonstrates that he can do it well; maximizing profits and minimizing risk. Since evaluation cycles are relatively short, any low probability risk will probably not get serious attention as it would be unlikely to come to pass within time that the manager is in charge of the facility, project, or product line. This is where the Government comes into the business decision process. Congress determines what risks that the people have determined to be unacceptable to the majority of the citizens. They then establish laws specifying what actions business must take to minimize or mitigate those risks. The Executive Branch then implements rules and regulations to enforce those laws and ensures that business complies with those rules. A problem arises when the Government must rely on the expertise of the regulated community to identify how to regulate the risks. When knowledge only comes from practical experience in the field, then the Government needs to draw upon that knowledge to effectively regulate. The problem comes when the agency responsible for the regulation becomes so dependant on the industry information that they abdicate their responsibility to enforce the regulations. It looks like that is what happened in the MMS-BP case.

No comments:

/* Use this with templates/template-twocol.html */