Download eBook for Free

FormatFile SizeNotes
PDF file 0.4 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

Research Questions

  1. What are the challenges and opportunities related to use of the NCF risk assessment framework?
  2. How might the framework be improved?

The Homeland Security Operational Analysis Center (HSOAC) was tasked with using the National Risk Management Center's (NRMC's) National Critical Function (NCF) risk assessment framework to assess risk to each NCF and complete individual risk analyses for the 55 NCFs. The NRMC also requested that HSOAC perform additional tasks, including providing a report on emerging lessons learned from risk management efforts to limit the impact and disruption that coronavirus disease 2019 (COVID-19) had on the 55 NCFs.

This report presents insights into best practices in risk assessment; challenges in the implementation of the NCF risk assessment framework to characterize risk to critical infrastructure associated with the COVID-19 pandemic; recommendations for improving the framework; and suggestions for further characterization of NCFs' interdependence, vulnerability, and geographic variation that could improve risk assessment processes.

Key Finding

  • Challenges in implementing the framework include persistently high risk ratings, difficulty in assessing risk to some NCFs in isolation from other NCFs, separating out national from regional impacts, and identifying NCFs that are especially vulnerable to disruption from COVID-19.


  • Recommendations for improving the framework in future iterations include opportunities to review and refine the drivers of risk examined, the indicators used to monitor risk, and the time scale used in assessing risk. The NRMC might also consider stress-testing the framework against other potential threats.
  • Future risk assessments can also be enhanced through a better understanding of interdependence, vulnerability, and geographic variation among NCFs. Finally, the NRMC might consider opportunities to enhance dissemination by documenting successful mitigation activities and improving the two-way flow of risk information for different audiences.

This research was sponsored by the National Risk Management Center in the Cybersecurity and Infrastructure Security Agency at the U.S. Department of Homeland Security (DHS) and conducted within the Strategy, Policy and Operations Program of the Homeland Security Operational Analysis Center (HSOAC).

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.