Common Integrated Risk Analysis Model

Transcription

1 Common Integrated Risk Analysis Model a comprehensive update version 2.0

2

3 Common Integrated Risk Analysis Model a comprehensive update version of 52

4 Frontex official publications fall into four main categories: risk analysis, training, operations and research, each marked with a distinct graphic identifier. Risk analysis publications bear a triangular symbol formed by an arrow drawing a triangle, with a dot at the centre. Metaphorically, the arrow represents the cyclical nature of risk analysis processes and its orientation towards an appropriate operational response. The triangle is a symbol of ideal proportions and knowledge, reflecting the pursuit of factual exactness, truth and exhaustive analysis. The dot at the centre represents the intelligence factor and the focal point where information from diverse sources converges to be processed, systematised and shared as analytical products. Thus, Frontex risk analysis is meant to be at the centre and to form a reliable basis for its operational activities. European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union Rondo ONZ Warsaw, Poland T F frontex@frontex.europa.eu Warsaw, December 2012 Risk Analysis Unit Frontex reference number: OPOCE Catalogue number: TT EN-C ISBN: DOI: /28552 ACKNOWLEDGMENTS The Common Integrated Risk Analysis Model has been prepared by the Frontex Risk Analysis Unit. During the course of its developing, many colleagues at Frontex and outside contributed to it and their assistance is hereby acknowledged with gratitude. 2 of 52

5 Table of contents 1. Summary #5 2. Background #7 3. Scope of the document # Guiding objectives of the CIRAM # The update of the CIRAM #11 4. Risk analysis model # Objectives of risk analysis # Threat assessment # Vulnerability Assessment # Impact Assessment #30 5. Methodology for risk analysis # Establishing the framework # Intelligence cycle # Monitoring systems #41 6. Outputs, products and reports #47 Bibliography #49 3 of 52

6 Frontex Common Integrated Risk Analysis Model version 2.0 Graph 1 CIRAM diagram Source of information Third countries Cooperation agreements Border control Area of free movement Processing of information Threat assessment Vulnerability assessment Impact assessment Dissemination of risk analysis Third countries Cooperation agreements Border control Area of free movement 4 of 52

7 1. Summary The Common Integrated Risk Analysis Model (CIRAM) was originally developed in 2002 by a European Council Expert Group, and resulted in the Helsinki Risk Analysis Centre (RAC) being established and tasked with compiling joint risk assessments at the European level. Following the establishment of the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the EU (Frontex) in 2004, the task of compiling joint risk assessments passed from the RAC to Frontex, as well as responsibility for developing and applying the CIRAM. While the contents of the CIRAM have evolved over time to reflect the requirements and mandate of EU external border management, its fundamental purpose remains to establish a clear and transparent methodology for risk analysis which should serve as a benchmark for analytical activities, thus promoting harmonisation and the preconditions for efficient information exchange and cooperation in the field of border security. The objective of the current update of the CIRAM is to develop a conceptual framework to assist Frontex and Member States in the preparation of risk analyses. It seeks to promote a common understanding of risk analysis while simultaneously explaining how this tool can contribute to greater coherence in the management of the external borders. The update also accommodates the 2011 amendments to the Frontex Regulation, such as the development of the capability to conduct capacity assessments and to deploy liaison officers in third countries. An inclusive design that encourages heightened collaboration with partners, the latest CIRAM uses the four-tier access control model a concept that combines measures in third countries with information sharing between authorities and state actors within the Schengen area of free movement, at the external borders as well as in neighbouring countries. The model was formulated in close consultation with Member States; its widespread implementation aims to be equally applicable at both EU and national level. 5 of 52

8 Frontex Common Integrated Risk Analysis Model version 2.0 A key development in the current CIRAM update is the adoption of a management approach to risk analysis that defines risk as a function of threat, vulnerability and impact. Such an approach endeavours to reflect the spirit of the Schengen Borders Code and the Frontex Regulation, both of which emphasise risk analysis as a key tool in ensuring the optimal allocation of resources within constraints of budget, staff and efficiency of equipment. According to the model, a threat is a force or pressure acting upon the external borders that is characterised by both its magnitude and likelihood; vulnerability is defined as the capacity of a system to mitigate the threat; and impact is determined as the potential consequences of the threat. In this way, a structured and systematic breakdown of risk provides for an assessment of the relative overall risks posed by different threats as a function of the relevant vulnerabilities and impacts, and therefore will be of much use to decision-makers in setting priorities, in formulating counter-measures and in designating operational targets. Finally, through its presentation and review of different types of existing monitoring systems, the updated CIRAM strives to offer guidance and to generate a clear path for improvement and harmonisation of techniques for capturing, filtering and verifying a wide range of data and intelligence sources. It therefore represents the first major step in the process to upgrade Europe-wide monitoring of cross-border activities that will involve dialogue with and input from Member States. 6 of 52

9 2. Background The development of the Schengen acquis established risk analysis as the corner-stone of the management of the external borders. The central role played by risk analysis in border management was again put forward by the European Council of Seville in 2002, stressing the importance of concerning create an integrated risk analysis model on which to base the development of cooperation, Joint Operations and training related to the management of the external borders. With this political support, an initial model for carrying out a Common Integrated Risk Analysis was prepared in 2003 and led to the creation of a Risk Analysis Centre in Helsinki. With the strengthening of an EU approach to border management, the task of carrying out risk analysis for the management of the external borders was transferred to the Risk Analysis Unit of the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union (Frontex). Frontex was established in 2004 by a Council Regulation.* In its introduction, the Regulation mentioned that, based on a common integrated risk analysis model, the Agency should carry out risk analyses in order to provide the Community and the Member States with adequate information to allow for appropriate measures to be taken or to tackle identified threats and risks with a view to improving the integrated management of external borders. Article 4 of the Regulation is entitled Risk analysis and stipulates that the Agency shall develop and apply a common integrated risk analysis model. By calling for the development of a common model, policy-makers aim to provide Member States and the EU with a tool to contribute to greater management coherence of the external borders. The Regulation establishing the Schengen Borders Code** in 2006 sets the common rules for crossing the external borders. The Code places risk analysis at the heart of border controls by defining border controls as comprising not only checks on persons at border crossing points and surveillance between these border crossing points, but also an analysis of the risks for internal security and an analysis of the threats that may affect the security of external borders.*** It * Regulation (EC) 2007/2004, OJ L 349/1. ** Regulation (EC) 562/2006, OJ L 105/1. *** Paragraph 8 of the introduction of Regulation (EC) 562/ of 52

10 Frontex Common Integrated Risk Analysis Model version 2.0 * Article 12 of Regulation (EC) 562/2006. further emphasises that surveillance between border crossing points shall be carried out by border guards whose numbers and methods shall be adapted to existing or foreseen risks and threats.* In 2006, the Justice and Home Affairs Council not only defined the concept of Integrated Border Management but also called on Frontex and the Member States to improve the effect and uniformity of border control, in particular by further developing the common integrated risk analysis. ** 2768th Council Meeting of December The Council s conclusion** defines the concept of Integrated Border Management as being composed of the following five dimensions: 1 border control, including relevant risk analysis and crime intelligence; 2 detection and investigation of cross-border crime in coordination with all competent law enforcement authorities; 3 the four-tier access control model (measures in third countries, cooperation with neighbouring countries, border control, control measures within the area of free movement, including return); 4 inter-agency cooperation for border management (border guards, customs, police, national security and other relevant authorities) and international cooperation; 5 coordination and coherence of the activities of Member States and Institutions and other bodies of the Community and the Union. While the request to develop and apply a model is part of the Frontex Regulation, and thus applies to Frontex, the reference to a common model implies that its development and implementation should be shared and applied at national level as well. When preparing this document, this aspect was underlined by the Commission and by the participants from Member States. It is thus expected that national risk analysis entities will apply this model. Similarly, the emphasis on an integrated model implies the systematic gathering and sharing of information among all national authorities and relevant EU agencies. Thus, as will be further developed, the information that feeds the model, and the analytical products that come out of it, should not be limited to Border Guard authorities but should include all relevant authorities dealing with the management of the borders as illustrated in the CIRAM diagram on page 4. 8 of 52

11 Intelligence was introduced as part of risk analysis in the initial model of the Common Integrated Risk Analysis Model. Frontex s mission of coordination of intelligence-driven operational cooperation at the EU level to strengthen security at external borders is at the core of the model, drawing information from all tiers of the four-tier model as described in the Integrated Border Management definition. The Frontex Risk Analysis Unit implemented this model by analysing data and information from Member States Border Guard Services and statistics from Member States compiled at EU level, and developing analytical networks with third countries, but also using open sources to produce intelligence for making decisions at European level. In 2011, the amended Frontex Regulation reinforced the role of Frontex in the management of the external borders. Concerning risk analysis, the amendment includes the possibility to assess the capacity of Member States to face challenges, a development that is taken into account in the model presented here under the vulnerability assessment. Other amendments, such as the use of personal data for the purpose of risk analysis, excluding their use for the purpose of investigation, will also fit into the model. Finally, the obligation for Member States to provide Frontex with all necessary information regarding the situation and possible threats at the external borders will increase the volume of information available to carry out risk analysis at a European level. 9 of 52

12 3. Scope of the document 3.1. Guiding objectives of the CIRAM * Regulation (EC) 2007/2004, OJ L 349/1, point 6 of the preamble, Based on a common integrated risk analysis model, the Agency should carry out risk analyses in order to provide the Community and the Member States with adequate information to allow for appropriate measures to be taken or to tackle identified threats and risks with a view to improving the integrated management of external borders. From the EU legislation and the policy guidelines noted in the introduction, risk analysis emerged as the main tool for the management of the external borders. The Frontex Regulation* emphasises that the objective of risk analysis is to provide Member States with adequate information to allow for appropriate measures to be taken or to tackle identified threats and risks with a view to improving the integrated management of external borders. The CIRAM is applicable not only by Frontex but also by the border control authorities of the Member States. The application of the CIRAM is explicitly referred to in the Frontex Regulation, and it is also to be used for risk analysis at Member State level. While using the same model, Frontex and the Member States will produce different types of analytical products because they manage different resources and have different mandates. Risk analysis carried out by Frontex will be geared towards the management of operational cooperation at the external borders, whereas risk analysis carried out by Member States will aim at a finer operational outcome, including investigations. Risk analysis is the key tool to ensure the optimal allocation of resources for border checks and surveillance and an efficient, high and uniform level of control along the external borders. The Schengen Borders Code also sets the focus of the analysis on the risks for internal security and on the threats that may affect the security of external borders. This focus sets the end goal of risk analysis, which is to guarantee internal security and the security of external borders. The 2006 Council conclusions on Integrated Border Management further emphasise the objective of guaranteeing internal security and the security of the external borders by adding intelligence as a regular tool for border controls.

13 However, the management of the external borders is not limited to security purposes. The amended Frontex Regulation also draws the attention of border control authorities to take into account situations that involve humanitarian emergencies and rescue tasks. Thus these aspects have to be included when carrying out risk analyses. Equally important is the mention in the Schengen Borders Code* of avoiding excessive waiting time at border crossing points. This widens the objective of the management of the external borders to include the management of bona fide border crossings. * Regulation (EC) No 562/2006, point 9 of the preamble The update of the CIRAM The objective of this update of the CIRAM is to develop a conceptual framework to assist Frontex and Member States when preparing risk analyses. It aims to promote a common understanding of risk analysis and to explain how this tool can contribute to greater coherence in the management of the external borders. Each section of chapter four starts with a definition of a key term. Since law enforcement activities cover a wide range of issues and specialities, it is not surprising that several definitions, sometimes contradictory, can be found for one term. The definitions presented here correspond to choices. These choices do not mean that other definitions are incorrect, but rather it means that choices have been made to improve interoperability between Member States and Frontex risk analysts. The CIRAM treats the notion of risk as a function of threat, vulnerability and impact. This approach comes from standard management practices where threat is opposed against opportunity and vulnerability is opposed against strengths in seizing opportunity. For law enforcement activities, as for many non-business activities, the emphasis is placed on threat and vulnerability. 11 of 52

14 Frontex Common Integrated Risk Analysis Model version Risk analysis model 4.1. Objectives of risk analysis The purpose of risk analysis is to provide information and analysis that will enable decision-making on how to reduce and mitigate risk where resources and capabilities are limited. While it will never be possible to completely eliminate risk, by enabling decision-makers to take informed decisions, risk analysis will contribute to closing the largest gaps between risk and capabilities. During the risk analysis process, the analyst will aim to: (a) assess the risk; (b) assess any uncertainties in its measurement and identify any intelligence gaps; (c) recommend priorities where multiple threats exist; (d) contribute to prevention by analysing post-incident reports; (e) present this information to decisionmakers who take appropriate action based on the analysis. For the management of the external borders, risk is defined as the magnitude and likelihood of a threat occurring at the external borders, given the measures in place at the borders and within EU, which will impact on the EU internal security, on the security of the external borders or on the optimal flow of regular passengers, or which will have humanitarian consequences. Risk in the context of the management of the external borders can thus be viewed as having three components: (1) the threat that will be assessed in terms of magnitude and likelihood; (2) the vulnerability to the threat in other words the level and efficiency of response to the threat; and (3) the impacts in other words the impacts, should the threat occur, on EU internal security on the security of the external borders, as well as the humanitarian impacts and the consequences for the efficient management of bona fide border crossings. From this definition of risk, risk analysis is defined as the systematic examination of threats, vulnerabilities and impacts, the outcome of which is recorded in the form of a risk assessment. 12 of 52

15 Graph 2 Risk analysis diagram risk Threat Vulnerability Impact Magnitude and likelihood Level of vulnerability (EU, Member State of entry/destination) Level of impact of the threat (EU, Member State of entry/destination) Modus operandi Who, where, when Trends and predictions (increase, decrease, stable, historical) Border permeability (terrain, infrastructure, capabilities, flows) Operational activities (staff, training, interoperability) Effectiveness of countermeasures Border and internal security Ability to manage legitimate passenger flow at border Humanitarian impact Push factors Pull factors Routes (difficulty and distance), access to facilitation Defining risk as a function of threat, vulnerability and impact (Risk = f (T,V,I)) subject to the constraints of budget and resources is a pragmatic way of structuring the information concerning risk. There are different ways of combining threats, vulnerabilities and impacts. The three components are not isolated, and are not to be assessed in rigid sequence. Rather, each component is seen as a different angle from which to study the risk, the assessment of one component providing material and ideas for the assessment of the other two components. The risk level can be determined by using a mathematical formula including the measurements of threat, vulnerability and impact. However, the measures employed for assessing threats, vulnerability and impact can be crude, simplistic and misleading. Expressing risk level numerically is likely to convey a false sense of precision to the decision-makers. Quantitative estimates of risk levels will only 13 of 52

16 Frontex Common Integrated Risk Analysis Model version 2.0 apply for particular cases where a large amount of data is available and outcomes can be validated over time. In most cases, it is recommended to rely on qualitative assessments and to classify risks in categories of significance. It is the responsibility of the analyst to choose the number of levels of risk and document her/his judgements on risk. In a risk assessment, the analyst s judgement on identified risk can be displayed in a structured format, for example by using a table. Such a format is suitable when only one risk is being analysed. Table 1 Example of table for risk 1. Name of risk Normally taken from the threat 2. Threat Qualitative description of the events, their size, type, number and dependencies (taken from threat description) 3. Vulnerability Primary means by which the risk is currently managed, levels of confidence in existing control, identification of protocols for monitoring and review 4. Impact Potential impact of the threat on the security of the border, on internal security, as well as on humanitarian aspects and on the management of bona fide border crossing 5. Measurement of risk Significance taking into account the threat, the vulnerability and the impact 6. Potential action Recommendations for improvement If several risks are to be compared, it is useful to present the outcome of the risk analysis in a table showing simultaneously the judgement on threat, vulnerability and impact, as well as the final risk level. 14 of 52

17 Table 2 Example of risk matrix, presenting simultaneously threat, vulnerability and impact of multiple risks Risk name Threat Vulnerability Impact Risk level Risk 1 High Low Low Low Risk 2 Low Medium High High Risk 3 High High Low Medium The four-tier access model The four-tier access control model* includes measures in third countries, cooperation with neighbouring countries, border control and control measures within the area of free movement, including return. It forms the core of Integrated Border Management. In simplified terms, the model requires that a set of complementary measures be implemented in the different tiers. For risk analysis the four-tier access model indicates the different areas in which the analysts will seek information. The same model indicates that the analytical products will be useful for all the authorities having activities in the field of one or more tiers. In this sense, the four-tier access control model is a powerful reference to the integrated dimension of risk analysis. * As explained in the document of the Council on the Updated Schengen Catalogue on External Borders Control, Return and Readmission, 15250/2/08, REV 2, LIMITE Graph 3 The four-tier access model Measures in third countries Cooperation with neighboring countries Border controls Measures in the area of free movement The first tier represents the measures taken in third countries, especially against illegal migration in countries of origin and transit. These measures include advice and training from liaison officers and document experts with regard to the visa process for consular officials at consular posts and for carrier company personnel in third countries of origin or transit. The second tier consists of cooperation with neighbouring countries. Agreements with neighbouring countries on cooperation in the field of border man- 15 of 52

18 Frontex Common Integrated Risk Analysis Model version 2.0 agement are an efficient tool for increasing border security. This tier includes working mechanisms such as exchange of information, appropriate communication channels, central, regional and local contact points, emergency procedures, procedures for handling incidents, etc. Border control, as the third tier of the model, guarantees systematic border checks for every person entering or exiting the Schengen area. It also ensures an adequate level for exposing illegal border-crossings in areas between border crossing points or via sea, using false documents or hiding inside means of transport. Border control is part of national crime prevention, as it detects and reveals human smuggling, stolen property and other cross-border and border-related crimes as well as contributing to the detection of serious crime. The fourth tier comprises control measures within the area of free movement, including return. These measures prevent illegal immigration and cross-border crime inside the territory of the Schengen states by means of enhanced searches, checks and surveillance measures based on national information, and in accordance with national law. Regarding illegal migration, the fourth tier implies that Member States define minimum standards for control measures within their territory together with other relevant authorities of places known as critical for third-country nationals staying illegally, cross-border traffic connections, etc. The role of intelligence gathering and the intelligence cycle Intelligence is placed at the heart of risk analysis by defining it as any information, received or generated, that is related to one of the components of the risk, i.e. related to a threat, vulnerability or impact. Thus, a structured intelligence process that comprises the elements of collecting, analysing and distributing applicable information will be the foundation of the assessment of threat, vulnerability and impact. The structured intelligence process is referred to as the intelligence cycle, a definable cycle that ensures the efficiency of law enforcement activities through a system of checks and balances. The intelligence cycle is described in detail in the chapter on methodology. 16 of 52

19 Graph 4 Intelligence cycle 1. Tasking 8. REVIEW 2. collection 7. DISSEMINATION 3. EVALUATION 6. REPORTING 5. ANALYSIS & INTERPRE TATION 4. collation Taking into account that risk analysis will gather information from the four tiers, will manage the information in a structured way and will decompose risk into threat, vulnerability and impact to inform decision-making, the whole process can be represented as follows. 17 of 52

20 Frontex Common Integrated Risk Analysis Model version 2.0 Graph 5 CIRAM diagram Source of information Third countries Cooperation agreements Border control Area of free movement Processing of information Threat assessment Vulnerability assessment Impact assessment Dissemination of risk analysis Third countries Cooperation agreements Border control Area of free movement From operational to strategic risk analysis Although there is no clear rule distinguishing strategic and operational threat assessment, strategic risk analysis will commonly be concerned with a broad range of modi operandi and the main border types. It will inform strategic decisions re- 18 of 52

21 lating to an organisation s medium- and long-term priorities. Judgements will rely heavily on factors beyond quantitative and probabilistic models. Operational decisions are generally informed by higher volumes of quantitative data. Strategic decisions projecting several years tend to have great uncertainty, while operational decisions to be taken within a more immediate time frame will have less uncertainty. The uncertainty that may have existed for strategic decisions is often removed from consideration for more operational decisions, based on knowledge gained from previous operational decisions. For example, determining the proportion of trucks to inspect for clandestine migrants is a decision assumed to have a fairly long time scale (i.e. a strategic decision having an impact on the number of staff and type of activities to be performed on a regular basis at the border control points), and it is followed up by a more targeted decision (and perhaps shorter-lived operational decision, often taken on the spot) about how to inspect, such as using only the vehicle documents, using a detector or physically opening the vehicle. Graph 6 Type of decisions to be informed and their time horizon 0-12 months Maximum reliance on data Quantitative and objective inputs Decision made with short-term horizon Project decisions 1-3 years Some reliance on data Annual programme of work 3+ years Minimal reliance on data Qualitative or subjective inputs Longer time frame, review possible EU and national policies Patrols Directorate decisions Multi-annual plans Passenger checks Evaluations Programmes Vehicle search Deployment of assets Deployment of protective devices 19 of 52

22 Frontex Common Integrated Risk Analysis Model version Threat assessment Threat is defined as a force or pressure acting on the external borders. It is to be characterised by its magnitude and likelihood. The analyst should describe which processes or factors both inside and outside the EU affect the magnitude and the likelihood of the threat. The purpose of a threat assessment is to identify, describe and measure the threat in terms of magnitude and likelihood. By nature, most threats will be related to border areas or border types, although some threats can be associated with processes for checks and surveillance. The threat assessment should ideally be tailored to a geographic area, border type and based on detailed local intelligence. The assessment should have a clearly defined scope and purpose. It should cover a specific period of time and assess the threat over a specified future period of time. Only those threats at the external borders that may have an impact on EU internal security, the security of the external borders and the treatment of the flow of regular passengers are to be considered. When the impact entails a humanitarian aspect, the image of a force acting on the external borders is still valid, but the term pressure should be preferred to threat. The impacts of the threat are described in more detail in a dedicated section. Threats that may have an impact on EU economic performance, social conditions or any other European policies are not to be considered, unless specifically requested. Identifying the threat At the core of the risk analysis is the identification of threat, actual or potential. Identifying threats means being able to summarise, in the most appropriate form for decision-making, the incidents, data and information that have been communicated to or collected by the analysts. There are many techniques to identify threats. Some techniques are, for example, expert elicit ation, delphi and scenario analysis. These techniques are not mutually exclusive; several techniques complement each other. Any technique might also be used for vulnerability or impact assessments. The choice of tech- 20 of 52

23 niques will largely depend on the type of decision to inform, the resources available (time, staff, budget) and the analyst s knowledge of particular techniques. Describing the threat An exhaustive description of all threats to which the external borders are exposed would be too long to assist decision-making. It is preferable for a maximum of five to ten of the most significant threats to be brought to the attention of the decision-makers, while some risk analysis will focus on one threat only. The threat should be described in simple and short wording style. The analysts may insert judgements but will provide their full argumentation and resources used to elaborate them. The analyst should also inform decision-makers about uncertainties surrounding the judgement made. In any case, the assessment should refrain from including recommendations for action which require resources beyond the scope of the decision-maker. Describing the threat will often involve references to historical data. Any limitation of the data should be described. Similarly, it is the responsibility of the analyst to check the accuracy of the information and convey his/her conclusion to decision-makers. The description of the threat should not be an inventory of incident reports. While the incident reports ought to be detailed and thorough, the description of the threat should be short and focus on the most salient points for decisionmakers. The details of incident reports will be most useful for investigation purposes, while a summary of recurring patterns among incident reports will be most useful for risk analysis. The description of the threat typically includes the description of the modus operandi, the perpetrator s goals, motives and capabilities (who, where, when, how many), the trends and predictions, and the push factors affecting its magnitude and likelihood. For illegal migration, references to routes and facilitation services should also been made. Two characteristics of the threats should be measured: magnitude and likelihood. 21 of 52

24 Frontex Common Integrated Risk Analysis Model version 2.0 Measuring the threat Threats should be measured so that they can be compared and priorities can be established. When precise measurements are not possible, relative scales or levels can be used. Measuring the magnitude of a threat means first determining the unit of measurement for the threat. The choice of the unit will depend on the threat. For threats related to immigration, the units may be the number of migrants illegally crossing the border, or the number of persons refused entry. For threats related to drug control, the units may be kilograms of drugs seized. For counterterrorism, the units may be the number of suspected terrorists. All measurements should refer to a certain period of time (for example month, quarter or year). Expressing the magnitude of the threat forces the analyst to select the most appropriate indicator for subsequent monitoring. It also gives the decision-maker an indication of the level of the threat. Administrative data is useful for measuring the magnitude of a threat. Rather than a simple single indicator, unlawful activities are often better measured with a range of administrative data. Administrative data often contains statistical limitations that can be referred to as uncertainties. It is the responsibility of the decision-makers to deal with uncertainties and it is the responsibility of the analysts to reduce these uncertainties and acknowledge the remaining ones. When dealing with administrative data related to unlawful activities, the analysts should be cautious when examining trends. For example, an increase in the number of detections of unlawful activities is not necessarily a sign of failure. Indeed, enhanced capacity might increase the number of detections while the amount of actual unlawful activity may not change. When law enforcement authorities scrutinise a poorly understood phenomenon, for example regarding victimisation of minors in trafficking in human beings, the statistical records are likely to show an increase due to detections of previously undetected criminality. The likelihood of the threat is understood as the probability of its occurrence within a certain period of time. Methods to measure the likelihood of threat can 22 of 52

25 be quantitative, semi-quantitative or qualitative depending on the availability of reliable data and the decision-making needs. Quantitative methods estimate probabilities and produce values of the level of threat in specific units. Quantitative analysis may not be possible or desirable due to insufficient information, lack of data, influence of human factors or because the effort is unwarranted. While quantitative methods might facilitate the work of the analysts, the use of uncertain data is likely to convey a misleading sense of precision and knowledge about the threat. Quantitative methods should not ignore uncertainties surrounding data and information but rather present these uncertainties to the decision-makers. The main sources for measuring the magnitude and likelihood of the threats are intelligence, historical analysis and expert judgement. These sources of information support only crudely quantitative outcomes. For the time being, more research is needed before quantitative methods are successfully used for measuring threats. Hence, the analyst will often turn to semi-qualitative or qualitative assessment of the magnitude and likelihood of threat. Semi-quantitative methods use numerical rating scales and are often supported by the analysis of historical and contextual data. Analysts should thoroughly document how the rating has been established. Semi-quantitative methods are by nature less precise than quantitative methods and the rating should take that lack of precision into account by using a cardinal rating scale (i.e. not decimal). Qualitative ranking by experts might be effective. A clear explanation of the significance levels should be provided and the basis for the criteria should be recorded. An odd number of levels allow for a neutral stand point, whereas an even number of levels will force the scaling to its upper or lower parts. Whatever the choice of measurement methods, a single measurement of the threat, combining magnitude and likelihood, may be required. In this case, magnitude and likelihood can be combined to form a level of threat. A matrix table can be used to summarise and describe the different levels of threat, and a colour code may be used to communicate an assessment of the level of threat from low to high. 23 of 52

26 Frontex Common Integrated Risk Analysis Model version 2.0 Table 3 Example of assessment of level of threat combining a three-level scale for magnitude and likelihood Level of threat Magnitude High Medium Low Almost certain High High Medium Likelihood Possible High Medium Low Unlikely Medium Low Low Table 4 Example of qualitative estimates of level of threats Level Description Indicators / Sources of information High High number of significant instances that exposed the borders to this threat Indicator chosen from data collected regularly Medium More than one significant instance that exposed the external borders to this threat Incident reports, reports from operational areas at the border Low No previous instances that exposed the external border to this threat External indicator (to be described) When it is not possible to assess threats either quantitatively or qualitatively, an alternative may be to develop scenarios. Depending on the threat, one rule of thumb is that a maximum of five scenarios should be presented to decision-makers. 24 of 52

27 An example of measuring threat with a semi-qualitative method: the External Borders Fund threat assessment Frontex s annual threat assessment for the External Borders Fund is based on data sent by Member States, border control authorities to Frontex within the framework of the Frontex Risk Analysis Network (FRAN). The statistics concerned are as follows: a. the number of third-country nationals refused entry at the external borders (FRAN indicator 4); b. the number of third-country nationals apprehended when crossing or attempting to cross the external borders illegally; this number is best accounted for by FRAN indicators 1A and 1B, i.e. detections between border crossing points (BCPs) at the green and blue border (1A), and detections at BCPs (clandestine entries such as persons hiding in lorries) (1B); c. number of facilitators intercepted who have intentionally assisted the unauthorised entry of third-country nationals (FRAN indicator 2); d. number of forged or false travel documents (FRAN indicator 6) and the number of travel documents and visas issued on false grounds which have been detected at BCPs in accordance with the Schengen Borders Code. The External Borders Fund Decision identifies in Article 15(3) the following threat levels and weighting factors by border type (land and maritime). External land border: factor 1 for normal threat; factor 1.5 for medium threat; factor 3 for high threat. External maritime border: factor 0 for minimum threat; factor 1 for normal threat; factor 3 for medium threat; factor 8 for high threat. 25 of 52

28 Frontex Common Integrated Risk Analysis Model version 2.0 An example of measuring threat with a semi-qualitative method: the External Borders Fund threat assessment (cont.) The threat levels were identified by applying a common formula to statistics (a) to (d) mentioned above for all Member States. The formula adds up the annual totals of the statistics while applying the following illegal migration event weighting coefficients to them: illegal border-crossings and detections of false travel documents and visas were weighted with factor 1.0; the number of apprehended facilitators was multiplied by the factor 5.0, due to the fact that one facilitator usually represents a higher threat level in terms of being on average likely to have facilitated the entry of a number of undetected irregular migrants during the same year; refusals of entry were weighted with a factor of 0.5, due to the fact that a significant number of refusals do not represent real risks for illegal migration (such as data on refusals of persons who simply forgot relevant travel documents or who are related to non-compliance with technical safety standards of vehicles, etc.). For the 2009 threat assessment, Frontex set thresholds in order to identify and group the results of the mathematical calculation. A value greater than weighted illegal migration events qualifies the threat level as high and a value between and qualifies it for the medium threat level. For land borders, values lower than qualify for the normal threat level. For sea borders, an additional interval had been introduced at the lower end: the normal threat applies only to values between and 5 000, and an additional minimum level to all values below. The results of the mathematical formula developed by Frontex were then further assessed for each Member State in terms of additional qualitative information gathered from other sources such as Frontex Joint Operations. The end result contributed to the risk analysis required under the External Borders Fund. 26 of 52

29 4.3. Vulnerability Assessment Vulnerability is determined by the capacity of a system to mitigate a threat. Vulnerability is understood as the factors at the borders or in the EU that might increase or decrease the magnitude or likelihood of the threat. Here, vulnerability is not the vulnerability of the criminal, a definition of vulnerability that can be found in criminal intelligence, nor the vulnerability of an asset, a definition of vulnerability that can be found in counter terrorism models. Among the prime factors that will affect vulnerability are the geographical attributes of the border areas. The analysis of vulnerability will also include the analysis of operational activities, including the capabilities to mitigate the threat, such as numbers of staff and their skills, the deployment of equipment and the management of priorities and policies. To assess the vulnerability at the border, the analyst should seek to answer the following key questions: Are there physical factors that could be exploited by a particular threat? What are the existing measures in place for a particular threat? Are those measures capable of adequately mitigating the threat so that it is controlled to a level that is tolerable? In practice, are the controls operating in the intended manner and have they demonstrated that they are effective? Assessing the vulnerabilities also includes assessing possible legal responses, for example the existence and implementation of return agreements with third countries. More generally, vulnerabilities also include pull factors such as significant diasporas in Member States, employment opportunities or access to social systems. For border control, the presence of pull factors in one Member State can actually shift the flow of migrants, legal or not, through the external borders of other Member States. 27 of 52

30 Frontex Common Integrated Risk Analysis Model version 2.0 Measuring vulnerability to a threat Vulnerability may be expressed qualitatively, semi-quantitatively or quantitatively. In general, vulnerability measurements achieve a higher level of certainty than threat measurements. Vulnerability concerns matters that can, in principle, be carefully studied and for which estimates can be reasonably accurate, for example relying on staffing records at border crossing points, on inventory of equipment to detect fraud, on the activity report of sensors for illegal border- crossing, on the technical characteristics of fences, etc. In practice, a high level of assurance in measuring vulnerability is not warranted. If absolute numbers are not available, some indications of change over time may suffice to indicate in which direction the measures in place are evolving. In addition, it is valuable to record a level of effectiveness of the measures in place so that judgements can be made by decision-makers regarding optimum allocation of resources (such as whether effort is best expended on improving existing measures or on providing alternative treatment). A description of each border section in the form of a permeability assessment, including its natural and border crossing characteristics as well as the capacity in place to conduct checks and surveillance, is an effective tool against which to assess and measure vulnerability to specific threats. The analyst should have the tools to indicate to decision-makers which border sections are most vulnerable to specific threats so as to enable a swift response to events. 28 of 52

31 Table 5 Example of qualitative estimates of level of vulnerability Level Border permeability Operational capacities and legal responses Pull factors Very high vulnerability High vulnerability Medium vulnerability Low vulnerability Terrain or natural conditions of the external borders are exploited by the threat Terrain or natural conditions of the external borders are favourable to the threat Terrain or natural conditions do not favour the development of this threat No competencies or legal responses are available to address this threat A very limited number of competencies or legal responses are available to address this threat A moderate number of competencies or legal responses are available to address this threat Terrain or natural conditions Sufficient number of prevent the development of competencies or legal this threat responses are available to address this threat All these factors present: High unemployment rate, large communities in Member States, perceived easy access to international protection status and social welfare benefits Several of these factors present: High unemployment rate, large communities in Member States, perceived easy access to international protection status and social welfare benefits One of these factors present: High unemployment rate, large communities in Member States, perceived easy access to international protection status and social welfare benefits None of these factors present: High unemployment rate, large communities in Member States, perceived easy access to international protection status and social welfare benefits 29 of 52

32 Frontex Common Integrated Risk Analysis Model version Impact Assessment Impact is defined as the effects of a threat on the internal security and on the security of the external borders. Impacts can also be analysed in terms of the effects on the optimum flow of passengers at the borders, and in terms of humanitarian consequences. To assist in the identification of impacts on internal security, reference to internal security is useful. In 2010, the EU Council adopted the Internal Security Strategy for the European Union that highlighted challenges the EU is facing, including terrorism, organised crime, cyber crime, drug and arms trafficking, trafficking in human beings, sexual exploitation of minors and child pornography, economic crime and corruption, and even youth violence. Besides the impacts on security, a threat may also have an impact on the flow of passengers at border crossing points. The impact of the threat can be assessed by reporting on the degree of disruption of border-control services as a result of the threat. It is helpful to use historical data on passenger flows and average waiting times as a baseline when comparing levels which may indicate stress. The impact of the threat may also be assessed for humanitarian consequences such as loss of life. For example, in 2008 sea crossings in the Atlantic or in the Mediterranean on unseaworthy vessels may result in casualties when they capsize. Humanitarian impacts also include cases of trafficking in human beings. However, this is difficult for border guards to assess as even the victims themselves may not know about their destiny at the time of crossing. The Schengen Borders Code should be applied in accordance with the Member States obligations with regards to international protection and non-refoulement. The objective is here for border guards to ensure the rapid provision of protection for those third-country nationals with legitimate claims. This is done by collaborating with national and international asylum agencies and by providing these agencies with information related to unfounded asylum applications which dilute resources allocated for those who require protection. 30 of 52

33 Measuring impact Quantifying impacts will often be difficult, as impact modelling requires large sets of data and important data collection efforts, often spanning long periods of time in order to allow for validation. The measurement of impacts will depend on the threat identified. For example, impact can be expressed in terms of fatalities, injuries when crossing the external borders, third-country nationals detected crossing the borders illegally, impairment in conducting regular border-control duties, third-country nationals staying illegally within the EU, victims of trafficking in human beings, etc. Alternatively, levels of impact can be described qualitatively, using for example a five-level system: insignificant, minor, moderate, major, critical, although each level would need to be defined clearly. For impact on passenger flow, it is proposed that regular qualitative reporting be set up through which the utilisation of border services can be characterised in three levels: low for passenger flow below usual levels, moderate for passenger flow above usual levels but still below maximum capacity and high for passenger flow exceeding control capacity. If quantitative or qualitative assessments are not available, impact can be measured through the description of outcomes arising from inductive analysis (sometime referred to as educated guess or informed estimation ) or scenario analysis. Impact assessment will include consideration of both immediate impacts and those that might arise later. Consideration should also be given to small incidents which, taken individually, do not have large impact, but when aggregated might amass a volume which may have detrimental effects on the internal security of the EU and on the security of the external borders. 31 of 52

34 Frontex Common Integrated Risk Analysis Model version 2.0 Table 6 Example of qualitative estimates of level of impact related to illegal migration Impact Critical Very high High Low Border security OR Border section(s) representing more than 20 % of instances at EU level and increasing more than 50 % compared to previous period Border section(s) representing between 10 % and 20 % of instances at the EU level and a 20 % to 50 % increase compared to previous period Border section(s) representing less than 10 % of instances at the EU level and a 10 % to 20 % increase compared to previous period Border section(s) representing less than 10 % of instances at the EU level and less than 10 % increase (or decrease) compared to the previous period Internal security Impact on internal security affecting the majority of Member States Impact on internal security affecting up to five Member States Impact on internal security in one Member State Localised impact on internal security in one Member State OR Loss of human lives A majority of instances (e.g. > 75 %) put human lives at risk A high number of instances (e.g. 20% < x < 75%) put human lives at risk A moderate number of instances put human lives at risk (< 20 %) Human lives are not affected 32 of 52

35 5. Methodology for risk analysis The intelligence cycle needs to be implemented within a conceptual framework that provides for a situational picture and effectively defines the problems at hand. The framework delineates the domains where the information can be gathered and the mechanism for monitoring trends, and relies on practical tools for implementation which can be referred to as technical assessment Establishing the framework To categorise the information that will be used to establish the framework, reference to the four-tier access control model is useful. This model refers to measures in third countries, cooper ation with neighbouring countries, border control and control measures within the area of free movement. The analyst should assess how measures in any of the four tiers may influence the movement of passengers across the external borders and cross-border crimes. For illegal migration, a general understanding of push and pull factors will also enable the analysts to establish its framework. Factors influencing migration are commonly referred to as push and pull factors. Push factors are conditions prevailing in third countries that impel or stimulate emigration. Conditions in the EU that attract immigrants are classified as pull factors. Understanding these factors enables explanations to be provided for variations detected in movements across the borders and expert judgements on their future developmentto be better documented. Establishing the framework also implies knowledge of key drivers and trends having an impact on cross-border crimes. Collaboration with police authorities at the national and EU (Europol) level will improve border control authorities awareness of cross-border criminality. 33 of 52

36 Graph 7 Movement of persons across borders (based on UKBA flow chart, adapted to the Schengen Borders Code) Non-Visa third-country nationals Visa third-country nationals Persons enjoying the Community right of free movement Return to: country of nationality; country where journey originated; or safe third country Apply at Consulate for visa Refusals of entry Refused visa Granted visa Return or departed voluntary Apply for asylum at the border Thorough check Minimum check Surveillance EU external borders Detained and/or granted temporary admission while processing granted entry unauthorised border crossing Refused asylum or international protection Granted asylum or international protection Stay in the EU Apply for extension of stay Overstay Return home / further travel Illegally stay Detection of illegal stay Apply for asylum in country Enforcement / return action initiated Persons enjoying the Community right of free movement Return Check on exit EU external borders Return to: country of nationality; country where journey originated; or safe third country EXIT 34 of 52

37 It is also important to develop the understanding of the capabilities of the border-control authorities in terms of role, resources, knowledge, information flow and decision-making processes, as well as standards and reference models. Knowledge of the existing resources of the border-control authorities, such as staff members and equipment, is a pre requisite for the analysts to inform decision-makers controlling the deployment of these resources. Understanding the capabilities of the border control authorities in terms of knowledge means that the analyst is aware of the regular data collection processes and is familiar with their definitions and their limitations. Depending on the tasking, establishing the framework involves defining the extent of the risk analysis to be carried out (the terms of reference), including specific inclusions and exclusions; defining the risk analysis activity in terms of time and resources; defining the relationship between the specific risk analysis request and the other risk analysis activities of the organisation; defining the risk assessment methodologies and criteria; and identifying and describing the decisions and actions that have to be made. As a summary of the framework regarding movement of persons across the borders, the flow chart for control of immigration to the EU is presented on the next page and includes measures taken in third countries, at the EU borders and in Member States. 35 of 52

38 Frontex Common Integrated Risk Analysis Model version Intelligence cycle In every organisational setting, the intelligence activities which lead to the development of analytical products follow a recognisable standard cycle or process chain. A key role for Frontex and Member States border authorities is to use intelligence processes, skills and techniques to increase their probability of success when operating along the external borders. This role is achieved by adopting a structured intelligence process that comprises the elements of collecting, analysing and distributing applicable information. The process contributes to success by producing appropriate and timely products (such as reports, assessments, charts and forecasts) that, in addition to their use in identifying criminals, will enable targeted and effective risk analysis. The basic premise of the intelligence process is that the systematic exploitation of intelligence information will lead to a high-quality product which can be referred, if appropriate, for further investigation. For this reason all intelligence products are based on applying the intelligence cycle. The intelligence cycle itself is made up of eight connected functions. Each of the following steps is an important contribution to the whole process: i. tasking ii. collection iii. evaluation iv. collation v. analysis and interpretation vi. reporting vii. dissemination viii. review. Intelligence officers will employ the process in its entirety without negating any steps in order to avoid creating deficiencies or weaknesses at any point in the chain of activity. The following diagram shows the way in which the intelligence process can be visualised as a flow chart to demonstrate the progression of activities more clearly. 36 of 52

39 Graph 8 The intelligence cycle as a flow chart source reliabilty collection evaluation collation analysis reporting dissemination information validity information segregation information SOURCES index and storage periodic reports decisionmakers conclusions / predictions / estimates tasking review Individual steps in the intelligence process In the following paragraphs, outline guidance is provided to explain what each of the eight steps involves. Tasking Other than routine basic functions, all intelligence tasking that will result in data collection and analysis should be authorised and recorded when resources and priorities are being allocated. For major projects (ones that may take several weeks), managers and analysts are advised to jointly plan how to apply the intelligence process. The intelligence project plan that results will focus on issues including data required, sources likely to be of help, analytical techniques and approaches that can usefully be employed, reporting deadlines and distribution of reports. The overall goal to produce a risk assessment does not, in any way, affect or reduce the need for the application of proper intelligence processes for preventing crime. These proper processes will produce further intelligence that will, in turn, provide beneficial inputs for risk analysis. 37 of 52

40 Frontex Common Integrated Risk Analysis Model version 2.0 Collection The need to collect intelligence-related information is fundamental. To be effective, the collection effort must be planned and focused and needs to be directed at a target (person, group) or topic (for research purposes). Collection planning takes into account the information that is already available to the Member States or Frontex analysts, and examines the need for additional collection efforts directed at gaps in the information. Evaluation Evaluation is: (1) assessing the truthfulness and reliability of the source of information; and (2) measuring the validity of a particular piece of information. Analysts need to be aware of whether they can rely on individual pieces of information when analysing and interpreting data. Thus each piece of information ideally must be evaluated as it is being recorded and filed for later analysis and interpretation. Collation Collation is the sifting out of spurious, non-relevant information. It includes also the orderly arrangement of the remaining information so relationships between apparently disconnected elements can be established. A computerised system will automatically collate and amalgamate information in a way that will facilitate efficient consideration by the intelligence analyst. The key to the intelligence programme s success is the storage of collected information in either manual and/or computerised systems in such a manner that data items can be cross-indexed, related to other information and easily retrieved on demand. 38 of 52

41 Analysis and interpretation The core of the intelligence process is the analytical function, which converts bits and pieces of information into an interpreted product that has meaning. The goal of analysis is to develop the most precise and valid inference possible from available information. Without analysis, a piece of information remains a piece of information. Target intelligence (combining the ideas of strategic and operational intelligence) contributes directly to an immediate objective and is focused on specific criminal activities with the goal of neutralising them. It may be the supplying of a lead, the compilation of a list of potential surveillance subjects or some small fact about the activities of a certain suspect, but all this information and primary analytical thought contributes to the development of intelligence products. Strategic intelligence, by contrast, is a blending and analysis of data to produce an informed judgement about a targeted group s capabilities, vulnerabilities, trends and patterns with conclusions,and forecasts. Alternatively, it may focus on a particular phenomenon such as push/pull factors driven (for example) by changing situations in specific locations, and describe these in a way that enables the development of an overall risk assessment concerning irregular migration. Interpretation is always based on knowledge plus new information, blended together to form a reasonable but nonetheless speculative opinion on its meaning. Until that opinion becomes fact, there is always the possibility that circumstances will change or that data has been misled or even misread and misunderstood. It is essential that intelligence analysts (as well as risk analysts) be competent to determine the balance between fact and speculation, and can speak confidently and informatively about the pros and cons of their opinions, citing probability statements in support. Moreover, by developing a commitment to critical thinking and re appraisal of the data- interpretation picture, the analyst will be able to guard against rushing to quick - and often safe - judgements, to the detriment of the intelligence quality. 39 of 52

42 Frontex Common Integrated Risk Analysis Model version 2.0 Reporting Intelligence reports are the culmination of all functions in the process. They summarise the results of the collection and analysis process and state the findings of the intelligence process. Reports must be as objective as possible and written in such a manner that there is a clear connection between the facts and judgements and the conclusions and forecasts. Intelligence writing is a special application of normal writing skills and warrants either additional training of the analysts or close mentoring by more experienced supervisory staff, or both. Dissemination distribution Dissemination is the technical term used in intelligence to describe the act of distributing credible and timely intelligence information to officials and consumers within and outside of one s organisation. Given that all intelligence products are derived at source from data provided by others, it is reasonable to expect that sources will expect some feedback on how useful their input was. Indeed, where the source organisation is a stakeholder in some form, then it is highly advisable to ensure that the report is copied to them as recognition of their assistance and interest. This approach often ensures enhanced cooperation in future instances in which that source needs to be approached again for data assistance. Ultimately, information that remains locked in the intelligence system fails to fulfil its primary role which is to provide information, insight and leads that will assist in intervention. Review There are two types of review that are meant to take place at the completion of the intelligence analysts work. One relates to efficiency measurement of the analyst s work consideration of how the intelligence unit and 40 of 52

43 its analysts did their work, and what lessons can be learned from their success or failures. The second review focuses on effectiveness, that is, whether the intelligence products (be they operational or strategic) assisted the client reader and decision-maker. This sort of review is more difficult to conduct and relies on honest exchange and discussion between the intelligence staff and the readers to explore (i) what level of additional insight was provided, and (ii) whether it was, in the reader s opinion, reliable and timely. Without such a review mechanism in place, intelligence units and analysts will continue to function in a relatively self-satisfied manner. Only by holding the products and functions up to peer and executive review can intelligence staff learn to do better Monitoring systems Monitoring systems can be defined as the activities related to the early identification of potential threats, their verification, assessment and investigation. Monitoring systems can be divided into two categories: indicator-based systems and intelligence-based systems. Indicator-based systems focus on the collection, analysis and interpretation of regularly collected data. Indicator-based monitoring is used to provide information on potential threats by identifying abnormal events within the temporal distribution of routinely collected data. Intelligence-based monitoring systems focus on the capture, filtering and verification of events. Intelligence can be collected on a regular basis from border authorities and more generally from law enforcement authorities, as well as 41 of 52