THIRA stands for Threat and Hazard Identification and Risk Assessment — a structured framework developed by FEMA (CPG 201, 3rd Edition) to help communities identify what threats they face, how bad those threats could be, and what capabilities they need to survive them. ECHO adapts this framework for individual and group preparedness. The process starts here: build a complete list of every credible threat in your area before you rate or rank anything. Threats are organized into three categories — Natural (acts of nature: storms, floods, drought), Technological (system failures: grid down, water outage, fuel disruption), and Human-Caused (intentional actions or societal breakdown: civil unrest, supply chain collapse, attack). Cast a wide net. Think about your specific location, climate, and proximity to population centers. A threat that seems unlikely is still worth listing — you will rate probability in Module 02. Note that major threats rarely disable only one system: a pandemic simultaneously degrades transportation, banking, energy, communications, and emergency response. An EMP strike takes down every critical infrastructure sector identified by the federal government in a single second. The goal here is completeness — list everything, judge nothing yet.
Rate each threat on two axes. Probability (1–5): how likely is this threat to affect your AO within 5 years? Impact (1–5): if it occurred, how severe is the effect on your group? A Severity Modifier accounts for cascading effects and complexity — the 2019 National THIRA explicitly models that major incidents do not occur in isolation. Priority Score = Probability × Impact × Severity. Max = 75. High: 38+, Medium: 16–37, Low: 1–15. Calibration note: Koppel (Lights Out, 2015) documents that the US grid has no federal mandatory security standards and that NERC/FERC have repeatedly failed to require hardening. A single well-placed physical or cyber attack on 9 key substations could take down the eastern interconnect for 18 months or more. Rate grid-related threats accordingly — this is not a low-probability scenario. Skousen rates nuclear war as a long-term near-certainty; weight his probability estimates against your own assessment, but his target location data is reliable regardless of probability assigned.
The POETE framework (CPG 201 / SPR) evaluates capability across five dimensions: Planning (plans, procedures, mutual aid), Organization (team structure, roles), Equipment (gear, supplies, systems), Training (skills, knowledge), and Exercises (practice, drills). Rate 1–5 for each area per threat. 1 = critically deficient, 5 = full capability. Threats sorted by priority score. Set a Capability Target — what success looks like in specific, measurable terms.
A gap is a specific deficiency — not "we need more medical supplies" but "we have no trained tourniquet applicator and no hemostatic gauze." Specific gaps produce specific corrective actions. For each gap, identify the POETE area where the shortfall exists and assign a priority (High/Medium/Low) relative to the threat's priority score. Threats appear in priority order. Gaps feed directly into the Prep Roadmap.
Every gap gets a task, every task gets a responsible person and a target date. Prioritize by threat priority score × gap severity. The roadmap is what ECHO produces — it links back to every other module in the suite. Gaps in medical point to Trauma One. Gaps in comms point to Comms Matrix. Gaps in water point to Hydro. Describing an approach here creates no obligation to complete it within the timeframe — it is a planning tool, not a commitment.
All identified threats ranked by priority score with probability, impact, and severity ratings. Sorted high to low.
Prioritized list of preparedness shortfalls by POETE area with capability scores and gap priorities.
Action plan with assigned tasks, responsible persons, timeframes, and current status — sorted by priority.
Complete assessment document with all data — threat context, capability targets, gaps, and roadmap. Suitable for group briefing.
Synthesized view of your group's key vulnerability patterns across all threats — heat sources, medical dependencies, supply depth, location factors. The data collection payoff.