TheThreat and Hazard Identification and Risk Assessment (THIRA)is a specific, standardized process defined byFEMA in CPG 201. While maintaining and updating the document is a best practice for emergency managers, "Updating the threat list annually" (Option C) is a maintenance task or a requirement for grant compliance, but it is not one of the specific, analyticalstepsthat constitute the THIRA methodology itself.

The four steps of the THIRA process are:

Identify Threats and Hazards:Determine the specific natural, technological, and human-caused threats that could affect the community.

Give Threats and Hazards Context:Describe how those threats would affect the community at a specific time and place (e.g., "A magnitude 7.0 earthquake at 2:00 PM on a Tuesday").

Establish Capability Targets:Determine what the community needs to be able to do to manage that impact (e.g., "We must be able to rescue 500 people from collapsed buildings within 24 hours").

Estimate Resource Requirements:Determine the specific personnel and equipment needed to meet those targets.

For theCEDPexam, it is vital to distinguish between theprocessof doing the work and theadministrationof the document. Options A and B are the core "First" and "Third" steps of the analytical process. By confusing an administrative requirement (annual updates) with a process step, jurisdictions can fail to perform the deeper contextual analysis required by Step 2. The THIRA is designed to be a "risk-informed" foundation for the entireNational Preparedness System, and understanding its technical steps ensures that a community's preparedness goals are based on realistic, data-driven impacts rather than arbitrary list-making.