Skip Navigation Links.
Collapse IRMI OnlineIRMI Online
Expand How To Use IRMI OnlineHow To Use IRMI Online
My Paid Publications
Expand What's NewWhat's New
Expand DashboardsDashboards
Expand Commercial Liability InformationCommercial Liability Information
Expand Commercial Property InformationCommercial Property Information
Expand Commercial Auto InformationCommercial Auto Information
Expand D&O, PL, E&O, EPLI InformationD&O, PL, E&O, EPLI Information
Expand Workers Compensation InformationWorkers Compensation Information
Classifications and Cross-References
Collapse Risk Mgt. and Multiline InformationRisk Mgt. and Multiline Information
Expand Risk Management -- Why and HowRisk Management -- Why and How
Collapse Free Risk Management and Multiline CommentaryFree Risk Management and Multiline Commentary
Expand Brand Equity and Product RecallBrand Equity and Product Recall
Expand Catastrophe Risk ManagementCatastrophe Risk Management
Expand Corporate AviationCorporate Aviation
Expand Corporate Fraud PreventionCorporate Fraud Prevention
Expand Cyber and Privacy Risk and InsuranceCyber and Privacy Risk and Insurance
Expand Drafting and Interpreting Insurance PoliciesDrafting and Interpreting Insurance Policies
Expand Enterprise Risk ManagementEnterprise Risk Management
Expand Internal ControlsInternal Controls
Expand NanotechnologyNanotechnology
Expand Political RiskPolitical Risk
Expand Risk Management: A Systemic ApproachRisk Management: A Systemic Approach
Expand Risk Management TechnologyRisk Management Technology
Collapse SecuritySecurity
School Security: A Year after Sandy Hook (January 2014)
Thwarting Piracy and Terror on the High Seas (July 2009)
Key Personnel Protection (KPP) at the Enterprise Level (March 2006)
Katrina's Lessons (November 2005)
Traveling Soon? Be Alert and Prepared (September 2005)
A Magic Risk Calculator? (May 2005)
Due Diligence Is A Risk Manager's Best Friend (March 2005)
Hotel Security: The Missing Amenity (December 2004)
Restless in Riyadh (August 2004)
Managing Terrorism Risk (July 2004)
When Was the Last Time Your Organization Had a Security Checkup? (May 2004)
"Don't Let an Unwelcome Guest Take Advantage of a Total Lack of Awareness" (March 2004)
"A State of Normalcy" (February 2004)
Expand Terrorism Risk Management & InsuranceTerrorism Risk Management & Insurance
Expand IRMI InsightsIRMI Insights
Expand IRMI Update Newsletter ArchivesIRMI Update Newsletter Archives
Expand Risk Finance InformationRisk Finance Information
Expand Construction InformationConstruction Information
Expand Personal Lines InformationPersonal Lines Information
Expand Claims, Caselaw, LegalClaims, Caselaw, Legal
Expand Insurance IndustryInsurance Industry
Expand Glossary of Insurance & Risk Management TermsGlossary of Insurance & Risk Management Terms
Expand SearchSearch
Terms of Use
Privacy Statement
System Requirements

Managing Terrorism Risk

July 2004

With the increased threat of terrorism, public, private, and governmental agencies face an increased need to understand and manage the risk to their employees and organizational assets. A three-tiered terrorism risk management plan, which includes initial and detailed assessments and a variety of risk management techniques, can effectively reduce the terrorism risk.

by Nathan C. Gould, D.Sc., P.E., S.E.
ABS Consulting

Over the past decade, the changing political landscape has dictated that public, private, and governmental organizations not only understand terrorism risk, but also develop a proactive plan to assess and/or manage this risk. As demonstrated by the attack on the Alfred P. Murrah Federal Building in Oklahoma City in 1995, simply being located in a less populous city or region does not guarantee safety. In fact, it is the lower profile targets with lower levels of security awareness that may appear to be the "softer" target to a potential terrorist.

In addition to the terrible loss of life, the events in 2001 also highlighted the financial costs of terrorism. As with other natural and man-made hazards, financial coverage may not be available and or affordable to protect the financial assets of an organization when faced with a terrorism threat.

Developing a Terrorism Risk Management Program

Managing risk associated with the threat of terrorism can be a daunting task for companies. Some of the most common questions include how to begin a terrorism risk management program, what assets should be protected, and what are the most effective mitigation solutions. Similar to managing the risk from other hazards, a terrorism risk management program should provide a logical and systematic framework for identifying and dealing with potential terrorism threats. A three-phase terrorist risk management program, detailed in the following figure, can be used as a framework for establishing a terrorism risk management program.

Figure 1

Phase I—Threat Identification and Initial Site Assessment

Understanding the type, source, and probability associated with different threats is an important element in the program. The key elements of the threat identification phase include the following.

  • Threat Recognition and Identification
  • Threat Potential
  • Site Security Assessment

While many organizations have some knowledge of the various threats facing their facilities and employees, many do not recognize how vulnerable their sites actually are until a detailed assessment is performed.

As shown in the figure, one of the products that may result from the site security assessment is a detailed site survey that includes the determination of the effective standoff distance at all exposed sides of the building perimeter. Even for sites that are considered "secure," existing security measures are often found to be insufficient to deter a well-planned terrorist attack.

Phase II—Detailed Risk Assessment

The information gathered in the Phase I assessment can then be used to focus organizational resources to determine the impact of a particular terrorist event on the facility. Analyses that may form part of the detailed risk assessment include the following.

  • Blast and Explosion Analysis
  • Progressive Collapse (Structural Stability) Analysis
  • Chemical, Biological, and Radiological Threat Assessment

The Blast, Progressive Collapse, and Chemical/Biological analyses can provide a detailed assessment of the threat to the structures, nonstructural elements, and the employees. Examples of these analyses are shown in Figure 1: Three-Phase Terrorism Risk-Management Program. The graphic adjacent to the Phase II Assessment box depicts the varying pressure contours on the face of a building that result from an explosive charge placed at the location of the minimum defended perimeter. Software tools are available to estimate the impact and dispersion of toxic releases and produce similar types of contours as a result of a biological or chemical terrorist attack.

Phase III—Risk Management

Once the risks have been identified and assessed, putting a comprehensive risk management plan in place for terrorism risk is similar in many respects to understanding and managing the risks due to other hazards, such as extreme wind or earthquakes. Often, emergency planning and disaster recovery preparations that are in place for other types of hazards can be extended to prepare for and/or protect against terrorist attacks.

A comprehensive terrorism risk management plan should, at a minimum, include the following components.

  • Protection of the Facility and Its Occupants
  • Emergency Planning and Disaster Recovery
  • Reduction of Financial Risk

Protection of the building occupants through the implementation of physical or electronic security measures, the application of window film to reduce glazing hazards, and increased employee awareness is often a first step in many terrorism risk management plans. Reducing the financial risk associated with a terrorism event may be a more challenging issue. As with other natural and man-made hazards, the cost of insurance for losses associated with a terrorism event, if available, may have risen to a level that is no longer affordable. The financial exposure may need to be addressed though a combination of risk mitigation measures, alternate or back-up facilities, and insurance.

The risk management plan should have a capability for determining changes in risk due to threat information or changes to security operations and building protection. The regimented procedure will maintain a focus on effectiveness and prevent fragmented decision making for risk reduction.


With the increased threat of terrorism, both in the United States and abroad, public, private, and governmental agencies face an increased need to understand and manage the risk to their employees and organizational assets due to the terrorism risk. A three-tiered terrorism risk management plan, which includes initial and detailed assessments and a variety of risk management techniques, can be implemented to effectively reduce the risk from a terrorist attack.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

© 2000-2015 International Risk Management Institute, Inc. (IRMI). All rights reserved.