Skip to Content
Security Catastrophe Risk Management

Managing Terrorism Risk

Nathan Gould | July 24, 2004

On This Page

With the increased threat of terrorism, public, private, and governmental agencies face an increased need to understand and manage the risk to their employees and organizational assets. A three-tiered terrorism risk management plan, which includes initial and detailed assessments and a variety of risk management techniques, can effectively reduce the terrorism risk.

Over the past decade, the changing political landscape has dictated that public, private, and governmental organizations not only understand terrorism risk, but also develop a proactive plan to assess and/or manage this risk. As demonstrated by the attack on the Alfred P. Murrah Federal Building in Oklahoma City in 1995, simply being located in a less populous city or region does not guarantee safety. In fact, it is the lower profile targets with lower levels of security awareness that may appear to be the "softer" target to a potential terrorist.

In addition to the terrible loss of life, the events in 2001 also highlighted the financial costs of terrorism. As with other natural and man-made hazards, financial coverage may not be available and or affordable to protect the financial assets of an organization when faced with a terrorism threat.

Developing a Terrorism Risk Management Program

Managing risk associated with the threat of terrorism can be a daunting task for companies. Some of the most common questions include how to begin a terrorism risk management program, what assets should be protected, and what are the most effective mitigation solutions. Similar to managing the risk from other hazards, a terrorism risk management program should provide a logical and systematic framework for identifying and dealing with potential terrorism threats. A three-phase terrorist risk management program, detailed in the following figure, can be used as a framework for establishing a terrorism risk management program.

Figure 1: Three-Phase Terrorism Risk-Management Program

Three-Phase Terrorism Risk-Management Program

Phase I—Threat Identification and Initial Site Assessment

Understanding the type, source, and probability associated with different threats is an important element in the program. The key elements of the threat identification phase include the following.

  • Threat Recognition and Identification
  • Threat Potential
  • Site Security Assessment

While many organizations have some knowledge of the various threats facing their facilities and employees, many do not recognize how vulnerable their sites actually are until a detailed assessment is performed.

As shown in the figure, one of the products that may result from the site security assessment is a detailed site survey that includes the determination of the effective standoff distance at all exposed sides of the building perimeter. Even for sites that are considered "secure," existing security measures are often found to be insufficient to deter a well-planned terrorist attack.

Phase II—Detailed Risk Assessment

The information gathered in the Phase I assessment can then be used to focus organizational resources to determine the impact of a particular terrorist event on the facility. Analyses that may form part of the detailed risk assessment include the following.

  • Blast and Explosion Analysis
  • Progressive Collapse (Structural Stability) Analysis
  • Chemical, Biological, and Radiological Threat Assessment

The Blast, Progressive Collapse, and Chemical/Biological analyses can provide a detailed assessment of the threat to the structures, nonstructural elements, and the employees. Examples of these analyses are shown in Figure 1: Three-Phase Terrorism Risk-Management Program. The graphic adjacent to the Phase II Assessment box depicts the varying pressure contours on the face of a building that result from an explosive charge placed at the location of the minimum defended perimeter. Software tools are available to estimate the impact and dispersion of toxic releases and produce similar types of contours as a result of a biological or chemical terrorist attack.

Phase III—Risk Management

Once the risks have been identified and assessed, putting a comprehensive risk management plan in place for terrorism risk is similar in many respects to understanding and managing the risks due to other hazards, such as extreme wind or earthquakes. Often, emergency planning and disaster recovery preparations that are in place for other types of hazards can be extended to prepare for and/or protect against terrorist attacks.

A comprehensive terrorism risk management plan should, at a minimum, include the following components.

  • Protection of the Facility and Its Occupants
  • Emergency Planning and Disaster Recovery
  • Reduction of Financial Risk

Protection of the building occupants through the implementation of physical or electronic security measures, the application of window film to reduce glazing hazards, and increased employee awareness is often a first step in many terrorism risk management plans. Reducing the financial risk associated with a terrorism event may be a more challenging issue. As with other natural and man-made hazards, the cost of insurance for losses associated with a terrorism event, if available, may have risen to a level that is no longer affordable. The financial exposure may need to be addressed though a combination of risk mitigation measures, alternate or back-up facilities, and insurance.

The risk management plan should have a capability for determining changes in risk due to threat information or changes to security operations and building protection. The regimented procedure will maintain a focus on effectiveness and prevent fragmented decision making for risk reduction.


With the increased threat of terrorism, both in the United States and abroad, public, private, and governmental agencies face an increased need to understand and manage the risk to their employees and organizational assets due to the terrorism risk. A three-tiered terrorism risk management plan, which includes initial and detailed assessments and a variety of risk management techniques, can be implemented to effectively reduce the risk from a terrorist attack.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.