Managing Terrorism Risk

Developing a Terrorism Risk Management Program

Managing risk associated with the threat of terrorism can be a daunting task for companies. Some of the most common questions include how to begin a terrorism risk management program, what assets should be protected, and what are the most effective mitigation solutions. Similar to managing the risk from other hazards, a terrorism risk management program should provide a logical and systematic framework for identifying and dealing with potential terrorism threats. A three-phase terrorist risk management program, detailed in the following figure, can be used as a framework for establishing a terrorism risk management program.

Figure 1: Three-Phase Terrorism Risk-Management Program

Understanding the type, source, and probability associated with different threats is an important element in the program. The key elements of the threat identification phase include the following.

• Threat Recognition and Identification
• Threat Potential
• Site Security Assessment

While many organizations have some knowledge of the various threats facing their facilities and employees, many do not recognize how vulnerable their sites actually are until a detailed assessment is performed.

As shown in the figure, one of the products that may result from the site security assessment is a detailed site survey that includes the determination of the effective standoff distance at all exposed sides of the building perimeter. Even for sites that are considered "secure," existing security measures are often found to be insufficient to deter a well-planned terrorist attack.

The information gathered in the Phase I assessment can then be used to focus organizational resources to determine the impact of a particular terrorist event on the facility. Analyses that may form part of the detailed risk assessment include the following.

• Blast and Explosion Analysis
• Progressive Collapse (Structural Stability) Analysis
• Chemical, Biological, and Radiological Threat Assessment

The Blast, Progressive Collapse, and Chemical/Biological analyses can provide a detailed assessment of the threat to the structures, nonstructural elements, and the employees. Examples of these analyses are shown in Figure 1: Three-Phase Terrorism Risk-Management Program. The graphic adjacent to the Phase II Assessment box depicts the varying pressure contours on the face of a building that result from an explosive charge placed at the location of the minimum defended perimeter. Software tools are available to estimate the impact and dispersion of toxic releases and produce similar types of contours as a result of a biological or chemical terrorist attack.

Once the risks have been identified and assessed, putting a comprehensive risk management plan in place for terrorism risk is similar in many respects to understanding and managing the risks due to other hazards, such as extreme wind or earthquakes. Often, emergency planning and disaster recovery preparations that are in place for other types of hazards can be extended to prepare for and/or protect against terrorist attacks.

A comprehensive terrorism risk management plan should, at a minimum, include the following components.

• Protection of the Facility and Its Occupants
• Emergency Planning and Disaster Recovery
• Reduction of Financial Risk

Protection of the building occupants through the implementation of physical or electronic security measures, the application of window film to reduce glazing hazards, and increased employee awareness is often a first step in many terrorism risk management plans. Reducing the financial risk associated with a terrorism event may be a more challenging issue. As with other natural and man-made hazards, the cost of insurance for losses associated with a terrorism event, if available, may have risen to a level that is no longer affordable. The financial exposure may need to be addressed though a combination of risk mitigation measures, alternate or back-up facilities, and insurance.

The risk management plan should have a capability for determining changes in risk due to threat information or changes to security operations and building protection. The regimented procedure will maintain a focus on effectiveness and prevent fragmented decision making for risk reduction.

Summary

With the increased threat of terrorism, both in the United States and abroad, public, private, and governmental agencies face an increased need to understand and manage the risk to their employees and organizational assets due to the terrorism risk. A three-tiered terrorism risk management plan, which includes initial and detailed assessments and a variety of risk management techniques, can be implemented to effectively reduce the risk from a terrorist attack.