Although the chance of a truck bombing or other major terrorist attack occurring at your enterprise is small, the consequences can be totally devastating in terms of loss of life, property and operations. With the federal government’s Terrorism Risk Insurance Act program (TRIA) expiring at the end of 2007, businesses will be exposed to potentially catastrophic losses and insurance companies are expected to absorb only a modest amount of this risk.

Some knee-jerk reactions to this situation may include ignoring the terrorist threat or adding ad hoc security measures. Ignoring the threat by assuming that there is nothing that you can do is a highly risky decision. It places the long-term health of your business in jeopardy. While implementing security measures without performing a comprehensive risk assessment may calm nervous CEOs in the short term, impulsive, non-expert measures may ultimately prove ineffective. Or worse, the countermeasures may even increase the risk due to unintended consequences. How can this unquantifiable threat be managed in an effective way?

Managing risk

Traditionally, risk is managed through a combination of transfer, mitigation and retention.

A portion of the risk is transferred through insurance or alternatives, such as captives, hedge funds or securitization. Another part of the risk may be mitigated through effective countermeasures involving building structure, perimeter design, people flow or security detection systems. The remainder is retained through the use of cash, credit and assets to recover after an attack.

These three options may be optimized through a comprehensive risk assessment, which quantifies the overall risk as a Return on Investment (ROI). That ROI may be directly compared to the ROI for other capital expenditures associated with the risk of natural hazards or other threats to business continuity. Some other benefits of a financially-based risk assessment include:
  • reducing insurance premiums
  • due diligence in support of the sale of a property
  • support for loan requests from banks or government entities
  • funding prioritization for risk mitigation measures.

There are many ways that businesses may reduce the chances of attack by making the property a less attractive target. This can be done by making it more difficult to effectively execute an attack.

Options include limiting access to the property by increasing the distance between the building and public roads or parking areas, or making the location of a critical asset less obvious. Further, you would want to avoid placing VIPs in architecturally distinct areas of the building or announcing the location of critical areas through unnecessary signage.

Reducing the effect of an attack is not an all-or-nothing proposition.

Anti-terrorism experts can quantify the effectiveness of countermeasures, providing assessments of the potential damage to buildings and the associated injuries most likely to impact the people inside them. Although placing anti-ram barriers along a curb that is very close to a building may not seem very effective, a secured setback may mean the difference between a building collapsing or surviving a major truck bombing.

Likewise, many might place anti-shatter film on a building’s lower story windows to protect the people inside from injuries caused by a truck bomb attack. However, such injuries are most effectively reduced by placing anti-shatter film on all windows, with the greatest benefit to those furthest away from the explosion. Another solution requiring caution is the installation of blast-resistant windows, which may impede firefighter emergency access.

In conclusion, by having a professional financial risk assessment of your property and operations, the risk associated with a major terrorist attack can be mitigated, enabling businesses to gain control of the terrorist threat.

SIDEBAR: Other Risk Analysis Methodologies

According to James F. Broder and Eugene Tucker, CPP, CFE, CBCP, in their book Risk Analysis and the Security Survey, 3rd Edition (Butterworth-Heinemann, a division of Elsevier), President Bill Clinton signed Presidential Directive 63, the Policy on Critical Infrastructure Protection, before Sept. 11, 2001. It identified eight (now 11) sectors of the economy considered critical to national security. Included are telecommunications, transportation, water supply, oil and gas production, banking and finance, electrical generation, emergency services and essential government functions. This directive, along with the Bio-terrorism Act and other implementing policies, assigned oversight of each function to a separate governmental agency. The protection of the water supply is the responsibility of the Environmental Protection Agency; the protection of the food supply is the responsibility of the Food and Drug Administration. These agencies are assigned the task of developing risk assessment and security protocols for the protection of the assets under their purview, with many using a different risk assessment methodology.

Many risk and vulnerability analysis methods exist. Although these methods are similar in nature, security professionals should be aware of the basics of the differing methodologies even if they are not involved directly in the function they assess.


VSAT is an acronym for the “Vulnerability Self Assessment Tool,” and is both a methodology and software tool used to develop security systems capable of protecting specific targets from the acts of specific adversaries. As such, it can be considered a qualitatively based (asset-based) methodology. Its stated goals are to assess vulnerabilities, develop priorities based on the cost and feasibility of remediation, and determine potential solutions for the prioritized vulnerabilities. Although developed for water and wastewater systems, it can be used for assessing the vulnerability of other process-intensive systems. The software produces standardized reports and organizes the vulnerabilities into a color-coded threat matrix. The software also contains a library of typical water system assets, security threats, and countermeasures to help non-security professionals complete the analysis. It allows the user to modify and define additional threats and countermeasures.
  1. Identify assets
  2. Identify threats
  3. Determine criticality
  4. Identify existing countermeasures
  5. Determine risk level
  6. Determine the probability of failure
  7. Assign vulnerability
  8. Determine whether risk is acceptable
  9. Develop new countermeasures
  10. Perform risk-cost analysis
  11. Develop a business continuity plan