30 July 2004

Terrorism Risk Management

Over the past few months’ 1SecureAudit LLC has conducted an independent online poll to determine the areas of Operational Risk that are the largest focus of organizations right now. The results are as follows:

People - 22%
Processes - 31%
Systems - 28%
External Events - 19%


Processes (31%) and Systems (28%) are the two areas that CxO’s have the most control over and are the two main areas that they are working on right now to help mitigate risks.

This means that they have transferred or accepted the risk in the other two areas of Operational Risk Management, People (22%) and External events (19%). The key mechanism for the transfer of risk of people (fraud) and external events (natural disaster) is through insurance. There is a tremendous amount of existing data that the insurance industry understands and therefore they can create the economical products to effectively serve the interests of the corporate organization to hedge these areas of risk, except one. Terrorism Risk.

Terrorism Risk Management

Terrorism Risk includes the risk from attackers both internal and external to the organization. These attackers are using conventional (incendiary explosive devices) and unconventional (digital worms) methods to disrupt the operations and economic well being of corporate organizations, the real estate finance industry and of our critical infrastructures.

The process and systems for managing Terrorism Risk are rapidly changing as the commercial real estate finance and building owners strive to establish new standards. Critical Infrastructure Protection is now a national priority. The key catalysts for change could further motivate infrastructure owners to implement new risk reduction programs and measures.

Some of the key catalysts for change are:

· Insurance – those institutions that are sharing risks that a building owner faces.

· Finance – banks, REIT’s (Real Estate Investment Trusts), and others such as pension funds that provide the capital for investments in commercial infrastructure.

· Regulation – Federal, State and Local jurisdictions that regulate building design, construction and operations.


Overall Terrorism Risk reduction begins with these key catalysts in concert with owners of critical infrastructure, whether that is a corporate office building, a hospital, subway, or a hotel. These soft targets are where the risk management decision-making is already taking new directions.

In order to introduce new changes in process or design that impacts the physical or operational aspects of critical infrastructures (to reduce terrorism risk), it is important to better understand how these change levers can provide the incentives for owners. Being forced is never as appetizing as being induced to do anything. In order for changes to take place, the environment must reward investments in preparedness and safety. Consistently the conversations are not about “if” something is going to happen, it is about “where” or “when” it is going to happen. Therefore, it is imperative we initiate a proactive hedge against the inevitability of a loss event occurring in the future. First however, we must understand the character of terrorism risk in critical infrastructure and some of the anti-terrorism tools currently available to help manage that risk.

The recognition by insurers that owners will continue to invest in terrorism risk reduction and building safety with the proper incentives is vital to overall risk management of critical infrastructures. The assessment of terrorism vulnerability in key structures identified as soft targets can be a key component of the rating of risk for a specific structure. In order for owners to benefit from the potential of reduced premiums from direct insurers they must be able to demonstrate a combination of risk mitigation measures and programs to help improve the survivability of the infrastructure or to reduce it’s vulnerability to certain threat profiles. These need to be exercised on a continuous timetable with extensive documentation, training and reporting.

No comments:

Post a Comment