How to Create a Terrorism Risk Management Plan

Over the past twenty years, the changing political landscape has dictated that public, private, and government organizations need to get to grips with the risks posed by terrorism by developing a proactive plan that both assesses and manages the potential for attack.

As far back as 1995, the attack on the Alfred P. Murrah Federal Building in Oklahoma City demonstrated that being located in a smaller city or region did not guarantee safety from terrorism. In fact, it is often targets like this that have lower profiles and lower levels of security that are attractive to terrorists as they present a softer target.

The events of September 2001 also highlight that, as well as loss of life, the financial cost of terrorism is extremely high. Just as with natural and other man-made hazards, financial cover may not be available or even affordable and this makes it increasingly difficult for an organization to protect its financial assets in the face of a terrorist threat.

Managing the risks posed by the threat of terrorism is a daunting task for companies. Questions that frequently come up include: how do we start a terrorism risk management program, what assets should be protected, and what are the most effective mitigation solutions? Just like managing risks presented by other hazards, a terrorism risk management program needs to provide a logical and systematic framework for identifying and dealing with potential terrorist threats.

Below is a three-phase approach that can be used as a starting point for establishing a terrorism risk management program.

Phase I—Identify Threats and Undertake an Initial Site Assessment

Understanding the type, source, and probability of different threats is an important feature of the program. The key parts of the threat-identification phase include the following:

  • Identify and recognize different threats.
  • Assess the potential for specific threats.
  • Undertake a site security assessment.

While many organizations have some knowledge of the different threats facing their facilities and employees, it is not until a detailed assessment is performed that many recognize the degree to which their sites are vulnerable.

One result that can come from a detailed site security assessment is the extent of the standoff distance on all the exposed sides around the perimeter of the building. Even for sites that are considered “secure”, the existing security measures are often found to be insufficient to deter a well-planned terrorist attack.

Phase II—Conduct a Detailed Risk Assessment

The information gathered in Phase I of the assessment can be used to focus an organization’s resources on determining the impact of a particular terrorist event on the facility. Part of the detailed risk assessment analysis may include the following:

  • Analysis of blast and explosion potential.
  • Analysis of the potential for progressive collapse (structural stability) of the building.
  • Analysis of the impact of chemical, biological, and radiological threats.

These assessments provide detailed information about the extent of the threat posed to the structural and non-structural elements of the organization, as well as to its employees. Software is available for estimating the impact and dispersion following the release of toxic chemicals, and it can produce similar types of contours for a biological or chemical terrorist attack.

Phase III—Risk Management

Once the risks of terrorism have been identified and assessed, putting a comprehensive risk management plan in place is similar to understanding and managing the risks presented by other hazards, such as extreme weather or earthquakes. In fact, emergency planning and disaster recovery preparations that are already in place for other types of hazards can also be extended to prepare for and/or protect against terrorist attacks.

However, as a minimum requirement, a comprehensive terrorism risk management plan should include measures that result in the following:

  • Protection of the facility and its occupants.
  • Emergency planning and disaster recovery.
  • Reduction of financial risk.

The first steps taken in the implementation of many terrorism risk management plans include:

  • The protection of the building’s occupants by implementing physical or electronic security measures.
  • The application of window film to reduce glazing hazards.
  • Raising the awareness of employees to potential threats.


These measures are relatively simple to implement, but reducing the financial risk of terrorism can be more challenging. As with other natural and man-made hazards, the cost of insurance for losses associated with terrorism (even if it is available) may have risen to a level that is no longer affordable. This means that financial exposure can be addressed through a combination of actions, such as taking measures that mitigate risk to the organization, arranging alternative or back-up facilities so the organization can still operate in the event of an attack, and insurance.

Finally, a risk management plan needs to have the capacity for identifying changes in the level and type of risk the organization faces, including having procedures that ensure it is aware of changes to known threats, changes in security operations and changes required for the protection of buildings and employees.

Above all, the procedure for assessing risk needs to remain focused on the effectiveness of the procedures already in place in order to avoid a fragmented approach to decision making around managing the risk of a terrorist attack.