Terrorism risk strategies: mitigate, manage, transfer
Ed Butler, chief resilience officer at Pool Re, discusses how businesses can be better prepared and proactive to protect themselves against the risk of terrorism
We have come a long way over the past 40 years in our efforts to combat terrorism risks. Experiences gained by UK authorities and security agencies during the Troubles in Northern Ireland placed the UK in a stronger position than many other countries who had to deal with the chaotic aftermath of global Islamic terrorism post 9/11. Yet the counterterrorism experts and security organisations that work tirelessly to reduce the impact of terrorism are in a constant arms race with terrorist threat actors who employ a wide range of attack methodologies to inflict mass casualties. The constantly evolving threat landscape exposes new vulnerabilities for businesses, especially SMEs, during the ‘new age’ of terrorism which has emerged since 2014. It is therefore essential to adopt a rigorous, analytical, and realistic approach to this peril, one that minimises the full spectrum of the downside consequences.
A strategy comprising six components can be extremely effective when organisations are confronted with terrorism risk. An organisation may not be directly targeted by a terrorist group or an individual attack but may instead suffer the indirect consequences of a cordon set up after the attack, or loss of attraction following a nearby attack, or contagion risks associated with terrorist activities in another area. Variation in vulnerability now lies primarily in the degree of likelihood that a threat will manifest (a probability which, unfortunately, is frustratingly difficult to calculate). Therefore, all organisations should consider the potential impacts of any terrorist attack happening on their doorstep (and within their systems, since cyber terrorism is a growing threat), and how best to minimise them.
Six actions contribute to a comprehensive risk and resilience strategy for dealing with terrorism risk: understand; assess; mitigate; manage; transfer; and accept.
Developing risk awareness and knowledge are the critical first steps. Having a basic understanding of the threat an organisation might be exposed to goes a long way in protecting its assets, people, and shareholder value. Unfortunately, too many people still say ‘it will never happen here’. As has been demonstrated over the last four years, contemporary terrorists prefer soft and easy targets, and those which have little physical security in place. Increased protection of transportation hubs and iconic buildings has driven attackers towards urban markets, seaside promenades, and concerts for youth. Post-event reflections on ‘why were we caught up in all this horror’ do not form the basis of a sound security plan.
Risk assessment advances
Assessment is the second essential underpinning of any effort to manage terrorism risk. A general understanding of terrorist threats and their changing nature goes a long way, but these threats must be matched against a company’s vulnerability assessment. A comprehensive risk assessment will provide this. VSAT, Pool Re’s Vulnerability Self-Assessment Tool, provides an easy and simple way to assess potential terrorism exposures and business continuity threats. It delivers a risk score, alongside practical advice to treat identified risks and vulnerabilities. Other terrorism risk assessment tools include blast and explosion analysis (which considers the impact of bomb attacks on specific buildings); structural stability and progressive collapse analysis (an engineering-driven process); and assessment of chemical, biological, nuclear, and radiological threats.
Advances in blast modelling have made the assessment of specific buildings’ vulnerability to explosions much more accurate. Pool Re’s model, calibrated by experts at Cranfield University, uses Computational Fluid Dynamics to show where and how blast waves travel. The technique predicts the changing flow of blast pressure following an explosion as it radiates down roads and alleys, and swirls between and bounces off buildings. It allows much greater risk analysis than simple radial or 3-D line-of-sight modelling.