Friday, April 08, 2005

Terrorism Risk Management

In light of the fact that the insurance industry is still immature in their models due to a lack of actuarial data the real estate financiers are considering alternative approaches to risk mitigation and management. For example, tools for the assessment of terrorism vulnerabilities exist today that could be introduced into the cycle of due diligence. As these tools are adopted to assess and help reduce the risk of unknown man-made events, the lenders and the insurers will converge on these new models to help rate structures and critical infrastructure in terms of their exposure to terrorism risk.

Due diligence requires detailed property inspections and audits to provide sound advice to key decision makers on the state of a real estate property. Vulnerability to terrorist attack will become, if it isn’t already, a critical component of due diligence. The individuals and firms that provide these solutions must be multi-faceted in operations, security and building systems in order to provide a comprehensive and fair report. This assessment should include the operational procedures and hazard mitigation programs of the building to determine the overall vulnerability to a combination of both natural and man-made events.

Asset Identification & Valuation
Priorities for protecting both physical and information assets is obtained through a comprehensive process for enterprise risk management. You must identify the relative importance and value of assets whether they are people, processes, systems or facilities. Three primary actions must take place:

1. Identification and Definition of core business processes to sustain the organization in business (sales, customer service, accounting)

2. Identification of critical business infrastructure assets such as:
o Personnel to run the functions and facilities
o Information systems and data
o Life safety systems and safe havens
o Security systems

3. Assign a relative protection priority
o High – Loss or damage would have grave consequences for extended time
o Medium – Loss or damage would have serious consequences for a moderate time
o Low – Loss or damage would have minor consequences for a short period of time

Threat Assessment
Once this is completed a thorough threat assessment must take place. This is a continuous process of information gathering, analysis and testing. There are five key elements associated with threat profiles definition and analysis factors:

1. Existence – who or what are hostile to the assets
2. Capability – who or what weapons or means have been used in the past
3. History – what and how often has this occurred in the past
4. Intention – what outcomes or goals does the threat agent hope to achieve
5. Targeting – what is the likelihood that surveillance is being performed on the assets


Next a set of Event Profiles for the threat scenarios must be created. These detailed profiles describe the mode, duration and extent of an incident event as well as mitigating or exacerbating conditions that may exist.

The output of the threat assessment is the determination of threat rating to each hazard and to each asset in the priorities for protection. Assigning a threat rating could be as easy as using high, medium and low as long as you have specifically defined what each one is and also with the use of expert judgment.

As landlords and other interested real estate finance industry partners move towards new standards to mitigate terrorism risk and protect critical infrastructure, the necessity for state-of-the-art tools and systems to mitigate those risks is paramount. CxO’s in corporate enterprises are ever more concerned about emergency preparedness and the continuity of their enterprises. Now that threats to government and business operations are becoming more prevalent, organizations must plan for every type of business disruption from hardware and communications failures, to natural disasters, to internal or external acts of terrorism.

No comments: