A bomb explodes in the crowded downtown of a major city. Police, fire and emergency medical services personnel quickly respond to the scene. Office workers pour into the street as they evacuate their offices for “safety.” A second explosion–more powerful than the first–occurs minutes later.

A secondary explosion is always a concern for responding emergency services, but it is not their only concern. Radiological, chemical or biological material can be spread by explosive devices. Unwittingly, evacuees from buildings surrounding the initial explosion could walk into the path of the secondary device or risk exposure to life-threatening airborne hazards.

Risk managers must be prepared to promptly recognize a threat, decide quickly how to respond, and then effectively execute predetermined procedures to safeguard employees and protect both physical assets and business operations.

Terrorism is not new. A 1999 report by the FBI reported 327 incidents or suspected incidents of terrorism in the United States between 1980 and 1999. More than 200 people were killed and over 2000 injured in these attacks. Bombings have occurred around the globe:

A 1992 series of explosions in London resulted in damage to 200 buildings and multiple deaths.

The 1993 bombing of New York’s World Trade Center killed six and injured over 1,000.

The 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City killed 168 and injured more than 600.

A series of bombings in Atlanta in 1996 and 1997 were perpetrated on Centennial Olympic Park, a nightclub and an abortion clinic.

Sept. 11, 2001 ushered in a new paradigm in terrorism–unimaginable acts resulting in catastrophic consequences. While the country was still reeling from the attacks on the World Trade Center and Pentagon, anthrax was posted to media outlets and government officials.

Although bombings have been the most frequent type of terrorist attack, there are many different threats that can and have occurred. Chemical weapons can be used, and one of the most notorious examples occurred in 1995, when sarin–a highly toxic nerve agent–was dispersed by the Aum Shinryko cult in a Tokyo subway.

Biological agents–especially those that are infectious–cause great concern because detection of an attack would be difficult and any delay in diagnosis would allow infectious disease to spread. Long before anthrax was used as a weapon, the Ragneesh cult contaminated Oregon restaurant salad bars in 1984 with salmonella to influence a local election.

Computer networks are critical lifelines for society and businesses today, and an attack could compromise critical infrastructure such as telecommunications systems, electrical power grids, or public safety communications. Penetration of a corporate network could also have dire consequences. Viruses, worms, denial-of-service attacks and other forms of cyberterrorism must be defended against.

Risk managers must be well-prepared to deal with all types of emergencies, including terrorism. The planning process includes risk assessment, mitigation where practical, organization of resources, and development of procedures for response and recovery.

Terrorism risk is measured by the probability of attack, vulnerability of people, assets and operations, and the magnitude of consequences. Risk managers need to understand whether their businesses are a target or whether they could be subject to collateral damage if an adjacent site is attacked.

Assess the vulnerability of people, buildings and operations to attack, and identify opportunities to mitigate the exposure. Site selection, placement of buildings on site, space management, physical barriers, operational security, and protection of critical utilities can all help mitigate exposure.

Understand the potential consequences of an attack to determine the investment warranted for mitigation, response and recovery. For example, financial services firms have traditionally budgeted a significant amount to ensure they can resume critical operations promptly. Comply with regulations such as OSHA standards that require emergency planning, and others–particularly for financial services and healthcare firms–that require recovery planning.

Effective response to a terrorist threat requires organization of teams and the development of procedures specific to each threat. An emergency response team led by a capable incident commander should be organized.

The emergency response team must be trained to recognize signs of potential attack, since evidence of a chemical or biological attack might not be readily apparent. The ERT must evaluate the threat and respond promptly to safeguard building occupants as well as physical assets and operations.

Procedures should include evacuation of building occupants to a safe location, or sheltering them inside if an airborne hazard exists outside. Accounting for evacuees is critical but very difficult. Updated information and multiple means of contact might be required to account for all employees after a major incident.

A corporate or executive-level crisis management team should be organized to assess the impact of the attack on the company as a whole, determine the most effective course of action, and communicate with internal and external stakeholders.

Recovery of critical functions should be assigned to a business recovery organization. Information technology and communication systems are critical, and most companies have recovery plans in place. However, plans should also address other critical functions, including supply chains, service and other functions.

Prompt and effective response requires response and recovery organizations to be so well trained that they can respond almost instinctively. Plans must also be kept up-to-date as personnel and operations change. Connect with police, fire, emergency medical services and emergency management officials to coordinate your plans with theirs. Establish conduits for effective communication–so you can receive official information promptly.

Today, risk managers must be prepared for terrorist acts–the welfare of employees, the protection of physical assets, and even the survival of the business itself might be at stake. Remember, the actions taken in the critical initial minutes will often determine the ultimate impact of the emergency.

(Mr. Schmidt is co-author of a new book, “Business At Risk: How To Assess, Mitigate and Respond To Terrorist Threats,” published by The National Underwriter Company. To order, call 1-800-543-0874.)

Donald L. Schmidt is senior vice president, managing consultant and operations manager within the Risk Consulting Practice of Marsh in Boston.


Reproduced from National Underwriter Life & Health/Financial Services Edition, April 22, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.