RMs Have What It Takes In War Against Terrorism

Sept. 11 was the ultimate wakeup call, stirring companies to look at their own security and risk management plans in an entirely new light. This renewed focus on security, disaster recovery and business continuity represents a pivotal moment for risk managers.

As CEOs begin to recognize that everyone in an organization has a role to play in identifying and managing risk, risk managers are uniquely qualified to transform that awareness into action.

The new security risks reach far beyond the doors of individual organizations. Nuclear power plants, dams, industrial facilities and other parts of the nation's infrastructure are at risk from terrorism–including, as Defense Secretary Donald Rumsfeld put it, a “cyber-war.”

Even as companies protect themselves from ruin, business leaders have a broader responsibility to help safeguard the nation's critical infrastructure and economy from terrorism and other disasters. This requires partnerships that cross the public-private sector divide. Here, too, the risk management community plays a critical role.

Risk managers have long promoted the need for enterprise-wide risk management. Sept. 11 made it painfully obvious that it must be a core governance issue.

Risk managers can provide the framework for managers in finance, security, information technology and human resources to work together to develop policies and procedures to minimize potential catastrophic threats, as well as to formulate backup contingency and disaster recovery plans.

Risk managers can also ensure that their organizations have the insurance needed to put such plans into effect, survive a prolonged period of business interruption, restore property, and return operations to normal as quickly as possible.

Sept. 11 clearly demonstrated the risk manager's credo: Companies that survive a catastrophe with a minimum amount of damage are inevitably those that plan ahead. Merrill Lynch, Morgan Stanley, Bank of New York and Deutsche Bank, among others, activated their comprehensive disaster plans and were back up and running almost immediately after the World Trade Center tragedy.

Their disaster plans were more than words on paper. Contingency planning and a determination to keep the business going under any circumstance must be woven into the fabric of the corporate culture. CEOs are acutely aware of this concept today, presenting a tremendous opportunity for risk managers to execute strategies that will foster change within their corporate culture.

Against the backdrop of Sept. 11, risk managers are better able to help senior managers plan for the previously unthinkable. For example, what would happen if members of senior management or the board were killed, missing, incapacitated or inaccessible–or, worse yet, what would happen if the entire board and senior management were suddenly wiped out?

No one wants to contemplate such horrible thoughts, but risk managers know that the first 72 hours after a disaster are vital for the survival of the enterprise. Having a backup chain of command and ensuring that key corporate decision-makers are protected will often make the difference between the organization recovering–or not.

Protecting human resources, as well as physical and financial assets, from terrorists and other catastrophic exposures is not the only priority. Information technology security has also become a “mission critical” corporate concern.

Risk managers–not only IT managers–must ensure that their organizations take every measure necessary to secure their own networks and to address security-related concerns with consultants and vendors. The only way to effectively protect against a cyber attack is by establishing strong risk management policies and procedures that bridge gaps between units within the enterprise. The program must have unequivocal support from the top of the corporate ladder.

Since new vulnerabilities are evolving rapidly and the Web is a shared resource, the need to involve multiple disciplines in assessing and managing IT security goes beyond any one company's doors. Risk managers must encourage the sharing of “best practices” with others outside the organization, as well as the immediate reporting of any suspected criminal activity to law enforcement authorities.

Law enforcement officials can help companies minimize risk, yet many companies fear that reporting a cyber crime will harm their reputation. However, when a business fails to enlist the help of law enforcement, it leaves itself vulnerable to future crimes perpetrated by the same individual or others.

Information sharing among businesses within Corporate America, as well as with law enforcement and government officials, will be key to fighting back against hackers and terrorists.

The events of Sept. 11 are forcing risk managers to think outside the box of traditional threat assessments. However, even the best minds among us might fail to uncover every conceivable threat. We are only human.

That raises the specter of a directors and officers lawsuit. Should a disaster interrupt the smooth and profitable running of an organization, shareholders and their attorneys might try to prove that business leaders were negligent in their management and hold them responsible for their loss in stock value. Or customers might hold a business responsible for their loss of revenues if it is unable to provide them with the product or service they need to continue their own operations.

Even if the pursuit of a D&O claim is unsuccessful, the cost of defending it can run into the tens of millions of dollars. Now is the time for risk managers to review the adequacy of their D&O liability coverage.

Clearly, in light of the interdependent nature of our economy, risk managers need to be concerned not only about how they will mitigate risks and prepare for disaster at their own companies, but also how their business partners do it. Such cross-sector cooperation is necessary to address threats to our nation's critical infrastructure and prevent a chain-reaction of disaster.

This issue goes beyond business. It is time for industry and government leaders to develop a coordinated approach to 21st century security between the public and private sectors. Risk managers can take the first steps by helping their organizations forge public-private sector partnerships with government agencies, including Tom Ridge's federal homeland security team, the Critical Infrastructure Assurance Office, the Federal Emergency Management Agency, and other federal and state emergency management agencies.

Today, risk managers have an unprecedented opportunity before them. The risk management community must use its collective knowledge, experience and leadership to help government and the private sector make security both a core governance and national economic issue.

Dean R. O'Hare is the chairman and chief executive officer of The Chubb Corp. in Warren, NJ.


Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, April 15, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.

