The probability of a terrorist action impacting their business.

The physical vulnerabilities of their premises, systems and connections to other businesses.

The financial impact of an attack on their business continuity.

When assessing the probability that a terrorist attack could affect their businesses, business owners and managers should consider the primary terrorist threats: nuclear, biological, chemical, incendiary, explosive and cyber.

They should realize that the damage caused by blowing up a tanker truck laden with chemicals or flammable liquids along a nearby highway could be just as devastating to an individual businessand undoubtedly more probablethan the release of biological or nuclear weapons.

Another often overlooked but realistic terrorist threat is that of a cyber attack. Hackers who have gotten into the game just for kicks or pure financial gain already have stolen thousands of credit card numbers and held various e-businesses hostage over personal client data. Add the possibility of terrorist motives, and the mix gets decidedly more lethal.

Yet companies still may refuse to acknowledge the possibility that their computer systems may be vulnerable. Too many businesses still are failing to invest in disaster recovery and business continuity plans for their e-business activities, according to cyberinsurance and risk management experts.

The second step of the assessment phasea vulnerability assessmentidentifies weaknesses in the physical security of not only individual buildings, but also computer and utility systems. Human factorshow people might be exposed and how they might respond in an emergencyshould be emphasized.

Included in a vulnerability assessment should be surveys of the property, interviews with building managers and security personnel, reviews of emergency procedures that already are in place, and evaluations of life-safety systems.

Three of the most critical areas that may be vulnerable are the emergency notification system for occupants, the actual means of egress from a building, and the emergency procedures that direct occupants to either evacuate or shelter in place until a threat passes.

Potential gaps in any of these provisions need to be addressed not only on paper but also with all managers and employees who need to be aware of and trained in their implementation and use.

For example, what is the procedure for people entering and leaving the building? Is there a system to record everyone who enters and when they leave? Is it enforced? If its an electronic system, would the information be available in the event of a power outage?

Are visitors accompanied during their stay? If the building were evacuated, would someone be prepared to account for the exit of all visitors and normal occupants? What about those with hiddenor even visiblephysical disabilities? Are they provided for in the plan?

Are facility managers prepared to decide whether building occupants should be evacuated and when they should remain within a building? Have plans been drawn up to shelter occupants in the safest location of the building during terrorist activity? Do they understand that, in the event of a chemical or biological threat, people need to go to an upper floor instead of following the normal human response to move down and out of a building?

Another consideration in the vulnerability assessment is the likely availability of public emergency response teams at the time of a disaster. If transportation is affected, or if the attack is widespread, businesses may have to rely on their own resourcesat least in the short term. Consider, for example, the drain on public resources that occurred during the anthrax scares of the immediate post-9/11 period.

The third phase is determining the potential impact of a terrorist act on business continuity. What will an attack cost the business?

This logically is an extension of the traditional business continuity assessment. However, the results of the threat and vulnerability assessments could cause an individual business to reconsider the type or length of potential business interruptions.

Interviews, questionnaires and surveys may be used to develop a comprehensive analysis of the potential business impact.

Included should be an analysis of the potential loss of critical personnel and experience if trained employees are either lost or unable to work; the impact of the loss of buildings and equipment, including suppliers that may not be able to provide needed materials or parts; the possible loss of public infrastructure, such as roads and bridges, and that impact on the business; and the interdependencies that today are so much a part of business.

Interdependencies include areas such as electronic networks, supply side vendors and distribution links in the business chain. A failure of any of these could seriously impact business continuity and, ultimately, survival from an attack.

Countless lives were undoubtedly saved on 9/11 because security measures were taken to revamp the evacuation plans for the World Trade Center complex after the initial 1993 bombing of the World Trade Center. A warning was received and people learned.

The entire country has received many warnings since then. Businesses that choose to ignore the potential for future terrorist attacks despite increasing world volatility are shirking their responsibility not only to their employeesbut also to their shareholders and customers.

Diana Reitz edited the National Underwriter Company book, Business at Risk: How to Assess, Mitigate, and Respond to Terrorist Threats, which is available at www.nationalunderwriter.com/nucatalog.

Reproduced from National Underwriter Edition, April 7, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.