Ed Butler, chief resilience officer at Pool Re, discusses how businesses can be better prepared and proactive to protect themselves against the risk of terrorism
We have come a long way over the past 40 years in our efforts to combat terrorism risks. Experiences gained by UK authorities and security agencies during the Troubles in Northern Ireland placed the UK in a stronger position than many other countries who had to deal with the chaotic aftermath of global Islamic terrorism post 9/11. Yet the counterterrorism experts and security organisations that work tirelessly to reduce the impact of terrorism are in a constant arms race with terrorist threat actors who employ a wide range of attack methodologies to inflict mass casualties. The constantly evolving threat landscape exposes new vulnerabilities for businesses, especially SMEs, during the ‘new age’ of terrorism which has emerged since 2014. It is therefore essential to adopt a rigorous, analytical, and realistic approach to this peril, one that minimises the full spectrum of the downside consequences.
A strategy comprising six components can be extremely effective when organisations are confronted with terrorism risk. An organisation may not be directly targeted by a terrorist group or an individual attack but may instead suffer the indirect consequences of a cordon set up after the attack, or loss of attraction following a nearby attack, or contagion risks associated with terrorist activities in another area. Variation in vulnerability now lies primarily in the degree of likelihood that a threat will manifest (a probability which, unfortunately, is frustratingly difficult to calculate). Therefore, all organisations should consider the potential impacts of any terrorist attack happening on their doorstep (and within their systems, since cyber terrorism is a growing threat), and how best to minimise them.
Six actions contribute to a comprehensive risk and resilience strategy for dealing with terrorism risk: understand; assess; mitigate; manage; transfer; and accept.
Understanding
Developing risk awareness and knowledge are the critical first steps. Having a basic understanding of the threat an organisation might be exposed to goes a long way in protecting its assets, people, and shareholder value. Unfortunately, too many people still say ‘it will never happen here’. As has been demonstrated over the last four years, contemporary terrorists prefer soft and easy targets, and those which have little physical security in place. Increased protection of transportation hubs and iconic buildings has driven attackers towards urban markets, seaside promenades, and concerts for youth. Post-event reflections on ‘why were we caught up in all this horror’ do not form the basis of a sound security plan.
Risk assessment advances
Assessment is the second essential underpinning of any effort to manage terrorism risk. A general understanding of terrorist threats and their changing nature goes a long way, but these threats must be matched against a company’s vulnerability assessment. A comprehensive risk assessment will provide this. VSAT, Pool Re’s Vulnerability Self-Assessment Tool, provides an easy and simple way to assess potential terrorism exposures and business continuity threats. It delivers a risk score, alongside practical advice to treat identified risks and vulnerabilities. Other terrorism risk assessment tools include blast and explosion analysis (which considers the impact of bomb attacks on specific buildings); structural stability and progressive collapse analysis (an engineering-driven process); and assessment of chemical, biological, nuclear, and radiological threats.
Advances in blast modelling have made the assessment of specific buildings’ vulnerability to explosions much more accurate. Pool Re’s model, calibrated by experts at Cranfield University, uses Computational Fluid Dynamics to show where and how blast waves travel. The technique predicts the changing flow of blast pressure following an explosion as it radiates down roads and alleys, and swirls between and bounces off buildings. It allows much greater risk analysis than simple radial or 3-D line-of-sight modelling.
Mitigate, manage
Each action taken in the treatment of an organisation’s identified risks will fall under one of the remaining four components of a terrorism risk programme. The four must be assessed and carefully balanced within the context of the organisation’s risk profile and appetite, its resources, and its goals.
Risk mitigation comprises essentially the avoidance of risks. Ocean-going vessels have long practised risk mitigation when piracy makes certain sea routes less safe than usual: they simply sail around high risk sea channels (in extreme cases this decade, passing the Cape of Good Hope rather than risk dangerous waters beyond the Suez Canal), or employ on-board armed security guards. Similarly, recent, possibly state-backed bombings of vessels in the Gulf of Hormuz have prompted some masters and owners to take alternate routes where possible. The potential to suffer terrorism at the hands of activists has led some companies to withdraw from certain activities, including vivisection. However, risk mitigation is often not an option.
Risk management is essential in the many cases where terrorism risk cannot be avoided through mitigating actions. It includes actions taken to reduce the likelihood that risk transform into loss events. Measures range from the installation of barriers that prevent vehicles from entering pedestrianised areas, to the development of emergency response plans intended to reduce the impact of an attack which has not been avoided or thwarted. Many activities lie in between, such as instructing staff on threat identification, and bag searches for anyone entering a building.
Risk transfer through insurance
Security agencies around the world have become highly proficient at averting terrorist atrocities, which has made them excellent anti-terrorism centre-forwards and goal keepers. However, they can never guarantee to interdict all terrorist plots, every time. Risk transfer – essentially, the purchase of insurance – is the next component. When risk mitigation and management measures fall short and terrorists are successful in their attacks, terrorism insurance is the underpinning backstop which ensures resilience. It allows organisations to get back to business within the shortest possible time, and with the minimum possible impact on their balance sheet.
Terrorism risk transfer is Pool Re’s business. We provide, indirectly through conventional insurance companies, the insurance backstop which provides cash indemnity and supporting services designed to ensure that organisations will have the resources necessary to recover as quickly as possible from a terrorist attack. We rely largely on our own capital and that of retrocessionaires – companies that provide reinsurance for reinsurers – but above that capital sits a loan facility from Her Majesty’s Treasury, which will cover reinsured terrorism losses that exceed the member retentions and our own capital pool (claims exceeding £9 billion).
In the past only the largest companies were able to acquire insurance against terrorism risks, but today, in the UK and many other countries, cover is easily obtained through the usual insuring channels due to the involvement of state-backed terrorism reinsurance risk pools such as Pool Re. Insurance is now an essential part of any company’s terrorism risk strategy and business continuity planning and is an acceptance that we live in a changing terrorism threat landscape.
In Britain terrorism insurance is now available and affordable for all organisations. Claims can be made for losses due to an act of terrorism even when a terrorist attack has done no physical damage. For example, customers were denied access to businesses trapped behind the police cordon at Borough Market for over a week following the London Bridge attack. Many small traders suffered considerable losses from a drop off in footfall and spoilage of consumables. Since the event, Pool Re has created affordable ‘non-damage business interruption’ coverage for terrorism related losses.
The threat of terrorism is persistent, and it isn’t just about London. Small and medium sized organisations across the country are equally likely to be affected, either directly or indirectly. Taking a risk by not buying terrorism insurance, and instead adopting the belief ‘it will never happen here’ is a high-risk strategy in a world where terrorism is now, sadly, part of everyday life. Companies, large and small, can reduce the impact of terrorism by having a comprehensive risk strategy which covers all aspects of this diverse and unpredictable peril. An intelligence-led approach and plan will ensure effective and enduring resilience. Transferring risk through appropriate insurance is a must.
