Question

Throughout the history of emergency management in the United States, the priorities set for government emergency management agencies have been driven by the most widely perceived threat or hazard. How do you think the new threat of terrorism and the hazards associated with terrorism will impact the practice of emergency management in the United States at all levels of government (federal, state, and local) and in the business sector?

Answer 1

TRANSITION 1: Understanding Threat Informs Risk Analysis

Determining which threats a department faces does not necessarily mean there is an equal risk associated with each of the threats. To develop appropriate response patterns to terrorist threats, a department must convert knowledge of threats into risk.

A formal process of conducting a risk assessment within a department is the initial step in developing plans, policies, and procedures to address operations within the current terrorist environment. Risk assessments use established protocols and algorithms in their analytical process. These protocols can be complex and/or proprietary in nature, depending on which of several available methodologies is selected. The following is a simplified review of the sequence of steps that a risk assessment may contain. It is not a detailed explanation of each of the elements involved in every step of the process, but rather an overview of the objective of the steps leading to an organized indication of risk. With this knowledge a department or organization can proceed to the development of response operations suitable to address the known and identified threats and risks. Without this knowledge a department will resort to guessing about the actual functional condition of their capabilities and counterterrorism profile.

Risk Assessment

The first step in the elimination of internal parochial planning concerns is conducting a risk assessment, and the first part of that is determining the nature of the threat scenarios the department is likely to encounter. The process described below focuses on the terrorist environment as the specific threat being addressed, as compared to ordinary or routine response circumstances. While it is recognized that the current interest in an “all hazards” approach to planning has significant utility and appeal, the array of situations an emergency department can find itself involved in may already include many, if not all of the naturally occurring, unintended, and accidental emergencies present in an all hazards approach to planning. Departments whose territory and response activity include blizzards, earthquakes, tornados, or other cyclically occurring emergencies may have become prepared and conditioned to manage such matters through years of response to such emergencies. However, large explosive charges, the use of chemical and radiological weapons, directly attacking department locations and personnel, etc., presents a much different set of circumstances for which departments are not as prepared. Existing natural hazard response plans may or may not need up-dating, but planning for and responding to terrorist activity is different than other emergencies. 12 Addtionally, plans based on terrorist risk assessments can bring benefit to departmental capabilities in responding to an “all hazards” environment.

The Risk Assessment process being discussed in this article consists of seven sequential sub-elements: 1) threat, 2) criticality, 3) vulnerability (likelihood), 4) response and recovery capabilities, 5) impact (consequence), 6) risk, and 7) needs.

The threat component permits a department to identify the types of terrorist weapons it needs to consider and protect against, as well as the means by which each of those weapons can be used against the department. A specific threat is dependent upon the terrorist’s objectives, motivations, and capabilities, as well as the target attractiveness of the department’s assets to the terrorists.

The criticality element permits the department to rate the relative importance of each of its assets in accomplishing the department mandate. Establishing this hierarchy of criticality also suggests which assets require protection from the terrorists’ methods of attack.

The vulnerability component evaluates the amount of security an asset has as compared to the possibility of a successful attack upon it. Noting the specific vulnerabilities per type of attack also suggests potential security enhancements to counter those vulnerabilities.

The response and recovery element measures the capability of the department to respond to and recover from each of the types of attack upon the department itself. This is not to be confused with response patterns for operations in the terrorist environment generally.

The impact (or consequence) part of the assessment measures the percentage of loss of the assets’ criticality to the department that would occur due to a successful attack. This metric also represents the relationship between the terrorists’ capabilities to achieve their objective and the department’s ability to protect against it.

The risk component demonstrates a hierarchical rating of the assets for each type of attack as a result of the threat, vulnerability, and impact analysis. Each of the department assets is compared to every other identified asset to demonstrate their relative risk.

The needs component permits a department to review various security and recovery solutions that would serve to reduce the level of risk the department faces from a terrorist event. 13

Threat

In this country, responding to terrorism is an experience limited to a very few emergency services departments. It should therefore be an area of concern for those departments that have not yet considered it as an issue. The range of terrorist threats to a department is identified by the types of weapons used or sought by terrorists. Emergency responders know them as Weapons of Mass Destruction, or WMD. Included in this category of weapons are: chemical, biological, radiological, and nuclear weapons, and explosives. In addition, an analysis of recent terrorist tactics and methods shows that more conventional types of weapons and tactics, associated with the “small unit type actions” displayed in the Mumbai attack, can also be devastating to emergency services. 14

The likelihood of a department encountering any or all of these forms of attack is a variable driven by the full range of conditions and circumstances unique to each department and its location. A departmental liaison to, or membership in, a regional Fusion Center or a Joint Terrorism Task Force can serve as the source for current and realistic threat information. 15

Note that the level of existing threat is entirely outside the control of a department when considering WMD’s. The amount of threat from these types of weapons is controlled by, and exists solely within, the terrorist element itself and the actual prevention of WMD use is not normally within the capacity of local first responders. Unless the department is capable of neutralizing the terrorist organization itself, or changing the beliefs, objectives, means, or capabilities that drive their attack motivations, the department will not be able to “prevent” an attack. The terrorist organization always retains the option to change the location of its attack to another, “softer” target in order to satisfy its objectives. Thus, that attack is not “prevented,” but only “deterred” onto another location.

Criticality

Every department has a mandate or reason for its existence. That reason may be found in enabling legislation, a charter, or mission statement. The initial process in doing a risk assessment answers the question, “What do we do?” The best answer is one that views the department mandate at a high level. For example, for a fire department the answer “We put out fires.” is not as comprehensive or accurate as “We prepare for and respond to emergencies that threaten life and property.” Opening the range of possibilities in this manner facilitates thinking about the development of a list of critical assets.

Few departments have assets and resources that are not necessary to some aspect of the department mandate, but not every resource or asset is critical to the mission. The criticality element of the assessment allows a department to evaluate which of its assets are the most important ones for accomplishing its mission.

All departments function as networks of assets and elements that interact with each other, either operationally or administratively or both. It is the linkage and the frequency of linkage between these elements that can define the networked structure of the department and the criticality of those elements.

The terms used for describing the different types of elements in a network are “nodes”, “links”, and “hubs”. A node can be a particular building, a piece or type of equipment, or part of a process, etc. The links are the elements and/or parts of a process that serve to connect nodes. This can be a physical, administrative, or operational “pathway” that connects or creates interaction between nodes. A hub is a node that multiple other nodes link to. The more links there are from other nodes to a particular hub, the more critical that hub becomes. 16

image

Diagram 1

In theory, the hub with the largest number of links is the most critical in the department network and each of the subsequent hubs have their hierarchy established in a similar manner. While network theory recognizes there are many factors available for use in this calculation, 17 for the purposes of this risk assessment discussion, Diagram 1 displays a notional example of a department’s assets on a chart based on the number of operational communication interactions between some of these elements in a department; many other criteria can also apply.

While each of a department’s assets is “critical”, it should be clear that each of them is not equally critical. Each critical asset’s importance to the range of different factors that make up the department mandate is an indication of its position in a hierarchy of criticality.

These assets, owned and operated by the department, each make an important contribution to achieving the department mandate. Their final position in the hierarchy will reflect an analysis using a common set of factors that make each of them critical to accomplishing the department mandate. Such factors can include the number of casualties that will occur from the loss of this asset, the percentage of the department’s ability to function that will be lost due to the loss of this asset, the cost of replacing the asset, etc., but these factors will not apply equally to each asset. Combining the ranked assets with these factors will result in a hierarchy of all the assets’ critical relationship to the completion of the department mandate.

Vulnerability

An array of attack weapons and methods are available to the terrorists for them to potentially use successfully against any asset. Clearly, not every weapon would be appropriate for use at each site or against each asset, yet an asset may have a wide spectrum of weapons and tactics that can be used against it.

Note that the use of a particular type of weapon is influenced by many factors external to the department. The objectives of the terrorist element, their chosen means for achieving these objectives, and their capacity for having and using a particular type of weapon are all factors that would be considered. There must be a corollary between the objectives of the terrorist organization, their capabilities and methods, the importance of an asset in achieving (or preventing) their objectives, and the security conditions at the asset to deter the terrorist. Diagram 2 below provides a notional example of how these conditions result in the different types of threat, weapon(s), and attack scenarios that a terrorist might choose to use against an asset, depending upon the particular vulnerabilities of each of the critical assets of the department.

image

Diagram 2

As revealed above, each of the identified department assets can have a vulnerability to multiple, selected types of attack. Understanding vulnerability consists of knowing both certain specifics about the attack method verses the security conditions that exist at the asset. Some elements of an asset might serve to deter an attack – i.e. the security procedures in place at the asset are believed to be sufficient to deny terrorist access (fences, card readers, etc.) – and such an attack could be detected before it is completed because of other procedures (CCTV, lighting, etc.). There is also the probability that once the attack is detected, it could be interdicted before it is carried out. Other aspects of an asset might be so lacking in security that it would attract an attack. In short, it is necessary for a department to look at itself as the terrorist would in order to determine its vulnerabilities.

It is the difference between the offensive aspects of an attack and the defensive abilities of the asset that provides an indication of the likelihood of a successful attack. If an asset is highly vulnerable to a particular type of attack, and attacking it with a selected type of available weapon would serve the terrorist’s objectives, then the probable vulnerability or likelihood of a successful attack at that asset might be high. Conversely, even if the asset is vulnerable but the terrorist element doesn’t posses that type of weapon and/or attack capability, or attacking that asset would not serve the terrorist’s objectives, then the probability of attack would be lower.

A department can be fully capable of deterring an attack through the introduction and use of security measures that counter specific types of attacks. It is of paramount importance that departments consider security measures to mitigate these types of attack in their planning procedures. It should also be noted that the department’s planning must be sensitive to the potential that improperly selected and/or applied security measures may only serve to “deflect” rather than deter an attack. For example, if a department so hardens its administrative building that the terrorists attack a less defended operational building within the same department, then the department has succeeded only in “deflecting” rather than “deterring” attack. In this case it cannot be said that the attack was “prevented”.

Response Capabilities

There are specific measures available for preparation for, defense against, and/or response to types of terrorist attack. The department’s internal capabilities across a wide range of areas of expertise and resources will be required in the wake of such an attack to continue performing the department mandate. Organizational structure and leadership, the existence of operational plans and procedures, the level of training and expertise, the availability and use of equipment and or systems, and the number and type of personnel and their availability are all primary issues for appropriate response and recovery. The gap between the current readiness condition within the department and a desirable level of readiness in order to continue departmental functionality equates to a department’s response needs. For example, if a department needs twenty SWAT trained officers when it currently has eight, or the department has one rescue company but also needs a Haz-Mat capability, such conditions reveal the gap between existing departmental resources and what the current threat environment requires them to have.

Some of the administrative and infrastructure elements of the department also contribute to its response readiness. These includes such things as the presence of administrative plans and procedures, the existence of alternate facilities, communication capabilities, the existence and continuity of vital information in databases, and a periodic use of training exercises. The combination of these operational and administrative elements can reveal the difference between current capabilities and terrorist incident response needs.

Impact

Impact (or consequence) can be described as the portion or fraction of an asset’s criticality that would be lost to the department in each of the attack types previously described. This impact is balanced to a degree by determining what fraction of that impact could be reduced or mitigated due to the identified response and recovery capabilities of the department. The combination of these various elements (the percentage of criticality of the assets destroyed, the percentage mitigated by recovery capabilities, and the amount of impact mitigated by response capabilities) has a direct relationship to the overall consequence to the department from these attacks and, by extrapolation, to the surrounding community.

Relative Risk

Relative risk means that assets of different types, with different purposes and functions, being similarly threatened by multiple types of weapons and attacks, can still be measured in direct comparison to each other’s level of risk exposure. This also means that all of a department’s critical assets can be evaluated as a group.

These risk calculations can be plotted on a graph, where the vertical axis represents vulnerability (likelihood) and the horizontal axis represents consequence (impact), by placing a point on the graph for each type of attack at each critical asset. Those points close to the axis junction (lower left) have less vulnerability and/or consequence than those at a distance from it (upper right). In practice, the assets and attack type combinations proceeding diagonally on the graph up and to the right from the axis point represent the highest level of risk and require the most immediate attention to secure. Since all the assets and attack types are measured against the same set of threats, and each asset has a point on the graph for each type of risk it faces, the plot points display the relative risk between all the assets.

Using this method, it is possible for a department to know that, given its circumstances, the greatest risk may be to their communications center from a vehicle borne explosive, or to their EMS center from a biological weapon, or their headquarters from a chemical attack, or to their rescue company quarters from a man-carried explosive, etc. Each attack type and location will have a position (node) on the graph in direct risk-relationship to every other type of attack at each of the other assets. The below graph displays a notional example of a typical relative risk assessment diagram; an asset can have multiple points on the graph representing each type of attack it could face, while some types of attack appear multiple times against different assets.

image

Diagram 3

Needs

Through extrapolation, Diagram 3 also informs department management and personnel of what corrective measures need to be taken in order to lower risk. Determining the reasons for a vulnerability rating suggests the lack of a defensive security measure (or a combination of security measures). Instituting such a security measure (or measures) would serve to lower an asset’s vulnerability to a particular type of attack. For example, where a vehicle bomb attack is indicated, the installation of vehicle barriers might serve as a deterrent and installing a type of public access control system could reduce the possibility of a man-carried explosive being used against another asset. Installation of such security measures would lower the risk profile of the involved asset.

Reduction in vulnerability (the vertical axis) is frequently thought of as being achieved through installation of “site-hardening” physical security measures. While this is a logical way to reach the risk reduction goal, other means are also available and must be considered. For example, one of the elements of ‘likelihood’ is the target’s attractiveness to the terrorist; changing that attractiveness is a means of reducing risk. Making a target too difficult to attack, or beyond the terrorist’s weapon and resource capability, reduces the target’s attractiveness and, therefore, “likelihood”. Changes in established operational procedures can also serve to lower risk by making various aspects of the asset less vulnerable.

Risk can also be reduced by making changes in consequence (the horizontal axis). This is frequently done through duplication and/or dispersal of the asset. If destruction of a particular asset represents a single potential point of failure in accomplishing the department mandate, then consideration can be given to duplicating that capacity and/or dispersing its functional purpose throughout multiple other elements or locations, in order to reduce that failure consequence. Measures that create duplication and dispersal of ability can extend the time during which an emergency service can continue to provide services in a crisis by ensuring a replacement or substitute capacity when a similar function is lost at another location. Note, however, that security measures which reduce consequence without changing the level of vulnerability of assets rely, in part, on the presumption that the terrorist element does not have the capacity to eliminate all of the vulnerable assets simultaneously or each in sequence. Thus, choosing mitigations that focus independently on reducing “likelihood/vulnerability” or “consequence/impact” alone can have the desired effect of reducing risk to the asset where they are applied; but a program that develops need-driven mitigations that reduce both these elements of risk (vulnerability and consequence), simultaneously and in coordination with each other, directly enhances overall security and supports the sustainability of the departmental services the asset provides.

Applied risk reduction measures that lower vulnerability can sometimes be dependent on various forms of technology. Departments must be sensitive to the degree of technological dependence created in addressing their risk reduction methods, particularly if the technology represents a single point of failure. If the technology fails or is overcome, the total consequence of the original vulnerability can occur immediately. The level of accrued technological dependency may not permit any time for initiating other measures to limit the full consequence.

In situations where technological dependency is acute, a program that trains personnel not to extend their operations to the extreme limits of the technology and/or provides alternate methods to achieve the objective, can serve to increase actual safety and available time to avoid the full consequences of any technological failure.

Whether the choice to reduce risk applies to vulnerability or consequence, or ideally both, it is important to remember that the mitigations and changes driven by the needs assessment should not be limited to physical and structural changes alone. Operational changes in routine functioning are often highly effective in reducing risk, usually involve less capital costs than physical changes, and can be applied more easily and often on a scale that varies according to the current local level of threat. It is often most effective to implement both physical and operational risk reduction efforts in a coordinated manner. It is in this area that changing response patterns as a result of specific terrorist conditions can be highly effective.

Return on Investment

Investments in counter-terrorism mitigations can be significant and as with all investments, must present a gain or positive return for the investor. The gain being sought in a risk assessment is the reduction of risk. It is that reduction which represents the return on this investment, and each mitigation must have a value in risk reduction with a direct relationship to the recognized threats. The cost of each mitigation method and/or a combination of mitigations, and their effectiveness and efficiency in gaining risk reduction per actual unit of cost, is a major issue for a department. By using pre- and post-mitigation installation assessments, a department will be able to evaluate its overall security profile at any given time and the return on investment of its mitigations. It should be understood that the assessment profile and all aspects of risk respond to the nature of the threats, which can change over time. It is therefore beneficial for a department to periodically reassess its threat and risk condition.

Additionally, department management must consider the concept of “acceptable risk” in selecting which asset(s) are chosen, and in what sequence for mitigation improvement. Presuming that available funding in any given year will be insufficient to address the totality of mitigation needs, a department must choose how and where those funds will be expended. Logic would seem to dictate that the asset determined to be most at risk (see Diagram 3, Rescue Co./Small Explosive) would be the first asset to receive corrective measures, and each subsequent asset in the hierarchy would be addressed in turn according to available funding. Another method could be to collectively fund partial mitigation for a selected group of assets, or all assets simultaneously, thereby giving some protection to a wider group of assets rather than in-depth security to one. Regardless of which process is chosen, the gap between the optimum obtainable security condition desired, and that which current funding, technology or expertise permits, is the amount of ‘acceptable risk’ a department will have until conditions allow further mitigations to be applied or the threat itself diminishes.

Similarly, a department must guard against selecting a method of mitigation simply because it has the highest return on investment. Expending funds for that reason only, on an asset that holds a lower position on the risk assessment graph, leaves those higher ranked assets wanting for attention.

TRANSITION 2: Risk Assessment Informs Security Mitigations

Security Mitigations

The vast majority of calls that fire departments and emergency medical services respond to are accidental. That is to say, they are not intentionally caused. The exceptions of arson and other intentional criminal matters account for a select percentage of the total responses, but most departments consider such operational responses within their routine patterns. The idea that these emergency services may themselves be intentionally targeted is rarely considered or planned for. This is not to be confused with any existing plans for operating under dangerous conditions or in a contaminated zone; these plans envision arriving at an ongoing, unusual, or terrorist event wherein something else is the primary target. The concept being considered here is that of emergency services being directly targeted and attacked as part of a wider terrorist event. Departments have an awareness of time-delayed “secondary” explosive devices being planted for the specific purpose of impacting emergency responders upon arrival, but the intentional attacking of the services prior to or concurrent with a wider attack is not an event generally included in emergency planning.

There are numerous examples of terrorist attacks targeting security forces whose expertise could impede or deny the terrorists’ attack objectives. Such actions as attacking command and control hubs, communications centers, hospitals, etc. that can reduce the impact of the terrorist attack by rapid and effective use of a department’s responding capabilities are such examples. 18 By neutralizing or minimizing that response capability the asymmetry of the attack shifts in favor of the terrorists.

Both captured intelligence evidence and past terrorist actions require that this intentional targeting potential be examined. 19 Causing death, injury, and destruction are some of the primary intentions of transnational terrorists. Terrorists have demonstrated that they can improve their effectiveness in those areas through the elimination or lowering of the response capabilities of local authorities. 20 Recent evolutions of such attacks, particularly in Mumbai, India, have clearly demonstrated that the terrorists were able to enhance the effects of their attacks through such means. Whether conducting pre-attack surveillance on emergency services, rehearsing attacks on responding vehicles, attacking police stations, commandeering emergency vehicles, or executing response commanders, there is ample evidence to indicate that such tactics are part of their overall planning. 21

Emergency services must realize that they represent some of the most valuable and finite counter-terrorism resources in the country. This means that departments should highlight the need to secure their resources from attack and take the possibility of any diminished capability or capacity due to such situations into account in their policy development and response planning and budgeting.

Even if departmental resources are not targeted directly, multiple types of WMD terrorist attacks are capable of wide-spread injury, death, and destruction. Emergency services are not immune from such consequences. These types of attacks can seriously impact both on-duty and off-duty personnel, and equipment serviceability, simultaneously. Crisis planning considerations should examine the departmental response profile through a range of diminishing levels of personnel and equipment availability due to the direct impact of a particular type of attack on the resources of the department itself, or by its being effected by these WMD. There is a direct relationship between the number, and capabilities, of the remaining department resources following an attack, and the selection of which emergency operational functions are to be continued at which critical community locations. There is a “tipping-point” at which operations are unavoidably or intentionally diminished. 22 This point will vary from department to department. Note that a departmental capability should never be confused with its capacity. A department may have excellent training, equipment, leadership, and experience to address an event – even a terrorist event – but its ability to rapidly respond and sustain those operations over time or in simultaneous multiple attack scenarios is a measure of its capacity, 23 which can be dramatically reduced by WMD.

The above risk assessment process can identify which assets are most at risk from terrorist-type attacks and their current vulnerability profiles. In planning terrorist response operations, senior emergency management needs to consider actions and expenditures that will help ensure that their most valuable resources (frequently the ones most at risk) remain viable and available for use by the wider community during and after these emergencies. 24 Even a cursory review by senior management will often reveal that the entirety of a department’s policies, practices, and particularly Standard Operating Procedures (SOP), have been created to function in a routine environment and will therefore need to be completely reconsidered to ensure survivability in a terrorist attack. Physical site hardening of critical assets and the installation of access-limiting measures that create a secure zone in depth, as well as operational changes, are some of the basic steps that can be taken to help protect these resources. Such hardening is not limited to physical sites; it should include mobile resources as necessary. In every instance it is the selection of the correct mitigation or (more frequently) a combination of mitigations, chosen because they are directly mapped to a risk reduction need identified through the above risk assessment process, that will be the most effective in addressing security concerns.

TRANSITION 3: Security Ensures Resource Allocation for Terrorist Events

The above risk assessment process results in a department understanding the ways in which it is threatened by terrorism and which of its assets are most vulnerable to that threat. The process also identifies those assets that will need to be secured from those threats since they are the most necessary and critical for the department to carry out its mandate in the event of a terrorist attack. That understanding of all aspects of risk is necessary in order to examine and address a department’s preparedness profile for responding to terrorism. One of the principle ways of determining preparedness is to understand the way a department allocates resources.

Resource Allocation

“What is our capacity to do what we do”?

For an emergency services department, the answer to this question is related to all the resources that attach to each of the department’s critical assets, and all other assets, in order to accomplish the department mission. For example, a fire department may have twenty apparatus including pumpers, ladder trucks, ambulances, rescue vehicles, mobile command vehicles, etc. The number of them and the total number of personnel assigned to those operational functions, in addition to those in administrative functions, can give an indication of the department’s response capacity. That distribution will reflect what local experience and practice has shown to be the appropriate number of resources necessary to meet the daily routine requirements of the department. Diagram 4 (below) demonstrates the possible assets and the number of emergency personnel distributed within a department.

image

Diagram 4

“How do we accomplish our mission?”

The answers to this question generally involve training, command and control, response patterns, communication systems and data bases, liaison and mutual aid, etc. Knowing the answers to these questions permits a department to have an overarching view of its functional means and processes necessary to operate. Specifically, it will have an analysis of its daily, routine operations and how the department mandate is met.

“What resources, and in what numbers, will be needed to respond to each type of terrorist event?”

Diagram 5 (below) hypothetically lists an asset, the number of personnel assigned to that type of asset, and the types of WMD that asset will be called on to mitigate. (Diagram 5 is not intended to be comprehensive.)

image

Diagram 5

Risk assessments (particularly in the response capabilities section) provide an analysis of critical issues and critical needs when operating in a WMD environment. The distribution of resources shown in Diagram 4 describes resource allocation for routine operations and functions.

As displayed in Diagram 5, the WMD response resource allocation needs are clear. The two diagrams (4 and 5) are dramatically different. In fact, the distribution of routine function resources (for example, personnel) may be nearly inversely proportional to the department needs in addressing the WMD terrorist threat. In Diagram 5, note that there are 150 personnel assigned to engine companies who can operate in response to three types of WMD attack, but only twenty rescue personnel available for addressing six types of WMD attack. Multiple, simultaneous attacks of this type would only serve to exacerbate this issue.

The reason for this disparity is that response to a routine matter and response to a terrorist/crisis event are two entirely different circumstances, requiring very different operational processes, abilities, and resources.

The expertise, equipment, and resources used most infrequently in daily operations will become some of the very elements in greatest demand during response to a terrorist event. Attempting to use the larger routine resources as a substitute for them during a crisis can/will result in great peril to those resources and an inadequate outcome for the conditions being addressed. This situation would be a crisis for the department.