In interviews with a wide mix of executives from security organizations, consulting firms, insurance brokerages, financial institutions, defense contractors and law firms, a terrorist attack on a large U.S. global corporation–especially one symbolic of U.S. influence in the global economy–is given high probability. "Terrorists taking down a large U.S. corporation is very plausible," says Charles R. Lee, a managing principal at the risk management consultancy Tillinghast, a business of Towers Perrin. "The only questions are how they would go about it, who will be the target and when the attack will occur."

Even if a company is not a specific terrorist target, it could be in close proximity to a company that is targeted or may endure economic distress in the event of an attack against some vital portion of the country's infrastructure. "Every check that is written goes on an airplane from one Federal Reserve to another, as part of the clearing operation," says Jeffrey P. Colbath, a first vice president and financial planner of Smith Barney, a Citigroup subsidiary. "After 9/11, the Federal Reserve system was under tremendous pressure because aviation was shut down. If this happens again, for a longer period of time, small companies everywhere and even larger ones will experience tremendous cash flow problems." A similar disruption would occur, he adds, if the postal system were shut down.

And, there are other indirect costs to non-target companies, such as the fear and anxiety the threat of terrorism produces that sap employee productivity. "Terrorists wreak havoc even when they don't attack, just by implying they might," says Lisa Parker, senior vice president of The Strickland Group, a New York-based executive coaching and development firm. "There is a substantial risk of a loss of productivity from employee fear, including greater absenteeism, missed deadlines, irritability and difficulty concentrating and making decisions. The recent scare in New York dramatized this starkly. I have a colleague who had trouble sleeping and would come into work late and go to meetings tired and frazzled. And we were not even close to the action. Fear has a way of infecting everyone."

GUESSING GAME ON TERROR

But planning risk management strategies to defend against a vast potential terrorist arsenal is difficult–first and foremost, because it is almost impossible to predict how a terrorist will strike, so plans must be devised to protect against any and all avenues of attack–from the suicide missions the nation has already experienced to a gamut of threats, including product tampering, supply chain disruption, assassination of key executives, theft of critical data, computer viruses and even insidious rumors created to destroy a company's credibility. "You can't say that no one will fly an airplane into a building anymore," says Anthony Beverina, president of Digital Sandbox Inc., a Reston, Va.-based risk measurement software firm. "The hardest part is identifying the potential range of ways a terrorist organization might try to bring you down and then making sure you're properly aligning corporate resources with those risks."

Another problem risk managers face when trying to devise adequate lines of defense–both financially and physically–is the uncertainty surrounding insurance coverage for terrorism attacks. If Congress does not act soon, insurance to broadly transfer the risks of terrorism will disappear quicker than Osama bin Laden in the mountains of Afghanistan–or wherever he is. The Terrorism Risk Insurance Act, popularly known as TRIA, is set to expire in 2005. The act currently transfers most of the risk of catastrophic terrorism incidents on U.S. soil by foreign organizations to the U.S. government. Insurers and many business organizations are lobbying Congress in the current session to extend TRIA for two more years. Otherwise, insurers threaten that they will start underwriting property and casualty policies, beginning in September 2004, which will exclude terrorism coverage once TRIA sunsets.

While the three-year TRIA was predicated in part on giving insurers time to develop a market solution to terrorism risk exposures, the industry now concedes one is not likely in the foreseeable future. "Complete privatization of terrorism risks is impossible," asserts Robert Hartwig, chief economist of the New York-based Insurance Information Institute. "We're talking about a new and unique type of risk that, in my view, is fundamentally uninsurable. With reports virtually every day that this nation is not safe from terrorists, it is unrealistic to expect the insurance industry, with about $100 billion in commercial capital at its disposal, to cover catastrophic terrorist risks of trillions of dollars in potential financial exposure."

A POTENTIAL HOLE IN THE SAFETY NET

For risk managers, like Kautzi, the specter of TRIA fading away is uncomfortable–although more than a few companies have chosen not to buy the less expensive terrorism insurance that TRIA made possible. If TRIA dies and companies can only purchase pricey stand-alone terrorism coverage, Kautzi (who now works with FM Global for terrorism coverage) predicts that Sprint–and many other companies that feel terrorism protection is essential–would likely have to self-insure. Many others will continue to operate with none. "We feel our resources are better spent elsewhere, on other risks," says Dave Hennes, director of risk management at Minneapolis-based The Toro Company, a $1 billion manufacturer of lawn maintenance equipment. "If we were closer to the Mall of America in the Twin Cities, I might buy it."

All this puts pressure squarely on chief risk officers and risk managers. "Our clients are aware of the [terrorism] insurance transaction issues and are coming to us in a broader way to make sure their business continuity planning and emergency response mechanisms are following best practices," says Steven Lundin, a senior vice president at New York-based Marsh Inc.

Of course, few companies confront the breadth of risk that daunts the 20 or so large global U.S.-based corporations that are symbols of America's economic power, such as the major oil companies, electric power providers, the biggest airlines, financial institutions, defense contractors and telecommunications providers. Other companies with a bull's-eye on them are those that define our culture, such as Hollywood studios, theme parks and "any company with the word 'America' in it," says Digital Sandbox's Beverina.

Once a company determines it may be a possible target of terrorism, risk management experts like Tillinghast's Lee advocate a team-based analysis of potential avenues of destruction. "You would want to conduct brainstorming sessions with people who really understand the key workings of the organization, to address the risk of a terrorist organization targeting you with unlimited resources at their disposal, not to mention individuals who are not concerned about their own well-being," he says. "This is not an exercise undertaken just by the CEO, chairman and a few senior executives. You want the people out in the field, from the person procuring raw materials to the guys on the manufacturing floor, to tell you where they think the pockets of vulnerability are. They can tell you things you would never imagine."

For example, one of the biggest potential chinks in most companies' armor is their supply chain. "Say you have a key component supplier in some foreign location that does not have the personnel security clearances or job hiring background searches that you do," Lee says. "A terrorist with an engineering or manufacturing background infiltrates the supplier and begins tampering with the component in such a way that it is unnoticed by other employees or the U.S.-based assembly operation. Once installed, the component destroys the product, and the company's reputation is in tatters."

How easy is it for a terrorist to infiltrate a U.S. corporation or its suppliers? "I met with a group of general contractors recently and looked over the list of their subcontractors," Lee responds. "Unfortunately, several subcontractors had been hired largely because of their low bids. So I asked if anyone had inquired about the hiring practices of these companies. I was told 'no.' Here were these contractors building these multimillion-dollar office towers and the like, and they had little information on the people working at their subcontractors, people who were given full security clearances to be on-site at the construction site. What if a terrorist infiltrated a subcontractor and did something, unbeknownst to others, that ultimately would destroy the building's integrity?"

"All you need is one terrorist on the inside, and it can implode a company," says Edward Krill, an employment law attorney with the Washington-based firm Carr Maloney P.C. Krill advises enhanced background checks and reference checks, which are increasingly becoming more standard at large corporations. Wal-Mart, with its 1.3 million employees, just implemented a new system, although that was in response to incidents of sex offenders being hired rather than terrorist concerns. "It is perfectly legal to write up an application for employment that has broad consent, where you can talk to the candidate's former workers, neighbors, girlfriend and the guy he drank beer with in high school," he says. "The only caveat is that the employment candidate has to sign the consent form allowing this level of investigation. If you don't get the signature, you can be charged with invasion of privacy. Most job candidates, however, are willing to sign the form. Nevertheless, have it written up by a lawyer to ensure you are legally safe."

Christopher Grniet, a vice president and regional manager at Kroll Schiff & Associates, a New York-based security engineering firm, says most client firms he deals with are addressing these supply chain challenges. "The larger Fortune 500-type companies are beefing up security around their manufacturing processes, doing more detailed inspections domestically, and, when it comes to overseas suppliers, requiring on-site testing and inspections of materials and components before shipping," Grniet says, adding that he can't cite specific examples because of confidentiality concerns. "The question is, are other companies?"

ADDRESSING YOUR VULNERABILITY

Another potential terrorist tactic could be the kidnapping and assassination of key executives and those with significant intellectual capital, such as research scientists and product designers. Lisa Zanotelli, practice group leader for a special contingency practice at insurance broker Willis Group Holdings Ltd., says "kidnap and ransom insurance is increasingly expensive, given the state of world affairs, but is still readily available. This is a market that is in constant flux these days, changing day-to-day and geographic market by geographic market." Zanotelli says K&R insurance remains available in the Middle East, and even in Iraq, though the premiums have risen considerably, especially following the beheadings of employees of foreign and U.S. corporations by Iraqi insurgents.

Perhaps one of the weakest links for many companies is their electronics infrastructure–servers, personal computers, intranets and information systems. The preponderance of wireless "hot sites" opens up a new area of vulnerability. A terrorist with access to a company's IT infrastructure could buy an inexpensive PDA and connect it to corporate systems or set up a WiFi hotspot in a remote part of the corporate campus and obtain sensitive information that may provide a means to enter the facilities. "Phishing" is another method to solicit corporate information, using phony e-mail addresses or malicious Web sites to obtain financial data by suggesting there is a problem requiring immediate access to this data.

A first step should be the creation of a "mirror site" equipped with backup tapes, computers and phones, advises John Medaska, a business continuity expert and vice president of business development with Relational Technology Services, a Rolling Meadows, Ill.-based technology consulting firm. Medaska suggests that even older equipment, as long as it is working properly and can accommodate current computer programs, could be used to reduce the cost to smaller companies. "A business continuity site doesn't have to be buried deep into the side of a mountain like NORAD," Medaska quips. "It can be within an hour's drive of the main site, far enough away not to be affected directly by an attack, but close enough that personnel would be willing to go there in a time of crisis and emotional upheaval."

STAYING UP AND RUNNING

To reduce the fallout from an IT attack, companies like Sargent Controls & Aerospace, a key supplier of precision hydraulic control components and specialty and self-lubricated lined bearings to many commercial and military aircraft as well as all U.S. Naval Nuclear Class Submarines, performs ad hoc IT disaster simulations to assess the duration of recovery. "We do more than 40 tests to determine the potential disaster that would occur from a stolen password, theft of data or other IT-related exposure," says George Blanton, CFO of Tucson-based Sargent. "We literally simulate a full-fledged disaster involving our IT system and then see if we can recover in a day. So far our track record is excellent, but one never knows what lurks around the corner."

Firewalls, intrusion detection devices and improved people processes can reduce IT risks, just as barricades, video monitoring cameras and security clearance procedures can minimize the risk of physical damage, and background checks can reduce the possibility of infiltration. But Digital Sandbox's Beverina, whose company is in the business of measuring corporate risks using sophisticated, computerized matrix technology, says an enterprise risk management approach to terrorism risks is the optimum way to allocate corporate resources. "We work with companies to evaluate the plausibility of various attacks, given historical data and the corporate profile, and then measure that against the company's areas of vulnerability," he explains.

"Chemical weapons are absolutely devastating, but would it be wise for a company to direct the lion's share of its resources to reducing this threat, if this is not as plausible as a truck bomb or cyber attack? Doing a vulnerability assessment is important, but it has to be measured against plausibility. With terrorism, plausibility is always the big question mark. Unlike the ability to predict the possibility of a hurricane striking or a worker becoming injured, a corporation cannot predict the random acts of individuals intent on bringing it to its knees." Nevertheless, says Beverina, "the more you quantify, the more you can make rational decisions."

Michael Chagares, Marsh practice leader for business risk consulting, says for some companies, adding up the costs of terrorism losses is far easier than predicting the risk of those losses. "A good enterprise risk management program encompasses the measurement of exposures and their root causes," he explains. "A company with a large shopping mall can start by doing scenario analyses like "What if the building was blown up, how much would this cost?" You can put a financial number on that relatively easily. More difficult is the question, "If the building was blown up, would people come back to the mall?" My point is that even when you can't answer a question in financial terms doesn't mean you shouldn't discuss it and take proactive measures to mitigate it. A lot of financial losses are manageable; it's the ones that do in your reputation that ultimately do you in."