Calculating the risk of terrorism

SINCE THE TERRORIST ATTACKS of 11 September 2001, which resulted in direct financial losses of up to $40 billion for re/insurance companies, there has been a discussion whether or not such high severity risks can still be insured. In the absence of similar attacks of comparable magnitude, the response has moved gradually from an initial “not really” towards a cautious “yes”.

While single phase incidents like bombings are foremost on the minds of people when it comes to terrorism, dual phase incidents like hostage taking and kidnappings, where a negotiation phase follows the initial act, are also of concern for the insurance industry and governments. The seizure of ships and hostage taking of sailors by pirates, and the abduction of tourists in North Africa and elsewhere, not only raise financial issues, but also the fear that the ransom money paid will engender a contagious effect.

Some governments have been unwilling to rescue citizens seized abroad, while others have been more flexible (or less principled). Corporate employees of multinational corporations are often covered by private anti-kidnapping insurance schemes. In either case, the issue of paying ransoms for persons taken hostage or compensation for lives lost in acts of terrorism poses moral, political and financial problems for the responders.

The key question for the insurance industry is this: how high is the risk of a client suffering attack by political terrorists and criminal abductors? The answer regarding the probability of a terrorist attack on a specific target – whether it is a facility or a group of people – is highly context-specific, varying not only between countries, cities, industries and sectors, but also over time.

If one company or iconic site is a probable target, a neighbouring building, that in itself is an unlikely target, could suffer severe collateral damage merely by virtue of its proximity. All this makes risk and, hence, premium calculation difficult. What is needed is a wealth of longitudinal (time-series) and location-specific (hotspot) data, and a model that can forecast the risk by using indicators which reflect previous incidents of terrorism where the outcome is already known.

Risk calculation

Risk is often calculated as a function of vulnerability x threat x impact. Much progress has been made in calculating probable impact, both for direct and collateral damage. The vulnerability of facilities and people in a certain location depends heavily upon the terrorist weapon. Vulnerability is hard to determine, especially when it comes to chemical, radiological and biological weapons.

Yet vulnerability, like impact, can in most cases be modelled and assessed to a satisfactory degree. The real difficulty lies in calculating the threat of an impending attack. While applying mitigation counter-measures allows us to exert a degree of control over vulnerability and impact, the threat variable is largely in the hands of the terrorists themselves.

Often we have nothing more to go on than trend extrapolation from their past record of performance, based on indicators such as:

• Variations in the frequency of terrorist attacks, including intervals between attacks

• Success rate of past attacks, with failed and foiled attacks deducted from the total number of attempts

• Severity of attacks in terms of casualties and material damage

• Consequences of the attacks for the terrorists themselves, not only the increase or decrease in number of terrorists captured, wounded or killed, but also in recruitment and desertion rates.

• Sophistication of the attacks, whether stationary or increasing.

• Geographical spread of attacks.

• Known targeting priorities, based on captured internal strategy papers and online website discussions.

Such data often have to be hand-coded for each terrorist organisation, as existing open source databases, such as the US National Counter-Terrorism Center’s worldwide incidents tracking system (WITS), University of Maryland’s global terrorism database (GTD) and International Terrorism: Attributes of Terrorist Events (ITERATE) compiled by terrorism expert and former CIA officer Edward Micholus, are not nuanced enough to catch all of these dimensions.

This requires a substantial investment in basic research, but it could be paid back many times, as a better knowledge of threats would make risk calculation more of a science than an art. Closer affiliations with academia, even more than in the past, are inevitable if the insurance industry wants to understand and calculate better the terrorist threat based on realistic models and manage the risk at a profit.