Moving from Risk Assessment to Implementation of Incremental Building 
Protection 
2 

The terrorism risk assessment process
described in FEMA 452, Risk Assessment: A
How-To Guide to Mitigate Potential Terrorist
Attacks Against Buildings, helps building owners
to assess major vulnerabilities in a building and
identify mitigation measures to correct such
vulnerabilities. The information generated
by the application of FEMA 452 and by the
methodology provided in this manual are
fundamental for implementing an incremental
security enhancement process for existing
commercial buildings.

[text box]
The mitigation measures generated by
the application of FEMA 452 provide the
starting point for the application of this
document. This document then demonstrates
how a building owner or facility manager
categorizes those mitigation measures into
increments of terrorism risk reduction, and
integrates the increments into ongoing or
planned facility maintenance or capital
improvement projects.
[end text box]


A building owner or facility manager proceeding through the five steps 
of FEMA 452 described in Section 2.1 generates a series of physical 
protection and strengthening measures, as well as operational mitigation 
measures. In moving from a risk assessment to implementation, the 
building owner should check the compatibility of the former (physical 
protection and strengthening), as well as some of the latter (operational), 
with the maintenance and capital improvement plans. A matrix, as shown in 
Section 2.3, should be used to highlight opportunities for integration of 
specific mitigation options with specific maintenance or capital improvement 
activities. 

2.1 Risk Assessment Process 
the risk assessment process described in FEMA 452 is based on five 
critical steps (Figure 2-1). These critical steps identify the best and 
most cost-effective terrorism mitigation measures for a building’s 
unique security needs. 

Conducting a threat assessment to identify, define, and quantify the 
threats or hazards is the first step of the risk assessment process. For 
terrorism, the threats are aggressors (people or groups) that are known to 
exist and that have the capability and a history of using hostile actions, or 
that have expressed intentions for using hostile actions against potential 
targets. Current credible information on targeting activity (surveillance of 
potential targets) or indications of preparation for terrorist acts may be 
available for these aggressors. 

Figure 2-1: Risk assessment process model. 

The second step of the risk assessment process is to identify the 
consequences of the loss of a building that needs to be protected from 
terrorist attack. Consequences relate to the criticality of the building in 
terms of the importance of the building operation to the owner and the 
locality, and can be defined as a degree of debilitation that would be 
caused by its destruction. This assessment of consequences can be applied 
to the entire building or significant portions of a very large building. It 
can also refer to a resource of value requiring protection. Consequences can 
be tangible (i.e., loss of buildings, facilities, equipment activities, 
operations, and information) or intangible (e.g., loss of processes or a 
company’s reputation). 

As explained in FEMA 452, “after assessing consequences, the third 
step is to conduct a vulnerability assessment. A vulnerability assessment 
evaluates the potential vulnerability of the critical assets against a broad 
range of identified threats and natural hazards. By itself, the vulnerability 
assessment provides a basis for determining mitigation measures for protection 
of the building and its content. The assessment is a bridge in the methodology 
among threat/hazard, consequences, and the resultant level of risk. 

“The fourth step of the process is the risk assessment. The risk assessment 
analyzes the likelihood or probability of the threat or natural hazard 
occurring and the consequences of the occurrence. Thus, a very high likelihood 
of occurrence with very small consequences may require simple low cost 
mitigation measures, but a very low likelihood of 
occurrence with very serious consequences may require more costly and 
complex mitigation measures. The risk assessment should provide a 
relative risk profile. High-risk combinations of assets against associated 
threats, with the identified vulnerability, allow prioritization of resources 
to implement mitigation measures. 

“The fifth and final step is to consider mitigation options that are directly 
associated with, and responsive to, the major risks identified during Step 4. 
From Step 5, decisions can be made as to where to minimize the risks and how 
to accomplish that over time.” 

2.1.1 Levels OF Vulnerability assessment 

FEMA 452 provides guidance in conducting varied levels of assessments, 
ranging from screening level assessments to in-depth assessments. As 
stated in FEMA 452, “the level of assessment for a given building is 
dependent upon a number of factors such as potential threat, type 
of building, location, type of construction, number of occupants, 
economic life, and other owner specific concerns and available economic 
resources.” FEMA 452 defines a three-tier assessment process as follows: 

“Tier 1. A Tier 1 assessment is a ‘70 percent’ assessment. It can typically be 
conducted by one or two experienced assessment professionals in approximately 
two days. A Tier 1 assessment will likely be sufficient for the majority of 
commercial buildings and other non-critical facilities and infrastructure. 

“Tier 2. A Tier 2 assessment is a ‘90 percent’ assessment. It typically 
requires three to five assessment specialists, can be completed in 3 to 5 
days, and requires key building staff participation. A Tier 2 assessment 
is likely to be sufficient for most high-risk buildings such as iconic 
commercial buildings, government facilities, schools, hospitals, and other 
high-value designated infrastructure assets. 

“Tier 3. A Tier 3 assessment is a detailed evaluation of the building using 
blast, weapons of mass destruction (WMD), earthquake, flood, and high wind 
models to determine building response, survivability, and recovery, and the 
development of mitigation options. The assessment team is not defined for this 
tier; however, it could be composed of 8 to 12 people. Modeling and analysis 
can often take several days or weeks and is typically performed for high value 
and critical infrastructure assets.” 

2.1.2 the Building Vulnerability assessment Checklist 

FEMA 452 includes a Building Vulnerability Assessment Checklist, 
covering explosives, CBR, earthquakes, floods, and high-wind hazards. 
The checklist can be used to collect and report information related to the 
building. It compiles many best practices, based on the latest technologies 
and scientific research, to consider during the design of a new building or 
renovation of an existing building. 

The vulnerability assessment step is supported by the Building 
Vulnerability Assessment Checklist (FEMA 452, Appendix A), which is 
organized into 13 sections corresponding to building subsystems: 

1. Site
2. Architectural
3. Structural Systems
4. Building Envelope
5. Utility Systems
6. Mechanical Systems
7. Plumbing and Gas Systems
8. Electrical Systems
9. Fire Alarm Systems
10. Communications and IT Systems
11. Equipment Operations and Maintenance
12. Security Systems
13. Security Master Plan

The 13 sections of the Building Vulnerability Assessment Checklist 
provide a framework for the categorization of incremental measures of 
terrorism risk reduction discussed in the following sections. 

[text box]
To support the building assessment
process, a Risk Assessment
Database has been developed
as a companion tool to FEMA
452. The database is a standalone
application with several
functions: import files and folders;
display digital photos, emergency
plans, and digital floor plans; and
provide specific GIS tools. The
database can be used to collect
and report information related to
the building.
[end text box]


2.2 scheduling increments: 
Physical Protection and strengthening Measures and Operational (Protective and 
Control) Measures 

Once identified, the terrorism risk reduction improvements 
should be considered in relation to the owner’s ongoing facility 
planning for maintenance and capital improvements (discussed 
in Section 2.3). Physical protection and strengthening measures and 
some operational measures can then be integrated with maintenance 
and capital improvements using this document, and can be scheduled for 
implementation. 

2.2.1 Physical Protection and strengthening Measures 

The increments of physical protections measures listed on the vertical 
axes of the integration matrices 1 and 2 in Section 2.3 are presented 
as an example of measures that might be generated by the FEMA 452 
process or others and implemented using this manual. The specific 
measures included in the matrices were generated for this manual and 
are discussed in Chapters 3, 4, and 5. Where applicable, the references in 
parentheses following items in the list refer to the respective discussions in 
Chapters 3, 4, and 5. The protection measures are presented in the order of 
the 13 sections of the Building Vulnerability Assessment 
Checklist in Appendix A of FEMA 452. 

2.2.2 Operational Measures 

The list of incremental operational measures is presented in Chapter 5, 
Section 5.11 as an example of measures that might be generated by the 
FEMA 452 process or others and implemented using this manual. The 
specific measures included in the matrices were generated for this manual 
and are discussed in Chapters 4 and 5. Some of these measures include 
physical elements and are also included in the list that comprises the 
vertical axes of the integration matrices in Section 2.3. Where applicable, 
the references in parentheses following items in both lists (Section 2.3 and 
Section 5.11) refer to the applicable discussions in Chapters 4 and 5. The 
measures are presented in the order of the 13 sections of the Building 
Vulnerability Assessment Checklist in Appendix A of FEMA 452. 

2.3 identifying integration Opportunities FOR incremental Building Protection 

Typical maintenance and capital improvement projects in commercial buildings 
fall into two categories: 

Maintenance and capital improvements that are common to all 
four types of commercial buildings—office, retail, and multifamily 
apartment buildings, and hotels. 

Maintenance and capital improvements specific and unique to each of 
the four types of commercial buildings. 

These categories may also vary by building classification (A, B, or C). 

The following categorizations of maintenance and capital improvements are 
typical and reflect groupings of building elements, administrative and 
funding categories, tenant versus public spaces, or other parameters. 
Owners can substitute their own categories. 

Common categories of maintenance and capital improvement projects: 

1. Roofing maintenance and repair/reroofing 
2. Exterior wall and window maintenance/façade modernization 
3. Fire and life safety improvements 
4. Public area modernization (Retail: mall public areas; Hotels: 
public and service areas) 
5. Underfloor and basement maintenance and repair 
6. HVAC upgrade and energy conservation 
7. Hazardous materials abatement 
8. Landscaping and site work 
Occupancy-specific categories of maintenance and capital improvement 
projects: 

Office Buildings: 

1. New technology accommodations 
2. Tenant alterations and improvements 

Retail Buildings: 
1. Retail area modernization 

Multifamily Apartment Buildings: 
1. Kitchen and bathroom modernization 

Hotels and Motels: 
1. Guestroom finishing, furniture, and equipment (FF&E) 
2. Public area FF&E 

Both of these respective categories are used as the horizontal axes of the 
integration matrices presented on the following pages. 

How to Use the Matrices 

In order to identify integration opportunities, a building owner should 
follow these three steps: 

1. Identify the column of the planned maintenance or capital 
improvement. 
2. Identify the physical increments of building protection with a 
corresponding check mark in the column. 
3. Consider integration of the physical increments with the planned 
maintenance or capital improvement activities. 

Matrix 1: Integration Opportunities for Common Categories 
of Maintenance and Capital Improvement Projects 

Matrix 2: Integration Opportunities for Occupancy-Specific Categories 
of Maintenance and Capital Improvement Projects