Cover

Graphic: Illustration of cityscape overlaid with photos of buildings damaged 
by terrorist attacks.

Risk Management Series

Risk Assessment
A How-To Guide to Mitigate
Potential Terrorist Attacks Against Buildings
Providing Protection to People and Buildings



Title Page

Risk Management Series

Risk Assessment
A How-To Guide to Mitigate
Potential Terrorist Attacks Against Buildings
Providing Protection to People and Buildings

Any opinions, findings, conclusions, or recommendations expressed in this 
publication do not necessarily reflect the views of FEMA. Additionally, neither 
FEMA or any of its employees makes any warrantee, expressed or implied, or 
assumes any legal liability or responsibility for the accuracy, completeness, or 
usefulness of any information, product, or process included in this publication. 
Users of information from this publication assume all liability arising from 
such use.



Forward and Acknowledgments

BACKGROUND
The Federal Emergency Management Agency (FEMA) developed this Risk Assessment, A 
How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings, to 
provide a clear, flexible, and comprehensive methodology to prepare a risk 
assessment. The intended audience includes the building sciences community of 
architects and engineers working for private institutions, building 
owners/operators/managers, and State and local government officials working in 
the building sciences community.
 

OBJECTIVE AND SCOPE
The objective of this How-To Guide is to outline methods for identifying the 
critical assets and functions within buildings, determining the threats to those 
assets, and assessing the vulnerabilities associated with those threats. Based 
on those considerations, the methods presented in this How-To Guide provide a 
means to assess the risk to the assets and to make risk-based decisions on how 
to mitigate those risks. The scope of the methods includes reducing physical 
damage to structural and non-structural components of buildings and related 
infrastructure, and reducing resultant casualties during conventional bomb 
attacks, as well as chemical, biological, and radiological (CBR) agents. This 
document is written as a How-To Guide. It presents five steps and multiple tasks 
within each step that will lead you through a process for conducting a risk 
assessment and selecting mitigation options. It discusses what information is 
required to conduct a risk assessment, how and where to obtain it, and how to 
use it to calculate a risk score against each selected threat. 

This is one of a series of publications that address security issues in high-
population, private sector buildings. This document is a companion to the 
Reference Manual to Mitigate Potential Terrorist Attacks Against Buildings (FEMA 
426) and the Building Design for Homeland Security Training Course (FEMA E155). 
This document also leverages information contained within the Primer for Design 
of Commercial Buildings to Mitigate Terrorist Attacks (FEMA 427). 

The primary use of this risk assessment methodology is for buildings, although 
it could be adapted for other types of critical infrastructure.
The foundation of the risk assessment methodology presented in this document is 
based on the approach that was developed for the Department of Veterans Affairs 
(VA) through the National Institute for Building Sciences (NIBS). Over 150 
buildings have been successfully assessed using this technique. The risk 
assessment methodology presented in this publication has been refined by FEMA 
for this audience. 

The purpose of this How-To Guide is to provide a methodology for risk assessment 
to the building sciences community working for private institutions. It is up to 
the decision-makers to decide which types of threats they wish to protect 
against and which mitigation options are feasible and cost-effective. 

This How-To Guide views as critical that a team created to assess a particular 
building will be composed of professionals capable of evaluating different parts 
of the building. They should be senior individuals who have a breadth and depth 
of experience in the areas of civil, electrical, and mechanical engineering; 
architecture; site planning and security engineering; and how security and 
antiterrorism considerations affect site and building design. 

The information contained in this document is:
--not mandatory
--not applicable to all buildings
--not applicable when it interferes with other hazards such as fire


ORGANIZATION AND CONTENT
In order to create a safe environment, many factors must be considered. Figure 1 
depicts the risk assessment process presented in this document to help identify 
the best and most cost-effective terrorism mitigation measures for a building’s 
own unique security needs. The first step is to conduct a threat assessment 
wherein the threat or hazard is identified, defined, and quantified (Step 1). 
For terrorism, the threat is the aggressors (people or groups) that are known to 
exist and that have the capability and a history of using hostile actions, or 
that have expressed intentions for using hostile actions against potential 
targets as well as on whom there is current credible information on targeting 
activity (surveillance of potential targets) or indications of preparation for 
terrorist acts. The capabilities and histories of the aggressors include the 
tactics they have used to achieve their ends. The next step of the assessment 
process is to identify the value of a building’s assets that need to be 
protected (Step 2). 

Figure 1: Risk assessment process model. Graphic showing a flow chart.
Step 1: Threat identification and rating
Step 2: Asset Value Assessment
--perform a Cost Analysis by analyzing how mitigation options affect asset 
criticality and ultimately risk
Step 3: Vulnerability Assessment 
--perform a Benefit Analysis to analyze how mitigation options change 
vulnerability and ultimately risk
Step 4: Risk Assessment
Step 5: Consider Mitigation Options
(final step): Risk Management Decision

After conducting a asset value assessment, the next step is to conduct a 
vulnerability assessment (Step 3). A vulnerability assessment evaluates the 
potential vulnerability of the critical assets against a broad range of 
identified threats/hazards. In and of itself, the vulnerability assessment 
provides a basis for determining mitigation measures for protection of the 
critical assets. The vulnerability assessment is the bridge in the methodology 
between threat/hazard, asset value, and the resultant level of risk.

The next step of the process is the risk assessment (Step 4). The risk 
assessment analyzes the threat, asset value, and vulnerability to ascertain the 
level of risk for each critical asset against each applicable threat. Inherent 
in this is the likelihood or probability of the threat occurring and the 
consequences of the occurrence. Thus, a very high likelihood of occurrence with 
very small consequences may require simple low cost mitigation measures, but a 
very low likelihood of occurrence with very grave consequences may require more 
costly and complex mitigation measures. The risk assessment should provide a 
relative risk profile. High-risk combinations of assets against associated 
threats, with the identified vulnerability, allow prioritization of resources to 
implement mitigation measures.

The final step (Step 5) is to consider mitigation options that are directly 
associated with, and responsive to, the major risks identified during Step 4. 
From Step 5, decisions can be made as to where to minimize the risks and how to 
accomplish that over time. This is commonly referred to as Risk Management. 

A number of worksheets are utilized in this How-To Guide. They can be used to 
apply key concepts described in this document and are presented at the end of 
each Step. 

A core element of this How-To Guide is the Building Vulnerability Assessment 
Checklist included in Appendix A. The Checklist can be used to collect and 
report information related to the building infrastructure. It compiles many best 
practices based on technologies and scientific research to consider during the 
design of a new building or renovation of an existing building. It allows a 
consistent security evaluation of designs at various levels. 

A Risk Assessment Database accompanies this publication in the form of computer 
software. The purpose of this database is for a user to collect and organize 
risk scoring, building vulnerability data, and mitigation measures for multiple 
buildings. More information can be found throughout this publication and in 
Appendix B. 

The Building Vulnerability Assessment Checklist and the Risk Assessment Database 
were developed for the Department of Veterans Affairs with assistance from the 
National Institute for Building Sciences.


ACKNOWLEDGMENTS
Principal Authors:
Milagros Nanita Kennett, FEMA, Project Officer, Risk Management Series 
Publications    
Eric Letvin, URS, Project Manager
Michael Chipley, PBSJ
Terrance Ryan, UTD, Inc. 

Contributors: 
Lloyd Siegel, Department of Veterans Affairs
Marcelle Habibion, Department of Veterans Affairs
Kurt Knight, Department of Veterans Affairs
Eve Hinman, Hinman Consulting Engineering
Sarah Steerman, UTD, Inc.
Deb Daly, Greenhorne & O’Mara, Inc.
Julie Liptak, Greenhorne & O’Mara, Inc.
Wanda Rizer, Consultant

Project Advisory Panel:
Elizabeth Miller, National Capital Planning Commission
Doug Hall, Smithsonian Institution
Wade Belcher, General Service Administration
Michael Gressel, CDC/NIOSH
Kenneth Mead, CDC/NIOSH
Robert Chapman, NIST
Lawrence Skelly, Department of Homeland Security
Curt Betts, U.S. Army Corps of Engineers
Earle Kennett, National Institute for Building Sciences
Frederick Krimgold, Virginia Tech
David Hattis, Building Technology, Inc.
Ettore Contestabile, Canadian Explosives Research Laboratory

This How-To Guide was prepared under contract to FEMA. It will be revised 
periodically, and comments and feedback to improve future editions are welcome. 
Please send comments and feedback by e-mail to riskmanagementseriespubs@dhs.gov.



Table of Contents

Foreword and Acknowledgments	i

Step 1:	Threat Identification and Rating	1-1
Task 1.1	Identifying the Threats	1-1
Task 1.2	Collecting Information	1-16
Task 1.3	Determining the Design Basis Threat	1-17
Task 1.4	Determining the Threat Rating	1-23

Step 2:	Asset Value Assessment	2-1
Task 2.1	Identifying the Layers of Defense	2-2
Task 2.2	Identifying the Critical Assets	2-6
Task 2.3	Identifying the Building Core Functions and                         
Infrastructure	 2-17
Task 2.4	Determining the Asset Value Rating	2-23

Step 3:   	Vulnerability Assessment	3-1
Task 3.1	Organizing Resources to Prepare the  Assessment	3-2
Task 3.2	Evaluating the Site and Building	3-6
Task 3.3	Preparing a Vulnerability Portfolio	3-11
Task 3.4	Determining the Vulnerability Rating	3-14 

Step 4:	Risk Assessment	4-1
Task 4.1	Preparing the Risk Assessment Matrices	4-2
Task 4.2	Determining the Risk Ratings	4-7
Task 4.3	Prioritizing Observations in the Building Vulnerability Assessment 
Checklist 	4-10

Step 5:	Consider Mitigation Options	5-1
Task 5.1	Identifying Preliminary Mitigation Options	5-2
Task 5.2	Reviewing Mitigation Options	5-6
Task 5.3	Estimating Cost	5-9
Task 5.4	Mitigation, Cost, and the Layers of Defense	5-13

Appendix A	Building Vulnerability Assessment Checklist

Appendix B1	Risk Management Database:  Assessor's User Guide

Appendix B2	Risk Management Database:  Database Administrator's User Guide

Appendix B3	Risk Management Database: Manager's User Guide

Appendix C	Acronyms and Abbreviations


Figures

Foreword and Acknowledgments
Figure 1  Risk assessment process model	iii

Chapter 1
Figure 1-1  Steps and tasks	1-1
Figure 1-2  Total international attacks by region, 1998-2003	1-3
Figure 1-3  Explosive environments - blast range to effect	1-4
Figure 1-4  Incident overpressure as a function of stand-off               
distance	1-6
Figure 1-5  Total facilities affected by international terrorism and weapons of 
choice, 1998-2003	1-15

Chapter 2
Figure 2-1  Steps and tasks	2-1
Figure 2-2  Layers of defense	2-3
Figure 2-3  Layers of defense in urban setting	2-5
Figure 2-4  Layers of defense when a particular building is considered a 
critical asset	2-5
Figure 2-5  Potential blast effects – 200-lb car bomb	2-7
Figure 2-6  Potential blast effects – 11,000-lb truck bomb	2-7
Figure 2-7  Using HAZUS-MH to identify the criticality of assets	2-8

Chapter 3
Figure 3-1  Steps and tasks	3-1
Figure 3-2  Common system vulnerabilities	3-15

Chapter 4
Figure 4-1  Steps and tasks	4-1

Chapter 5
Figure 5-1  Steps and tasks	5-1
Figure 5-2  Cost considerations	5-10
Figure 5-3  Mitigation options for the second layer of defense	5-14
Figure 5-4  Mitigation options for the third layer of defense	5-15


Tables

Chapter 1
Table 1-1  Explosive Evacuation Distance	1-5
Table 1-2  Critical Biological Agent Categories	1-11
Table 1-3  Event Profiles	1-13
Table 1-4  Criteria to Select Primary Threats	1-21
Table 1-5  Nominal Example to Select Primary Threats for a Specific Urban Multi-
story Building	1-22
Table 1-6  Threat Rating	1-25
Table 1-7A  Nominal Example of Threat Rating for an Urban Multi-story Building 
(Building Function)	1-26
Table 1-7B  Nominal Example of Threat Rating for an Urban Multi-story Building 
(Building Infrastructure)	1-26

Chapter 2
Table 2-1  Correlation of the Layers of Defense Against Threats	2-12
Table 2-2  Building Core Functions	2-18
Table 2-3  Building Core Infrastructure	2-20
Table 2-4  Levels of Protection and Recommended Security             Measures	2-
21
Table 2-5  Asset Value Scale	2-23
Table 2-6A  Nominal Example of Asset Value Rating for an Urban Multi-story 
Building (Building Function)	 2-24
Table 2-6B  Nominal Example of Asset Value Rating for an Urban Multi-story 
Building (Building Infrastructure)	2-24

Chapter 3
Table 3-1  Screening Phase	3-4
Table 3-2  Full On-site Evaluation	3-5
Table 3-3  Detailed Evaluation	3-5
Table 3-4  Vulnerability Rating	3-16
Table 3-5A  Nominal Example of Vulnerability Rating for a Specific Multi-story 
Building (Building Function)	3-17
Table 3-5B  Nominal Example of Vulnerability Rating for a Specific Multi-story 
Building (Building Infrastructure)	3-17

Chapter 4
Table 4-1  Critical Functions Asset Value 	4-4
Table 4-2  Critical Infrastructure Asset Value	4-4
Table 4-3  Critical Functions Threat Rating	4-5
Table 4-4  Critical Infrastructure Threat Rating	4-5
Table 4-5  Critical Functions Vulnerability Rating	4-6
Table 4-6  Critical Infrastructure Vulnerability Rating	4-7
Table 4-7  Total Risk Scale Color Code	4-8
Table 4-8  Site Functional Pre-Assessment Screening Matrix 	4-8
Table 4-9  Site Infrastructure Pre-Assessment Screening Matrix	4-9
Table 4-10  Nominal Example of Observations in the Building Vulnerability 
Assessment Checklist	4-10