Terrorism Risk Assessments and Vulnerability Assessments

For Medical/Health Care Facilities

When conducting an assessment of the risks or vulnerabilities associated with a facility for potential acts of terrorism, it is important to understand that these vulnerabilities, in most cases, exist for physical security and intrusions as well.  Terrorism acts are acts that manifest themselves if conditions are right, if the opportunity meets the target and desired location for the terrorist, and if the risk or vulnerability is able to be exploited at the time the terrorist wishes to accomplish the act.  Put another way, they are opportunistic rather than probabilistic.  Where one can assign a probability factor to events such as weather, fire, or floods, doing so for acts of terrorism is not a useful statistic.  Terrorism vulnerabilities can exist and never be manifested if the company or facility does not meet the target profile or goals of the terrorist.  

When conducting an assessment for the potential acts of terror that could be anticipated for the facility, we begin by carefully identifying the facility and the routine operations that are conducted at the facility.  For Health Care or Medical facilities, it is important to note the procedures provided, the type of care facility (in patient/out patient), location of the facility, and other nearby facilities that might be terror targets.  Types of routine procedures being performed may by their very nature be controversial (such as abortions, abortion counseling, stem cell research, stem cell harvesting, pharmaceutical research that involves animal testing, etc.).  If the facility that performs these types of services is also well signed with a recognizable name (being associated with a known name or high profile company) it could enhance the location as a desirable target.

In addition to the facility, if staff members are high profile or if they are very well known and hold controversial positions or advocate treatments or other views that may be considered controversial, they will need to be factored into the risk and vulnerability assessment.  The nationality of the principals, providers, and staff could matter to a potential terrorist, and must therefore be noted or examined in the assessment.  These personal attributes can be the visible target, can be the intended recipient for the expected actions following the attack, and can be the motivation or religious rationale for the attack.  They also make conducting an assessment for terrorism vulnerabilities a difficult task.  The target groups change frequently, and as events are occurring on a global basis, the results of the assessment needs to be updated and re-examined regularly.  Unlike an assessment on the fire-rating of a facility or its construction, which rarely will change after the construction is completed, terrorism assessment values can be changed frequently due to external factors or current political trends.

Another area to note, not all the risk for terrorism impacts lay within the company itself.  Most companies rely upon suppliers for goods or services in the routine conduct of business.  If you manufacture items, others often provide the raw materials, sub assemblies, or critical components that complete the process.  These companies can also be targets of terrorism.  Should that occur, then you will be impacted in the fallout from the event.  This vulnerability exists for all other forms of risk and threats as well.  These external suppliers are often beyond the company’s ability to control and the risk needs to be understood and the business process sometimes must be modified to ensure an acceptable level of operating risk can be established.  Most have addressed these risks by examining the supply chain for alternatives, examining the existing level of finished goods in inventory, or adding other forms of redundancy in the manufacturing process.  

Finally, the products that are manufactured or the products used in the services being offered can be ideal targets for the terrorist.  Rather than expose themselves to the direct risk of attacking a facility, the acts of terror could be targeted toward the goods being manufactured or used in the procedures being accomplished at the health care facility.  If product manufacturing is being done at the facility, the manufacturing process should include pre-production checks to ensure the raw materials are pure and correct for the process and post production checks to ensure nothing was added to the product during the manufacturing process,.  Sabotage is an effective form of terrorism that will damage the company for a very long time.  If services are delivered to the consumer, similar quality and purity checks should be performed.  For example: is that oxygen or another gas being delivered; are those the correct drugs being dispensed?

How the assessment is conducted

Assessments for terrorism threats and vulnerabilities are expansions of the more routine physical and location threats and vulnerability assessments A Going Concern Consulting Services conducts as part of our services for our clients.  These physical assessments provide the baseline for a facility and its strengths and weaknesses and can also incorporate the security assessments that may have been completed.  These assessments examine the facility for weaknesses to events such as bombings, physical acts of violence like kidnapping or robbery.  They will also look at the camera coverage or ability to secure the facility.  Part of the prevention or mitigation to make a facility less of an attractive target is to make sure the perpetrator is prevented from accessing the site, caught on film or prevented from leaving the site.


To complete these steps, the team will:

 Conduct a walk-through of the facility

 Interview the leadership team and those knowledgeable about the construction and operation of the facility

 Document activities associated with the site

 Examine historical activities that were targeted toward similar facilities

 Examine the surrounding neighborhood and look for potential targets in close proximity to the facility being assessed


Our report and presentation

A Going Concern Consulting Services will provide a report which includes our findings and recommendations.  These reports are often treated as confidential documents due to the nature of the assessment and the information likely to be contained in the report.  A Going Concern Consulting Services prefers to present the report and have a discussion with the leadership team in person to provide the necessary security for the information being discussed and opportunity for frank discussion.

The report includes:

 Description of the project and the methodology utilized

 Executive summary of the key findings and recommendations

 Detailed findings and discussion of the threat or vulnerability with recommendations for mitigation (if possible)

 Recommended next steps and a timeline to implement

The report is usually provided in Microsoft Word format with an accompanying Microsoft PowerPoint presentation.


We have found it best to build an integrated team using our specialists and members of our client’s staff to ensure we have the necessary experience, skill sets and site knowledge required to conduct the assessment.

Our process depends on data being provided to our team by our client.  In order to minimize the time it takes to complete the assessment and the overall cost of the assessment, our team members do not routinely conduct vulnerability testing such as physical penetrations, core analysis of the construction of the building, or other validations of the information collected.