This article highlights how risk analysis calculates the probability and consequences of failures so that appropriate action can be taken to forestall them. Factories judge the best maintenance intervals for machinery, and military planners rate the soundness of missions. A broad group of experts from industry, government, and academia are trying to adapt risk analysis methods to problems of protecting the nation's infrastructure from acts of terrorism. The program, dubbed RAMCAP (from "risk analysis and management for critical assets protection"), is intended to give the federal government a means of evaluating risk across the country. Having a means of judging relative risk can help the government decide where to spend federal money for public defense or where to concentrate the expertise of the national laboratories as they develop technology to protect the country's infrastructure. There are a lot of other people-risk analysis engineers, security consultants, and safety experts-stepping back.

## Article

SOMEBODY HAS TO MAKE SECURITY DECISIONS, and lots of them, if the country is to spend its defense resources wisely. Money and manpower always have limits, and there are always risks left to cover. But some things need more protection than others. Government officials say they need to judge risks and compare them if they are to apportion their assets to best advantage.

When he resigned as Secretary of Homeland Security, at the end of November, Tom Ridge held a press conference during which he made a statement that was widely quoted: "We have to be right a billion-plus times a year, m.eaning we have to make literally hundreds of thousands, if not millions, of decisions every year, or every day, and the terrorists only have to be right once." Ridge had been with the Bush administration for a little more than three years.

In an effort to help security officials make those judgments—maybe even take a little of the pressure off the decision makers—a new collaboration, led by ASME, wants to see if it can apply a practice common in industry on a level never attempted before. What they hope to do is work out a way to apply the formal methods of risk analysis to the infrastructure of the United States.

Risk analysis calculates the probability and consequences of failures so that appropriate action can be taken to forestall them. By this means, factories judge the best maintenance intervals for machinery, and military planners rate the soundness of missions.

Now a broad group of experts from industry, government, and academia are trying to adapt risk analysis methods to problems of protecting the nation's infrastructure from acts of terrorism. The program, dubbed RAMCAP (from "risk analysis and management for critical assets protection"), is intended to give the federal government a means of evaluating risk across the country.

A consultant to the project, Robert Nickell, a former ASME president and also the current president of Applied Science & Technology, an engineering firm in Poway, Calif., pointed out that many critical sectors of the economy, from nuclear reactors to railroads and chemical plants, have already undergone considerable risk analysis. Owners have spent vast amounts of money to make those assets more secure from terrorist attack.

According to Lawrence Stanton, the branch chief for strategic planning and policies in the protective security division at the Department of Homeland Security, "There were obvious needs and decisions to be made right after 9/11. We addressed that low hanging fruit, and now need to turn our attention to vulnerabilities that aren't as obvious. Many of these needs require a scientific explanation so the people who write the checks can understand the problem."

What's more, the assessments address issues inside the property to be protected, but the government has to consider a larger perspective, including the safety of families downwind of a burning chemical plant.

The private sector, which owns more than 80 percent of the country's critical assets, has been using a variety of methods to assess risk. As a result, the Department of Homeland Security cannot objectively compare the relative risk of, say, an attack on a nuclear power station with the loss of a bridge carrying key communications lines, and so it has no objective means of judging where to expend its preventive assets. It also has no objective means of conveying its priorities to Congress, which will provide funding.

Stanton worked for AcuTech Consulting Group in San Francisco before he was hired by Homeland Security last summer and is the federal official overseeing the RAMCAP project. When he was with AcuTech, which offers safety and security se rvices to companies that handle hazardous materials, Stanton worked on the early stages of the critical-asse ts risk analysis project.

Nine key areas—covering nuclear reactors and waste storage, chemical plants, refineries, liquefied natural gas tanks, subways, railroads, highways, and power systems—have been identified for a first phase of the work. If it is successful, the program will provide guidelines for risk analysis specialized for each area. Other sectors not on the current list will be addressed when the first group is finished.

ASME has formed a company, ASME Innovative Technologies Institute LLC, devoted to homeland and national security services. The corporation received its first grant, $1.6 million, from the Department of Home land Security in September 2003. Reese Meisinger, president of the limited liability corporation, said signing is imminent for up to$6.9 million more to fund the next stage of work.

The engineers involved define risk as a product of three fac tors: the frequency, or likelihood, of a threat; the vulnerability of the target, and the cost of the consequences. T hey can render it as a formula: R = FVC. If business operators in each of the nine sectors could use the same terms to compute risk, their conclusions would be comparable.

The math will be easy. Based on what people working on the project say, the hard part is assigning values to F, V, and C. That work has just begun.

"These needs require an explanation so the people who write the checks can understand."

According to Stanton, the value of F may take into account what makes a potential target attractive to an attacker—for instance, how easy a target it is, and how much damage an attack could do. The final value may also rely on classified information, the result of intelli ge nce work that may n ever b e made public. Finally, the intuitively derived information may be expressed as a number.

Vulnerability might include openness to different types of attacks and the likelihood that one will succeed. Certain questio·ns would have to be answered. Are any critical assets within range of a rocket-propelled grenade? H ow far could a car bomb penetrate into the complex—as far as the atrium, into a courtyard?

Once vulnerability has been established, the cost of a successful attack must be calculated. How many lives would be los t? How much property destroyed? What would the business interruption cost? What kind of harmful substances might be released into the environment? How many more lives might that cost?

In addition to immediate effects, the full cost must reflect long-term, indirect damage. As Stanton pointed out, not all the risks are obvious. A large vessel containing a hazardous substance is an easily recognizable risk. The loss of another large vessel may be just as serious if the contents are critical to manufacturing a medicine that keeps a number of people alive.

The effect on public morale is also part of the cost. A suc cessful attack on another American skyscraper could hurt rental values if many companies considered the risk too great in high-rise properties. The loss of a critical plant could disrupt supply chains, a condition that could lead to economic hardship, or to vulnerability elsewh ere in the infrastructure, as in the case of a disruption in the fuel supply.

Once the tools are created, they will be given to asset owners, who will use them to help the government calculate risks nationwide—and to judge their relative exposure. The Department of Homeland Security will not be permitted to share information it receives from the private sector.

The answer to all these calculations may prompt an owner to build a higher fence or one farther away from factory structures. It may lead to installation of concrete blockades or the sealing off of an access road. There may be steps that the government must take in order to protect the community around the plant, or to assure continuity of supply if a high-risk factory makes a critical conunodity.

Having a means of judging relative risk can help the government decide where to spend fede ral money for public defense or where to concentrate the expertise of the national laboratories as they develop technology to protect the country's infrastructure, Stanton said.

It can guide officials who are planning something as b asic as a disaster drill, according to Kenneth Balkey, a fellow engineer in reliability and risk assessment at Westinghouse Electric Corp. in Pittsburgh. He is also advising the Innovative Technologies Institute as an ASME Critical Assets Protec tion Initiative Fellow, a new service function that is similar to ASME's White House and Congressional Fellows.

Collaborating organizations are the American Institute of Chemical Engineers, American Nuclear Society, American Petroleum Institute, American Society of Civil Engineers, American Society of Heating, Refrigerating and Air-Conditioning Engineers, Institute of Electri cal and Electronics Engineers, and the Nuclear Energy Institute.

According to Meisinger, the corporation is lining up individuals and companies in various sectors to serve as contractors. Nickell is one of several consultants already working under contract to the ASME Innovative Technologies Institute, and the group needs more experts in each of the nine are as that the risk analysis project will address first.

When Ridge announced his resignation, there were questions about his immediate plans. For a star t, he said, he would "step back a little, breathe deeply, and then decide."

There are a lot of other people—risk analysis engineers, security consultants, and safety experts—stepping back, too. They're trying to size up a task. Sure, they predict and prevent hazards for a living. But they have never tried doing their jobs on this scale before.