Two days after the terrorist attacks of Sept. 11, 2001, Doug Pasley and another risk management officer with the Tampa police department received orders to evaluate the security of 300 city buildings and infrastructure systems. Much of this work had been done before. But that day, of course, had changed everything, and so everything had to be reexamined, this time in light of the new threat of potential terrorist attacks.

Pasley and his associate wondered if there wasn't a better way to deal with risk analysis. Why did risk management professionals have to start anew every time a new threat appeared?

Not long after Pasley's unit went to work on the new risk analyses, Tampa's strategic planning manager and deputy chief of police, looking for answers to Pasley's question, discovered a young company called Digital Sandbox Inc., Reston, Va.

Working in the emerging category of Enterprise Risk Management (ERM), Digital Sandbox was developing an ERM software product called Site Profiler. The underlying goal of the new software is to help solve a particularly alarming problem: U.S. law enforcement and security professionals had information that could have prevented or abated most, if not all, recent terrorist attacks against Americans. But no one could tie all the information together in a way that would have sounded an alarm. “This failure mode is not only common, it is expected, given the sheer volume of information that exists and is generated and the numerous organizations and individuals involved,” writes Anthony Beverina, president and co-founder of Digital Sandbox in a white paper about Site Profiler.

ERM technology provides a way to unify the many functions of traditional risk management in an enterprise- or city-wide software application, Beverina says. The various risk management jobs include threat analyses, asset characterizations, vulnerability assessments, risk mitigation work and option analyses. Local, state and federal law enforcement and security professionals work in all of these areas, but they rarely share information. Even when they want to share, it's difficult. Who in the Fire Department should know what the Crime Prevention Unit discovered about vulnerabilities in local natural gas lines?

Site Profiler provides a framework for assessing risks to buildings and infrastructure. It also prioritizes those risks in light of current threat information and communicates information about changing risks to selected recipients in other departments.

“When we saw this, our mouths started watering,” Pasley says. “At that point, we were doing 10 to 15 site surveys a month and looking for ways to automate the process.”

Tampa officials approached the Department of Homeland Security (DHS) about a grant that would fund the system along with desktop and laptop computers for users. DHS provided $300,000 in the hope that Tampa had hit on a risk assessment model that would work in other cities and organizations.

Currently, Pasley and his partner are entering their newly conducted risk assessments into the system, along with three-dimensional CAD-CAM models of the buildings and infrastructure they evaluate. Once data is entered about a building, Pasley applies a risk assessment methodology built into Site Profiler by answering a series of questions:

• How accessible is the building?

• How many people work there?

• How critical is the building within the community?

• Does the facility employ access control technology and closed circuit television systems?

As Pasley works through the process, Site Profiler assigns a numerical rating or code to each building or item. The system uses the codes to facilitate swift responses to new threats. Suppose, for example, intelligence reveals a threat against the airport. When that information is entered, Site Profiler alters the risk profile of the airport and everything else in the system, advising appropriate officials in the process.

“We're getting the risk and threat assessments out of the filing cabinet and delivering them to officers using the information,” Pasley says. “None of the information is new. We have always collected it. But we have only distributed the information to a few people. Now we can share information. For example, we're sharing our information with the Fire Department, and they're sharing their information with us.”

Officials with the Regional Domestic Terrorism Task Force, a state agency, will also have access to the information, along with others that need to be in the loop.

Along the way, Tampa is automating its ability to respond to new threats when they arise.