
Journal of Loss Prevention in the Process Industries 26 (2013) 1662–1669


A Threat Assessment Review Planning (TARP) decision flowchart for complex industrial areas
Genserik Reniers a,*, Dioni Herdewel a, Jean-Luc Wybo b
a ARGoSS, University of Antwerp, Prinsstraat 13, 2000 Antwerp, Belgium
b Mines ParisTech, CRC, CS 10207, 06904 Sophia Antipolis, France

Article info

Article history:
Received 7 September 2012
Accepted 21 January 2013

Keywords:
Threat Assessment
Complex industrial area

Abstract

Planning Threat Assessments (TAs) within an area consisting of numerous chemical installations should be part of adequate and sound Management Of Change procedures (including a baseline periodic TA, on top of change control) of every company belonging to the chemical and process industries. This paper discusses the optimization of threat assessment planning activities. By establishing a planning procedure that objectively determines the need for TAs for all kinds of threats, correct, updated and consistent information becomes easily available to the company's security management department. Threat assessments to be carried out in each facility belonging to an organization can thus easily be scheduled on an organization-wide scale. A prioritization can be made considering legislative requirements, the type of threats, the type of assessment to be carried out, the availability of external experts, etc.
© 2013 Elsevier Ltd. All rights reserved.

* Corresponding author.
E-mail addresses: genserik.reniers@ua.ac.be (G. Reniers), jean-luc.wybo@minesparistech.fr (J.-L. Wybo).
0950-4230/$ – see front matter © 2013 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.jlp.2013.01.009

1. Introduction
Since the WTC attacks of 9/11, threats by terrorists and criminal actions are often included in a chemical company's assessment of risks. The tragic events in 2001 have made many organizations aware of the real risk of an intentional release, deviation or theft of hazardous chemicals with the intent to cause damage or even devastation or disaster. Such actions may result in a large number of public fatalities, environmental and economic damage and undermine the confidence of society (see e.g. Baybutt, 2003; Cornwell & Roberts, 2010; Rosenthal & Muller, 2007). Accidents thus not only occur when people make errors or mistakes, or when equipment fails. They can also be the result of intentional acts. Deliberate acts are performed with the intention of causing harm and include terrorism, sabotage, vandalism and theft. The focus of this paper is on the last type of risks.

A Threat Assessment (TA) takes all the threats from inside and outside an organization into account. TA is a specific step in a security risk assessment, and can be briefly explained as a method to determine the threat capabilities, strength, motives, weapons, tactics, likelihood of attack, etc. As indicated in API Recommended Practice 780 (2012), Threat Assessment is an important part of a (company) security management system. There is a need for identifying and understanding the threats facing the industry and any given facility, installation or location in order to properly respond to those threats. A Threat Assessment is usually part of the security management process. A TA is used to evaluate the likelihood of threat activity against a given asset or group of assets. It helps to establish and prioritize security-program requirements, planning and resource allocations. Such an assessment identifies and evaluates each threat on the basis of various factors, including capability, intention and impact of an attack. API Recommended Practice 780 (2012) also mentions that a TA is a process that should be carried out systematically and kept current in order to be useful. The determination of the threats posed by different adversaries leads to the recognition of vulnerabilities and to the evaluation of countermeasures required to manage the threats. Without a design basis threat or situation specific threat in mind, a company cannot effectively develop a cost-effective security management system. In other words, a TA should be performed regularly, but taking into account the costs necessary to do so. On the one hand, when security measures are not adequate, a criminal action may be easily successful. The more complex the business or the environment, the more complex and difficult it becomes for all security measures to be adequate and to stay adequate. Hence, complex chemical industrial areas are difficult to secure. On the other hand, carrying out many TAs may be very expensive for an organization and thus an intelligent way to perform TAs is needed. Therefore, a planning scheme is needed within a complex industrial surrounding to be able to carry out as many TAs as needed to be (and stay) secured, but not too many (since overshooting is very expensive and not desirable from an economic viewpoint). This paper is concerned with elaborating such an intelligent approach to plan TAs in a complex industrial park.
Moreover, a TA is part of a (larger) Security Risk Assessment (SRA). The API Recommended Practice for carrying out SRAs (2012) recommends that an SRA should be performed for an initial assessment of risk, as well as for consideration of risk when significant changes to a facility or operation are planned or have been implemented. API mentions seven occasions to conduct or review an SRA, amongst them when a threat substantially changes, at the discretion of the manager of the facility. Unlike the other six recommended times for conducting and reviewing an SRA, this recommendation seems to be rather unclear. It is not evident or straightforward to know when one or several of the many threats has substantially changed. TAs have to be carried out and kept up-to-date for all threats to guarantee this knowledge. Therefore, a review planning of Threat Assessments needs to be used to verify whether TAs are complete and timely. For a large industrial complex, this is not at all an easy task. The TARP decision flowchart helps to keep this huge task under control.

Today's society is constantly changing and new technologies frequently emerge. New technology can for example be used to carry out a criminal action, hence it is necessary to re-assess threats within a certain period of time, taking into account new developments. Obviously, physical security countermeasures, people security measures, and information security controls must be reviewed regularly to ensure their resonance against contextually related threats (CCPS, 2003). This paper discusses a method to have an understanding when further assessment is necessary and which assessment must take place to offer the best awareness of internal and external threats, which is a key factor in the protection against them.

In the United States, ten years following the WTC terrorist attacks on 9/11 in New York, security at the nation's chemical facilities remains a key focus. In 2007, the so-called CFATS regulations (Chemical Facility Anti-Terrorism Standards) came into effect, regulating the security of high-risk chemical facilities in the US. Information is collected and the US Department of Homeland Security (DHS) determines whether a facility is high risk or not. Subsequently, if a plant is considered high risk, the Department assigns a facility to a tier, whereafter it is required to prepare and submit a Security Vulnerability Assessment, identifying specific assets of concern to DHS (see e.g. AcuTech Consulting Group, 2011; DHS, 2013).

In Europe, the situation is quite different. The Council Directive on the identification and designation of European Critical Infrastructures (EPCIP) and the assessment of the need to improve their protection (Council Directive, 2008) provides directives as to how to enhance European prevention, preparedness and response to terrorist attacks involving critical infrastructures. The goal is to ensure there are adequate and equal levels of protective security for critical infrastructure, minimal single points of failure and rapid, tested recovery arrangements throughout the European Union. However, harmonized European legislation on the issue of chemical plant security has yet largely to be determined. There are no detailed regulations at European level which could act as concrete guidelines for security management of chemical enterprises.

Regulations or legislation concerning the reconsideration/review of the process of a threat assessment are not available. In other words, no concrete TA review term has been fixed by law. Since companies within the chemical and process industries are an interesting potential target for criminal actions, such adequate planning of threat assessments is however important. To meet with this item of concern, guidance is available in the API Recommended Practice 780 (2012). The API guidance is concerned with elaborating, explaining and discussing a security risk assessment methodology, and goes beyond the scope of this paper, since, as already indicated, threat assessments are only part of a full-scale security risk analysis.

The carrying out of safety-related risk analyses is regulated but does not account for possible threats and only counts for internal safety in a chemical plant. In Europe for example, Council Directive 96/82/EC (Council Directive, 1997) sets a term of 5 years for revising the risk analysis when a number of dangerous substances are present within the company.

Based on current events, new technologies, incident records, etc., a period in which the threat assessment should be revised is suggested in this paper. The factors that give occasion for such a threat assessment revision are identified and discussed.
2. Methodology
The first part of the study consists of conducting an extensive literature review to identify threats present in a chemical company. A lack of security increases the risk of an unwanted (deliberate) event. Therefore a general list of threats was developed that can be used by any chemical organization. To do this, internal, external and internal assisted (an external person who is helped by an internal person) threats were taken into account. All hazards that are susceptible to intentional criminal action were included. The threats apply to any company of the industry and they apply to local, regional or national events. In a second part of our study, a flowchart is elaborated and proposed. The flowchart should be employed to check whether a TA is present for a certain threat or whether the existing TA is still valid for the present conditions. Different suggested triggers make it possible to control the present threat awareness level within any installation belonging to a chemical plant and the existence of appropriate countermeasures. By doing so, the company is able to check its security level. The use of the flowchart might lead to a review of a TA for a specific threat. Afterwards, a review of the SRA might also be desirable or appropriate, or not. This depends on the results of the newly carried out TA. The triggers which may have an influence on the characteristics of the threats are defined and described in this paper. In the third part of the study, the planning and timing of threat assessment reviews are suggested and discussed. An implementation algorithm is suggested to implement the flowchart in a complex organization.
3. Research results
3.1. Security threats
A security risk is any event that could result in the compromise of organizational assets. The unauthorized use, loss, damage, disclosure, or modification of organizational assets for the profit, personal interest, or political interests of individuals, groups, or other entities constitutes a compromise of the asset, and it also includes the risk to harm people (CCPS, 2003). Due to security risks, there may thus be physical damage as well as human detriment. A security threat is not the same as a security risk, and can be defined (API Recommended Practice 780, 2012) as any indication, circumstance, or event with the potential to cause loss of, or damage to, an asset. It can also be defined as the intention and capability to undertake actions that would be detrimental to valued assets. Hence, a threat implies the notion of intention and indication to cause malicious acts. The compiled list of security threats given hereunder should be regarded as a (general) non-exhaustive list. It is obvious that circumstances, working conditions, living conditions, etc. change continuously or from time to time, and new security threats will arise. Some security threats on the list may thus not be present in the company but are standard for the chemical industry and/or for local, regional or national events. These threats should be kept on the list because they may become present in the future due to changes. Nonetheless, security management should keep an in-use list with security threats up-to-date. Table 1 shows a list of security threats that should be regarded as essential.

Besides the threats mentioned in Table 1, contextual factors may also be very important contributors to a certain level of threat. Such factors should also – at least to some extent – be taken into account. Contextual factors can be for example:

- Cultural or religious differences
- Domestic violence
- Family influences
- Inadequate education and/or training
- Language
- Organizational structures and responsibilities

3.2. TARP decision flowchart
A Threat Assessment Review Planning (abbreviated as TARP) decision flowchart is elaborated to point out if there is need for a new or for a review of an existing Threat Assessment for a chemical installation situated within a complex chemical industrial area. The list of security threats suggested in the previous section is used to start the TARP chart. Every security threat should have its own Threat Assessment and by processing the security threats through the different steps, the user of the flowchart may assess the quality and timeliness (whether it is up to date or not) of the existing Threat Assessment for the different threats. Fig. 1 displays the TARP flowchart.

The flowchart starts at the upper-left rectangle mentioning Start. The first security threat from the list (which is composed by company-wide security management, based on the list provided in the previous section and applied to the company's specific activities) is considered. The presence of the security threat in the facility or installation of the company is questioned because the list of security threats may contain threats which are present somewhere in the organization, but which are not present in a specific part of the organization (facility, chemical installation or any location) where the TARP decision flowchart is being implemented. If the security threat is assumed not present, the chart has to be restarted with the next threat on the list. If the security threat is assumed present, the user should consider the next step of the chart.

Step two questions the presence of a Threat Analysis for the threat under investigation. If such an analysis is not present for that specific threat, it needs to be carried out. If it is already present, the user should consider step 3 of the chart.

If a TA is present for the security threat considered, the user of the flowchart should question whether this TA is still up-to-date. Since threats change less rapidly than working conditions, a TA carried out – or reviewed – within a certain period of time should still be able to provide the necessary security countermeasures against current threats, under the condition that no major changes (e.g. political, technological, societal, etc.) occurred and that there is no important motive to review.

The triggers that indicate whether to proceed with a TA or not are signallers of a change in risk due to a change in their characteristics. These changes may or may not have an impact on the existing Threat Assessment results. The triggers will be defined in the next section. A significant impact means it is worth reviewing the TA based on the changes in the triggers, also taking the financial implications for reviewing the existing TA into consideration.

It might be possible that several triggers do not have a significant influence on the existing results as a single trigger, but they might have, when considered together. If this appears to be the case, the Threat Assessment should be reviewed. Otherwise, the next security threat should be considered.

The TARP flowchart process stops when all security threats from the list are assessed and evaluated.

When all threats of the list have been considered, and all Threat Analyses are updated and present, security management needs to investigate whether a full-scale Security Risk Assessment is desired or needed for the company, facility or location under consideration.

3.3. Triggers for reviewing a threat analysis
In real life, there are continuous changes in resources enabling criminals to achieve their goals. Therefore, it is necessary to discover new threats and to regularly update the existing threat assessments. Determining changes in the capabilities of the adversary and in internal security measures can be performed by so-called TA-triggers.

A TA-trigger can be regarded as an occasion that results in a change in the threat. If the threat factor substantially increases or decreases, a review of the threat analysis is needed. Monitoring such triggers should be done by security management. The various TA-triggers should be analysed for every security threat in order to adequately map the changes within company threats and company security. Note that a trigger does not necessarily lead to a new threat assessment. Based on the assessment of the security manager, helped by the list of security threats and by the list of TA-triggers, it is decided by a security team whether there is a need for a new TA per threat.

Due to the diversity between the different threats, there are different triggers. Some triggers exert no influence on the threat assessment, while other triggers do. The trigger occurs or has occurred when a change in the relevant characteristic of the security threat took place with respect to the last assessment of that threat. We distinguish nine triggers with different characteristics. The TA-triggers are discussed hereafter.

3.3.1. Technology
CCPS (2003) indicates that technological advantages can be used for better but also for worse, the latter by those who desire to deliberately cause losses. Through research and development, mankind finds new ways to reach the same goals. A safer way to produce a hazardous substance or a new technology with benefit for criminals are examples that give rise to a revision of the existing threat analysis. This trigger covers the internal (secure environment) and external (new threats) conditions. ICT is an example of technology that has completely changed security: assets and information are protected jointly but also the programs and databases must be protected. The intention is to observe the current technological developments. This can be used for the reduction of threats, as well as for the assessment of new threats.

3.3.2. Neighbouring activity
Activities in the surroundings of the chemical company may give rise to an increased or decreased security threat. An adjacent chemical company with excellent, respectively poor, security measures may affect the security level of the own company in a positive, respectively negative, way. Another neighbouring activity would be the construction of a railway or waterway near a chemical company making it easier to get into the proximity of a plant. Yet another possibility for danger would be the damages of a neighbouring activity spreading to the plant (by so-called domino effects). CCPS (2003) warns for collateral exposure and defines this as the presence of third-party high-vulnerability entities or high-threat targets, which is possible for example when the company is located close to attractive targets such as embassies, religious buildings, military installations, etc. A change in this trigger clearly may have an impact on the security of the process company and associated security measures.

Table 1
Basic list of security threats with possible targets.

Criminal threats

| Security threat | Target |
|---|---|
| Assassination | People assets |
| Attack, assault or harassment | People assets |
| Bombing | Physical assets, People assets |
| Civil disorder | Business and financial status, People assets, Physical assets |
| Crime | Various |
| Cyber attack | ICT network, Information assets |
| Drive by shooting | Business and financial status, People assets |
| Fire/arson | Various |
| Funding | Various |
| Inadvertent disclosure | Business and financial status, People assets, Physical assets |
| Kidnapping | People assets |
| Leakage | Business and financial status, People assets, Physical assets |
| Manipulation of data/information | Business and financial status, ICT network, Image, Information assets |
| Physical assault | People assets |
| Poisoning | People assets |
| Robbery | Physical assets |
| Sabotage | Physical assets |
| Sexual assault | People assets |
| Theft | Physical assets |
| Unauthorized or forced access | Various |
| Vandalism | Business and financial status, Physical assets |
| Verbal assault or harassment | People assets |

Terrorist threats

| Security threat | Target |
|---|---|
| Assassination | People assets |
| Attack, assault, or harassment | People assets |
| Bombing | Physical assets, People assets |
| Cyber attack | ICT network, Information assets |
| Drive by shooting | Business and financial status, People assets |
| Fire/arson | Various |
| Funding | Various |
| Inadvertent disclosure | Business and financial status, People assets, Physical assets |
| Kidnapping | People assets |
| Leakage | Business and financial status, Image, People assets, Physical assets |
| Loss of data or sensitive trade material | Business and financial status, Image, Information assets |
| Physical assault | People assets |
| Poisoning | People assets |
| Sabotage | Physical assets |
| Unauthorized or forced access | Various |
| Vehicle bombing | People assets, Physical assets |
| Verbal assault or harassment | People assets |

Foreign intelligence services threats

| Security threat | Target |
|---|---|
| Assassination | People assets |
| Civil disorder | Business and financial status, People assets, Physical assets |
| Cyber attack | ICT network, Information assets |
| Financial stress or gain/influence | Business and financial status |
| Funding | Various |
| Impersonation of staff member | People assets |
| Isolation | People assets |
| Kidnapping | People assets |
| Loss of data or sensitive trade material | Business and financial status, Image, Information assets |
| Loyalty/coercion/corruption/collusion | Various |
| Manipulation of data/information | Business and financial status, ICT network, Image, Information assets |
| Poisoning | People assets |
| Robbery | Physical assets |
| Sabotage | Physical assets |
| Theft | Physical assets |
| Unauthorized or forced access | Various |

Threats from commercial or industrial competitors

| Security threat | Target |
|---|---|
| Co-location with high risk tenants | Business and financial status, Image, People assets, Physical assets |
| Commercial espionage | Business and financial status, Information assets |
| Discrimination/prejudice | Image, People assets |
| Disgruntled employee | Image, Information assets |
| Failure of equipment (e.g., maintenance and reliability) | Business and financial status, Image, Physical assets |
| Financial stress or gain/influence | Business and financial status |
| Funding | Various |
| Impersonation of staff member | People assets |
| Isolation | People assets |
| Loyalty/coercion/corruption/collusion | Various |
| Manipulation of data/information | Business and financial status, ICT network, Image, Information assets |
| Public perception | Business and financial status, Image |
| Reluctance to adopt security policy | Various |
| Staff attraction | Image, Information assets, People assets |
| Staff loyalty | Image, Information assets, People assets |
| Stress related behavioural issues | People assets |
| Theft | Physical assets |
| Travel | People assets |

Threats from malicious people

| Security threat | Target |
|---|---|
| Assassination | People assets |
| Attack, assault or harassment | People assets |
| Bombing | Physical assets, People assets |
| Civil disorder | Business and financial status, People assets, Physical assets |
| Crime | Various |
| Cyber attack | ICT network, Information assets |
| Discrimination/prejudice | Image, People assets |
| Disgruntled employee | Image, Information assets |
| Disruption of service | Business and financial status, ICT network, Image, Physical assets |
| Drive by shooting | Business and financial status, People assets |
| Failure of equipment (e.g., maintenance and reliability) | Business and financial status, Image, Physical assets |
| Fire/arson | Various |
| Fraud | Business and financial status, Image |
| Funding | Various |
| Impersonation of staff member | People assets |
| Inadequate emergency management procedures | Various |
| Inadequate threat details | Various |
| Inadequate vetting | Various |
| Inadvertent disclosure | Business and financial status, People assets, Physical assets |
| Kidnapping | People assets |
| Leakage | Business and financial status, Image, People assets, Physical assets |
| Loss of data or sensitive trade material | Business and financial status, Image, Information assets |
| Loyalty/coercion/corruption/collusion | Various |
| Mail handling and receipt | People assets |
| Maintenance | Business and financial status, Image, Physical assets |
| Manipulation of data/information | Business and financial status, ICT network, Image, Information assets |
| Mismanagement | Various |
| Physical assault | People assets |
| Poisoning | People assets |
| Public perception | Business and financial status, Image |
| Procurement methodology | Business and financial status |
| Reluctance to adopt security policy | Various |
| Robbery | Physical assets |
| Sabotage | Physical assets |
| Sexual assault | People assets |
| Sexual preference or discrimination | People assets |
| Staff attraction | Image, Information assets, People assets |
| Staff loyalty | Image, Information assets, People assets |
| Stress related behavioural issues | People assets |
| Theft | Physical assets |
| Travel | People assets |
| Unauthorized or forced access | Various |
| Vandalism | Business and financial status, Physical assets |
| Verbal assault or harassment | People assets |
| Workplace violence | People assets, Physical assets |

3.3.3. Politics and prosperity
A stable prosperity is accompanied by a stable political government. However, this harmony cannot be found everywhere in the world. Chemical companies located in a country where political instability rules are forced to more frequently review their existing threat analyses due to possible chaos or unexpected events (cfr. also trigger 9: Learning from external events).

3.3.4. Company's characteristics
The image of the company may give rise to controversy and even to hatred. Dismissals and staff changes can also undermine an organization's security since such people know the company from the inside. Even the future strategy of a company may give rise to new threats.

3.3.5. Incidents and accidents
The occurrence of incidents and accidents may give rise to the revision of security measures. When daily activities are not safe, they can more easily be exploited by attackers. Therefore it is necessary for such products or systems to optimize security. Security incidents and the lessons learned from them should evidently also be taken into account when considering a revision of a TA.

3.3.6. Remarks and suggestions
Security Management has the task to take care of security company-wide; however, it is impossible to detect practical problems on each level or sub-part of any large organization. Employees of facilities or installations within the larger organization may therefore provide comments or recommendations about security problems that they daily experience within their environment. Also audit and inspection remarks may lead to new insights and security actions.

3.3.7. Legislation and regulations
Compliance is a priority for chemical plants. Hence, if new legislation or regulations are issued, the company needs to make all necessary changes to comply with the new rules. Adjustments in regulations may have an adjustment in the daily operation of the company as a result.

3.3.8. Topicality and relevant factors
Topicality plays a major role in the timing of a TA-review. The world is constantly changing as a whole where every day solutions are found and problems are created. One cannot hedge against these evolutions but a good analysis of the current state of the different actors may benefit the security of any company. Other relevant (changed) factors that affect the risk of the threats should be observed too. They may come from various angles.

3.3.9. Learning from external events
Every threat occurrence worldwide is a learning opportunity and should be used to trigger a TARP analysis. When an event (can be of any kind) occurs anywhere in the world, the analysis of its emergence, the context in which it occurred, the damage it caused (to any kind of assets) provides relevant information to question the company's security level: are we aware of that specific threat? Have we set in place countermeasures? Would our countermeasures be adequate in such a context?

3.4. Timing and planning of Threat Assessments
CCPS (2003) states that any TA will be out-of-date over time.
This is because the assets and potential threats and vulnerabilities
are very likely to change over time. As the business changes, the
production and the customers change, both the systems and processes, and hazardous materials should be adapted to the changes.
However it is noted that threats change less rapidly. Therefore, a
Threat Assessment should be revised periodically to ensure optimal
security.
If no threat assessment has been carried out yet for a certain
threat, it should be carried out as soon as possible, as indicated in
the TARP decision flowchart. Its urgency depends on the choice and
the qualitative assessment of a company's security management
team. Security threats may be divided into two types, each with
specific characteristics, giving leeway to a different time lapse
concerning when the threat assessment needs to be revised. The
first type holds any major security threats. Since the European
Seveso legislation, Council Directive 96/82/EC (1997), sets a term of
5 years for the revision of a safety-related risk analysis (for major
risks) when a number of dangerous substances are present within
the company, it also seems a fair term for certain low likelihood,
high impact threats, when no triggers have led to a TA-revision.
Hence, as a recommendation, re-assessing very low likelihood,
very high impact security threats should be carried out at least
every 5 years. The second type of security threats comprises all
other threats. It is recommended that these threats be re-assessed
with a frequency depending on the severity of the potential outcome.
A minimum frequency for assessing all threats within a company,
taking into account economic arguments, is suggested to be a decade.
As already indicated, the threats may change less rapidly than the
working conditions, but an update of all threat assessments is still
needed over time, even if there were no important changes. Of course
some security threats need to be assessed with higher frequency, due
to their nature (and the assessed likelihood and impact of these
risks). For example, hacking, theft of certain assets, disgruntled
employees, etc. are all risks for which the company might decide to
carry out more frequent TAs. A list of such frequent-assessment
threats should be developed on a company-wide basis, to be used, next
to the general threat list, by the parts of the organization.
Following Bajpai and Gupta (2005), these threats should be
re-assessed yearly.

Fig. 1. TARP decision flowchart.

As mentioned before, the changes in working or living conditions
which might have a significant influence on security threats
should be analysed by company, facility or location/factory/installation
management. Factory management checks whether one or
more triggers have changed and whether the new threat is large
enough to carry out a new threat assessment. This procedure, the
use of the TARP flowchart, may be performed every 2 years. A 2-year
term holds a detailed succession of the security threats.
When there is a need for a review of the assessment of a security
threat, it is scheduled as soon as possible. When the Threat
Assessment is reviewed, it takes at least one year before this security
threat is re-included in a new assessment by company security
management.
Fig. 2 visualizes that in the beginning (year 0), a TA is performed
for all security threats. Afterwards, in no-change conditions, it
takes 5 years before all TAs for major security threats are reviewed.


Fig. 2. Threat Assessment revision and TARP timeline.

In year 10, all TAs for the general security threats list are reviewed,
as well as all TAs for major security threats. These reviews are
carried out even if no changes occurred at all. Moreover,
frequent-assessment threats (mentioned on a specific list) are
assessed with a higher frequency, for example every year. The review
frequency depends on different factors specific to industrial
activities, and is determined by company security management.
To check for changes in a systematic way, it is recommended
to use a 2-year frequency for implementing the TARP flowchart
within the parts of the company. Security management ultimately
decides on the TARP implementation frequency. It should be noted
that the 2-year period may for example be different from one facility
(or installation or factory) to another, within one company.
As mentioned for trigger number 9 ("Learning from external events"),
if a sudden event (outbreak of civil war, technological revolution,
etc.) with a major impact on security threats
would occur anywhere else, it is evident that security
management does not have to wait to use the TA-triggers. If a new
threat assessment would be required to account for the analysis of
that event, it should be planned as soon as possible. This can be
seen as an event-driven asynchronous updating scheme.
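
The revision timeline described above can be written down as a small scheduler. The following Python code is an added example, not part of the original paper. It assumes that review periods are counted from each threat's last TA and that a significant trigger change is picked up at the next 2-yearly TARP flowchart run; the threat names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Review periods in years, as recommended in the text.
PERIOD = {"major": 5, "general": 10, "frequent": 1}
TARP_CHECK_PERIOD = 2  # local management runs the TARP flowchart every 2 years

@dataclass
class Threat:
    name: str
    kind: str                      # "major", "general" or "frequent"
    last_ta: Optional[int] = None  # year of the last TA, None if never assessed

def sample_threats():
    """Constructed threat list, one threat of each kind."""
    return [Threat("intentional release", "major"),
            Threat("perimeter intrusion", "general"),
            Threat("hacking", "frequent")]

def plan(threats, horizon, changes=None, external_events=None):
    """Return {year: {threat name: reason}} for years 0..horizon.

    changes:         {year: {names}} significant trigger changes, acted on
                     at the next TARP flowchart run (assumption).
    external_events: {year: {names}} event-driven reviews, planned at once.
    """
    changes = changes or {}
    external_events = external_events or {}
    pending, calendar = set(), {}
    for year in range(horizon + 1):
        pending |= changes.get(year, set())
        tarp_run = year % TARP_CHECK_PERIOD == 0
        due = {}
        for t in threats:
            if t.last_ta is None:
                due[t.name] = "initial"           # no TA yet: as soon as possible
            elif t.name in external_events.get(year, set()):
                due[t.name] = "external event"    # asynchronous, no waiting
            elif tarp_run and t.name in pending:
                due[t.name] = "trigger"           # found by the flowchart run
            elif year - t.last_ta >= PERIOD[t.kind]:
                due[t.name] = "periodic"          # baseline revision term reached
        for t in threats:
            if t.name in due:
                t.last_ta = year                  # a review restarts the clock
                pending.discard(t.name)
        if due:
            calendar[year] = due
    return calendar
```

Under no-change conditions, `plan(sample_threats(), 10)` reproduces the pattern described for Fig. 2: everything in year 0, major threats again in year 5, and all lists in year 10, with the frequent-assessment threat every year.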
3.5. TARP implementation diagram
Reniers (2009) indicates that the review planning concept can
be integrated in a complex organization by the following five
steps. In the case of the suggested threat assessment planning, the
first step is for facility/installation/factory/location management
to collect the general and present security threats for the facility
and keep this list of security threats up-to-date. Step 2 covers the
periodic use of the TARP Decision Flowchart. This step points
out if there is need to review one or more TAs for the region
under consideration. If this is not the case, local management
keeps the list of security threats in order and looks forward to the
next period. If there would be need for one or more TA reviews,
the organization's company security management is informed in
detail about the triggers, potential threats, scenarios, timeline,
etc., completing step 3. In a next step, company security management
plans the necessary TA reviews and assessments of
existing/needed countermeasures for the whole organization,
taking the different factory/installation management recommendations
into account. This way double work or different approaches or
methods are avoided, and a TARP plant-wide
overview scheme is created. Company security management holds
a good view of the present security threats, security measures
and review planning in the different departments of the organization.
A last step is the execution of the planned TAs aligned
with all other planned TAs. When all reviews have been executed,
the cycle starts again. Local management keeps the list of security
threats up-to-date until the TARP Decision Flowchart is used again.
Fig. 3 shows the different steps composing the TARP flowchart
implementation diagram.

Fig. 3. TARP implementation diagram.

4. Discussion of the study


The research was presented to two security experts belonging to
major international chemical organizations. Positive and negative
points of the suggested flowchart, diagram, timeline, etc. were
discussed with these experts.
Using a list of security threats was evaluated positively. Through
the years a database of specific company threats will be developed
as the list is kept up-to-date, associated with the countermeasures set
in place for each threat.
The TARP Decision Flowchart was found complete and useful by
both experts. They indicated however that defining the significance
of a change may lead to a problem in practice. Reviewing a Threat
Assessment is seen as a cost by company management and hence,
obtaining budget for security measures is often difficult. Time cost,
financial cost, the economic situation, etc. all may play an important
role in determining the significance of a change. Further
guidance on the definition and notion of "major change of a threat"
is therefore desired.
All triggers were found to be justified and complete by the experts.
However, broader definitions could be formulated. For example,
the trigger "Regulations" could be expanded with commitments to
company rules or to certifications (auditors). The commitment to
the certificate may lead to reviews that may be needed to earn or
keep a specific certificate.
The meetings with the experts pointed out that the terms for the
periodic reviews are subject to debate. One expert was positive about
the terms of 10 and 5 years as planning review frequencies. The other
expert advised reviewing all security risks every 6 years. The 2-year
term for using the TARP Decision Flowchart was found positive by
both experts. The review frequencies are likely to be company specific,
depending on which substances are present, which threat level
the company has, the importance of security within the company,
and the financial and economic status of the company in general.
5. Conclusions
Planning security threat assessments is based on three main
parts. The first part is the detailed and complete (at least, as
complete as possible with regard to the company's activities and history
of threat occurrences) listing of different security threats. These are
the threats that need to be addressed to ensure a working and
living environment secured against potential malicious acts within an
organization. These threats need to be assessed and security measures
need to be taken, if deemed required. A second part is the
TARP Decision Flowchart. The flowchart's different subsequent
steps point out if there is a need to review an existing threat
assessment for a certain security threat. The SHARP flowchart uses
a number of threat assessment triggers. Such triggers are changes
in certain criteria that have an influence on security threats. If a
trigger has not changed, or only in a minor way, then it is assumed
that the results of the threat assessment are still valid. A third part
is the timing and planning of the review of threat assessments, and
of recommended reviews. Every 2 years, security management
should investigate whether any triggers have changed. Every 10
years all security threats (of all types) are recommended to be
reassessed and every 5 years all major-accident security threats are
recommended to be investigated. In parallel with these periodic
reviews, external threat occurrences in relation with the company
activities or profile should trigger the TARP method in an
event-driven asynchronous way.
These three components, if correctly implemented in a complex
industrial area, show whether and when new threat assessments
are needed. Moreover, by employing the elaborated and suggested
methodology, the investigation of security threats and planning of
the necessary threat assessments in various installations/factories
being part of a large complex organization are aligned across the
entire company. The results of the threat assessments also give an
indication as to when a full-scope Security Risk Assessment might
be needed or appropriate.
References
AcuTech Consulting Group. (2011). A survey of CFATS progress in securing the
chemical sector. Washington, USA: American Chemistry Council.
API Recommended Practice 780. (2012). Security risk assessment methodology for the
petroleum and petrochemical industries, document draft. Washington, USA:
American Petroleum Institute.
Bajpai, S., & Gupta, J. P. (2005). Site security for chemical process industries. Journal
of Loss Prevention, 18, 301–309.
Baybutt, P. (2003). Inherent security: protecting process plants against threats.
Chemical Engineering Progress, 99(12), 35–38.
CCPS (Center for Chemical Process Safety). (2003). Guidelines for analyzing and
managing the security vulnerabilities of fixed chemical sites. New York, USA: John
Wiley and Sons.
Cornwell, D., & Roberts, B. (2010). The 9/11 terrorist attack and overseas travel to the
United States: Initial impacts and longer-run recovery. Working paper, Homeland Security, USA.
Council Directive 96/82/EC. (14/01/1997). Official Journal of the European Union, L10,
13–33.
Council Directive 2008/114/EC on the identification and designation of European
Critical Infrastructures and the assessment of the need to improve their protection, Official Journal of the European Union, L 345, 75–82.
DHS. (2013). Available via: www.dhs.gov/chemical-facility-anti-terrorism-standards.
Reniers, G. L. L. (2009). An optimizing hazard/risk analysis review planning
(HARP) framework for complex chemical plants. Journal of Loss Prevention,
22(2), 133–139.
Rosenthal, U., & Muller, E. R. (2007). The evil of terrorism. Diagnosis and countermeasures. Springfield, Illinois, USA: Charles C. Thomas Publisher.
