By: Stacey Hall
Walter E. Cooper
With the ‘unknown certainty’ of terrorist actions and fan behavior, it is impossible to ensure a risk-free environment at America’s sporting venues. Incidents will happen and emergencies will arise. It is a matter of how one prepares, responds, and recovers to mitigate the consequences of emergencies at a sporting venue. Sport venue managers need to be aware of risk assessment methodologies to detect threats, identify vulnerabilities, and reduce consequences. Information gathered through this process is extremely valuable for enhancing security measures. This article discusses risk assessment and analysis, addresses the need for risk assessments at sporting venues, and describes the sport-specific risk assessment model developed while conducting research through a Homeland Security grant.
Sport lost its innocence on September 5, 1972, at the Olympic Games in Munich, Germany (CNN.com, 2002). A Palestinian group known as Black September crept into the Olympic Village and took nine members of the Israeli team hostage. The captors demanded a safe exit out of Germany and the release of Palestinian prisoners held in Israeli jails (2002). Unfortunately, a failed rescue attempt led to the death of all nine Israeli hostages, five terrorists, and one German policeman (2002). “For the first time, world sport had become a victim of terrorism, bringing with it a brutal reminder of the world’s harsher realities” (2). Terrorism struck again in 1996. A ‘domestic terrorist’ was responsible for the Centennial Olympic Park bombing at the Atlanta Games. This incident killed one person and injured more than 100 (CNN.com, 1996). Regardless of the motives for these attacks, terrorists chose to act on a world stage that offered global exposure for their cause. The incident in which an Oklahoma student prematurely detonated a bomb strapped to his body outside a football stadium packed with 84,000 in October 2005 (Hagmann, 2005), and the most recent threat of a dirty bomb attack on several NFL stadiums in October 2006 (CNN.com, 2006), emphasize the fact that sport venues are an attractive target for potentially catastrophic consequences. Besides terrorism, sport venue managers must plan for other incidents or unexpected disasters, such as fan/player violence or natural hazards.
One problem that sports venue manager’s face is determining the potential threat level, “causing leagues, teams and venues to prepare for a range of possible incidents at their facilities and to maintain close contact with federal, state and local law enforcement representatives regarding possible threats” (Hurst, Zoubek, Pratsinakis, n.d., p. 4). The risk assessment process is a way to determine risk and threat levels and identify vulnerabilities. “A good risk management approach includes three primary elements: a threat assessment, a vulnerability assessment, and a criticality assessment.” (Decker, 2001, p. 1). These assessments provide vital information for the protection of critical assets against terrorist attacks and other threats. Sport venue managers are able to identify vulnerabilities and thus harden the facility and improve physical protection systems. This may include implementing access controls, using CCTV security cameras, adding lighting, encouraging background checks, credentialing, checking backpacks, enhancing communication networks, and developing or updating emergency response and evacuation plans.
“Risk is the possibility of loss resulting from a threat, security incident, or event” (General Security Risk Assessment Guideline, 2003, p. 5). Risk is inherent in almost all aspects of life. Sport venue managers must continually attempt to minimize risk at their facilities. Risk cannot be totally eliminated from the environment, but with careful planning it can be managed. “Risk management is a systematic and analytical process to consider the likelihood that a threat will endanger an asset, individual, or function and to identify actions to reduce the risk and mitigate the consequences of an attack” (Decker, 2001, p. 1).
Risk is best understood as the product of the consequence of an event and the probability of the event occurring: Risk = Consequence x Probability (“Risk 101”, n.d). Risk increases as the consequences and probability of occurrence increases (n.d.). “In order to manage risk, it must first be identified, measured, and evaluated” (4). The Vulnerability Methodologies Report (2003) issued by the Office for Domestic Preparedness, Department of Homeland Security, identified three types of risk: mission or function risks, asset risks, and security risks. Mission risks prevent an organization from accomplishing a mission. Asset risks may harm an organization’s physical assets. Security risks have the potential to cripple actual data and people (2003).
Sport facility managers identify risks through various means. They can conduct surveys of attendees, conduct inspections of the facility, interview present employees, or ask experts in the field (Ammon, Southall, & Blair, 2004). Sport facility managers must address primary and secondary factors in order to reduce risk (2004). Primary factors are identified in the standard operating procedures. Facility staff is included among these factors (2004). An unsupervised or improperly trained ticket taker, usher, or cashier can become a risk for the facility manager (2004). “A well-trained staff, educated about proper risk management procedures, can help the risk manager to identify potential risks” (p. 108). Secondary factors of risk faced by most sport facilities include weather, type of event, patron demographics, and facility location (2004).
The essence of risk is dependent on the potential of threats. “A threat is a product of intention and capability of an adversary, both manmade and natural, to undertake an action which would be detrimental to an asset” (Vulnerability Assessment Report, 2003, p. 11). Vulnerabilities expose the asset to a threat and eventual loss. The General Security Risk Assessment Guideline (2003) defines vulnerability as “an exploitable capability; an exploitable security weakness or deficiency at a facility, entity, venue, or of a person” (p. 5). A risk analysis evaluating the potential of loss from a threat will determine whether risk should be reduced, re-assigned, transferred, or accepted (Vulnerability Assessment Report, 2003). “An acceptable risk is the risk level that an individual or group considers reasonable for the perceived benefit of an activity” (“Risk 101”, n.d., Acceptable Risk 1). An acceptable level of risk is usually determined by the asset manager or owner (2003). Severe risks that cause a high degree of loss and occur frequently should be avoided (Ammon, Southall, & Blair, 2004). Average frequency and moderate severity risks can be transferred to someone who’s willing to assume the risk. The facility manager may decide to pay an insurance company to cover physical and financial damages (2004). Some facility mangers may decide to keep or retain the risk. In so doing, they become financially responsible (2004). Facility managers can reduce risk through staff training, preventative maintenance, and development of a risk management plan to be included in the standard operating procedure (SOP) (2004). “The SOP is a set of instructions giving detailed directions and appropriate courses of action for given situations. SOP’s should be developed for all risks,” (Farmer, Mulrooney, & Ammon, 1996, p. 81).
In order to determine threats and vulnerabilities, an organization must undergo a risk assessment. The Department of Homeland Security issued a ten-step risk assessment methodology criterion (Vulnerability Assessment Report, 2003):
- Clearly identify the infrastructure sector being assessed.
- Specify the type of security discipline addressed, e.g. physical, information, operations.
- Collect specific data pertaining to each asset.
- Identify critical/key assets to be protected.
- Determine the mission impact of the loss or damage of that asset.
- Conduct a threat analysis and perform assessment for specific assets.
- Perform a vulnerability analysis and assessment to specific threats.
- Conduct analytical risk assessment and determine priorities for each asset.
- Be relatively low cost to train and conduct.
- Make specific, concrete recommendations concerning countermeasures.
This is general in nature and may be adapted to meet the needs of a specific organization. Several other risk assessment models exist today. For example, Sandia National Laboratories developed the RAM-Chemical to assess chemical facilities in the United States. Sports facilities in the U.S. must embrace risk management processes. Identifying the greatest threats and eliminating or reducing vulnerabilities will help minimize risk at sports events. “A sports arena is always critical as a high value terrorist target because of the potentially high casualty rate” (Durling, Price, & Spero, 2005, p. 8). Whether facing a terrorist attack, natural disaster, or unruly fan behavior, sport venue managers must pursue an effective risk management approach to protect the facility and human lives.
The Sports Event Security Assessment Model (SESAM)
In May, 2005, the Department of Homeland Security, in conjunction with the Mississippi Emergency Management agency, awarded the University of Southern Mississippi a $568,000 research grant to create a research-based model for the security management of university sport venues. Several risk assessment methodologies were reviewed and the DHS risk assessment criterion was customized for the assessment of sport venues. The Sport Event Security Assessment Model (SESAM) was developed through the collaboration of academic and security professionals in a six-hour brainstorming session. Academic professionals with experience in the sport event security area and training in DHS threat/risk assessment participated. Security professionals included former employees of the FBI, CIA, and Secret Service with extensive background in risk assessment methods and vulnerability assessment experience in the security and sport security field. This collaborative group supported the development and field testing of the model. A seven step procedure was created to evaluate sport security operations. An overview of the SESAM is presented in figure 1.
A risk assessment was conducted of the sport operations at seven public universities in Mississippi between May 2005 and February 2006. The following highlights the critical points during each stage of the seven-step process:
1. Step 1 of the process involves the identification of a SESAT team, including all key personnel responsible for game day security. These may include the athletic facility manager, campus police chief, emergency management director, local sheriff, and/or campus physical plant facility manager. Once the SESAT is established, meetings and interviews are scheduled to provide assessment objectives and define the assessed area based on a one mile radius of the sport venue.
2. Characterization of assets and target identification are achieved through in-depth surveys and interviews at each sport facility. Campus and community assets are identified and prioritized. Critical infrastructure and existing physical protection countermeasures are also identified. The target attractiveness is finally evaluated.
3. The threat assessment focuses on potential threat elements on campus and in the surrounding community. Specific factors are taken into consideration, including the existence of a group/individual operating close to the venue, history or past activity of the group/individual, intentions of the potential threat to act, their capability to act, and the ultimate targeting of the sport venue. A threat level is assigned to each critical asset, which is identified during step 2 of the risk assessment process.
Figure 1: Sport Event Security Assessment Model (SESAM). Adapted by Robert Rolen, Walter Cooper, Lou Marciani, and Stacey Hall. The Center for Spectator Sports Security Management.
4. The vulnerability assessment is a key component of the risk assessment model involving the analysis of several key factors about the venue, including:
- Level of Visibility: assess the awareness of existence and visibility of the sport venue to the general public.
- Criticality of Sport Venue to the Jurisdiction: assess the usefulness of the sport venue to the local population, economy, or government.
- Potential Sport Venue Population Capacity: assess the maximum number of people at a site at any given time.
- Potential for Collateral Mass Casualties: assess potential mass casualties within a one-mile radius of the sport venue.
- Impact Outside of the Venue: assess the loss outside of the sport venue.
- Existence of CBRNE Elements: assess the presence of a legal WMD on the site.
- Potential Threat Element Access to Sport Venue: assess the availability of the sport venue for ingress and egress by a PTE.
5. The consequence evaluation component analyzes the number of potentially injured people at the sport venue who might require transportation/hospitalization. It also assesses the loss of life, loss of infrastructure, economic and environmental impact, and the potential social trauma.
6. The overall risk level of a sport venue is calculated during this step. The risk assessment evaluates the threat potential (produced during step 3), likelihood of adversary success (produced during step 4), and severity of the consequences of an attack (produced during step 5). A final risk level is determined for the sport venue based on a scale of 0 to 5, with 0 being low and 5 being the greatest. It is the sport manager’s responsibility to determine what level is acceptable for the venue.
7. The final step involves the proposal of
measures. These recommendations will help sport managers develop and/or enhance security policies and procedures, emergency response capabilities, and physical protection systems and capabilities at the venue. Also, suggestions for appropriate training in security awareness for staff and the sporting public are recommended.
The SESAM is a cyclical model, as assessments must be continuously completed to ensure that adequate plans and security measures are in place and maintained over a period of time. A sport venue’s threat or vulnerability level may change regarding circumstances in the country or even in the surrounding community. Evaluations of potential threats and existing vulnerabilities “are not only used to determine what dangers to prepare for and how to meet them, but also to prioritize preparedness efforts.” (Sauter & Carafano, 2005, p. 338). By determining which threats are the most dangerous, managers are able to decide where they should invest their time and effort in preparing to deal with the consequences of a potential incident (2005). The risk assessment process is also considered by most specialists “to be the most vital task establishing an effective business continuity/disaster recovery plan” (p. 338). Contingency planning will aid sport businesses in recovery efforts and continuation of operations during incidents.
“On September 11th, it became abundantly clear that stadium and arena operators needed to incorporate security safeguards at America’s sporting venues.” (Pantera et. al, 2003, 1). It is critical that all sport organizations complete a risk assessment of their sport venues in order to identify vulnerabilities and improve security measures. The sport organization should not become complacent or content with their current security practices. Sport programs in America are faced with an ongoing battle to stay alert and be prepared for the ‘unthinkable.’
Ammon, R., Southall, R. & Blair, D. (2004). Sport facility management: Organizing events and mitigating risks. Morgantown, WV: Fitness Information Technology, Inc.
CNN.com. (1996, July 27). Sources: arrest in Olympic bombing could occur within days. Retrieved September 15, 2005, from http://www.cnn.com/US/9607/27/blast.am/index.html
CNN.com. (2002, September 5). When sport lost its innocence. Retrieved September 26, 2005, from http://archives.cnn.com/2002/WORLD/europe/09/05/munich.72/
CNN.com (2006, October 18). Threats against NFL stadiums not credible. Retrieved October 18, 2006, from http://www.cnn.com/2006/US/10/18/football.threats/index.html
Decker, R.J. (2001). Key elements of a risk management approach. United States General Accounting Office. [On-line]. Available: http://www.gao.gov/new.items/d02150t.pdf
Durling, R.L., Price, D.E., & Spero, K.K. (2005). Vulnerability and risk assessment using the Homeland-Defense operational planning system (HOPS). Retrieved October 4, 2005, from http://www.llnl.gov/tid/lof/documents/pdf/315115.pdf
Farmer, P.J., Mulrooney, A.L., & Ammon, R. (1996). Sport facility planning and management. Morgantown, WV: Fitness Information Technology, Inc.
General Security Risk Assessment Guideline. (2003). ASIS International. [On-line]. Available: http://www.asisonline.org/guidelines/guidelinesgsra.pdf
Hagmann, D.J. (2005, October 30). Black hole in America’s heartland. Northeast Intelligence Network. Retrieved July 20, 2006, from http://www.homelandsecurityus.com/site/modules/news/article.php?storyid=16
Hurst, R., Zoubek, P., & Pratsinakis, C. (n.d.). American sports as a target of terrorism: The duty of care after September 11th. [On-Line]. Available: www.mmwr.com/_uploads/UploadDocs/publications/American%20Sports%20As%20A%20Target%20Of%20Terrorism.pdf
Pantera, M.J., et. al. (2003). Best practices for game day security at athletic & sport venues. The Sport Journal, 6 (4). [On-Line]. Available: http://www.thesportjournal.org/2003Journal/Vol6-No4/security.asp
Risk 101. (n.d.). U.S. Coast Guard. Retrieved October 4, 2005, from http://www.uscg.mil/hq/gm/risk/background.htm
Sauter, M. A. & Carafano, J.J. (2005). Homeland Security: A complete guide to understanding, preventing, and surviving terrorism. New York, NY: McGraw Hill.
Vulnerability Assessment Report. (July, 2003). Office of Domestic Preparedness, U.S. Department of Homeland Security. Retrieved May 31, 2005, from http://www.ojp.usdoj.gov/odp/docs/vamreport.pdf