For the entire country, the September 11, 2001, terrorist attacks confirmed that the unthinkable was possible. To the business world, it meant that being ready for a fire, a flood or a violent crime no longer represented “preparing for the worst.”

The attacks redefined the meaning of risk management in both the public and private sector, Wharton experts say, forcing companies and the government to rethink the ways that they prepare for, respond to and recover from large-scale disasters. The new agenda for security that was set on that sunny fall Tuesday has been tested, questioned and reshaped again and again in the decade since — by events including Hurricane Katrina, the BP oil spill in the Gulf, the 2008 financial crisis, the Arab Spring, the earthquake and tsunami in Japan, and most recently, Hurricane Irene.

“September 11 is a turning point and a touchstone,” notes Wharton management professor Michael Useem. “It’s something that we still grieve about and something we also want to build from, to ensure that it never happens again. Or, if something terrible happens, we want to make sure we get through the crisis and rebuild.”

New government policies along with efforts at disaster planning by private companies are aimed at preventing another horrific day like 9/11. The U.S. Department of Homeland Security has an annual budget that exceeds $50 billion. Over the past 10 years, federal dollars allocated for intelligence clocked in at $80 billion a year — more than double what it was in 2001, according to a report issued last week by former 9/11 Commission co-chairmen Tom Kean and Lee Hamilton on the status of the groups’ recommendations.

But questions remain over how best to protect valuable assets — from buildings to computer systems to people. Indeed, the “report card” released by the former 9/11 Commission chairmen identified nine major recommendations from their initial report that have yet to be sufficiently implemented, including a unified framework for training emergency personnel and responding to crises. “In 2005, Hurricane Katrina revealed that a catastrophic natural disaster could produce a chaotic and disorganized response by all levels of government, causing large-scale human suffering. A decade after 9/11, the nation is not yet prepared for a truly catastrophic disaster,” the report concluded.

Fear is a powerful motivator, Wharton marketing professor J. Scott Armstrong says, and in some cases the security measures put in place after 9/11 have not been fully thought through. Among those measures, he notes, was the creation of the Department of Homeland Security. “[The department] was developed very rapidly and with little systemic look at the costs and benefits…. If you instill enough fear in people, they start to make irrational decisions.” It leads to what he called the “politician’s syllogism: ‘We have a problem; something must be done. This is something; therefore, this must be done.'”

September 11, 2001, was a sign that more attention needs to be paid to “black swan” events, or events that are highly improbable but have major impacts. Yet “one of the real challenges in doing risk management for firms is that they do a really good job learning about one specific event — the one that already happened,” Wharton marketing professor Robert Meyer points out. “They make great strides in ensuring that one event doesn’t happen again. But oddly, just by the definition of ‘very rare events,’ the next catastrophe that happens is not going to be the same” as the one that came before.

The Wake-up Call

When a truck bomb was detonated below the North Tower of the World Trade Center in 1993, killing seven people and injuring thousands, it was a sign to Rick Rescorla that there was a need to better prepare for future threats. Rescorla, the security chief for financial services firm Morgan Stanley, began conducting regular emergency evacuations of the company’s offices there, despite employee grumbling about having to walk down dozens of flights of stairs.

After a plane crashed into the building’s North Tower on September 11, 2001, Rescorla ignored building officials’ advice to stay put and began evacuating 3,700 Morgan Stanley employees from 20 floors in the South Tower. “That’s exactly what ultimately saved so many people at Morgan Stanley,” Useem says. “The twist to it is that [Rescorla] went back in one last time to make sure everybody got out. After he went back in, the tower collapsed and he was lost.”

The earlier bombing served as a wake-up call for Rescorla — just as, years earlier, the Exxon Valdez oil spill spurred Exxon Mobil to rethink its crisis prevention systems. “Prior to 9/11, if you had been through something terrible — if you had touched the void, if you had looked off the cliff,” that would cause companies to act, Useem notes. But the attacks on the World Trade Center and the Pentagon were such a shock, and the impact was so devastating, that firms of all sizes, in all locations and across industries suddenly felt as if they were teetering on the precipice.

“The culminating effect of the disasters that happened throughout the 2000s is that all of a sudden, catastrophic risk is on the front burner,” Meyer says. “It used to be the case that enterprise risk management was something firms felt that they needed to do, and they had somebody within the organization that was in charge of it. But it didn’t have much presence in the board room.”

Now there is the sense that “there is no area of our life that is really safe,” according to Wharton marketing professor Jerry (Yoram) Wind. “Terrorists could attack basically any facility, any place where there is a congregation of people, where they can claim the victory of killing more Americans and causing more damage. In a sense, every single business that has some visibility and an aggregation of people is at risk. And it’s not only the business itself: If you’re located in the vicinity of, say, a nuclear facility, you are at risk.”

To see how firms detect and prepare for extraordinary events today — and to develop strategies and standards to help decision-makers do so effectively — Useem, Howard Kunreuther, co-director of Wharton’s Risk Management and Decision Processes Center, and Erwann Michel-Kerjan, managing director of the Center, are conducting a study that involves interviewing leaders of S&P 500 companies to learn about their experiences. So far, they have talked to executives at about 50 companies, but ultimately hope to speak with representatives from more than 100 firms.,

What they found, according to Useem, is that boards of directors have become more directly involved in catastrophic risk management, and many companies are now emphasizing that preparing for a catastrophe no longer falls solely on the shoulders of the executive in charge of risk management. “If it looks like H1N1 is going to erupt in Mexico City as it did a couple of years ago, [multinationals] want people on the ground to be able to recognize that and communicate it back to headquarters,” Useem says.

Many firms are now running intensive disaster drills — and not just for violent events such as a fire or terrorist attacks. “A big bank we interviewed now runs its more senior management through a two-day exercise in which [employees are told] that a major hedge fund other than their own has failed or a big sovereign wealth fund has failed — which, like the Lehman Brothers failure, creates huge waves within the financial markets,” Useem notes. “In light of that simulated failure, over the next day and a half, employees learn about how to respond, whom they have to call and what steps they have to take” to keep the firm afloat.

But forecasting exactly how a potential threat will play out is difficult, and Armstrong argues that in many cases, experts aren’t using the most effective methods. A study he conducted with Kesten C. Green, a senior lecturer at the University of South Australia, found that when experts and non experts were asked to use intelligence reports to predict the outcome of a particular conflict, both groups came up with the right answer only about a third of the time.

According to Armstrong, a better approach to forecasting such risks is creating structured analogies in which people come up with several past conflicts that might be similar to the current threat, and then deciding which is the best fit. Another, more effective, option is an interactive simulation exercise. “It’s all about making better use of the information,” he says.

Forecasting the Unthinkable

In addition to planning for the unthinkable, firms are also insuring themselves against possible losses. “One of my colleagues likes to tell me that the price of terrorism insurance in Manhattan was zero before 9/11, meaning insurers and people in the business of knowing, quantifying and putting probability on that kind of risk thought it was effectively impossible,” Meyer notes. “No one was willing to pay a significant price, because they considered it such an implausible, rare event. Then all of a sudden it happens, and you have completely the opposite — you still can’t buy terrorism insurance, but for the opposite reason.”

In a 2010 paper, Michel-Kerjan studied the evolution of terrorism insurance in the U.S. since the attacks. Prior to 9/11, he says, terrorism risk was included as an unnamed peril in most commercial insurance contracts. The attacks jolted the industry, causing an estimated $23 billion in damages, making it the second costliest disaster in U.S. history after Hurricane Katrina. By early 2002, 45 states allowed insurance companies to exclude terrorism from their corporate policies, leading to the creation of the Terrorism Risk Insurance Act (TRIA), a public-private program that covers up to $100 billion of insured losses. Similar programs exist in countries including Germany, the United Kingdom, France and Australia.

“Our capacity to be economically resilient in the aftermath of another attack will be critical,” Michel-Kerjan argues, noting that terrorism insurance is a “vital tool to assure such resiliency.” He found that demand for the coverage grew significantly between 2002 and 2006, plateauing at a point where approximately 60% of firms are now covered. Without renewal by the federal government, TRIA is set to expire in 2014. “Given the current federal deficit, Washington might be reluctant to increase, de facto, its financial liability,” Michel-Kerjan adds. “On the other hand, our security is a matter of national interest, so keeping this program alive would make sense.”

The government has become more entangled with business interests in several other ways, grappling with the challenges of balancing national security with economics. That struggle has arguably been most prominent in the airline industry, with the introduction of more stringent screenings of passengers and cargo. Heightened security is also evident at the offices of major banks, according to Wharton finance professor Richard Herring. “You have seen financial institutions disperse from their heavy concentration in and around Wall Street. Part of this was inevitable as improvements in technology and data transmission — particularly in the dematerialization of securities — made it possible to relocate in pleasanter places. But the trend was certainly accelerated by the attack on 9/11.”

Wharton legal studies and business ethics professor David Zaring points to the financial services industry and mergers and acquisitions as two areas where companies are also feeling the impact of increased oversight.

“The financial industry is very much being made a part of the war against terrorism and is supposed to help the government impede terrorists from using the financial sector to finance their operations,” Zaring says. “The industry has to get to know their customers much better than they had to before 9/11. They have to collect a lot of data on the kinds of transactions their customers are doing, and on occasion share that with the government.” Failure to do so can result in “truly massive” multimillion-dollar fines, Zaring adds. For example, Washington, D.C.-based Riggs Bank agreed to a $16 million fine in 2005 for failing to report suspicious transactions.

Banks are increasingly working with outside consultants and IT experts to create systems for flagging risky transactions. “That created something of a cottage industry of regulatory compliance,” Zaring notes. “It has really been quite expensive for the banks because they have to hire these consultants and software providers.” It’s a requirement they can’t ignore “if they want to keep doing business.”

According to Herring, companies have also learned important lessons about data protection and recovery. He notes that on 9/11, Bank of New York, for example, “did have back-up facilities [for its data] but [the facilities] were on the same transportation and electric grid as the main center and were of no use in keeping the institution functioning. Since then, regulators have required that financial institutions meet exacting standards for backing up and recovering data from a remote site that is unlikely to be affected by a terrorist strike against headquarters.”

The government also is now paying greater attention to efforts by foreign companies to purchase assets in the U.S., potentially rejecting purchases of those thought to be strategically important to national security. “Sometimes, American companies want to get bought by, or want to partner up with, an overseas company, and that, too, can be reviewed and rejected by the government,” says Zaring, adding that one instance of this was the 2008 collapse of a deal by Chinese company Huawei Technologies to buy a stake in 3Com, a U.S.-based maker of Internet router and networking equipment. The purchase fell apart amid questions from the Bush administration about its national security risks. 3Com, which was purchased by Hewlett-Packard in 2010, made anti-hacking computer software for the military, and Huawei had ties to the Chinese military.

According to Zaring, “There’s a constant push and pull, and the government doesn’t always have a perfectly predictable view about what kinds of things can be sold abroad and what kinds of things can’t be…. Mergers and acquisitions has turned into something where you need not just think about what the capital markets will say and what the potential target will say, but also you need to think about how Washington will react. That used to involve worrying if there were anti-monopoly issues that could arise, but now you really have to add national security to the list.”