Since the events of September 11, many chemical companies have scrambled to implement plans and processes in preparation for attacks and other potential crises. But now, months later, new questions arise.

Has your company taken the correct and necessary steps? Is it dealing with real threats and vulnerabilities?

Your company might claim to have increased security ," both on the physical and information fronts ," but did it spend wisely? Is it "over-securing" some areas while ignoring others? How much security is enough security?

Is your facility truly prepared to weather any crisis? Is its crisis management plan and process timely, effective and truly understood by those who will be responsible for implementation? Finally, has your company become, once again, too complacent about potential threats and risks?

Many chemical firms, using the methodologies suggested by the American Chemistry Council (ACC), have begun the security assessment process of identifying vulnerabilities, targets, consequences and countermeasures. Many firms, and the experts supporting them, have overly depended on costly and inconvenient security measures based on staffing additions (e.g., security officers) and/or electro-mechanical systems (e.g., fences, closed-caption television, card access, locks, etc.).

Often, the most effective countermeasures involve better deployment of existing resources, enforcement of existing policies and procedures, and the fostering of a high level of awareness on the part of employees, contractors and suppliers. More consideration should be given to less costly and disruptive procedural measures, including new employee and contractor screening, revised and better-communicated policies, security awareness training, hotlines, employee and contractor identification, collaboration with law enforcement and other government agencies, incident reporting/tracking/trending, signage and cooperation with neighboring facilities. In any case, all security countermeasures, whether physical or procedural, must be part of a strategically reasoned whole that includes crisis planning.

Another common mistake made during this new, increased security effort has been the reliance on law enforcement officials instead of trained and experienced security experts. Although these officials are highly skilled in event response, law enforcement typically is a reactive discipline that focuses on a loss or attack after it occurs. Security, however, is a proactive discipline that aims to prevent or mitigate the risk or loss by means of deterrence, delay, detection or detainment.

Security planning ideally is geared toward the prevention or mitigation of losses and attacks, but prevention alone is not sufficient. Most chemical firms have in place emergency and/or crisis management programs, but they most likely are stand-alone efforts ," not part of a synergistic and integrated whole having security as a critical component.

The crisis plan and security program must be mutually supportive. Ideally, the security plan will be geared toward prevention and immediate response to an emergency or crisis situation. The crisis plan will focus on protecting, on a short- and long-term basis, the firm's reputation, value and continuing existence following the crisis.

It is easily possible to spend millions of dollars on chemical plant security, but is that appropriate and reasonable? Amounts can be based, at least partly, on the courts, which have determined what is prudent and practical in many industrial applications. That decision also can be based on industry benchmarking. If your security processes provide a level of protection at least comparable to similar facilities, you have made a good beginning.

Security planning should address those risks and attacks that are preventable. The theft of a tanker trailer full of a dangerous chemical or the attack on a storage tank by one or two trespassers might be preventable, but an organized attack from the air or by an armed militia might not. Place your focus and efforts on those risks that are most likely preventable and critical for you.

Companies must be aware that liabilities exist, only heightened by the events of September 11, for not adequately and reasonably protecting various stakeholders from the effects of a crisis situation. Firms that fail to prudently plan for potential internal or external attacks might face very substantial liabilities if a future crisis affects personnel, neighbors or other stakeholders.

It is also important to note that a crisis is not always a physical catastrophe. Potential crises could include legal and public relations fall-outs. A co-worker could sexually harass a colleague or a co-worker could be dealing with severe depression. A whistleblower could go to the press before reporting an issue internally, or a plant could even employ a potentially dangerous individual. Even the perception of a crisis such as the rumor of a terrorist attack can be a serious and very real crisis for a firm.

Many companies mistakenly believe a crisis is confined to and should be handled by senior management only. In fact, it is important for each employee to be aware of his or her surroundings and to be a critical part of the process. Employees should be trained to report and act on anything they see as a potential crisis or threat.

Companies need to institute awareness programs in which employees learn their responsibilities under the security and crisis management processes. They should understand that their involvement is for their own protection, as well as the company's. Too often, employees assume the fence or the guard at the gate protects them, and accept little security responsibility themselves. Many workplace violence situations could be prevented or substantially mitigated if employees are aware and willing to report their suspicions or concerns.