Since the events of September 11, many chemical companies have scrambled to implement plans and processes in preparation for attacks and other potential crises. But now, months later, new questions arise.
Has your company taken the correct and necessary steps? Is it dealing with real threats and vulnerabilities?
Your company might claim to have increased security ," both on the physical and information fronts ," but did it spend wisely? Is it "over-securing" some areas while ignoring others? How much security is enough security?
Is your facility truly prepared to weather any crisis? Is its crisis management plan and process timely, effective and truly understood by those who will be responsible for implementation? Finally, has your company become, once again, too complacent about potential threats and risks?
Many chemical firms, using the methodologies suggested by the American Chemistry Council (ACC), have begun the security assessment process of identifying vulnerabilities, targets, consequences and countermeasures. Many firms, and the experts supporting them, have overly depended on costly and inconvenient security measures based on staffing additions (e.g., security officers) and/or electro-mechanical systems (e.g., fences, closed-caption television, card access, locks, etc.).
Often, the most effective countermeasures involve better deployment of existing resources, enforcement of existing policies and procedures, and the fostering of a high level of awareness on the part of employees, contractors and suppliers. More consideration should be given to less costly and disruptive procedural measures, including new employee and contractor screening, revised and better-communicated policies, security awareness training, hotlines, employee and contractor identification, collaboration with law enforcement and other government agencies, incident reporting/tracking/trending, signage and cooperation with neighboring facilities. In any case, all security countermeasures, whether physical or procedural, must be part of a strategically reasoned whole that includes crisis planning.
Another common mistake made during this new, increased security effort has been the reliance on law enforcement officials instead of trained and experienced security experts. Although these officials are highly skilled in event response, law enforcement typically is a reactive discipline that focuses on a loss or attack after it occurs. Security, however, is a proactive discipline that aims to prevent or mitigate the risk or loss by means of deterrence, delay, detection or detainment.
Security planning ideally is geared toward the prevention or mitigation of losses and attacks, but prevention alone is not sufficient. Most chemical firms have in place emergency and/or crisis management programs, but they most likely are stand-alone efforts ," not part of a synergistic and integrated whole having security as a critical component.
The crisis plan and security program must be mutually supportive. Ideally, the security plan will be geared toward prevention and immediate response to an emergency or crisis situation. The crisis plan will focus on protecting, on a short- and long-term basis, the firm's reputation, value and continuing existence following the crisis.
It is easily possible to spend millions of dollars on chemical plant security, but is that appropriate and reasonable? Amounts can be based, at least partly, on the courts, which have determined what is prudent and practical in many industrial applications. That decision also can be based on industry benchmarking. If your security processes provide a level of protection at least comparable to similar facilities, you have made a good beginning.
Security planning should address those risks and attacks that are preventable. The theft of a tanker trailer full of a dangerous chemical or the attack on a storage tank by one or two trespassers might be preventable, but an organized attack from the air or by an armed militia might not. Place your focus and efforts on those risks that are most likely preventable and critical for you.
Companies must be aware that liabilities exist, only heightened by the events of September 11, for not adequately and reasonably protecting various stakeholders from the effects of a crisis situation. Firms that fail to prudently plan for potential internal or external attacks might face very substantial liabilities if a future crisis affects personnel, neighbors or other stakeholders.
It is also important to note that a crisis is not always a physical catastrophe. Potential crises could include legal and public relations fall-outs. A co-worker could sexually harass a colleague or a co-worker could be dealing with severe depression. A whistleblower could go to the press before reporting an issue internally, or a plant could even employ a potentially dangerous individual. Even the perception of a crisis such as the rumor of a terrorist attack can be a serious and very real crisis for a firm.
Many companies mistakenly believe a crisis is confined to and should be handled by senior management only. In fact, it is important for each employee to be aware of his or her surroundings and to be a critical part of the process. Employees should be trained to report and act on anything they see as a potential crisis or threat.
Companies need to institute awareness programs in which employees learn their responsibilities under the security and crisis management processes. They should understand that their involvement is for their own protection, as well as the company's. Too often, employees assume the fence or the guard at the gate protects them, and accept little security responsibility themselves. Many workplace violence situations could be prevented or substantially mitigated if employees are aware and willing to report their suspicions or concerns.
It is important to keep in mind that the time to think about how to respond is not when a crisis is occurring. A plan in a binder gathering dust on a shelf is no assurance of proper response. Key employees and managers must have in place a process to simulate crisis scenarios to ensure their ability to respond properly. Proper advance planning will help eliminate confusion and allow a company to focus on the crisis at hand.
Preparing for the unthinkable
It is often difficult for employees to "see the forest for the trees" when they have become too familiar and comfortable with their surroundings.
Outside experts can provide a vital perspective on how to prevent and respond to any potential situation before and during a crisis and will bring real-time experience to post-September 11 planning. This process also will help a facility create a crisis plan or assess the current plan. It can identify any existing holes in the plan, determine the plan's effectiveness against current threats and vulnerabilities, and assess the appropriateness of the people involved.
Crisis planning should include extensive scenario role-playing. Senior managers must be taught how to deal with each possible twist and turn within a particular crisis.
It is dangerous to assume managers will make the right decisions and take the best possible actions when the crisis occurs. Even the sharpest senior managers will benefit from an authentic simulation and its resulting critique.
Preparation and maintenance of a solid crisis plan must be a team effort. The senior executives responsible for your facility's information technology, legal (including outside counsel), risk management, human resources, operations, security and corporate communications departments must be trained together on crisis reaction, what steps to be taken by whom, and how to communicate with employees and external constituents.
Lines of communication among all department heads must make it clear what information can be disseminated and what information legally should not be released. The sidebar outlines some key steps to proper crisis planning.
In the months following the events of September 11, many firms that had intensified their focus on security and crisis management needs lost that focus when a follow-up attack failed to materialize.
Security, law enforcement and intelligence experts agree that more attacks are inevitable and that chemical facilities could be targets. Therefore, chemical plants should maintain a reasonable, cost-effective level of security and crisis-management preparedness at all times. CP
The "CARES" Process
The acronym "CARES" stands for the following five steps a facility should take during crisis planning and preparation:
1. Composure and collection of information: How composed were the executives after hearing and initially reacting to the crisis? Are the executives/managers on the scene capable and equipped to manage and pass on information? What information was collected and how was it collected? Did the executive collect enough vital information to properly assess the situation? What other sources of trustworthy information can we call on?
2. Assessment: Did the executives adequately assess the situation? For example, did the executives clearly assess the challenges and/or obstacles surrounding the situation and who might be affected? Is the information accurate and thorough? Are the full extent and scope of the crisis clear?
3. Reaction: What is the action plan, and how was this decision made? Were benchmarks created for success? How will personnel reactions and steps taken affect all constituencies and stakeholders in the near and long terms? What ripple effects might this crisis cause?
4. Evaluation: How effectively is the situation being evaluated, monitored and adjusted? Who is being notified and how? Based on new changes, how is the situation being evaluated? What new goals/benchmarks have been set? How do the various constituencies and stakeholders perceive the facility? How does the plant know the crisis is under control and subsiding?
5. Success: Once the crisis has subsided, how effectively is the success of the response measured? What changes to the crisis plan/process were made based on these metrics? How prepared is the facility for the next crisis? How will it prevent a recurrence here or elsewhere? Did the metrics prove effective in measuring the situation?
By implementing a program such as the CARES program, companies can truly measure how well a crisis team performed throughout any situation. Real recommendations can be provided as broadly or specifically as needed. CP
Moed is managing partner and co-founder of Peppercom, a strategic communications firm in New York, San Francisco and London that specializes in crisis management with an expertise in the chemical industry. Sem is president and founder of Sem Security Management and has more than 30 years of experience in the security and crisis management industry, including assessments of chemical facilities. Contact them at (212) 931-6116 and (815) 577-6833, respectively.