The Department of Homeland Security established the Chemical Facility Anti-Terrorism Standards (CFATS) to impose mandatory security regulations on high-risk chemical facilities. Interpreting and fulfilling the regulations present challenges to security directors, but finding the right guidance and working with a security integrator who has experience in the chemical industry can help achieve compliance while having a positive impact on the facility’s business objectives.
Understanding the regulations
The security of the chemical industry is a critical matter in the U.S. The $637-billion industry is one of the largest in the U.S., producing 70,000 different products and 21% of the world’s chemicals — as well as employing nearly 1 million people.*
The impact of a significant security incident could be devastating. More than 123 chemical facilities are located in areas where a release could injure or kill more than 1 million people. Another 700 facilities are located where a release could harm 100,000 people. Due to the considerable safety concerns and the potential economic impact of an incident, the Department of Homeland Security (DHS) has identified the industry as one of the 17 critical infrastructure sectors.
While the industry has long been developing initiatives to address security risks and assess potential gaps in security planning, training, and response, these efforts have been largely voluntary. The enactment of CFATS by DHS now imposes mandatory security requirements.
This positive development creates two significant challenges. Some companies may be concerned with fulfilling CFATS requirements throughout their entire enterprise. Others may worry that obtaining funds to meet these federal requirements will be problematic. Navigating both issues at once can be difficult.
That said, strategic consideration of the big picture could allow individual corporations to find ways to achieve DHS compliance while also having a positive impact on core business. While this scenario may seem unlikely, it is possible with the right information and guidance.
Interpreting regulations is a challenge
There are numerous levels to CFATS that may lead to misinterpretation or error.
The process begins with determining which facilities meet the criteria for high risk. DHS developed the Chemical Security Assessment Tool (CSAT) Top-Screen, an online questionnaire that must be completed by manufacturing, storage, and distribution facilities possessing any chemical on the CFATS Chemicals of Interest List at or above the Screening Threshold Quantity (STQ). Once identified, these facilities may be required to complete a Site Vulnerability Assessment (SVA) and develop a Site Security Plan (SSP).
Until an SSP has been submitted, reviewed, and finally approved by DHS, it is difficult to know with certainty what changes will help a facility comply with CFATS. This leaves security divisions across the country anxiously waiting and worrying about the possibility of expensive adjustments.
The standards that facilities' SSPs must satisfy are called the Risk-Based Performance Standards (RBPS). By using a performance standard rather than a prescriptive standard, DHS gives individual facilities some flexibility in how they address their unique security and business scenarios. While applying performance standards does provide flexibility, it can lead to ambiguity in interpreting the requirements.
These issues will require planning and research to determine the optimal security solution for each enterprise. Unfortunately, mistakes can be costly, and penalties for CFATS violations include fines and, in extreme cases, a complete shutdown of operations.
Adding to the distress is the fact that the current version of CFATS is scheduled to expire in October 2009.
Justifying the costs of security solutions
Companies must take action to address identified security vulnerabilities, but concerns about costs and the effect on the bottom line are warranted.
Security is typically seen as necessary but expensive, and competing for budgetary dollars has been a familiar struggle for security professionals long before the advent of CFATS. Unless a company has experienced an incident, corporate management is frequently reluctant to spend scarce resources to prevent something that may never happen. Security directors who can effectively justify such expenditures have an improved chance of attaining necessary funds. The key is developing the ability to demonstrate a direct correlation to business objectives.
The financial costs of an incident are many. At a minimum, recovery can cost tens of thousands of dollars. Even a less-than-worst-case scenario could result in a complete cessation of operations, perhaps for many months. Such an incident could adversely affect the local economy, or reach even wider, depending on the incident’s severity.
Additionally, the public relations implications are huge, particularly if the incident results in any injury or death. Loss of consumer confidence can result in lost sales, cancellation of contracts and even public protests. In addition, the costs of potential litigation and future medical care could be fatal to the core business.
Internal damage can be equally destructive. The loss of wages to employees, ongoing health concerns of those directly affected, psychological harm, and loss of confidence in the company can result in reduced productivity well after the initial incident.
It must be made clear to senior management that achieving compliance with CFATS is not only a mandate, but also an opportunity to provide essential security to business operations across the enterprise.
Security solutions can provide so much more than protection. Employing the right technology can have a clear-cut and measurable impact on the bottom line. Improved efficiencies and better resource management are possible in numerous departments, such as production, human resources, payroll, risk management and accounts payable.
Once those involved understand the tangible and intangible impact of security on business operations, the potentially devastating effects of an incident, and the benefits of integrating a well-planned solution, it becomes easier to demonstrate the case for security and its return on investment.
Finding the right guidance is key
Compared with other industries, chemical security entails more than the average integrator can provide, because these programs are more complex and require specialized expertise. Complying with the RBPS can be balanced with the financial needs of the business by working with an expert integrator. Armed with a thorough understanding of the standards, true security integrators will know when state-of-the-art technology is warranted and when more measured upgrades will help achieve compliance.
Engaging such an expert integrator early in the process is a critical business decision that will help shape priorities and create solutions that are both reasonable and responsible.
Such experts can translate the RBPS and thoroughly understand their impact on a facility, and will come to know their customers’ businesses inside and out to create tailored solutions that employ the right blend of people, application, systems, and service. These integrators will possess a vast portfolio of products and the depth of resources needed at both local and national levels throughout the lifecycle. And they will offer ongoing service and support to help clients adapt security strategies to the ever-changing range of risks they may face.
Finally, the right integrator will choose to become a full partner to their clients in order to help maintain security and achieve business objectives.
*American Chemistry Council; 2007, August; The Business of Chemistry: Essential to Our Quality of Life and the US Economy.
About the author:
Phil Atteberry is the chemical security business development manager for the Security Solutions Business Unit at Siemens Building Technologies, Inc. (1000 Deerfield Parkway, Buffalo Grove, IL 60089; Phone: 847-941-6303). He is responsible for the strategic and tactical development of chemical security sales, marketing and product development, as well as being the Siemens representative for industry associations such as the Chemical Industry Council of Illinois (CICI), Society of Chemical Manufacturers and Affiliates (SOCMA), and American Chemical Society (ACS). Prior to his career at Siemens, Atteberry worked as the global account manager at Chemtura Corp. (previously Great Lakes Chemical Corp.), vice president at Transtech Show Tours, and process controls application engineer at the Antel Corp. Atteberry graduated with a B.S. in chemical engineering and mathematics from Vanderbilt University and an MBA degree from the University of Chicago Booth School of Business.