Thursday, December 17, 2009

Reader Email – 12-16-09 – Security Costs

I got an email yesterday from a reader that frequently communicates with me semi-anonymously. He provides his comments via email instead of posting comments on the blog because, for professional reasons, he doesn’t want his identity made public. Since his email comes from one of the major ISPs I don’t know specifically who he is, but we can exchange views. In any case he was responding to my blog posting on RBPS metrics from earlier this week with some suggestions about things I should address in future postings about the RBPS. He brings up a couple of points that are worth public discussion.

Costs of Security Measures

This reader wrote:
“What I think will help to bring more attention to RBPS postings is some talk of some of the costs of meeting the metric. Of course they will vary due to differences in the size of the facility. But an example to help would be the cost of different kinds of fencing per linear foot. The costs of lighting per square area. The costs of various kinds of IDSs and CCTVs. Money seems to be what really grabs attention and I think it would also help to talk about it in addition to some of your good RBPS postings.”
He is correct, of course, that costs of security are very important to the facilities that are being required to bring their security measures up to CFATS standards. I’m just not sure that I can write about specific costs in a meaningful way, especially not at the ‘dollar per linear foot’ level.

Chemical facilities don’t normally purchase security hardware directly. They have neither the expertise to select the hardware nor the personnel to install it. They typically contract that type of work out to someone in the business and trust them to get the best price on materials. Some facilities will attempt to contract out the individual pieces of their security program themselves, while others will rely on a security integrator to sub-contract out the pieces.

This presents its own special problems when you talk about selecting a security contractor for a CFATS covered facility. You certainly can’t expect to put out a request for competitive bids on development of an SSP. Because of the nature of the CFATS requirements, it is too open-ended a project for the conventional low-price bidding process.

I cannot imagine any legitimate security integrator telling a facility that it will cost X amount of dollars to bring the facility into compliance. No one knows what it will take, because no facility has gotten an SSP fully approved yet. Even six months from now an integrator’s claim that they have two Tier 1 clients with approved SSPs will not be a guarantee that they will be able to get first-time approval on a Tier 2 or 3 facility, even if they provide a Tier 1 program for that facility.

Chemical facilities are too unique and the CFATS requirements too vague (by Congressional intent, not DHS design) to know in advance, with any reliability, what it will take to get an SSP approved. This is the reason that no one writing in this field is bandying about any real numbers about the cost of CFATS security programs.
A year or two from now we may have a better understanding of the costs, provided that Congress does not change the ground rules too much. I would be interested in hearing from integrators working in the field about how they address the price side of their contracts for CFATS programs.

Cost of Doing Business

For a number of years now it has been a truism that ‘the cost of safety is a cost of doing business’ and the same is true for environmental regulations. With the advent of CFATS the same is becoming true for security. If a facility is going to remain in business, the cost of regulatory compliance will have to be added to the other costs of doing business.

This is not, however, the same thing as what my reader was apparently saying when he wrote that: “It may also be helpful for facilities to be mindful that money should not get in the way of their decisions to stay in business.” I am finding this type of comment popping up more and more often, especially among academics and various advocacy groups, and it exemplifies a basic misunderstanding of business.

In many cases, these societal costs of doing business can be passed on to the consumers in the form of higher prices. However, in today’s truly global marketplace, there is a limit to how much of a price increase will be absorbed by the consumer. If the price goes up too much, the customer will just switch to lower cost providers, be they across the street or across the Pacific Ocean.

Companies need to make a profit to stay in business. While many banks, Chrysler and GM got bailouts over the last year, it was always with the intention that they would pay the government back or go out of business. If the cost of doing business prevents the company from making a profit, it will go out of business. If the costs that are preventing profits are due to government regulations, then there will be a second alternative: move away from the controls of that government.

The Costs of CFATS Compliance

The CFATS program does provide an environment for management of security costs. Since no specific security measure can be required by DHS, a company with a creative security team has the opportunity to work on cost containment while it is developing its Site Security Plan. It would be helpful if there were some mechanism for sharing these successful strategies, but cost containment will offer a facility a competitive advantage, so these strategies may remain closely held.

One interesting thing about the CFATS process is that it does provide for another way of avoiding the security costs associated with the program. All a company has to do to avoid CFATS compliance requirements is to reduce or eliminate their inventory of high-risk chemicals of interest. In some cases this means a switch to safer chemicals or processes. In other cases it means transferring the risk to another facility that makes a safer chemical intermediate, or even increasing transportation risks by making more frequent shipments to reduce on-hand inventory below STQ levels. Any of these choices can reduce the required security costs.

The true costs of CFATS compliance are just now beginning to be felt across a broad range of industries. It will be years before we can gauge the true effects of those costs. If history is any guide, the costs of CFATS will become, for the most part, just another cost of doing business. Some facilities will close; others will move out of the country, but most facilities will adapt and figure out how to survive while becoming stronger, safer and more secure.

