Best Practices C-TPAT 5-Step Risk Assessment Process

Transcription

1 Best Practices C-TPAT 5-Step Risk Assessment Process 17 th Annual T&T Conference April 3, 2013 Karen Lobdell Director Global Solutions Integration Point 1

2 Is This Your Current Process? 2

3 CBP s Approach to Risk Assessment 2001/2002: Loosely defined set of C-TPAT criteria 2003/2010: Company profile identifying existing procedures to meet criteria Criteria is amended and becomes more customized by entity (Re)Validations become tighter as bar is raised by the trade and CBP SCSSs gain experience April 2010 International Security Risk Assessment requirement bulletin is issued 5-Step Risk Assessment Guide is provided by CBP CBP begins incorporating into the application process and (Re)Validations 3

4 Risky Business Definition of Risk: General: Probability or threat of a damage, injury, liability, loss, or other negative occurrence, caused by external or internal vulnerabilities, and which may be neutralized through pre-mediated action Threats likelihood of occurrence Vulnerabilities weaknesses or gaps in security from the established standards Consequences impact of adverse occurrences 4

5 One Size Does Not Fit All Numerous factors impact risk Geographic regions of operations Volumes and number of supply chains Complexity of the supply chain Commodity/Industry Types/number of business partners Resource availability 5

6 5-Step Risk Assessment Process Conducting a vulnerability assessment (in accordance with C-TPAT criteria) Conducting a threat assessment Preparing an action plan Mapping cargo flow & identifying business partners Documenting how risk assessments are conducted 6

7 5 Step Risk Assessment Process 7

8 Conduct a Risk Assessment What are the threats? Use open source resources to assist with this process Assess the vulnerability Identify gaps in security standards Identify consequences (such as lost customers, brand reputation, financial impact) Assign a risk score to each combine the risk score for each to determine overall risk rating 8

9 # 1- Conduct a Threat Assessment Minimum areas to focus on include: Terrorism Contraband Organized Crime Human Smuggling Other considerations: Hijacking Cargo theft Product tampering IPR violations Political unrest Corruption Financial instability Natural disasters 9

10 Threat Assessment After conducting the appropriate research, assign a threat score Low: no recent incidents, no intelligence Medium: no recent incidents, some intelligence High: recent incidents and intelligence 10

11 Resources Third Party Consultants Insurance Providers Open Source Data CBP SCSSs Business colleagues Social Networking (e.g., LinkedIn Groups) Conferences (e.g., CBP C-TPAT) Internal company resources (Risk Management Dept) Associations (e.g., BASC, TAPA, etc.) Local/State Law Enforcement ITRAC data 11

12 No Cost Open Source Data Customs & Border Protection CIA World Factbook Dept. of State Annual Country Reports on Terrorism Overseas Security Advisory Council (OSAC) World Bank (Fragile States) Transparency International Corruption Perception Index AON Risk Maps D&B Country Risk 12

13 Country Threat Analysis 13

14 # 2 - Conducting a Vulnerability Assessment Designed to identify gaps or weaknesses from identified standards C-TPAT criteria would be the applicable measurements A vulnerability score should be identified Low risk: Meets all musts and shoulds Medium Risk: Meets all musts, no shoulds met High Risk: Just one must is not met Vulnerability assessments should be done on business partners, as well as internal departments 14

15 Conducting a Vulnerability Assessment C-TPAT Criteria / Standards: Business partner requirements Conveyance security Procedural security IT security Physical security Physical access controls Personnel security Security & Threat Awareness Training Methods could include surveys, third party audits, in-house personnel (on-site is preferred) 15

16 Assessing Business Partner Risk Supplier Name/Address: Point of Contact: C-TPAT VULNERABILITY ASSESSMENT Date of Review: Supply Chain Process C-TPAT Security Criteria C-TPAT Sub-Criteria M = Must S = Should Method to Verify Vulnerabilities Identified Risk Rating (Criteria) Risk Rating (subcriteria) Best Practices Foreign Supplier Business Partner Requirements Screens Subcontracted Source M Verifies Partners as C-TPAT Certified (if eligible) M Verifies Partners adherence to C-TPAT criteria (if not eligible) M Participation in foreign customs administration security program S Conducts periodic reviews of Partner's facilities and processes S 16

17 Supplier Results Database 17

18 Consequences Although CBP does not spell this out in their guidelines, it is a key component of any risk assessment What is the impact to your business of a security incident/breach? Potential outcomes: Damage to brand reputation Loss of program status / benefits Financial Delays value of the cargo Increased scrutiny by government agencies Decrease in sourcing options/flexibility 18

19 # 3- Preparing an Action Plan Use your risk ratings to prioritize corrective actions Define the deficiencies Assign a responsible party Have a deadline Follow up & verify! Re-calculate the party s risk score if appropriate Action plans should be documented 19

20 Sample Action Plan 20

21 #3- Preparing an Action Plan 21

22 #4 - Mapping / Cargo Flow Mapping cargo flow for all potential supply chains may be unrealistic Focus on those posing the highest risk or exposure Drill down within trade lanes to identify the vulnerabilities Apply corrective actions accordingly 22

23 Trade Lane Mapping Analysis 23

24 #5 Document How Risk Assessments Are Conducted A Risk Assessment Process should be part of standard policy/procedures and include: When established Who is responsible (have backups) When assessments are done & on who How frequently How often the policy is reviewed Process for each of the steps Training Management oversight 24

25 Effective Risk Management Have a documented risk assessment process in place Written and verifiable procedures for continuity Identify, characterize and assess threats Focus on lowering the highest risk areas first Have an action plan to address deficiencies Prioritize, responsible party, deadlines, track Conduct periodic risk assessment reviews to determine changes in your risk profile You may not be able to change a threat, but you can impact vulnerability and consequences 25

26 Best Practices Top-down commitment to the program should be evident Review the criteria upfront and understand the obligations before applying Assemble a (C-TPAT) team that is cross-functional Consider use of third party resources where it makes sense Conduct the requisite annual self-assessment and keep the portal current Follow up on questionnaires and inquiries to business partners in a timely manner Keep a consistent point of contact for the program Automate where it makes sense 26

27 Automate or Perish Managing the 5-step risk assessment process especially business partner requirements, can be administratively burdensome. Consider the paperless alternatives On demand Standardized Single database Proactive Risk calculations Verifiable for validation purposes 27

28 Coming Attractions C-TPAT for Exports Portal 2.0 C-TPAT/ISA Merger? 28

29 Karen Lobdell Director Global Solutions Integration Point Tel: (704) X