Outline for the CEN Supply chain security (SCS) Good Practices guidebook

Transcription

1 Outline for the CEN Supply chain security (SCS) Good Practices guidebook Foreword: The purpose of this 7 page outline document is to provide a concrete basis for kicking off the development of the SCS Good Practices guidebook, as a collaborative effort between supply chain operators and experts in the field. Cross border Research Association (CBRA) research team would also like to thank all the CEN/TC 379 members who answered the survey (Sep Oct. 2010) helping to set priorities for the upcoming content. We are looking forward to having you and all other experts interested in the topic to work with us to develop the first draft book during Nov.2010 April All potential contributors, please contact us by cenbook@cross border.org, to get involved in the process! Preliminary table of content for the SCS guidebook Chapter 1. Introduction Scope and objectives for the good practices guidebook Chapter 2. Supply chain security management and crime prevention overview Chapter 3. Good SCS practices Set 1: Application of a holistic security management approach Chapter 4. Good SCS practices Set 2: Anecdotes/ short stories on crime incidents and security responses in Europe Chapter 5. Good SCS practices Set 3: Complying with SCS programs/standards/regulations in Europe Chapter 6. Good SCS practices Set 4: Any SCS management and crime prevention anecdotes from anywhere in the world Chapter 7. Summary and conclusions Bibliography, recommended readings Annexes

2 Chapter 1. Introduction Scope and objectives for the SCS Good Practices guidebook This SCS good practices book is aimed at collecting and presenting practical approaches enabling companies to manage risks related to supply chain crime in a cost efficient way. As stated by Menzer et al (2008), Supply Chain encompasses the planning and management of all activities involved in sourcing and procurement, conversion, demand creation and fulfillment, and all logistics activities. 1 The aim of security and operational management is to create and maintain systematic, coordinated, and cost effective activities and practices in order to prevent exploitation of supply chains for criminal purposes, and to enable quick response in case of a security breach. Crimes of interest include (among others): theft, counterfeiting, customs law violations, organized immigration crime, terrorism, and sabotage. Crimes can have intra and/or inter organizational impacts. The content of the good practices book is collected by means of comprehensive literature and standard reviews, and case company / supply chain interviews and written replies. The SCS standard review follows recommendations by the members and observers of CEN TC 379. The semi structured interviews aim at collecting experiences related to implemented security measures, contributing or preventing factors during the process and attained results. Due to the fact that connections between implemented security measures and their outcomes are contextdependent, part of the experiences are collected in the form of anecdotes, which include descriptions of the conditions under which the outcomes were achieved. Findings are compressed into the form of crime problem solving processes following continuous improvement principles. This should facilitate exploiting presented practices and processes inside normal quality improvement programs, decision making processes, and operational practices in companies. This should also help to fill traditional communication gaps between supply chain managers, risk managers, compliance managers, and security managers, amongst others. The good practices book considers existing standards, including EU AEO; ISO28000 Security in the Supply Chain, ISO31000 Guidance on Risk Management and ISO/PAS28002: Resilience in the Supply Chain, and other relevant security standards (EN, BS, and DIN standards) as potential sources for good practices, and the book provides examples on how to comply with such requirements for those interested in doing so (and, what the consequential benefits may be if such data is available). 1 Menzer, J.T. et al. (2001), Defining Supply Chain Management Journal of Business Logistics, 22(2), 1-25.

3 Chapter 2. Supply chain security (SCS) management and crime prevention overview The objective of this chapter is to inform readers about the most relevant frameworks, models, and reference standards of managing security of the supply chain. Risk management forms an important part of this overview chapter. Below, initial references are made to SARA approach and SCS management layers. During the book s development, this chapter will be expanded to cover other relevant aspects of SCS management and crime prevention in supply chains. For example, good practices discovered during ISO implementations 2 will be highlighted (subject to access to the data). Also, references to several annexes (preliminary list of annexes can be found at the end of this overview paper) will be made. SARA approach SARA presents good practices in crime prevention commonly used by police agencies in the United States, the United Kingdom, Canada, Scandinavia, Australia, and New Zealand. Early experiments can be traced back to the early 1980s. SARA is a problem solving approach, which uses the data to establish the existence and extent of a problem, analyze its nature and source, plan intervention measures to reduce it, and monitor and evaluate the effectiveness of the selected measures (Read and Tilley, ). It emphasizes the transfer and sharing of crime prevention knowledge. SARA is a generic problem solving tool, which enables one to connect specific crime types, specific contexts, appropriate security measures, and observed outcomes. SARA resembles the risk management principles of ISO 31000, Total Quality Management (TQM), and Continuous Improvement, and exploits opportunity reducing crime preventive techniques. SARA consists of four phases (Clarke and Eck, ): 1. Carefully defining the specific problems (Scan) 2. Conducting an in depth analyses to understand their generative mechanisms (Analysis) 3. Undertaking broad searches for solutions to disable causes (Response) 4. Evaluation of the result (Assessment) 2 ISO 28000:2007, Specification for security management systems for the supply chain; ISO 28001:2007, Security management systems for the supply chain Best practices for implementing supply chain security Assessments and plans Requirements and guidance; ISO 28004:2007, Security management systems for the supply chain Guidelines for the implementation of ISO Read T., Tilley N. Not Rocket Science? Problem Solving and Crime Reduction (2000) London: Home Office. Crime Reduction Research Series Paper 6 4 Clarke, R.V.and Eck, J. (2003) Becoming a problem solving crime analyst in 55 small steps. London: UCL Jill Dando Institute

4 SCS management layers Regarding the SARA Step 3 explained above, the following 7 layer SCS management model is applied as a reference in this good practices guidebook (adapted from Hintsa J., ): 1. Design and planning layer: designing sourcing (countries) and transport (routes) to minimize risks; creating and updating security, disaster recovery, training, and audit plans. 2. Process control layer: managing key business processes, creating visibility into them, monitoring for deviations, and providing stability/minimizing variations (in time, quality, etc.) 3. Supply chain assets layer: securing facilities, vehicles, shipments, products, data systems, and data by exploiting a broad set of security procedures, technologies, and solutions. 4. Human resources layer: checking backgrounds, training, and motivating personnel; protecting them against blackmail, kidnapping, etc.; minimizing the risk of insider crime. 5. Business partners layer: selection process for business partners; requirements for SCS certifications; and monitoring and audit activities. 6. Aftermath capabilities layer: ensuring post incident recovery with minimum supply chain disruptions; developing competences for investigations, evidence collection, and court procedures. 7. Disrupting criminal activities layer: causing problems in the illicit supply chains, by influencing supply (e.g., counterfeit factories), production, logistics operations, and distribution (e.g., awareness campaigns) 5 Hintsa J. Post-2001 Supply chain security private sector implication. Doctoral thesis manuscript submitted to the thesis jury. Oct.2010

5 Chapter 3. Good SCS practices Set 1: Application of a holistic security management approach This data is collected by means of semi structured interviews. Interview questions confine the whole security management process starting from (a) identification and defining of the problem, (b) analysis of the nature and extent of the problem, (c) generations of alternative security measures and evaluation of trade offs, and (d) assessing costs and benefits. The following list of questions may be regarded as an example: 1. What did your company do to enhance security in the supply chain? 2. Why did your company take the action (specific crime incident in own organization; specific crime incident in other organization; crimes exceeded the acceptable level; management interest to secure supply chains against potential crime incidents; systematic management process to identify deviations which revealed a possible vulnerability; increased risk level because of entering new sourcing or manufacturing countries, or transport routes; pressure to comply with an existing SCS standard or regulation, etc.)? 3. Did you have practices which contributed to or exacerbated the problem(s) or otherwise made it more difficult to solve the problem(s) (organizational barriers; lack of management commitment; reluctance to follow security requirements on every organizational level; inadequate audit methods, etc.)? If yes, how did you manage to overcome them? 4. What kind of targets and measurements were set (e.g., declined specific crime incident level; better facility and asset utilization; compliance with governmental regulations or programs; lower insurance fees, etc.)? How were such positive effects measured? 5. What kind of alternative security measures were generated and how did you select the implemented security measures? How were the selected security measures expected to work (make it harder to commit a crime; increase a perceived risk of being caught; reduce the anticipated rewards from the crime related activity; remove reasons to commit crime, etc.)? 6. How did the security measures work in practice (fully eliminated the problem; substantially reduced the problem; reduced the consequences caused by the problem; dealt with a problem more efficiently; transferred the problem to other areas of the supply chain or onto others, etc.)? 7. What type of costs were experienced during and after the implementation of new measure(s) (Investment costs; operational costs; maintenance costs, etc.)? Can you quantify any of them? 8. Did the security measures have any positive side effects (better visibility and operational control; better customer satisfaction; fewer governmental inspections; reduced insurance premiums, etc.)? How were these effects measured? 9. Did the security measures have any negative or reverse effects (impact on employee morale; negative impact on environment; displacement of crime to other areas, types, etc.)?

6 Chapter 4. Good SCS practices Set 2: Anecdotes/ short stories on crime incidents and security responses in Europe This chapter presents a collection of short stories regarding crime incidents and security responses in European supply chains, with the following basic structure: - What happened, what was the trigger (the incident; management attention, etc.)? - Why was it important to act (to do something about it)? - What was done (the security response)? - How was it done when by whom? - What were the outcomes (both positive and negative ones)? Chapter 5. Good SCS practices Set 3: Complying with SCS programs/standards/regulations in Europe Existing SCS initiatives, including the EU AEO program and ISO2800 series, are not selfexplanatory and self executing programs. On the contrary, they often present a framework where compliance with requirements can be attained in several ways. These initiatives often introduce new tasks involving many people at different levels of the organisation. For example, the EU AEO program relates to manufacturing, logistics, financial administration, legal affairs and agreements, social responsibilities and governmental relationships, human resources, supplier relationship, security, and risk management. In this chapter, examples are presented on how different types of companies have managed EU AEO, ISO28000, and other relevant SCS implementation processes, highlighting problems and solutions of potential broader interest and relevance. Chapter 6. Good SCS practices Set 4: Any SCS management and crime prevention anecdotes from anywhere in the world (this chapter is optional, tbd later)

7 Chapter 7. Summary and conclusions The actual summary and conclusions can be written only towards the end of the book development project. This good practices guidebook helps companies operating in supply chains to enhance their SCS management processes, methods, and techniques: - All actors in supply chains, including companies with cargo interest/ownership and logistics service providers. - All sizes of companies, especially small and medium sized enterprises (SMEs) (this is based on the quick survey in Sep Oct.2010) The good practices presented in this book have helped (the case) companies in the past to 6 : - reduce opportunities for crime and/or actual crime incidents in the supply chain (as the main priority based on the quick survey in Sep Oct.2010); and/or - comply with existing SCS initiatives (standards, regulations, etc.) The good SCS practices shared in this guidebook were not invented by experts in the domain (including security consultants or academics), but they were real implementations of various SCS management approaches in real supply chains. 7 Risk management has played an important role throughout the guidebook. Bibliography, recommended readings To be added later Annexes Preliminary list of annexes for the book Annex 1. Template/questionnaire for collecting SCS good practice cases and anecdotes Annex 2. Crime in supply chains, taxonomy and definitions Annex 3. Security measures in supply chains, taxonomy and examples Annex 4. Selected SCS programs and standards, overview and requirements Annex 5. Technical norms in security management; EN, DIN, BSI, etc. 6 One should note that all the good practices described in this guidebook are context dependent (at least to some extent), thus there is no guarantee that they produce similar results in a new situation (time, mode, location, commodity type etc.). 7 One should note that subjective aspects of many of the good practices could not be avoided, due to the complexities in measuring (and verifying) the actual implications (or benefits) of SCS measures implemented.