Best Practices C-TPAT 5-Step Risk Assessment Process




Best Practices C-TPAT 5-Step Risk Assessment Process
17th Annual T&T Conference, April 3, 2013
Karen Lobdell, Director Global Solutions, Integration Point

Is This Your Current Process?

CBP's Approach to Risk Assessment
- 2001/2002: Loosely defined set of C-TPAT criteria
- 2003/2010: Company profile identifying existing procedures to meet criteria
- Criteria are amended and become more customized by entity
- (Re)Validations become tighter as bar is raised by the trade and CBP
- SCSSs gain experience
- April 2010: International Security Risk Assessment requirement bulletin is issued
- 5-Step Risk Assessment Guide is provided by CBP
- CBP begins incorporating into the application process and (Re)Validations

Risky Business
Definition of Risk:
- General: Probability or threat of a damage, injury, liability, loss, or other negative occurrence, caused by external or internal vulnerabilities, and which may be neutralized through premeditated action
- Threats: likelihood of occurrence
- Vulnerabilities: weaknesses or gaps in security from the established standards
- Consequences: impact of adverse occurrences

One Size Does Not Fit All
Numerous factors impact risk:
- Geographic regions of operations
- Volumes and number of supply chains
- Complexity of the supply chain
- Commodity/Industry
- Types/number of business partners
- Resource availability

5-Step Risk Assessment Process
- Conducting a vulnerability assessment (in accordance with C-TPAT criteria)
- Conducting a threat assessment
- Preparing an action plan
- Mapping cargo flow & identifying business partners
- Documenting how risk assessments are conducted

5 Step Risk Assessment Process

Conduct a Risk Assessment
- What are the threats?
  - Use open source resources to assist with this process
- Assess the vulnerability
  - Identify gaps in security standards
- Identify consequences (such as lost customers, brand reputation, financial impact)
- Assign a risk score to each; combine the risk score for each to determine overall risk rating

#1 - Conduct a Threat Assessment
Minimum areas to focus on include:
- Terrorism
- Contraband
- Organized Crime
- Human Smuggling
Other considerations:
- Hijacking
- Cargo theft
- Product tampering
- IPR violations
- Political unrest
- Corruption
- Financial instability
- Natural disasters

Threat Assessment
After conducting the appropriate research, assign a threat score:
- Low: no recent incidents, no intelligence
- Medium: no recent incidents, some intelligence
- High: recent incidents and intelligence

Resources
- Third Party Consultants
- Insurance Providers
- Open Source Data
- CBP SCSSs
- Business colleagues
- Social Networking (e.g., LinkedIn Groups)
- Conferences (e.g., CBP C-TPAT)
- Internal company resources (Risk Management Dept)
- Associations (e.g., BASC, TAPA, etc.)
- Local/State Law Enforcement
- ITRAC data

No Cost Open Source Data
- Customs & Border Protection: www.cbp.gov
- CIA World Factbook: https://www.cia.gov/library/publications/the-world-factbook/
- Dept. of State Annual Country Reports on Terrorism: http://www.state.gov/j/ct/rls/crt/2011/
- Overseas Security Advisory Council (OSAC): www.osac.gov
- World Bank (Fragile States): www.worldbank.org
- Transparency International Corruption Perception Index: http://cpi.transparency.org/cpi2011/
- AON Risk Maps: http://www.aon.com/risk-services/terrorism-riskmap/register.jsp
- D&B Country Risk: http://www.dnbcountryrisk.com/

Country Threat Analysis

#2 - Conducting a Vulnerability Assessment
- Designed to identify gaps or weaknesses from identified standards
- C-TPAT criteria would be the applicable measurements
- A vulnerability score should be identified
  - Low Risk: Meets all musts and shoulds
  - Medium Risk: Meets all musts, no shoulds met
  - High Risk: Just one must is not met
- Vulnerability assessments should be done on business partners, as well as internal departments

Conducting a Vulnerability Assessment
C-TPAT Criteria / Standards:
- Business partner requirements
- Conveyance security
- Procedural security
- IT security
- Physical security
- Physical access controls
- Personnel security
- Security & Threat Awareness Training
Methods could include surveys, third party audits, in-house personnel (on-site is preferred)

Assessing Business Partner Risk
C-TPAT VULNERABILITY ASSESSMENT
Form fields: Supplier Name/Address; Point of Contact; Date of Review
Columns: Supply Chain Process; C-TPAT Security Criteria; C-TPAT Sub-Criteria; M = Must, S = Should; Method to Verify; Vulnerabilities Identified; Risk Rating (Criteria); Risk Rating (subcriteria); Best Practices
Supply Chain Process: Foreign Supplier
C-TPAT Security Criteria: Business Partner Requirements
C-TPAT Sub-Criteria:
- Screens Subcontracted Source (M)
- Verifies Partners as C-TPAT Certified (if eligible) (M)
- Verifies Partners' adherence to C-TPAT criteria (if not eligible) (M)
- Participation in foreign customs administration security program (S)
- Conducts periodic reviews of Partner's facilities and processes (S)

Supplier Results Database

Consequences
- Although CBP does not spell this out in their guidelines, it is a key component of any risk assessment
- What is the impact to your business of a security incident/breach?
Potential outcomes:
- Damage to brand reputation
- Loss of program status / benefits
- Financial: delays, value of the cargo
- Increased scrutiny by government agencies
- Decrease in sourcing options/flexibility

#3 - Preparing an Action Plan
- Use your risk ratings to prioritize corrective actions
- Define the deficiencies
- Assign a responsible party
- Have a deadline
- Follow up & verify!
- Re-calculate the party's risk score if appropriate
- Action plans should be documented

Sample Action Plan

#3 - Preparing an Action Plan

#4 - Mapping / Cargo Flow
- Mapping cargo flow for all potential supply chains may be unrealistic
- Focus on those posing the highest risk or exposure
- Drill down within trade lanes to identify the vulnerabilities
- Apply corrective actions accordingly

Trade Lane Mapping Analysis

#5 - Document How Risk Assessments Are Conducted
A Risk Assessment Process should be part of standard policy/procedures and include:
- When established
- Who is responsible (have backups)
- When assessments are done & on whom
- How frequently
- How often the policy is reviewed
- Process for each of the steps
- Training
- Management oversight

Effective Risk Management
- Have a documented risk assessment process in place
  - Written and verifiable procedures for continuity
- Identify, characterize and assess threats
  - Focus on lowering the highest risk areas first
- Have an action plan to address deficiencies
  - Prioritize, responsible party, deadlines, track
- Conduct periodic risk assessment reviews to determine changes in your risk profile
- You may not be able to change a threat, but you can impact vulnerability and consequences

Best Practices
- Top-down commitment to the program should be evident
- Review the criteria upfront and understand the obligations before applying
- Assemble a (C-TPAT) team that is cross-functional
- Consider use of third party resources where it makes sense
- Conduct the requisite annual self-assessment and keep the portal current
- Follow up on questionnaires and inquiries to business partners in a timely manner
- Keep a consistent point of contact for the program
- Automate where it makes sense

Automate or Perish
Managing the 5-step risk assessment process, especially business partner requirements, can be administratively burdensome.
Consider the paperless alternatives:
- On demand
- Standardized
- Single database
- Proactive
- Risk calculations
- Verifiable for validation purposes

Coming Attractions
- C-TPAT for Exports
- Portal 2.0
- C-TPAT/ISA Merger?

Karen Lobdell
Director Global Solutions, Integration Point
KLobdell@IntegrationPoint.com
Tel: (704) 576-3678 X-1179