SUPPLY CHAIN SECURITY IN THE 21 st CENTURY
INTRODUCTION Overview of the Supply Chain Recent Supply Chain Security Issues Standards: World Customs Organization (WCO) Framework U.S. Customs and Border Protection s C-TPAT Program ISO 28000 Series Security Management Systems for the Supply Chain Other Supply Chain Security Approaches Risk-Based Supply Chain Security Approach Supply Chain Security Management Best Practices
DEFINITION The term Supply Chain Security can be defined as a process encompassing the: Programs Procedures Systems Technology and, especially, the People applied to addressing threats to the supply chain and the related threats to the economic, social and physical well-being of citizens and organized society.
SUPPLY CHAIN SECURITY ISSUES CUSTOMS AND BORDER PROTECTION, TAPA AND PINKERTON EXPERIENCE IS BASICALLY THE SAME: 60% of all supply chain security problems involved poor transportation related security 20%+ involved poor security at the manufacturing site, including poor access controls and poor security practices within the shipping and receiving departments 90% of the time, the security weaknesses were well known internally by staff 75% of the incidents had an internal connection
SUPPLY CHAIN SECURITY ISSUES CUSTOMS AND BORDER PROTECTION, TAPA AND PINKERTON EXPERIENCE IS BASICALLY THE SAME (cont): In spite of the pop culture that drivers and staff are intimidated and coerced into helping with theft and smuggling, less than 5% of the incidents investigated had that linkage 15% involved bribes and kickbacks Main motivation money and greed
SUPPLY CHAIN SECURITY ISSUES In Asia and Latin America: Both smuggling and theft are serious problems; can involve violence but usually focused on pay-offs Major issues revolve around transportation from the factory to a distribution center or customs clearance area Another major source of problems is transportation from the distribution center, truck yard or customs clearance area to an international port or border crossing Sophisticated modus operandi involves compromising transportation companies and/or drivers; multiple surveillance teams, and use of stolen duplicate rigs with hidden compartments; transloaders include wreckers or repair vehicles and box trucks
SUPPLY CHAIN SECURITY ISSUES In Asia and Latin America (cont.): Trailers/containers can be unloaded/transloaded in less than 30 minutes Criminal groups have experts who can get into the trailer or container without breaking the high security seal; have special racks to hold the doors and keep the seal in place Have experts who can duplicate the seal and replace it
SUPPLY CHAIN SECURITY ISSUES In Europe: Truck/trailer theft is increasing 20%+ a year Violent hijacking is extremely popular modus operandi Drivers are threatened and turn over their rigs/loads to avoid being shot or beaten; Eastern European, especially Russian, Albanian and Bulgarian organized crime often involved Drivers are often overpowered when sleeping along the way or at rest stops Drivers are oblivious to the threats and are not trained on how to avoid or respond to threats
SUPPLY CHAIN SECURITY ISSUES In the United States: Truck theft is a major issue Sophisticated organized crime groups are targeting manufacturers, distribution centers, truck stops, rest stops, etc. Ethnic Cubans, El Salvadorians (MS-13), working in conjunction with Eastern European (Albanian, Bulgarian and Russian) organized crime elements steal trucks/trailers, remove the property and ship it out of the country or sell it on E-Bay or to fences Trucks, heavy equipment and parts are also targets and go to Latin America/Europe Tactics include recruiting or inserting individuals inside a business with high value goods ; sometimes as employees, sometimes as temps Surveillance groups in vans and SUV s follow trucks or stake out truck stops, rest stops or other identified areas where trucks are parked (e.g. Wal-Mart or shopping center parking lot) Drivers are involved or are oblivious to threats; are untrained in how to detect surveillance and avoid problems; security officers equally oblivious and untrained
SUPPLY CHAIN SECURITY ISSUES So What Can We Do???
SUPPLY CHAIN SECURITY ISSUES It is VERY much a global business: Organized crime (even Italian) Mexican cartels Latin American gangs Cuban gangs Chinese triads And they will work together and share resources and expertise!
Supply Chain Security Use good, tested Supply Chain Security Programs!! Evaluate your situation; know the threats and modus operandi Know the supply chain security programs you can borrow from Select one as a starting point, or combine several, and move forward with a standard to evaluate against
WCO Guidelines World Customs Organization (WCO) 174 member nations Standardize worldwide customs policies and procedures (including supply chain security) WCO SAFE Framework of Standards Provide security and facilitate world trade Built upon joint customs and business pillars Authorized Economic Operator (AEO) is the name of the WCO supply chain security program
C-TPAT Program CUSTOMS-TRADE PARTNERSHIP AGAINST TERRORISM (C-TPAT) The United States implementation of the WCO Framework of Standards AEO program U.S. Customs and Border Protection (CBP) and the Trade Community working together in a voluntary program first of its kind in the world Joint, voluntary commitment to secure the supply chain
C-TPAT Program C-TPAT PROGRAM ELEMENTS: General Security Business Partner Requirements Conveyance Security Physical Access Control Personnel Security Physical Security IT Security Security Training and Threat Awareness
Other Supply Programs OTHER INTERNATIONAL SUPPLY CHAIN SECURITY RELATED APPROACHES: Authorized Economic Operators (AEO) e.g. European Union AEO or Japan AEO program, etc. ISO 28000 Transported Asset Protection Association (TAPA) Business Alliance for Secure Commerce (BASC)
Risk-Based Supply Chain RiskSecurity Programs How do you get Risk-Based security solutions from C-TPAT, AEO or ISO 28000? RISK is a Widely Mis-used Term!! US government (Department of Homeland Security and Department of Defense), the British CCTA Risk Analysis and Management Method (CRAMM) or the French Marion methodology, and most recently the ISO 28000 series, all basically break the Risk Assessment Methodology down to this formula: Risk = Threats X Vulnerabilities X Consequences If you want a Risk-Based Approach Use an Established Methodology and Use the Terms Properly
Risk-Based Supply Chain RiskSecurity Programs (cont) (Risk = Threats X Vulnerabilities X Consequences) Threats (T) considered should be holistic and can include: Terrorism Cargo Theft Hijacking Drug, Contraband Smuggling People Smuggling Undeclared Hazardous Goods Government Instability Labor or Health Issues IP/Brand Protection General Integrity of People Rated: Severe, High, Moderate, Low or None
Risk-Based Supply Chain RiskSecurity Programs (cont) (Risk = Threats X Vulnerabilities X Consequences) Vulnerability (V) (effectiveness of security) based on ability to deter, detect, delay and respond in, as a minimum, the following categories: General Security Procedural Security Business Partner Requirements Physical Access Controls Physical Security Container and Trailer Security IT Security Security Training and Threat Awareness Rated: High, Moderate, Low or None
Risk-Based Supply Chain RiskSecurity Programs (cont) (Risk = Threats X Vulnerabilities X Consequences) Consequences (C) is determined based on a Business Impact rating. Issues to consider include: Volume of Business Percentage of Particular Components/Services Provided Timeliness Cost/Value of Goods Impact on Business if Lost Quality Performance Rated: High, Moderate, Low or None
Risk-Based Supply Chain RiskSecurity Programs (cont) (Risk = Threats X Vulnerabilities X Consequences) IS THIS RISK? Excerpt from Congressional Research Service Report on Air Cargo Security, January 2005 Air Cargo Security Risks Potential risks associated with air cargo security include introduction of explosive and incendiary devices in cargo placed aboard aircraft; shipment of undeclared or undetected hazardous materials aboard aircraft; cargo crime including theft and smuggling; and aircraft hijackings and sabotage by individuals with access to aircraft.
Supply Chain Security Management So How can we manage the Risk and reduce the Risk? Lower the Threats? How? Lower the Vulnerabilities? Lower the Consequences? How? How?
Supply Chain Security Management Supply Chain Security Management (SCSM): Cannot eliminate most Threats; work with law enforcement Instead, the goal is to minimize the impact of any type of threat within the supply chain Threats can be of minor or major nature Threats can consist of removing cargo (theft) or adding to cargo (smuggling) Threats include: theft, terrorism, sabotage, extortion, accidents, etc. - Also can include counterfeit, product diversion, parallel trade, loss of reputation, etc. Note: Good SCSM can help companies to deal with all types of supply chain Threats, including bad weather, natural disasters etc.
Supply Chain Security Management Supply Chain Security Management (SCSM) (cont): Focuses on how to make security measures more effective and, hence, lower the Vulnerability Individual security measures typically have one or more of the following goals: Deter/Prevent Detect Delay Respond/Recover But all must be present to have effective security Identify security gaps and close them How can the enterprise do better at this? (Supply chain security action plans!) The biggest vulnerabilities seem to focus around PEOPLE which is why security education and awareness and personnel security are so important!! As is, having a reporting mechanism
Supply Chain Security Management Supply Chain Security Management (SCSM) (cont): Companies can certainly reduce the impact of adverse Consequences on their business. Not all consequence related actions are security actions It might involve broadening the supply base or changing processes It definitely involves business continuity and recovery planning This can play a major role in reducing Risk!!
Supply Chain Security Management Analysis Framework BASC Security Management Concept
Supply Chain Security Best Practices General Supply Chain Security Related Best Practices (CBP/ISO/TAPA/BASC/Pinkerton): Make your solutions Risk-Based (but properly determine your Risk) Use qualified third parties to assist; they don t have your blind spots Conduct Self Assessments of your Supply Chain Business Partners, document the gaps and develop a Corrective Action Plan; monitor the implementation of improvements or lack thereof Conduct On-Site Assessments of the Highest Risk Business Partner Sites; document the gaps and develop a Corrective Action Plan; monitor the implementation of improvements Follow-up and re-audit the Highest Risk Sites, if they do not score well (high vulnerability scores) but claim implementation of improvements Build security into your Business Partner selection and retention process as a factor Track, and require tracking, of all shipments -- and immediately respond to any anomalies
Supply Chain Security Best Practices (cont) Access Control Documented policies and procedures Advanced visitor approval Real-time monitored systems that document entry, exit and movement Check IDs of all visitors, vendors, drivers, etc. and keep a record of everyone who enters, when they entered and when they exited Require escorts for visitors and vendors Don t tolerate tailgating Work Area Restrictions (identifiable badges, color coded uniforms, further physical/electronic restrictions) Controlled driver waiting area
Supply Chain Security Best Practices (cont) Security Related Policies and Procedures Comprehensive and integrated Include special policies and procedures for information/data security Include special policies and procedures for shipping/receiving Include special policies and procedures for purchasing/contracting Integrated with security guard post orders
Supply Chain Security Best Practices (cont) Personnel Security Have a Code of Conduct that addresses supply chain security and integrity Include documented special policies and procedures for personnel/hr Have detailed policies and checklists for timely termination and return of IDs, keys, equipment and restriction for IT and other access Conduct detailed BI s, in accordance with the law, and check all references, including developed references, documents, education and qualifications; do re-checks!! Consistent enforcement of policy violations, etc.
Supply Chain Security Best Practices (cont) Physical Security Routine and random facility inspections and ensure compliance to established standards Well trained and equipped personnel, following documented procedures, and doing detailed reporting Monitored access control, CCTV and alarm systems that are integrated, (monitored) and allow for immediate real-time response Conduct tests (e.g. penetration tests) and audits of compliance Review and analyze systems and information Document what you do; guard patrols should be producing detailed reports on every shift!! Ensure security is looking for surveillance or suspicious activities and is reporting it
Supply Chain Security Best Practices (cont) Shipping and Receiving Specialized packing material Specialized shipping markings Segregated and controlled areas (ID badges, uniforms) High Security Seals controlled, secured and randomly issued CCTV and still photography of loading/unloading process, entry and exit Anonymous reporting of issues or conspiracies Rotate employees including supervisors and security System for tracking shipments and reporting/responding to anomalies
Supply Chain Security Best Practices (cont) Highway Carrier or Transportation Provider Establish standards for contracting/purchasing; require this of all transportation service providers Require notification of any subcontractor use and make it clear they must adhere to the same requirements as the primary Ensure all drivers are screened for licensing and criminal records Documented education and awareness training required including: Training on detecting surveillance Trailer security Reporting procedures Responses to different scenarios Establish communications methods and emergency signals
Supply Chain Security Best Practices (cont) Highway Carrier or Transportation Provider (cont) Know the transportation carriers security procedures and ensure they include no stops in designated red zones Allow stops only at authorized, pre-cleared trucks stops, etc. Require GPS tracking for both the tractor and trailer; GPS must be actively monitored and require regular check-ins and communication with the driver A response should be available that can be dispatched if there are any suspicious activities or stops Use automatic and/or remote cut-off and remote locking capabilities Consider light sensitive alarms linked to GPS Require high security locking devices/seals, spot weld hinges and tamper tape
Supply Chain Security Best Practices (cont) Security Education and Awareness Training All training well-documented Have a documented method for determining effectiveness of training Orientation and recurring general security training Specialized training for: Shipping/Receiving Drivers Mail and package handling Security and reception HR Internal conspiracies Outreach to Business Partners Focus on the NQR (Not Quite Right) approach Make sure reporting and response is addressed
Supply Chain Security Conclusion Supply chain security is an important facet of doing business Supply chain security can be improved by using RiskBased Security Management C-TPAT, AEO, ISO 28000 can all be a part of enhancing supply chain security Effective supply chain security can save the enterprise money, preserve reputation and protect brand name It s not James Bond stuff!!
Thank You!! QUESTIONS?