4303 locking down the supply chain · “locking down the supply chain” scs top “10” list –...
TRANSCRIPT
2016‐08‐30
1
Locking Down the Supply Chain
September 14, 2016
Orlando, Florida
ASIS Supply Chain & Transportation Security Council ‐ SCSC
Laura Hains, Vicki Nichols, Dennis Blass
“Locking Down the Supply Chain”
What’s New! C-TPAT – Import/Exporter Program
Laura Hains, CPP
Operations Manager Supply Chain Security Group - Pinkerton
Trade Facilitation and Trade Enforcement Act of 2015 (“Customs Bill”)
• Signed into law February 24, 2016 with the objective of ensuring a fair and competitive trade environment through:
• Protect Economic Security through Trade Enforcement
  • Strengthens enforcement capabilities and methods
  • Establishes a new administrative procedure for investigating allegations of evasion of Antidumping and Countervailing Duty (AD/CVD)
  • Enhances CBP’s efforts to combat the import of counterfeit goods and IPR holders.
  • Prohibits all products made by forced labor from being imported.
• Collaborate with the Private Sector through Direct Engagement
  • Reinforces collaboration with both Partner Government Agencies & private sector.
  • Authorizes the Commercial Customs Operations Advisory Committee (COAC) to advise on CBP’s regulations, policies and practices.
  • Formalizes CBP’s industry seminar programs
  • Codifies the requirement for CBP’s longstanding consultation with PGAs
Trade Facilitation and Trade Enforcement Act of 2015
• Streamline and Modernize through Business Transformation:
  • Extends the funding through 2018 for the Automated Commercial Environment (ACE)
  • Supports CBP’s efforts to develop and implement the Centers of Excellence and Expertise Centers
  • Recognizes the authority to establish and maintain CBP’s preclearance program for international travelers
  • Simplifies and modernizes drawback legislation governing the refund of relevant duties, taxes and fees.
  • Raises the de minimis value from $200 per shipment to $800.00 per shipment.
https://www.cbp.gov/sites/default/files/assets/documents/2016-Aug/TFTEA_Overview_FINAL.pdf
Basis For Supply Chain Programs
• Programs are based in some form on the World Customs Organization (WCO) Framework of Standards to Secure and Facilitate Global Trade (SAFE); SAFE has its origins in the revised Kyoto Convention.
• 161 of 171 WCO members have signed on to SAFE
• SAFE Objectives & Principles
  • Establish standards that provide SCS and facilitation at a global level to promote certainty and predictability.
  • Enable integrated SC management for all modes of transport.
  • Enhance the role, functions and capabilities of Customs to meet the challenges and opportunities of the 21st century.
  • Strengthen co-operation between Customs administrations to improve their capability to detect high-risk consignments.
  • Strengthen Customs to Business co-operation
  • Promote the seamless movement of goods through secure international trade supply chains.
Four Core Elements of SAFE Framework
• Harmonizes Advance Electronic Cargo Information
• Countries commit to employing risk management to address security threats
• Reasonable requests to perform outbound inspection of high risk cargo
• Defines benefits that Customs will provide to businesses that meet minimal SCS Standards
Two Pillars of SAFE Framework
• Customs‐to‐Customs
• Customs‐to‐Business
Authorized Economic Operator - AEO
SAFE Framework defines an AEO as:
“A party involved in the international movement of goods in whatever function that has been approved by or on behalf of a national Customs Administration as complying with WCO or equivalent supply chain security standards.
AEOs include manufacturers, importers, exporters, brokers, carriers, consolidators, intermediaries, ports, warehouses, distributors.”
Customs Trade Partnership Against Terrorism (C-TPAT)
• C-TPAT developed by the US Customs Service as a result of growing concerns by government and business to “safeguard the world’s vibrant trade industry from terrorists, maintaining the economic health of the U.S. and its neighbors.” (CBP.Gov)
• Begun in November 2001 with seven (7) major importers. (Started in the late 90’s as a trade initiative)
• Includes U.S. Importers, U.S./Canada highway carriers; U.S./Mexico highway carriers; rail and sea carriers; licensed U.S. Customs brokers; U.S. Marine Port Authority/Terminal operators; U.S. freight consolidators; ocean transportation intermediaries and non-operating common carriers; Mexican and Canadian manufacturers and Mexican long-haul carriers.
• Today there are more than 11,400 certified members.
C-TPAT: Benefits
• Reduced number of CBP Examinations:
  • Tier 1 = 2 times less likely; Tier 2 = 4 times less likely; Tier 3 = 7 • 6 Times less likely to have exams for security reasons
• Front of the line Inspections.
• Possible exemption from Stratified Exams.
• Shorter wait times at the border.
• Assignment of a Supply Chain Security Specialist (SCSS) to the company.
• Access to the Free and Secure Trade (FAST) Lanes at the land borders.
• Access to the C-TPAT web-based Portal system and the library of training materials.
• Possibility of enjoying additional benefits by being recognized as a trusted trade Partner by foreign Customs administrations that have signed Mutual Recognition with the US.
• Eligibility for other US Government pilot programs (FDA)
• Business resumption priority following a natural disaster or terrorist attack.
• Importer eligibility to participate in the Importer Self-Assessment Program (ISA)
• Priority consideration at CBP’s industry-focused Centers of Excellence and Expertise. (CBP.GOV)
Who Can be a Member?
• A company can be certified in C-TPAT if they are PHYSICALLY located in the United States (US), Canada (CA), or Mexico (MX).
C-TPAT 2016 Current State
• Remains a voluntary Supply Chain Security Initiative.
• Currently 11,000 Members in the C-TPAT Program
• Controlling 60% of all imported Goods
• Total importers in US: 810,000
• CBP Wants new Direction, “Secure and Expedited Trade”
• Increase membership to include small & medium companies
• Expansion of Trusted Trader Programs
• Synchronization with other US Government Programs
• Single Window at the Border by this year (2016)
Mutual Recognition Arrangements
• A signed “arrangement” that indicates that the security requirements or standards of the foreign industry partnership program ensure that the programs are compatible in theory & practice.
• Signed the first one in 2007; today the U.S. has signed 11 arrangements.
• Mutual Recognition is based solely on security; specifically, it is based on the Foreign Customs partnership programs having similar security criteria and verification procedures as the C-TPAT program.
• Members do have to be compliant.
• C-TPAT members engaged in fraud or that have had serious penalties against them for customs issues (undervaluation, incorrectly declaring goods, classification issues, etc.) can and have been suspended and/or removed from C-TPAT.
• Having a mutual recognition arrangement does not mean you will not have examinations.
Operational AEO Programs With Mutual Recognition
• Canada – Partners in Protection (PIP) Customs Self-Assessment (CSA), Free and Secure Trade (FAST), Partners in Compliance (PIC), Import/Export-CSA, FAST, Pic-Import (June 2008)
• Dominican Republic (Dec 2015)
• EU – AEO (27 Countries), Import/Export (May 2012)
• Israel – Import/Export (June 2014)
• Japan – AEO, Import/Export (June 2009)
• Jordan – Golden List Program, Import/Export (June 2008)
• South Korea - AEO, Import/Export (June 2010)
• Mexico - New Scheme of Certified Companies (NEEC), Import/Export (Oct 2014)
• New Zealand – Secure Exports Scheme (SES), Export (June 2007)
• Singapore – Secure Trade Partnership (STP), Import/Export (Dec 2014)
• Taiwan – Import/Export (Nov 2012)***
• USA – Customs-Trade Partnership Against Terrorism (C-TPAT), Import (Nov 2001)/Export-(May 2015)
C-TPAT Export Program
• Began May 16, 2015
• Exporter: A person or company who, as the principal party in interest in the export transaction, has the power and responsibility for determining and controlling the sending of the items out of the United States.
• Exporter Benefits
  • Mutual Recognition Arrangements
  • Marketing
  • Reduced Examination Rates and Time
  • Priority Processing
  • Business Resumption
  • Access to Individual-Assigned C-TPAT Supply Chain Security Specialist (SCSS)
  • Eligibility to Attend C-TPAT Training and Seminars
  • Access to the C-TPAT Portal System
  • Common Standard
Organizational Gains Beyond Regulatory Compliance
Internal Controls
• Background Checks
• Access Control
• Hiring & Termination Procedures
• Shipment Documentation
• Information Security
• Business Partner Vetting
• Internal and External Audit Function
Security Awareness
• Purchasing
• Facility management
• Administration
• Logistics
• Trade Compliance
• Security
• IT
Financial
• Ability to join other programs such as FAST and ISA‐Importer Self Assessment
• Duty payment‐monthly instead of transactional
• Reduced Penalties
Threat Analysis
• Internal Conspiracy
• Workplace violence
• Intellectual property protection
• Country risk factors‐crime, Contraband and Human Smuggling
Transparency
• Improved supply chain transparency by mapping end to end supply chains.
“Locking Down the Supply Chain”
SCS Top “10” List – Practitioner Tips
Vicki Nichols
SCS Top “10” Practitioner Tips
1. Secure Leadership Commitment
2. Address Organizational Issues
3. Know Your Supply Chain
4. Engage Your Supplier
5. Share Tools of the Trade
6. Embed Supply Chain Risk
7. Standardize Risk Management
8. Innovate Risk Mitigations
9. Implement a Strong Audit Program
10. Constantly Evaluate and Evolve
# 1 Secure Leadership Commitment
• Develop strategy and actively govern your SCS Program
• Align that strategy to evolving business goals
• Implement an effective and robust SCS Program
Move toward collaborative cross-functional security management
# 2 Address Organizational Issues
Identify Stakeholders
• Security
• International Trade Compliance
• Logistics
• Procurement
• Risk Management
• Human Resources
Deploy and empower cross functional teams to:
• Continuously assess and qualify;
• Categorize and prioritize; and
• Manage risk
# 3 Know Your Supply Chain
• Thoroughly and continuously vet your supply base
• Know who touches your product, materials and freight
  • Shipment volume
  • Mode of transportation
  • Number of suppliers
  • Countries of export
  • Carriers and filers
• Evaluate cargo country risk
  • Cargo disruption
  • Unmanifested cargo
  • Anti-western sentiment
• Control who is arranging transportation for your freight
  • Add SCS Elements to Contract Language
  • Use Incoterms that provide the most security
# 4 Engage Your Supplier
• Develop a SCS communication strategy for engaging:
  • Suppliers
  • Logistic service providers
• Interact frequently with suppliers using multiple channels:
  • Supplier conferences
  • Websites
  • Printed material
  • Training
# 5 Share Tools of the Trade
• Collaborate with industry to identify leading edge practices such as:
  • Supplier score cards
  • Risk registers
  • Risk criteria
  • Self-assessment questionnaires
  • Example questions to ask suppliers
# 6 Embed Supply Chain Risk
• Advocate on policy and procedure updates
• Spread SCS references into existing policies and procedures
• Potential policy and procedures insertion points:
  • Hiring practices
  • Acquisitions procedures
  • Risk and opportunity management
  • Internal and external auditing
• Integrate SCS requirements into suppliers and logistic service providers contract terms and conditions
# 7 Standardize Risk Management
[Figure: Integrated Supply Chain Risk Assessment Process. Elements shown: Risk Assessment; Define Strategy; Risk Handling; Accept Risk? (Yes / No); Monitor and Review; Communication & Consultation. Questions shown: What? When? Where? How? Who?]
Risk Identification
• Poor Supplier Financials or Delivery Performance
• Political / Country Instability
• Supply Chain Use for Smuggling
• Cargo Tampering
• Intrude or Take Control of an Asset
• Dangerous Routing
• Environmental/Natural Disasters
• IP Theft
• Information Tampering
• Cyber Attacks
• Terrorism
• Legal/Regulatory Non‐Compliance
Handling Strategies
• Track & Trace Technologies
• Alternate Suppliers
• ID Critical Suppliers
• Authorized Distributors
• Cargo Mapping
• Performance Metrics
• Traceability & Controls
• Business Partner Credentialing
• Limiting Access
• Business Rules
• Inventory Monitoring
• Tamper Evident Technologies
• Country Risk Ratings
• On‐Site Assessments
• Targeted Assessment
• Supplier Self‐Assessments – Questionnaires
• Risk Event Data
• Compliance Monitoring
# 8 Innovating Risk Mitigations
Mitigation Measures
• Strategic use of “track/trace” technologies
• Consistent use of anti-tamper tape
• Practice “Need to Know” with your supplier
• Incident response planning
• Employee & supplier awareness & training
• Critical questions for supplier vetting
• Investigate suspicious anomalies
• Periodically change procedures

• How critical is the product?
• Is it exploitable?
• HOW can it be exploited?
• What are the implications of product compromise?
• How much data does the supplier NEED to fulfill the contract?
• What do I know about my supplier?
• How will the supplier safeguard product information?
# 9 Implement a Strong Audit Program
External:
• Right to Audit in Contract Language
• Prioritize on-site supplier audits
• Establish corrective action plans
• Perform follow-up assessments
Internal:
• Include cargo security in corporate risk management program
• Integrate cargo security into internal audit programs
• Create a dedicated group that has expertise in key areas
# 10 Constantly Evaluate and EVOLVE
• Increase end-to-end visibility
• Integrate risk management teams that manage security, resilience and risk
• Engage external partnerships in risk management and resilience.
• Design procedures to ID emerging risks
• Conduct full scenario & contingency exercises
• Prepare response and recovery plans
• Focus on “bounce back”
RESILIENCE used as a COMPETITIVE ADVANTAGE
# 10 Constantly Evaluate and EVOLVE
Pre‐Compliant
• Not C‐TPAT Compliant
• No established SCS prevention
• No response standards or practices
Compliant
• Response to regulations or standards imposed from outside
• Security is the cost of doing business
Secure
• Outside standards are seen as insufficient
• Greater emphasis on security & prevention to support company vision & strategies, protect brand reputation, physical assets, & shareholders
• Security is seen as part of the business model
Resilient
• A comprehensive business strategy that leverages SCS investments to enable an increase in competitiveness
• Disruptions seen as inevitable and adds focus on “bounce back”
• Flexibility and/or redundancy in SC for detection and response, ensuring product movements, business continuity, and service to customers in and post disruption
• RESILIENCE used as COMPETITIVE ADVANTAGE
Constantly Evaluate and EVOLVE cont.

| Key Process and Focus | Pre‐Compliant | Compliant | Secure | Resilient |
|---|---|---|---|---|
| Leadership | No risk focus | Program compliance | Prevention security | Response for advantage |
| Internal Integration | None | Reactive coordination | Proactive coordination | Integrated teams manage security, resilience, risk |
| External Partnership | No defined partners | Limited interaction | Partners involved in security only | Partners in risk management and resilience |
| Visibility | Limited to no visibility | Some system visibility | Partner visibility | End‐to‐end visibility |
| Risk Management | No standards | Emerging security standards | Partners pre‐screened | Partners help manage risk |
| Risk Detection | None | Some reactive procedures | Some proactive procedures | Procedures to ID emerging risks |
| Training | No training | Internal training | Security training for suppliers | Full screening & contingency exercises |
| Communication | No plans | Reactive | Proactive | Response and recovery plans |
| Culture | No awareness | Compliance only | Security and compliance | Actions affecting security, resilience |
Supply Chain Security “Takeaways”
• Supply Integrity: uninterrupted supply helps ensure Customer commitments are continually achieved
• Financial Imperative: companies can improve bottom line performance through SC risk management
• Regulatory Compliance: alternatives are penalties, damage to reputation, and increased oversight
• Competitive Advantage: if you can’t execute, there are others who will gladly take on your business
• National Security: Securing the global supply chain is essential to the country’s defense posture and economic prosperity
Sources
• Supply Chain Security: A Compilation of Best Practices
• Defense Supply Chain Security: Current State and Opportunities for Improvement
• Investing in Supply Chain Security: Collateral Benefits
• Promoting Resilience and Efficiency in Preparing for Attacks and Responding to Emergencies (PREPARE) Act
• Supply Chain Sustainability: A Practical Guide for Continuous Improvement
• World Economic Forum on Transport and Supply Chain Security
• Supply Chain News: The Top 10 Best Quotes
• Stemming the Rising Tide of Supply Chain Risks: How Risk Managers Roles are Changing Responsibilities
“Locking Down the Supply Chain”
Dennis Blass, CPP, PSP, CISSP
Director Safety, Security and Emergency Preparedness
Children’s of Alabama
Transition
• The Pinkertons and Lockheed Martin have great programs. Laura Hains and Vicki Nichols do great jobs protecting their Supply Chains.
• How do you get to where they are with your organization?
• SAFE
• C-TPAT Supply Chain Security Training Guide
• ASIS Standards and Guidelines and Crisp Reports
• Supply Chain Security: A Compilation of Best Practices
• Situational Crime Prevention and Supply Chain Security
• Maturity Model
Supply Chain Risk Management
Hazard Vulnerability Assessment
Scales:
• Motivation of Threat: Low=1, Med=2, High=3
• Likelihood of event: 0=None, 1=Rare, 2=Occasional, 3=Frequent Event, 4=Routine Event
• Impact (consequence) on Population: 0=No Impact, 1=Limited, 2=Substantial, 3=Major
• Impact on Property: 0=No Impact, 1=Limited, 2=Substantial, 3=Major
• Impact on reputation or regulatory consequences: 0=No Impact, 1=Limited, 2=Substantial, 3=Major
• Impact Analysis: Likelihood* population + property + reputational / regulatory risks

Naturally Caused

| Hazard | Facility / Community | Hazard Champion | Motivation of Threat | Likelihood of event | Impact (consequence) on Population | Impact on Property | Impact on reputation or regulatory consequences | Impact Analysis |
|---|---|---|---|---|---|---|---|---|
| Biological Disease Outbreak (Ebola) | Community | Vason | 0 | 2 | 3 | 0 | 2 | 8 |
| Major Earthquake | Community | Blass | 0 | 0 | 0 | 0 | 0 | 0 |
| Major Hurricane | Community | Blass | 0 | 0 | 0 | 0 | 0 | 0 |
| Loss of Network Services | Facility | Wood | 0 | 1 | 1 | 1 | 0 | 2 |
| Severe Winter Weather | Facility | Blass | 0 | 3 | 1 | 0 | 1 | 4 |
| Tornado/Wind Shear | Facility | Blass | 0 | 1 | 1 | 1 | 0 | 2 |
| Pandemic Outbreak | Community | Vason | 0 | 2 | 3 | 0 | 0 | 6 |
| Volcano | Community | Blass | 0 | 0 | 2 | 2 | 0 | 0 |
Hazard profile
• List hazards (Column A)
• Classify as a facility or community problem (Column B)
• Determine the motivation of the threat (Column D)
• Determine Likelihood of event (probability or “P”) (Column E): does the threat event occur daily, three or four times a week, once a year or once every 10 or 100 years?
• Determine the consequences of the event “$”
  + Impact on population (Column F)
  + Impact on operations (Property) (Column G)
  + Impact on reputation and regulatory retaliation (Column H)
• P*$ = Impact Analysis (Likelihood*Consequence)
Mitigation profile
• For every hazard determine the controls available (risk reduction or mitigation plans in effect) (Column J)
• Determine the effectiveness of controls (Column K)
  • Have they been tested in exercises or actual events?
  • Are controls and assessments current?
  • Law of the parasite – threats evolve
  • Have single points of failure been identified?
• Subtract from Impact analysis
• Determine risk management options
  • Assume
  • Monitor
  • Develop Management Plan
It looks like this
• An HVA is like looking at the forest.
• Bow-tie diagrams focus on trees
  • Events are in the middle
  • Efforts to reduce probability (P) are on the right of the event
  • Efforts to reduce consequences ($) are on the left
• Risk Funnel
• Heat Maps
There are other views
Exercising and testing – the pathway to GREATNESS
Where does this stuff come from?
There are more good things in the Supply Chain Risk Management compilation of Best Practices
• Annex A, A discussion on Information and Communication Technologies (ICT) Security
• Annex B, Examples of Organizational Resilience Procedures
  • Prevention and Mitigation Planning Guide
  • Response Treatment Planning Guide
  • Continuity Treatment Planning Guide
• Annex C, Examples of Risk by Category and Type
What else is there?
• Annex D, Examples of Generic for Supply Chain Security Agreements
• Annex E, Examples of Supply Chain Security Self Awareness Questionnaires for Suppliers or Other Supply Chain Partners
• Annex F, Examples of Elements of Supply Chain Security Contract Language for External and Third Party Logistics Service Providers
• Annex G, Example of Crisis Management Program Element Review
• Annex H, Examples of Site Crisis Plan
What difference does it make?
Get the book “Supply Chain Risk Management-A Compilation of Best Practices” (free to ASIS members).
Reading it may not make you an expert in Supply Chain Risk Management in a day, but studying it (the whole thing plus the annexes) will put you ahead of 68.27% of the people in our field.
Mastering it (using it over and over and over) will put you 95.45% ahead of your peers and with the likes of Vicki Nichols and Laura Hains.
“Questions?”
THANK YOU!