walmart’s supply chain security...any critical standard question is found not performed at the...

Walmart’s Supply Chain Security

Program

• About Supply Chain Security

• About the Audit

• FAQ’s and Contacts

September 2016

About Supply Chain Security

Global Security Operations – Supply Chain Security

3

What is Supply Chain Security?

Supply Chain Security is the accumulation of

controls throughout the supply chain process

that enhance the security of the supply chain

during the transportation of finished

merchandise. Allowing protection against threats

such as smuggling, terrorism, fraud and theft.


4

What - When - How?


• The Security audit should begin early in the buy plan process, Audits can take 45

– 60 days AFTER the audit is paid for and scheduled.

• It all begins with facility Disclosure

• Facility disclosure is followed by requesting the audit – as soon as you know you

will be producing work for Walmart ensure your facilities have been disclosed and

the audit requested.

• Then pay for and schedule the audit date

Waiting to request the audit when it is needed is too late.

• Risk of inactivation

• No new PO’s can be placed with inactive facilities

• Potential disruption to business

Supply Chain Security audits take place where the finished goods are

sealed into the carton that is sealed into the trailer or container and will

ship across a country border.

5

What facilities need to be disclosed?

• All facilities producing direct import goods.

• All facilities where a Walmart private label branded items are produced, regardless of Importer of Record.

• A new facility used to source goods for Walmart

• If there is a natural disaster or fire and the facility reopens, it must be re-disclosed and a new audit performed

• Factory has moved to a new address

• 3PL’s – Third Party Logistic firms

• Consolidated Freight Shippers – CFS’s

• Warehouses

• Sometimes 2 locations of the same production location may need to disclose and be audited. Example production facility and warehouse storage.


Factory Disclosure is performed on Retail Link in Factory Audit System.

*Manual Factory Disclosure is available only for suppliers without access to Retail Link.

6 Global Security Operations – Supply Chain Security

START HERE

Supplier

discloses

facility in

Retail

Link

Factory

ID is

created

by

Walmart

SCS

Audit is

requested

to 3rd

Party

audit firm

Audit fee is

collected

and audit is

scheduled

3rd Party

audit firm

audits the

facility

Closing

Meeting with

the facility

management

Findings

are shared

with

Walmart

Security

audit is a

pass or a

fail

Assessment

results are

communicated to

Suppliers,

Walmart’s

Merchant and

Sourcing Teams

Supplier and

Facility

responsible for

CAPS &

Remediation

Follow up

audits

based on

risk

Supply Chain Security Audit Process

• Disclosure takes about 15 minutes

• Factory Attachment typically takes 24 - 48 hours

• Audit frequency depends on risk matrix

• Security Audits will be assessed by Walmart as pass or fail

7

Supplier Responsibilities

• The suppliers own the management of and relationship with facilities they

choose to work with.

• The suppliers and facilities own ensuring they can meet the Supply Chain

Security Standards and will be assessed by security audits.

• The suppliers and facilities own ensuring payment for the security audits is

rendered timely. Failure to remit payment timely can cause undue delays

to the specified audit time range and possible business disruption.

• Suppliers and facilities own the responsibility of ensuring the remediation

and any CAPA’s – Corrective Action Plans are completed timely and

correctly.


About the Security Audits


9

Security Audits

1. The WMT SCS Audits • Supplier requests the audit in Retail Link / Factory Audit System.

• Audit is performed by an approved Walmart audit firm.

• Audit firm contacts Supplier for payment and scheduling.

• Audit results are shared with the Supplier, the expectation is the Supplier

shares with the Facility.

2. The SCAN Audit • Walmart requests the audit, informs the Supplier, the Supplier informs the

Facility.

• Audit is performed by an approved SCAN audit firm.

• SCAN approved audit firms contacts the Facility for payment and

scheduling.

• The facility is provided a log-in code to access the audit results, the

expectation is the Facility will communicate to Suppliers the results.


There are two methods for Walmart Security Audits

10

Security Audits


Security Audits Globally All Have 8 basic categories for assessment:

• Personnel Security

• Threat Awareness

• Physical Access Control

• Physical Security

• Container / Trailer Security

• Procedural Security

• Information Security

• Contractor Security / Business Partner Requirements

11 Global Security Operations – Supply Chain Security

Personnel Office

The Facility has a written Employee Security policy that

includes procedures for hiring, employment applications,

employee documentation and screening of new employees

Applicants photo ID card is reviewed in

application process

C

C

The facility uses surveillance to monitor

activities in sensitive areas of the facility,

such as receiving, shipping, final packing,

main offices, lobby, and the computer

server/systems room

The facility has a written

policy indicating that

employees are not

permitted to bring personal

items into final packing and

shipping areas

Main Office

The facility security policies are

reviewed every 12 months and

updated when necessary

Final Packing and Loading area

C

Gate security guard or

facility manager performs

a container or trailer

inbound inspection

Prior to loading trailer/container

integrity and security are verified by

7 pt inspection

The facility has a process to

screen arriving packages and

mail prior to distribution

The facility uses security

methods to prevent tampering

with goods during final packaging

Facility has a written access control

program that establishes responsibility to

maintain control of all locks, keys, and

access cards

C

Facility has a written policy that designates which

employees are permitted access to information systems

Receiving

Server Room

Lobby

Facility has a written procedure regarding

security vetting of service contractors who

require routine access to the facility

The facility has a written procedure to ensure that data used

to create cargo documents and manifests are accurate,

legible, complete, and protected against tampering or loss

M

C

The facility places an ISO 17712 High

Security Seal on a container or trailer

immediately after loading is complete

M

C

The facility has a process to ensure that only

authorized management and the shipping

supervisor has access to high security seals

The facility has a written policy that requires a

control log is maintained for any pick-up delievery

truck arrival and departure to include the driver’s

name, driver’s license number, truck license number,

reason for visit, and the control log is kept for 30

days

39'-9"

17

'-3

"

Lo

ck

er

s

Shipping

Office

C

C

C

C

C

The shipping supervisor

or an authorized

employee verifies that the

transportation document

are complete and

accurate

The gate security guard or designated facility

manager performs a truck outbound inspections

and the results are recorded in an outbound vehicle

logDuring times of darkness the facility’s perimeter

fence/wall is well illuminated

The facility’s perimeter is secured with a fence

or wall or patrolled by security guards/facility

management or supervisors, to deter

unauthorized access

Security Booth

Auditor Code of

ConductAct with Integrity.

Conduct opening meetings to explain

audit purpose.

Explain audit process.

Show respect for the individual.

Do not give the results of the audit.

Never ask for or accept a gift.

Report to your supervisor any gift offering

and provide details.

Conduct closing meeting.

Report conflict of interest.

Steps for a Successful

AuditBe on time.

Be prepared.

Minimize disruption.

Conduct an opening meeting.

Review facility documents.

Write down findings.

Conduct Closing meeting.

Instruct Facility to accept findings.

Walmart Stores, Inc. Global Supply Chain Security Critical Areas

12

Security Audits Score & WMT SCS CAP

WMT SCS Corrective Action Plan (CAP)

Plan (CAP) Supply Chain Security Audit Renewals

A security audit is renewed based on the

country’s Risk Rating where the facility is

located

Audited facility is in a country rated high risk for supply chain security.

Any Critical Standard question is found not performed at the facility

Factory has 60 days to make security improvement.

Email [email protected] with completed SCS CAP’s.

Country Risk Level

High Risk

Medium Risk

Low Risk

12

Months

12 or 24

Months (*)

24

Months

Audit Renewal Period

13

Member Audit Company Member

Shared Program

Vision/Concept

• ONE audit for ALL

• Standardized criteria that meets

Global Security Program standards

• Adheres to both C-TPAT and AEO

requirements

• Potential to become the recognized

security audit platform

• Potential to become the platform for

more types of audit requirements

Shared Audit Firms

Engineer/Build

• Standardized fees

• Standardized auditor training

• Standardized audit result

assessments

• Standardized Validation process

• Global capacity

• Corrective Action Plans

Shareable Results

Execute/Support

• SCAN manages the program

• Centralized data base

• Flexibility by member companies to

assess results in accordance with

company standards

• Drives industry Best Practices

• Confidentiality maintained


SCAN – Supplier Compliance Audit Network

14

SCAN Audit Score & CAPA

Corrective Action Plan Accomplished (CAPA) • A CAPA is required when any Critical or Must questions on the audit are

missed.

• All CAPA’s must be completed by the facility before the audit is considered

complete.

• If a CAPA is required the facility will be sent an email with the CAPA request

within 10 days of the on-site audit. This will include the questions, the facility

response and SCAN feedback.

• Facilities are expected to return to the Assessment Portal and respond to the

corrective actions by the due date.

• Facilities will receive an email notification confirming CAPA completion.

Audit Renewal Cadence • A security audit is renewed based on the Member company’s protocol –

see page #12).

FAQ’s and Contacts


16

FAQ’s

• Who/ what is the Importer of Record (IOR)? If you (the supplier) are responsible for

customs clearance, your company is the Importer of Record (i.e. USA Supplier). If Wal-

Mart Stores, Inc. is responsible for customs clearance, Wal-Mart will be in the Importer

of Record. If you are unsure, please contact your buyer/ sourcing manager for

verification.

• I have multiple Supplier/ Vendor IDs. Do I need to disclose my factories in each

profile? Yes, it is required to disclose all factories that will be producing items under the

corresponding Supplier ID.

• How do Suppliers know when the audit is for SCAN, and how can they track the

audit process? Regional teams will engage the business and suppliers when the audit

is requested for SCAN. The Global Office will update Retail Link as information

becomes available, and Regional teams will keep the business updated on status as

reporting comes available.

• How do Suppliers know when their facility is contacted by a SCAN audit firm?

Walmart GSO Regional teams notify the supplier that a SCAN audit has been

requested for their facility and advised the supplier to engage their facility.


17

Who Are My Contacts?

Key Contacts: Retail Link Help Desk: 479.273.8888


Region Contact Address

_ China and North Asia [email protected]

_ The Americas (includes Canada) [email protected]

_ Indian Subcontinent, Southeast Asia,

Australia, New Zealand, Philippines [email protected]

_ Europe, Africa, Middle East [email protected]

_ Global Security Operations – Global Office [email protected]

mailto:[email protected]















walmart’s supply chain security...any critical standard question is found not performed at the...

Documents