2016‐08‐30

Locking Down the Supply Chain
September 14, 2016
Orlando, Florida
ASIS Supply Chain & Transportation Security Council ‐ SCSC
Laura Hains, Vicki Nichols, Dennis Blass

“Locking Down the Supply Chain”
What’s New! C-TPAT – Import/Exporter Program
Laura Hains, CPP
Operations Manager, Supply Chain Security Group, Pinkerton
“Locking Down the Supply Chain”
SCS Top “10” List – Practitioner Tips
Vicki Nichols
SCS Top “10” Practitioner Tips: 1. Secure Leadership
• Programs based in some form on the World Customs Organization (WCO) Framework of Standards to Secure and Facilitate Global Trade (SAFE); SAFE has its origins in the revised Kyoto Convention.
• 161 of 171 WCO members have signed on to SAFE
• SAFE Objectives & Principles
  • Establish standards that provide SCS and facilitation at a global level to promote certainty and predictability.
  • Enable integrated SC management for all modes of transport.
  • Enhance the role, functions and capabilities of Customs to meet the challenges and opportunities of the 21st century.
  • Strengthen co-operation between Customs administrations to improve their capability to detect high-risk consignments.
  • Strengthen Customs to Business co-operation
  • Promote the seamless movement of goods through secure international trade supply chains.
Four Core Elements of SAFE Framework
• Harmonizes Advance Electronic Cargo Information
• Countries commit to employing risk management to address security threats
• Reasonable requests to perform outbound inspection of high risk cargo
• Defines benefits that Customs will provide to business that meet minimal SCS Standards

Two Pillars of SAFE Framework
• Customs‐to‐Customs
• Customs‐to‐Business
Authorized Economic Operator - AEO
SAFE Framework defines an AEO as:
“A party involved in the international movement of goods in whatever function that has been approved by or on behalf of a national Customs Administration as complying with WCO or equivalent supply chain security standards.”
Customs Trade Partnership Against Terrorism (C-TPAT)
• C-TPAT developed by the US Customs Service as a result of growing concerns by government and business to “safeguard the world’s vibrant trade industry from terrorists, maintaining the economic health of the U.S. and its neighbors.” (CBP.Gov)
• Begun in November 2001 with seven (7) major importers. (Started in the late 90’s as a trade initiative)
• Includes U.S. Importers, U.S./Canada highway carriers; U.S./Mexico highway carriers; rail and sea carriers; licensed U.S. Customs brokers; U.S. Marine Port Authority/Terminal operators; U.S. freight consolidators; ocean transportation intermediaries and non-operating common carriers; Mexican and Canadian manufacturers and Mexican long-haul carriers.
• Today there are more than 11,400 certified members.
C-TPAT: Benefits
• Reduced number of CBP Examinations:
  • Tier 1 = 2 times less likely; Tier 2 = 4 times less likely; Tier 3 = 7
  • 6 Times less likely to have exams for security reasons
• Front of the line Inspections.
• Possible exemption from Stratified Exams.
• Shorter wait times at the border.
• Assignment of a Supply Chain Security Specialist (SCSS) to the company.
• Access to the Free and Secure Trade (FAST) Lanes at the land borders.
• Access to the C-TPAT web-based Portal system and the library of training materials.
• Possibility of enjoying additional benefits by being recognized as a trusted trade Partner by foreign Customs administrations that have signed Mutual Recognition with the US.
• Eligibility for other US Government pilot programs (FDA)
• Business resumption priority following a natural disaster or terrorist attack.
• Importer eligibility to participate in the Importer Self-Assessment Program (ISA)
• Priority consideration at CBP’s industry-focused Centers of Excellence and Expertise. (CBP.GOV)
Who Can be a Member?
• A company can be certified in C-TPAT if they are PHYSICALLY located in the United States (US), Canada (CA), or Mexico (MX).

C-TPAT 2016 Current State
• Remains a voluntary Supply Chain Security Initiative.
• Currently 11,000 Members in the C-TPAT Program
• Controlling 60% of all imported Goods
• Total importers in US-810,000
• CBP Wants new Direction, “Secure and Expedited Trade”
• Increase membership to include small & medium companies
• Expansion of Trusted Trader Programs
• Synchronization with other US Government Programs
• Single Window at the Border by this year (2016)
Mutual Recognition Arrangements
• A signed “arrangement” that indicates that the security requirements or standards of the foreign industry partnership program ensure that the programs are compatible in theory & practice.
• Signed the first one in 2007; today the U.S. has signed 11 arrangements.
• Mutual Recognition is based solely on security; specifically, it is based on the Foreign Customs partnership programs having similar security criteria and verification procedures as the C-TPAT program.
• Members do have to be compliant.
• C-TPAT members that have engaged in fraud or have had serious penalties against them for customs issues (undervaluation, incorrectly declaring goods, classification issues, etc.) can be and have been suspended and/or removed from C-TPAT.
• Having a mutual recognition arrangement does not mean you will not have examinations.
Operational AEO Programs With Mutual Recognition
• Canada – Partners in Protection (PIP) Customs Self-Assessment (CSA), Free and Secure Trade (FAST), Partners in Compliance (PIC), Import/Export-CSA, FAST, Pic-Import (June 2008)
• Dominican Republic, (Dec 2015)
• EU – AEO (27 Countries), Import/Export (May 2012)
• Israel – Import/Export (June 2014)
• Japan – AEO, Import/Export (June 2009)
• Jordan – Golden List Program, Import/Export (June 2008)
• South Korea - AEO, Import/Export (June 2010)
• Mexico - New Scheme of Certified Companies (NEEC), Import/Export (Oct 2014)
• USA – Customs-Trade Partnership Against Terrorism (C-TPAT), Import (Nov 2001)/Export-(May 2015)
C-TPAT Export Program
• Began May 16, 2015
• Exporter: A person or company who, as the principal party in interest in the export transaction, has the power and responsibility for determining and controlling the sending of the items out of the United States.
• Exporter Benefits
• Mutual Recognitions Arrangements
• Marketing
• Reduced Examination Rates and Time
• Priority Processing
• Business Resumption
• Access to Individual-Assigned C-TPAT Supply Chain Security Specialist (SCSS)
• Eligibility to Attend C-TPAT Training and Seminars
• Access to the C-TPAT Portal System
• Common Standard
Organizational Gains Beyond Regulatory Compliance
• Background Checks
• Access Control
• Hiring & Termination Procedures
• Shipment Documentation
• Information Security
• Business Partner Vetting
• Internal and External Audit Function

• Purchasing
• Facility management
• Administration
• Logistics
• Trade Compliance
• Security
• IT

• Ability to join other programs such as FAST and ISA‐Importer Self Assessment

• Security
• International Trade Compliance
• Logistics
• Procurement
• Risk Management
• Human Resources

Deploy and empower cross functional teams to:
• Continuously assess and qualify;
• Categorize and prioritize and;
• Manage risk
# 3 Know Your Supply Chain
• Thoroughly and continuously vet your supply base
• Know touches your product, materials and freight
• Shipment volume
• Mode of transportation
• Number of suppliers
• Countries of export
• Carriers and filers
• How critical is the product?
• Is it exploitable?
• HOW can it be exploited?
• What are the implications of product compromise?
• How much data does the supplier NEED to fulfill the contract?
• What do I know about my supplier?
• How will the supplier safeguard product information?
# 9 Implement a Strong Audit Program
External:
• Right to Audit in Contract Language
• Prioritize on-site supplier audits
• Establish corrective action plans
• Perform follow-up assessments
Internal:
• Include cargo security in corporate risk management program
• Integrate cargo security into internal audit programs
• Create a dedicated group that has expertise in key areas
# 10 Constantly Evaluate and EVOLVE
• Increase end-to-end visibility
• Integrate risk management teams that manage security, resilience and risk
• Engage external partnerships in risk management and resilience.
• Design procedures to ID emerging risks
• Conduct full scenario & contingency exercises
• Prepare response and recovery plans
• Focus on “bounce back”
RESILIENCE used as a COMPETITIVE ADVANTAGE
# 10 Constantly Evaluate and EVOLVE
Pre‐Compliant
• Not C‐TPAT Compliant
• No established SCS prevention
• No response standards or practices
Compliant
• Response to regulations or standards imposed from outside
• Security is the cost of doing business
Secure
• Outside standards are seen as insufficient
• Greater emphasis on security & prevention to support company vision & strategies, protect brand reputation, physical assets, & shareholders
• Security is seen as part of the business model
Resilient
• A comprehensive business strategy that leverages SCS investments to enable an increase in competitiveness
• Disruptions seen as inevitable and adds focus on “bounce back”
• Flexibility and/or redundancy in SC for detection and response, ensuring product movements, business continuity, and service to customers in and post disruption
• RESILIENCE used as COMPETITIVE ADVANTAGE
Constantly Evaluate and EVOLVE cont.

| Key Process and Focus | Pre‐Compliant | Compliant | Secure | Resilient |
|---|---|---|---|---|
| Leadership | No risk focus | Program compliance | Prevention security | Response for advantage |
| Internal Integration | None | Reactive coordination | Proactive coordination | Integrated teams manage security, resilience, risk |
| External Partnership | No defined partners | Limited interaction | Partners involved in security only | Partners in risk management and resilience |
| Visibility | Limited to no visibility | Some system visibility | Partner visibility | End‐to‐end visibility |
| Risk Management | No standards | Emerging security standards | Partners pre‐screened | Partners help manage risk |
| Risk Detection | None | Some reactive procedures | Some proactive procedures | Procedures to ID emerging risks |
| Training | No training | Internal training | Security training for suppliers | Full screening & contingency exercises |
| Communication | No plans | Reactive | Proactive | Response and recovery plans |
| Culture | No awareness | Compliance only | Security and compliance | |
• Financial Imperative: companies can improve bottom line performance through SC risk management
• Regulatory Compliance: alternatives are penalties, damage to reputation, and increased oversight
• Competitive Advantage: if you can’t execute, there are others who will gladly take on your business
• National Security: Securing the global supply chain is essential to the country’s defense posture and economic prosperity
Sources
• Supply Chain Security: A Compilation of Best Practices
• Defense Supply Chain Security: Current State and Opportunities for Improvement
• Investing in Supply Chain Security: Collateral Benefits
• Promoting Resilience and Efficiency in Preparing for Attacks and Responding to Emergencies (PREPARE) Act
• Supply Chain Sustainability: A Practical Guide for Continuous Improvement
• World Economic Forum on Transport and Supply Chain Security
• Supply Chain News: The Top 10 Best Quotes
• Stemming the Rising Tide of Supply Chain Risks: How Risk Managers Roles are Changing Responsibilities
“Locking Down the Supply Chain”
Dennis Blass, CPP, PSP, CISSP
Director Safety, Security and Emergency Preparedness
Children’s of Alabama
Transition
• The Pinkertons and Lockheed Martin have great programs. Laura Hains and Vicki Nichols do great jobs protecting their Supply Chains.
• How do you get to where they are with your organization?
• SAFE
• C-TPAT Supply Chain Security Training Guide
• ASIS Standards and Guidelines and Crisp Reports
• Supply Chain Security: A Compilation of Best Practices
• Situational Crime Prevention and Supply Chain Security
• Maturity Model
Loss of Network Services Facility Wood 0 1 1 1 0 2
Severe Winter Weather Facility Blass 0 3 1 0 1 4
Tornado/Wind Shear Facility Blass 0 1 1 1 0 2
Pandemic Outbreak Community Vason 0 2 3 0 0 6
Volcano Community Blass 0 0 2 2 0 0
Hazard profile
• List hazards (Column A)
• Classify as a facility or community problem (Column B)
• Determine the motivation of the threat (Column D)
• Determine Likelihood of event (probability or “P”) (Column E)
  Does threat event occur daily, three or four times a week, once a year or once every 10 or 100 years
• Determine the consequences of the event “$”
  + Impact on population (Column F)
  + Impact on operations (Property) (Column G)
  + Impact on reputation and regulatory retaliation (Column H)
• P*$ = Impact Analysis (Likelihood*Consequence)
Mitigation profile
• For every hazard determine the controls available (Risk reduction or mitigation plans in effect) (Column J)
• Determine the effectiveness of controls (Column K)
  • Have they been tested in exercises or actual events?
  • Are controls and assessments current
  • Law of the parasite – threats evolve
  • Have single points of failure been identified
• Subtract from Impact analysis
• Determine risk management options
  • Assume
  • Monitor
  • Develop Management Plan
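The hazard and mitigation profiles above, worked as a small risk register (an added example, not part of the original presentation). The control-effectiveness scale, the rule that untested or out-of-date controls earn no credit, the Monitor/Plan cut-offs and the sample rows are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Hazard:
    name: str                       # Column A
    scope: str                      # Column B: "Facility" or "Community"
    p: int                          # Column E: likelihood "P"
    population: int                 # Column F
    operations: int                 # Column G
    reputation: int                 # Column H
    control: int = 0                # Column K, in impact points (assumed scale)
    tested: bool = False            # exercised or proven in an actual event?
    current: bool = False           # controls and assessment still up to date?
    recorded: Optional[int] = None  # impact figure typed into the worksheet

    def impact(self) -> int:
        """P*$, where $ is the sum of the three consequence columns."""
        return self.p * (self.population + self.operations + self.reputation)

    def residual(self) -> int:
        """Impact minus control credit; untested or stale controls earn none (assumption)."""
        credit = self.control if (self.tested and self.current) else 0
        return max(self.impact() - credit, 0)

    def option(self, monitor_at: int = 2, plan_at: int = 5) -> str:
        """Map residual risk to one of the three options; cut-offs are assumed."""
        r = self.residual()
        if r >= plan_at:
            return "Develop Management Plan"
        return "Monitor" if r >= monitor_at else "Assume"

def stale_rows(register):
    """Names of hazards whose recorded impact no longer equals P*$."""
    return [h.name for h in register
            if h.recorded is not None and h.recorded != h.impact()]

def ranked(register):
    """(name, residual, option) tuples, worst residual first."""
    rows = [(h.name, h.residual(), h.option()) for h in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register (not data from the presentation).
REGISTER = [
    Hazard("Cargo theft in transit", "Community", 3, 0, 2, 1, 4, True, True, 9),
    Hazard("Loss of warehouse power", "Facility", 2, 1, 2, 0, 5, False, True, 6),
    Hazard("Port closure", "Community", 1, 0, 3, 1, 2, True, True, 3),
    Hazard("Supplier data breach", "Community", 1, 0, 1, 0, recorded=1),
]
```

In the sample, the untested generator control leaves "Loss of warehouse power" at the top of the ranking despite its nominal score of 5, and `stale_rows` catches the "Port closure" row whose recorded impact was not updated after its consequence scores changed.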
It looks like this
• An HVA is like looking at the forest.
• Bow-tie diagrams focus on trees
  • Events are in the middle
  • Efforts to reduce probability (P) are on the right of the event
  • Efforts to reduce consequences ($) are on the left
• Risk Funnel
• Heat Maps
There are other views
Exercising and testing – the pathway to GREATNESS
Where does this stuff come from?
There are more good things in the Supply Chain Risk Management compilation of Best Practices
• Annex A, A discussion on Information and Communication Technologies (ICT) Security
• Annex B, Examples of Organizational Resilience Procedures
• Annex D, Examples of Generic for Supply Chain Security Agreements
• Annex E, Examples of Supply Chain Security Self Awareness Questionnaires for Suppliers or Other Supply Chain Partners
• Annex F, Examples of Elements of Supply Chain Security Contract Language for External and Third Party Logistics Service Providers
• Annex G, Example of Crisis Management Program Element Review
• Annex H, Examples of Site Crisis Plan
What difference does it make?
Get the book “Supply Chain Risk Management-A Compilation of Best Practices” (free to ASIS members).
Reading it may not make you an expert in Supply Chain Risk Management in a day, but studying it (the whole thing plus the annexes) will put you ahead of 68.27% of the people in our field.
Mastering it (using it over and over and over) will put you 95.45% ahead of your peers and with the likes of Vicki Nichols and Laura Hains.