3 Replies Latest reply on Mar 10, 2010 6:01 AM by dustinmattison

    Supply chain security - do I place a fence around an island?

    peter.boyce Newbie

      Is there any point in placing a fence around an island?


      Customs and Boarder Security requirements prescribed by some countries do not account for the local variations that many businesses encounter. A checklist that is prescriptive disadvantages many would-be participants, from a cost perspective if they apply all the criteria, or a business perspective if they choose not to participate in the programs.


      Many businesses have a desire to comply with the Customs security regulations like C-TPAT, EU-AEO, STP and other emerging schemes, either for the lauded trade and facilitation benefits, client contractual requirements or simply as good citizens.

      Whatever the reason, businesses are facing a growing number of variations of National Customs Security regulations.

      Oddly enough – all are supposedly based on the World Customs Organisation (WCO) SAFE Framework of Standards (Authorised Economic Operator criteria) yet no country is fully compliant with the Framework, resulting in a growing number of varying schemes.


      Customs Departments and Businesses have differing sets of objectives when it comes to Supply Chain Security (Terrorism -v- Business Interests), yet both can be achieved through the utilisation of a RISK BASED management system that identifies Assets, Threats, Vulnerabilities and the Likelihood and Consequences of a Security related incident - then managing the plausible risks.


      There is a way of managing any number of variations to differing Customs security programs through the use of the risk based ISO 28000 - security for the supply chain, but this then requires the regulators to understand and apply the principles of risk management.


      So the question still remains;

      Is there any point in placing a fence around an island?



        • Re: Supply chain security - do I place a fence around an island?
          dustinmattison Apprentice

          What are some justifications by companies for not investing in proactive risk mitigation?




          The number one response by companies is that they are insured. However, if you ask the vast majority of people in any company what it means to be “insured” relative to a cargo loss, the typical answer is “we get 100% of the money back from the loss” due to theft. If you ask someone in risk management what it actually means, they will be able to tell you what shortcomings are contained within the agreement when the theft takes place. 100% coverage is never the case in any circumstance for the issues I mentioned previously, however, even more so, if we are referring to most international shipments where there are limits on liability for losses.



          “It’s not my product”

          This is an easy answer, and again, pushes the loss accountability back to other people and ultimately to insurance. Clareo helps facilitate agreements between carriers and companies to ensure both have a vested interest in front end secure design solutions.



          “We are C-TPAT certified”

          Again, this is not going to stop a theft from taking place. This is a minimum facility standard and those, in and of themselves, will not necessarily prevent a theft from taking place. This is a minimum start for a global company to build a much more comprehensive layered program.



          “We do not lose anything”

          To that I argue one should bottle that and sell it. All commodities, in their inbound raw materials suppliers or outbound finished goods, will have loss. The better answer is “we do not know how much we are losing”…



            • Re: Supply chain security - do I place a fence around an island?
              dustinmattison Apprentice

              According to David Serafine:


              1)    There is not ANY global standard that can be applied across different countries with an expectation that “results” will be the same…that is the whole point of evaluating risk throughout a supply chain and applying layers beyond what a basic “standard” might suggest. Again, the criminals could care less if a container is “CTPAT” approved…this is supported by the fact that “CTPAT approved companies” continue to import drugs all the way to the border.  If that particular load happened to be an explosive instead of 3,000 pounds of marijuana…the damage would have been done.  The point is EVERYONE needs to focus on point of origin risk AND transport to final customer.  The main issue companies simply do not want to understand or face is the fact that loss reduction SHOULD be there motive, not checking the box for the newest standard that has arrived.



              2)    I did like your points below…the problem is that companies are the cause of the reason why governments are “forcing” some standard…if they did not force something, companies would do nothing (which was the state of supply chains prior to 9/11…the trick is to proactively design solutions based on risk and effectively work with the local CBP reps to communicate and educate how a company’s standards are beyond the current risk level…that is the key. Again the problem is the majority of companies do not have the skill sets to effectively gauge risk, understand foreign markets/risk and therefore CBP tries to do it for them.



            • Re: Supply chain security - do I place a fence around an island?
              dustinmattison Apprentice

              I have been exchanging emails with David Serafine on the topic of global supply chain security and would like to share a fews of his thoughts. To put his views in perspective, David is the CEO of Clareo, Inc., a Texas-based security solutions provider.


              "The challenge," according to David, "is convincing companies, particularly those employees who work in procurement and logistics, that proactive security measures will far outweigh any benefit they derive from 'cheaper' shipping/cheaper commodities."  Companies failing to take appropriate action has been the catalyst for government involvement, but government standards are meant to be a "minimal baseline" -- unfortunately, many people believe that applying those minimal standards to their supply chain is the equivalent of comprehensive security program. David says the clients he works with understand that -- some have learned the lesson "through historical issues with theft, lawsuits, lost customers, etc.," and some simply have effective security directors.


              According to David Serafine, "Without trying to sound too cynical, the vast majority of companies operate in massive silos (procurement, security, finance, logistics, etc), each of which has their own performance goals, bonuses and pay increases dependent on that small piece. Very rarely -- and the cargo crime statistics support this claim -- do companies ever do a good job designing company-wide goals that are in the company’s best interest. Hence the reason one department celebrates a $.02/pallet reduction in 'transport costs' when another department experiences the 25% increase in “lost in transit” product, re-build, overtime, increase in customer complaint calls, loss of market-share, etc. It’s crazy to think that most CEOs are that removed from what takes place in their companies, but this is the way many things work."


              I thought it was interesting that David mentioned "silos," because I am currently conducting a series of interviews with supply chain professionals on the topic of silo-based organizational architectures for my own supply chain community. One of the questions I am asking is whether new organizational architectures are needed for companies to innovate in the 21st century? David's response to the question was, "I could literally speak for months on that issue, it is the bane of my existence and certainly that of security practitioners world-wide. And the answer from my perspective is 100% yes -- new organizational structures need to be designed for effective supply chains."


              David went on say that he is "NOT a fan of government-based compliance programs as they pertain to security," and to reiterate a point he made earlier -- Government programs "are misused by companies," and "are not customized to fit risk at specific points of origin, etc." The only upside from David Serafine's perspective is that government mandated security standards encourage "cross-functional involvement," something security professional have wanted for years.


              "Take C-TPAT as an example," David wrote,  "I do NOT like the application of the program from a security perspective on a global scale.  What I LOVE is it forces people from legal, manufacturing, IT, security, procurement, compliance and logistics to sit in the same room once per quarter and do what is required to maintain the certification. You would never be able to do that if a company wanted to design a secure supply chain on its own… they only do it because it is required.  It forces breaking some of the silos to maintain it.  It is interesting to watch various groups set aside their own agendas, performance plans etc to “check the box” of this program."


              In closing, on the subject of silo-based organizational architectures, David Serafine added, "I would be absolutely thrilled to understand how any argument could support value in continuing silos in companies… consulting is a great deal in that there is exposure to literally hundreds of companies — their cultures, practices, personalities, valued performance objectives, etc.  I personally have never witnessed a company operating more effectively by inducing silos within the company.  Generally, the “successful” companies are that way despite themselves.  They are simply less effective than they can be."