U.S. Customs & Border Protection recently held its annual Customs-Trade Partnership Against Terrorism Conference in San Diego, and once again this sold out gathering featured top caliber speakers.

In keeping with the theme, “A Decade of Supply Chain Security & Innovation”, Bradd Skinner, Director of the C-TPAT program, reflected upon the progress made in the last 10 years. Conceived in 2001 with only a handful of U.S. importers, C-TPAT now has over 10,000 business entities that have received C-TPAT certification. Globally, the C-TPAT program has become recognized as the standard for supply chain security excellence.

Director Skinner also provided insight into a number of important issues, including future direction for this historic program.

One of the points he made was the emphasis that C-TPAT will now place on “evidence of implementation“ during validations. Being actively involved with validations domestically and internationally, I’ve experienced this new focus firsthand. Whereas, the Supply Chain Security Specialist teams used to accept documents that simply formalized supply chain security policies and procedures, companies being validated are now required to prove that they are in fact being diligently followed.

When I was a speaker at the 2010 C-TPAT conference, I made the statement that most security programs look much better on paper than they actually work in reality. Danbee Investigations has performed supply chain security investigations and audits for over 25 years, ranging from inventory theft, sabotage, product tampering, and counterfeiting, to workplace substance abuse/distribution and smuggling.

We’ve repeatedly found the most major security breaches were the result of companies believing that their safeguards were far more effective than they ultimately proved to be. Company executives wrongly assumed that their asset protection safeguards incorporated best industry practices and were being diligently followed on a day-to-day basis. The reality for these companies was that many vulnerabilities existed, and were subsequently exploited.

By C-TPAT requiring companies to show proof of implementation, they will expose those companies not fully committed to implementing and consistently maintaining meaningful safeguards throughout their supply chain. Essentially, it is the “trust but verify” concept at work.

The February 2011 Global Awareness Bulletin published by the U.S. Department of State warns that American companies doing business in foreign countries may be targeted more aggressively by terrorist organizations like al-Qa’ida. Terrorists measure success not just in the number of victims but by the financial damage and long term costs associated with additional regulations governments are forced to enact to deter future terrorist incidents. Consequently, because of dramatically reduced inspection rates, C-TPAT certified companies automatically become high value targets.

If a C-TPAT member has superficial supply chain security controls in place they are at significatly higher risk of unknowingly transporting a conventional, biological, chemical or nuclear weapon into the United States. Obviously, safety is the number one concern. However, the ensuing panic, the widespread economic ramifications both domestically and abroad, as well as the financial and legal consequences for the company that imported the weapon of mass destruction would be catastrophic.

CBP’s mission is a daunting one. Unlike baseball, a .500 or .600 batting average will equate to failure rather than Hall of Fame status. While import volume to the U.S. may make perfection an unrealistic objective, striving for anything less creates an unacceptable level of risk. That’s why I not only understand CBP requiring evidence of implementation, I fully support this initiative.

by Barry Brandman

Here are two reasons why supply chain security should be taken seriously:

1. If your safeguards look considerably better on paper than they work in reality, your company faces the risk of having illegal narcotics or a weapon of mass destruction smuggled into the United States via one of your shipments.

2. The other risk you face is that when C-TPAT inspectors validate your foreign suppliers and logistics providers, they may find your controls woefully inadequate and lower your tier level or even remove you from the C-TPAT program.

If you want to protect your import shipments from theft, smuggling and terrorism, you’ll need to have a diligent auditing process in place. Aside from it being a C-TPAT requirement, it’s also one of the most critical components of your security program.

One of the primary objectives when performing a comprehensive security audit is to separate fact from fiction.

Prior to conducting one of our C-TPAT compliance audits at a foreign distribution center, we had been assured that all their security controls were being diligently followed and our client’s product was extremely well protected.

Prior to our arrival, this consolidator had informed us that they had complete video coverage throughout their facility, tight control over inbound and outbound goods and that our clients’ product was always kept in a highly secured segregated area.

What we observed however was quiet different. Not only were the CCTV camera views providing terrible clarity, but our client’s goods were not being monitored from the time they were taken off an inbound truck to the time they were eventually reloaded for transport to the Hong Kong seaport. There were numerous “blind spots” where our client’s product could have been tampered with and completely avoided observation by their video system

We found that their digital hard drive was much too small, only archiving recorded video for 7 days – an inadequate period of time in the event that a post event investigation was required in the future.

We also exposed loopholes with their cargo handling practices. Inbound truck security seals for example, were being removed by anyone working on the receiving dock rather than by more senior personnel (which is what their policy called for). Consequently, we found that many workers did not take the time to verify that the seal number on an arriving truck matched the manifest (another major policy violation).

We also found that the seals used on outbound trucks were left exposed in an open box on the shipping dock, fully accessible to all employees, vendors and outside truckers. Because the shipping crew didn’t use seals in numerical sequence, these exposed seals could have been stolen and then reattached to a truck’s cargo doors after a driver left their facility.

Insofar as our client’s product being segregated “in a highly secured area”, we observed that the fencing was only 8’ high and had no ceiling to protect against employees simply climbing over it. We also found that  the keypad code to this area hadn’t been changed in nearly nine months and was known to most of the workforce (including those without clearance to this area). Additionally, we determined that the alarm system was only being armed at the end of each workday, even when there was no work being performed in this area for hours at a time.

These issues, as well as an array of other security loopholes that were exposed, were promptly addressed and remedied. However, had this audit not been performed, our client’s risk factor would have remained unnecessarily high.

Training is another important component, yet it’s frequently not provided when an on site assessment is performed. During a recent C-TPAT training program we conducted for a foreign manufacturer, we asked if anyone knew whether bolt seals could be circumvented. Ninety percent of those in attendance responded that it was impossible to manipulate them. The problem here is that bolt seals can in fact be circumvented a number of ways and if those responsible for seal integrity think they’re foolproof, they’ll never recognize and expose breaches when they do occur.

When evaluating the quality of a foreign site’s security program, it’s’ also important to avoid “getting lost in the translation.” Because C-TPAT focuses on imports, working with foreign companies is commonplace.

Cultural differences and language barriers can result in misleading responses and faulty conclusions. It’s for this reason that we deliberately ask the same questions several times (although they are worded differently) in our supply chain security questionnaires sent out to foreign suppliers and logistics providers. When respondents answer yes on page one and no on page five to the same question, we know that they either didn’t understand what we were asking or weren’t providing us with accurate responses.

It’s also a good idea to confirm questionnaire responses through follow up e-mails and conference calls. More often than not, we receive feedback that differs from many of the original answers that were provided to us.

Is it a case of some foreign firms wanting to look more secure than they really are for their U.S. based customers? Or, did the respondents have different interpretations of words or phrases, resulting in inaccurate feedback?

Whatever the reason, you can’t afford to be inadvertently or deliberately misled if you want to know that your supply chain is in fact as secure as it needs to be.