450 likes | 1.42k Views
JOHN J. TOMONEY, CCSS, PRINCIPAL STRATEGIC SOLUTIONS, LLC. C-TPAT THE NEW BUSINESS DYNAMIC for Supply Chain Security & Good Importer Practices. UNDERSTANDING HOW THE CHANGES IN CUSTOMS MISSION IMPACTS YOUR BUSINESS. Prior to September 11 , 2001
E N D
JOHN J. TOMONEY, CCSS, PRINCIPAL STRATEGIC SOLUTIONS, LLC. C-TPAT THE NEW BUSINESS DYNAMIC for Supply Chain Security & Good Importer Practices
UNDERSTANDING HOW THE CHANGES IN CUSTOMS MISSION IMPACTS YOUR BUSINESS • Prior to September 11 , 2001 • US Customs missions were to generate revenue by collection of customs of Customs Duties and the interception of substances being illegally smuggled into the US • After the events of September 11th 2001 • US Customs Mission was changed to a National Security function by virtue of the fact they controlled access and egress of products passing through Seaports , Land Border Crossing and Airports. • In addition they have a large number of personnel trained in locating illegally smuggled goods and other contraband • The FDA in conjunction with other federal agencies including Homeland Security/US Customs issued the: • Good Importer Practices Guidance Draft(http://www.fda.gov/RegulatoryInformation/Guidances/ucm125805.htm) in early 2009 which directly mirrors C-TPAT Requirements due to heighten concerns from the Food and Pharmaceutical industries to secure their Supply Chains from tampering. NJ ISPE Chapter
C-TPAT AND OVERIEW OF THE PROGRAM • C-TPAT is short for the Customs Trade Partnership Against Terrorism and was enacted in February 2002 in response to the threats posed by the potential introduction of WMD (Weapons of Mass Destruction) into the Global Supply Chain. • It is a Voluntary Program between the Government and Private Sector and currently has over 10,000 C-TPAT Partners. • In return for pledging to maintain minimum security standards throughout their supply chain, partners are granted faster Customs Clearance times and fewer inspections. • The Program is open to all US Manufacturers and Importers as well as select Canadian, Mexican Manufacturers and most Transportation and Logistics Providers. NJ ISPE Chapter
WHY SHOULD WE PARTICIPATE IN C-TPATTHE BUSINESS CASE FOR PARTICIPATING SUPPLY CHAIN SECURITY • The US is not the only country to enact a Supply Chain Security Program for Importers, Canada has introduced PIP or Partners in Protection and the EU has enacted AOE or Authorized Economic Operator. • If you source or ship globally you are going to be touched by the increased security requirements for Supply Chain Security. • Although participation in the program is voluntary, companies that chose not to participate are at a competitive disadvantage to those that do for the following reasons: • Most Major Retailers have implemented Supply Chain Security Requirements and impose charge-backs on companies that have inadequate Supply Chain Security processes in place. • Clearing Customs quicker allows you to get your product to market faster. • A tight Supply Chain means less chance of contamination of raw ingredients, components, and product during and after manufacturing as well as reducing incidents of theft and pilferage in transit. NJ ISPE Chapter
SUPPLY CHAIN SECURITY IS NOT ROCKET SCIENCE • However Supply Chain Security utilizes many of the same validation processes and procedures that one would utilize in verifying a product was being manufactured in accordance with accepted safety practices NJ ISPE Chapter
C-TPAT REQUIRES YOU DO A SELF –ASSESMENT OF YOUR GLOBAL SUPPLY CHAIN TO INSURE ADEQUATE SECURITY IS IN PLACE • This requires a through assessment of security measures throughout your supply chain for everyone that touches your product, from raw material to finished product. This includes all company and vendor facilities! • This assessment encompasses both traditional and areas not previously thought of as traditionally impacted by security, as well all the associated written policies and procedures: • Physically Security – Guards, Fences, Lighting. • Personnel Security – Hiring, Background Checks, Training. • IT Security – System Access, Password Procedures, Fire Walls. • Electronic Security- Alarms, CCTV, Access Control. • Conveyance Security- Inspection of Trailer or Containers prior to loading for signs tampering prior to leading as well as the storage, issue of seals. • The types of seals utilized to secure the conveyance while it is in transit. NJ ISPE Chapter
SUBMITTING YOU COMPANY PROFILE FIRST STEP IN THE C-TPAT AFTER YOUR SELF -ASSESSMENT IN ORDER TO MOVE TO CERTIFICATION AND VALIDATION • Once completing your self-assessment you need to submit your profile to US Customs for review and approval. • Upon submission US Customs will assign a C-TPAT Security Specialist to assist you in moving from the Certification to Validation Process. • Certification is granted once Customs has reviewed your company profile. Please note that if you have not completed you profile or answered the questions US Customs has, you will not be certified which will effect your ability to move on to the validation process. • Once you have been Certified you will be scheduled for a validation visit by US Customs personnel to one of your of your manufacturing partners sites. NJ ISPE Chapter
SUPPLY CHAIN DIAGRAM #1 • The diagram below shows how a typical supply chain works. NJ ISPE Chapter
Supply Chain Management • Service Providers • Service to producers, distributors, retailers or customers • Carriers • Intermediaries • Infomedaries • Expertise about particular activity • Transportation, Freight Forwarding and Consolidation Warehousing, Financial services, Market Research Advertising, Engineering, Legal Information Technology NJ ISPE Chapter
SUPPLY CHAIN DIAGRAM # 2 • This Diagram illustrates the numerous vendor types involved in moving your raw materials and finished product through the various stages of manufacturing to distribution. NJ ISPE Chapter
Supply Chain Management • Producers • Provide raw materials, components, finished products, and services • Distributors • Receive products from producers and distributes to retailers • Retailers • Sells directly to customer • Consumer • End consumer-or entity that uses the materials in the production of another product NJ ISPE Chapter
BEGINNING THE C-TPAT PROCESS • C-TPAT begins with: • A signed Memo of Understanding between your organization and CBP or US Customs Border Protection signed by your Senior Management pledging to maintain minimum security standards. • In return for this pledge you will be granted faster US Customs Clearance Times and fewer invasive inspections of your shipments. • You should be aware that if you source from high risk countries then you might not see this benefit. Also be aware you will be subject to an audit by CBP within 2 – 3 years of becoming a C-TPAT Partner, so your information needs to be accurate and complete. • The next step is to assess your entire supply chain: • Raw Materials Providers, Manufacturing Partners, Transportation, Logistics Providers. • This is to insure they have adequate security measures, policies and procedures in place and that they are being followed. • Sending out your supply chain requirements along with a detailed security questionnaire to be answered by them. There also needs to be an audit process were someone physically verifies the answers on the questionnaire are correct. NJ ISPE Chapter
C-TPAT ASSESESMENT PROCESS • Starts with assessing your own process. While many people find they have good written policies and procedures for their own facilities, they find they have few if any guidelines for Manufacturing, Transportation or Logistics partners. • Once you have assessed your own process you can access the C-TPAT website to see what additions need to be made to meet the C-TPAT requirements. Many companies find they have good processes and procedures at their own facilities but know little of anything about what their partners have in place. • The next step is to publish your security requirements to all your partners and advised them you require them to adhere to these requirements. This process is backed up by a security questionnaire each is required to complete and return so it can be reviewed. This will give you a baseline of just how much work is required to get your vendors process up to the level were they meet your expectations. NJ ISPE Chapter
SECURITY QUESTIONAIRE FORMAT Procedural Security • Is there a separate area for receiving and shipping? • Is tamper indicative tape utilized? • Are photographs taken during loading and unloading process? • Is cargo kept segregated? • Are incoming and out going containers utilized? • Are containers inspected prior to loading? • Do you issue gate passes for out going trucks? • How long are photographs kept? • Is the driver’s ID verified before admittance? • Is access to shipping and receiving restricted? • How is product manifested? • Are seals verified on inbound containers ? • Who issues seals? • Do you maintain a seal controls log? • Are seals utilized on outbound containers? • Where are seals stored ? • Do you have a written security policy? NJ ISPE Chapter
SECURITY QUESTIONAIRE FORMAT Conveyance Security • Are Container numbers verified? • Are containers stored on the premises? • Is the cab of the truck inspected? • How are loaded containers secured? • Is the conveyance inspected for signs of tampering? • What type of sealing devices are utilized? NJ ISPE Chapter
SECURITY QUESTIONAIRE FORMAT Physical Security • Does your company have CCTV? • Is the facility enclosed by a fence or wall? • Does your company have an Alarm System? • Is the exterior of the premises illuminated? • Does your company employ security personnel? • What type of access control methods are used? NJ ISPE Chapter
SECURITY QUESTIONAIRE FORMAT Personnel Security • Are background checks done on employees? • Do you issue employ ID cards? • Are employee issued passwords? • Is there security awareness training? • Is internet access restricted and are they revalidated? NJ ISPE Chapter
EXAMPLES OF ACCEPTABLE AND UNACCEPTABLE RESPONSES TO SECURITY QUESTIONAIRE Acceptable Responses Unacceptable Responses • Seals are verified by Security and Receiving personnel • All vehicles are inspected prior to admittance to facility • Conveyance is inspected prior to loading for integrity and signs of tampering • We have an alarm and we employ security personnel 24/7 • CCTV is monitored by security and recording is kept for 30 days • It is against the law to do background checks on employees • Loaded containers are stored at the loading dock prior to departure • We just cut the seal off and only check if shipment is short. • We do not inspect conveyance that is drivers responsibility. • Manager keeps CCTV and notifies us if there was an incident. • We do not photograph condition of inbound and outbound loads. • We know all our employees so trust what they tell us. NJ ISPE Chapter
EXAMPLES OF ACCEPTABLE AND UNACCEPTABLE RESPONSES TO SECURITY QUESTIONAIRE Acceptable Responses Unacceptable Responses • All employees receive security awareness training • Password are changed every 60 days • Internet access is restricted to those employees who job function requires them to have internet access. • Photographs of all inbound and outbound loads are kept for 30 days. • Security Awareness Training is only for the Security Department • We do not change passwords because employees need to be able to access computers at all times • We let driver provide lock to secure container NJ ISPE Chapter
VALIDATING SECURITY QUESTIONNAIRE ANSWERS • Upon reviewing the questionnaire you first need to take note of any deficiencies and address those with the vendor. • You give them a reasonable amount of time 45-60 days and provide whatever assistance they need to become compliant. • The next step is to have the facility audited to insure that the answers you received are truthfully and that any deficiencies have been rectified. • During the audit you will find most vendor have made a good faith effort but they need some help in refining their process and you will also find other vendors who do not have the process that are required in place some because they do not understand security and some because they are deceitful. • Once you have validated the answers you have to either get those vendors of facilities compliant or move out of them because their level of security impacts your C-TPAT status with CPB. NJ ISPE Chapter
PROCESSES FOR VALIDATING THE AUDIT • There are three ways to validate the answers you have received from you vendors: • You can hire an outside audit firm like CSCC or BV • You can do that internally with training existing staff in C-TPAT Processes • You can utilize a mix of outside auditing and existing personnel • We recommend that a mix of outside auditing and internal staff is the best method since it establishes a series of independent checks and balances that will allow you to detect deficiencies in the partners process that need to be refined or corrected. • This will keep all parties honest and should allow you to get accurate picture of your supply chain. NJ ISPE Chapter
WHAT AM I LOOKING FOR • As with the FDA manufacturing process and guidelines you follow, you will be looking for a verifiable process both in your own organization as well as your partners organizations. • This is what US Customs will be looking for when they do their validation audit of your supply chain. • You’re not looking for all sorts of security technology ,which although it has a part in securing supply chain, the most important aspect you should be looking for is there be clear, concise written polices and procedures and procedures. • You then need to verify that these policies and procedures are being adhered to by checking written logs and records for Shipping, Receiving, Security, Human Resources, Training, Visitors. • US Customs major concern is that you have written polices and procedures in place and that you have a process in place to determine if these polices and procedures are being followed. NJ ISPE Chapter
WHAT TO EXPECT AND HOW PREPARE FOR THE VALIDAION AUDIT BY US CUSTOMS • US Customs will schedule a meeting at your Corporate HQ in which they will meet with the company executive responsible for C-TPAT implementation as well your in-house experts for Customs, Compliance, Human Resources, Logistics, Manufacturing, Distribution, IT, Facilities and Security. • They should bring the written policies and procedures to the meeting • US Customs will advise you of which overseas site they have chosen to inspect, which is based on the volume of your production in a specific country. I would recommend you inspect this facility prior to the visit to insure all processes and procedures in place are being followed. • Your designated Supply Chain Security Specialist will meet you at the location and examine the process and procedures that are in place. Passing a validation audit and your tier level assignment will be influenced by their findings. • Expect they will have additional recommendations which you need to address. NJ ISPE Chapter
INSTITUTING BEST PRACTICES SECURITY PROCESS TO MEET C-TPAT REQUIREMENTS • US Customs is NOT mandating that you spend a ton of money on security, but they are looking for you to have clear established written policies and procedures that are followed just like the FDA has. • We do a self-assessment now to begin getting any deficiencies corrected and instituting best practices. • Keep in mind that US Customs has published best practices on the C-TPAT website (http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat)/) and you can utilize the information when you submit your company profile to US Customs for the certification part of the process. • US Customs will review your profile, suggest changes and tell you were you need to tighten your process or clarify items that were unclear. NJ ISPE Chapter
RECOMMENDED PHYSICAL SECURITY BEST PRACTICES • US Customs is looking to see that the facilities you have or utilize are secure from unauthorized entry or intrusion for the purposes of introducing a WMD or other contaminant into shipment bound for the US. This is best accomplished by layering your security with the following: • CCTV to cover the Receiving/Shipping Areas/ Packing/Main Gate/Facility Perimeter are the critical areas. They like to see that the CCTV records for 30 days and is being monitored! • Fencing/Natural Barriers that make it difficult for intruders or unauthorized personnel to gain access to the premises. Fences should be a minimum of 8 feet in height and constructed of solid materials to sufficiently deter intrusion. • Lighting – Facilities should be well lit during hours of darkness to sufficiently discourage attempts at unauthorized access. • Alarms- Facilities should have sufficient alarm coverage to detect or prevent intrusion with a dedicated phone line for alarm system. • Access Control- Facilities are controlled through electronic means such as the use of Access Cards, Electronic Fobs Cipher locks or manned security check points. NJ ISPE Chapter
PROCEDURAL SECURITY AND PROCESSES BEST PRACTICES • Customs is most concerned that you have written policies and procedures in the following critical areas: • Visitor Policy- • Do you have written policies covering visitors to the facility, is there ID verified prior to admittance, do you issue visitors badges, do they sign in and out , is their movements restricted to the non-critical areas , in critical areas are they escorted? • Seal Control- • Who has access to the seals for outbound loads, is there a log kept to detail the use of seals, is someone responsible for keeping track of seal usage? Are Seals on inbound loads verified and if there is a discrepancy what processes are in place for their organization to report discrepancies? • Manifesting of Cargo- • How is cargo manifested through electronic of manual processes such as scanning or hand counting, what process is in place for verifying overages and shortages on both in bound and outbound loads and how are they reconciled? NJ ISPE Chapter
PROCEDURAL SECURITY AND PROCESSES BEST PRACTICES • US Customs is most concerned that you have written policies and procedures in the following critical areas: • Vehicle Inspections- • Are trucks, trailers and cars of vendors and visitors inspected prior to admission to the facility Parking? Are there designated parking areas for employees and visitors? Are parking decals issued by employees? • Conveyance Inspections- • Are Conveyances inspected for signs of tampering upon arrival and upon departure? What methods do you use to conduct these inspections. • Emergency Management- • Do you have an emergency evacuation plan? Do you have drills? Are all employees aware of the processes and procedures to be followed? NJ ISPE Chapter
CONVEYANCE SECURITYPerforming Through Inspection of the Conveyance both before loading and after unloading as required by Customs to detect evidence of tampering to the load NJ ISPE Chapter
SECURING THE CONVEYANCE • US Customs has criteria on how to secure conveyances and there are several types of devices that can be used to meet these requirements, with varying degrees of effectiveness. • Case Hardened Locks – A good method for securing the load, but you need a verifiable method of key control, so you can prove that access to the keys is subject to stringent controls to prevent unauthorized personnel gaining access to keys. • Barriers/Handcuff devices that are secure both doors such as Sealocks or Navalocks. There are both single use and multiple use devices. • Cable Seals- long enough to wrap around both doors. • All of the above are tamper indicative, which means if they are breached, the breach is detectable. • Devices like bolt seals and ribbon seals are not secure sealing devices, since they can be tampered with and is harder to detect any tampering. NJ ISPE Chapter
Seals The Seal is the right answer How many ways can a seal be defeated? NJ ISPE Chapter
PERSONNEL SECURITY BEST PRACTICES • These are two other areas that concerns US Customs : that you have strong processes and procedures in place and that they are followed: • Are there some forms of background checks or investigations being performed on people that have access to conveyances and cargo, do you utilize alternative methods for verifying employee information in countries that do not permit background checks? • i.e. verification of national ID card, social security information through government agencies. This policy should included contract personnel. • Are employee identification cards being utilized to identify employees work areas? When employees are terminated do you have a checklist to reclaim company property including ID, cards, keys and company vehicles and restrict their access to the facility? • Does the organization have security awareness training for all employees and specialized for employees in critical areas such as shipping, receiving ,logistics, facilities management and security and is this training documented? • Do you have policies governing explosives, firearms, poisons and other deadly substances? • Is there a policy allowing for the search of parcels and bundles being brought into the facilities by employees and vendors as well lockers and vehicles? NJ ISPE Chapter
IT SECURITY BEST PRACTICES • A final area of concern is IT Security. Is your system secure and are there enough redundancies to prevent someone from manipulating an invoice that can introduce a WMD into a shipment? • US Customs is looking for the following best practices to be in place. • Employee Passwords that are unique to a specific user and that the passwords are changed periodically. • Which employees have internet access and is employee usage of the internet monitored as restricting internet only to those employees who job function requires internet access? • Written policies and procedures governing approved use of computers, internet and software and that you have defined policies for personnel that violate these polices • What type of anti-virus protection, firewalls are in place and do employee receive instructions not to open suspect e-mails? Are computers automatically locked after not being utilized so employees must sign back onto the system? • Does the IT department conduct regular audits of all of the above to verify systems are functioning properly and that all policies and procedure are being followed? NJ ISPE Chapter
THE BENEFITS OF FOLLOWING RECOMMENDED BEST SECURITY PRACTICES • C-TPAT works on a tier system, with tier three being the highest. The higher your score the less intrusive inspections you will have and the faster you will clear customs. • Best practices is usually accompanied by reduction through loss in transit from thefts, pilferage and damage. This in turn will be reflected by a reduction in your insurance premiums and policy deductible. • In the event there is another major terrorist incident in the US, the plan is to close all Seaports, Airports, Border Crossing for 9 days. • Once they are reopened C-TPAT Partners by Tier status will be given priority. Non C-TPAT Partners may wait as long 45- 60 days before there goods are released. • Since we live in a just in time logistics environment, the cost to non partners could put them in dire financial peril when they cannot deliver their customer or manufacturer’s product. NJ ISPE Chapter
SOME UNKOWN FACTS ABOUT ATTEMPTS TO INTRODUCE WMD OR SMUGGLE TERRORISTS VIA THE GLOBAL SUPPLY CHAIN • On September 15, 2001 5 Al Qaeda operatives were detected inside of 5 separate containers in the port of Genoa. • Each was equipped with a laptop computer, cell phone, sufficient food and valid employee ID for both Newark Liberty and Chicago O’Hare Airports. • Over 300 suspect shipments including, weapons, explosives and components for chemical and biological weapons have been intercepted since 2002. • Interception of counterfeit and Gray Market goods have risen by 700%. • 6 years ago a low level WMD was smuggled into Israel. It failed to detonate the dirty bomb because the terrorists forget to install the trigger. NJ ISPE Chapter
THE RETURN ON INVESTMENT FOR HAVING A SECURE SUPPLY CHAIN • We touched on the reduction in pilferage, theft and damage that will allow your organization to get product on time to your customers. This can only impact your market share in a positive manner. • A reduction of insurance premiums for having less theft and pilferage damage. • However the most compelling argument your organization must consider is: would it be able to survive the loss of consumer confidence as well the resulting litigation that would occur if your product was contaminated, or if a WMD was introduced into your shipment. • Ultimately your Supply Chain Security is your responsibility and you define what is an acceptable risk. NJ ISPE Chapter
SOME IMPORTANT THINGS TO REMEMBER • US Customs, like the FDA, is a badge carrying agency so you want to avoid the following: • Putting inaccurate or false information on your company profile • Refusing to answer questions in a timely manner • Failing to follow up and implement US Customs recommendations • Only following the process until you pass your validation audit, once you are C-TPAT validated you can expect to undergo a follow-up audit every two years • All processes and procedures must be thoroughly documented for US Customs, just like FDA, or they do not exist. • You MUST maintain your own audit of security process and procedures or there will be an incident and you will find yourself doing a lot of unpleasant explaining to US Customs. • Our presentation was made to inform you on what C-TPAT is and its effects on your business if you choose to participate or opt not to. NJ ISPE Chapter
COMMENTS QUESTIONS? • Thank you for your time and the privilege of presenting to you NJ ISPE Chapter
Contact Information John Tomoney Strategic Solutions (732)522-0570 Email: johntomoney@verizon.net NJ ISPE Chapter