When I would attend industry meetings, people would often ask, “What keeps you up at night?” My answer was always consistent – I was afraid someone would load something in a container of ours that would go ‘Boom’ in the Port of Los Angeles.
With all the advancements in globalization, supply chain security has become an increasingly vital element of doing business. One incident of unwittingly transporting illegal substances, smuggling, or aiding a terrorist organization can have a dramatic impact on the P&L, as well as on working capital. Failure to adhere to minimum standards can lead to fines, penalties and/or longer lead times due to suspension of the business’s ability to move goods around the world. There is no plausible deniability.
The benefits of operating a compliant supply chain security program are:
- Maintaining a good corporate citizenship that reduces risk in its supply chain
- Providing a safe and secure environment for employees, suppliers and customers
- Reducing cycle time and operating costs by operating a lean supply chain with proper business controls
The Movement of Contraband
Once upon a time …
- A giant multinational company became an early adopter of C-TPAT (or Customs Trade Partnership Against Terrorism)
- They trained their people, assessed their facilities and did the paperwork
- They were certified with Tier 3 benefits and referenced by CBP as a benchmark
- They had an exemplary shipping record
- And they lived happily in the FAST lane
That is, until one hot July day when an interesting event took place.
Then came two dark and cold December nights when other incidents occurred.
And suddenly, a lumbering giant awoke.
What’s all that about? Here’s the real story, which unfortunately is not a fairy tale. Over the Christmas holiday of 2009 I gained a full appreciation for how the Mexican drug cartels worked. Late one Friday night I was notified by the El Paso Police Department that they had impounded a truck of ours for carrying 4 tons of marijuana from Chihuahua across the border to El Paso. I was quite aware that the cartels liked to pick on soft targets for transporting their product into the U.S., but how could this be us? We were the benchmark for Customs and Border Patrol.
Then, a week later on a Sunday evening, it all happened again. Four tons of marijuana were found being carried on our truck, this time on the Mexican side of the border. How was this happening? Would we lose all of the goodwill we built between Customs and ourselves? Was this an outside or an inside job? Would we ever get the impounded goods back? And, would there be a substantial fine and penalty associated with this action?
We had tried to do everything the right way: security checks on all of our labor and management; GPS units in our trailers, certifications and facility audits, driving the security processes down through the operations. Still, now twice in two weeks we had transported 8 tons of marijuana and a box of heroin.
Lessons Learned from These Events
- We got complacent thinking we were too good – we took our eye off the ball.
- We had to harden ourselves as a target to an ever-changing threat.
- Our chain of custody was much too loose – dock workers could be easily compromised.
- Never doubt that someone is watching and poised to capitalize on your mistakes.
Supply Chain Security
A secure supply chain is the visible demonstration of a business’s commitment to employ processes that emphasize a commitment to a safe and secure environment for its employees, customers, products, facilities and the communities in which they serve. Furthermore, it is a routine way of doing business which enhances the commitment to regulatory compliance, meets customers’ delivery requirements and exceeds productivity goals. These fundamental principles are linked by using lean processes which are supported by the leadership team, employees and supply chain partners.
The business leadership’s role is to:
- Be visible by embracing security
- Perform periodic self assessments
- Provide continuous improvement which remediates assessment exceptions
- Proactively engage the business on the subject of security
- Provide clear communications with escalation paths
Furthermore, the employees are expected to:
- Escalate all concerns or observations to management
- Remain vigilant and aware of the security processes
- Ensure there are no deviations from procedure
- Incorporate the supply chain security practices into the daily work routines
Fundamentals of a Supply Chain Security Program
Customer Care/Order Management
- Prevention of misuse of products by customers
- Requirement for an original Power of Attorney (POA)
- Keeping all customer information current
- Management to prevent unknown customers
- Use of external resources to screen customers and orders
- Refusal to receive goods from unknown locations and parties
- Adoption, awareness and adherence to the Supply Chain Security Program
- Execution of the Segregation of Roles & Responsibilities to ensure that one individual does not control all aspects of the supply chain
- Established perimeter with efficient electronic surveillance and lighting
- Segregated shipping and receiving areas
- Effective access control, including visitor screening, driver control, etc.
- Incident reporting
- Overall ownership of processes to communicate requirements to suppliers
- Holding the Sourcing and Suppliers teams accountable for supply chain security
- Ensuring contracts have a supplier code of conduct
- Refusal to accept goods from unknown locations and parties
- Collaboration between Sourcing, Logistics and Trade on supplier selection
- Use of external resources to screen suppliers orders
- Management of non-compliant business partners
- Provide documentation of memberships of other supply chain security programs – C-TPAT, AEO
- Creation of written procedures for bidding, selecting and contracting processes
- Maintaining good standing in global supply chain security programs
- Provide background checks for all carriers and personnel as allowed by law
- Prohibit subcontracting without prior approval
- Immediate notification of supply chain security issues, exceptions or violations
- Adherence to container/trailer security procedures
Programs like the Customs Trade Partnership Against Terrorism (C-TPAT) are an example of voluntary programs implemented for Trade participants to partner with Customs. The purpose is to adopt procedures and best practices to secure global supply chains. These programs include the establishment of minimum security requirements, the implementation of security best practices and a validation assessment performed by Customs. Upon successful enrollment, participants are then categorized into tiers relative to benefits vs. demonstrated practices.
Tier 1- For certified members but not yet validated. This immediately reduces inspections
Tier 2- Certified and validated. Targeting scores for Customs exams are lowered
Tier 3- Exceeds minimum standards and has demonstrated best practices. The Green Lane at a border becomes available with no security inspections and infrequent random inspections. If inspected, the business is moved to the front of the line.
The benefits for these programs are:
- Participants experience reduced inspections and faster clearance time across borders
- Priority processing for inspections
- A reduced overall risk for the supply chain
- A visible component of good corporate citizenship
Cybersecurity is the process of protecting the confidentiality, integrity and availability of a business’s I.T. assets (systems, data, networks). Conversely, compliance is the minimum a business does to meet the regulatory requirement or an industry standard. Compliance involves checklists, whereas security involves a discussion with the business about their tolerance for risk. In compliance both the regulators and businesses are slow to acknowledge new threats as well as slow to implement change. On the other hand, cyber security requirements move quickly at the pace of the market, threats and risk profile of the business.
Resilience of a business’s crown jewels and processes is a key topic. Since cyberthreats are generally not a matter of if but when, a resilience program’s objective becomes fourfold:
- To maximize visibility
- To minimize impact
- To maximize speed to recovery
- To continuously improve
Cybersecurity is focused on a business’s critical assets first and then applied elsewhere to the next most important resources. Elements of a cybersecurity program include:
- Network Security
- Security Architecture
- Data Security
- Security Awareness and Training
- Malicious Content Management
Many businesses elect to invest in security only after a significant event. The downside of this from a cash standpoint is that suppliers are acutely aware of when a customer is in crisis, which is then reflected in the price. Compounding the issue is that expensive 3rd party professional services are often required during a crisis to implement new controls on aggressive timelines. Therefore, the best strategy is to build the process before a business’s weakness are evident.
As a rule of thumb, large corporations will spend 3% of revenue on I.T. with small businesses doubling that. Cybersecurity can be benchmarked as a percent of I.T. spend, and will depend on several factors including the risk-tolerance of the company and the maturity of the cybersecurity function. Cyber will likely range from 2%-10% of the I.T. budget. It is also important to note that cyber budgets are increasing now, whereas I.T. budgets are decreasing.
Finally, many businesses have concluded that shifting inventory back to a supplier by use of supplier portals is an effective way to manage working capital. However, this method of insuring against threats increases a company’s risk and cost profile.
Final Words on Supply Chain Security
As a supply chain leader, I’ve had to develop a keen sense for detecting when a security or crisis plan needed to be executed. I’ve also been blessed to have had a tight partnership with the security group of my company over the years. They’ve been vital in keeping me out of trouble, as well as in preventing me from getting into it!
Since the late ‘80s, I’ve had to implement a number of crisis management processes for a variety of incidents and subjects:
Public Health Emergencies
- Mexico – 2009 Swine Flu Quarantine
- Hong Kong and China – 2013 H1N1 Virus
- Hong Kong and China – 2003 SARS
- Port of L.A. – multiple times
- French Warehouse and Transport Workers – multiple times burning tires in front
- World Series Earthquake – 1989 Loma Prieta/Bay Area with collapsed freeways and infrastructure
- The Flood of the Century – 1993 Midwestern U.S.
- Bali Tsunami – 2004
- Fukashima Earthquake, Tsunami and Nuclear Disaster – 2011
- Icelandic Volcano – 2010
Civil Unrest and Wars
- L.A. Riots – 1992
- September 11 – 2001
- Iraq and Afghanistan Invasions – 2002
- Arab Spring and Possible Suez Shutdown – 2011
- Drug Wars in Mexico – 2008 to 2012
Through benchmarking, I came to understand the following points for building and executing the process needed to manage a crisis:
- Don’t wait until crisis hits to build a plan.
- Respond in a timely manner – the longer you wait, the more damage can be done.
- Build a war room (physical or virtual).
- Build a mindset that supply chain security is everyone’s job – no exceptions.
- Don’t react – be quick, but be fact-based and remember that nothing is off-the-record.
- All communications should go through one channel, with a spokesperson to represent the organization throughout the crisis process.
- Express empathy and concern for the victims.
- Never hide anything – all problems will eventually come to the surface.