Most likely, your company has sourced raw materials, parts, finished goods or packaging from foreign business partners. When a company leverages a business partner instead of build their own foreign production capabilities, it allows them to shift suppliers to low cost regions without having to worry about their foreign investments. The global supply chain and flow of international goods continues to increase every year.
The global supply chain, however, doesn’t operate in a vacuum. It can be disrupted by a number of factors including terrorism, theft, smuggling and natural disasters, to name a few. Throughout the last decade, the public and private sectors have partnered up to improve supply chain security while still facilitating trade and maintaining the flow of goods.
C-TPAT, PIP and AEO are a few supply chain security programs that have been created to establish a standard for secure supply chains and give participants the benefits of reduced inspections and first-in-line privileges. Not only do these programs address the physical security of a site, they also include the need to conduct supply chain risk assessments and evaluating the security of partners, which are two integral components of a secure supply chain.
Supply Chain Risk Assessments
In order to secure your supply chain, you must first know your supply chain. Sounds simple, but it is often overlooked. Most companies start the process with the C-TPAT application and run the Supply Chain Risk Assessment last. The right way is for companies looking to secure their supply chain to start with an in-depth understanding of where it sources its raw materials, parts, sub-assemblies, finished goods, packaging, and point-of-sales materials to get a complete picture of its supply chain.
Understanding where materials are sourced will help determine who you are sourcing these from, and ultimately, how they are transported and by whom. In mapping your supply chain you should understand:
- Where materials come from (origin), where they go (route) and where they end up (destination)
- Who produces the materials, who handles them and who transports them
Depending on the nature of your business, mapping the supply chain can be simple or complex. When doing so, you should be focused on:
- Nodes: Fixed points were goods are sourced, manufactured, stored, consolidated or held
- Modes: Methods of transportation (air, sea, rail, highway, etc.)
The nature of threats against Nodes and Modes are different, as are the means of protecting them. The business partners operating these nodes and modes will be an integral part of your supply chain security program.
Assessing Business Partner Security
The first step to assessing your business partners is to gather information on them. You’ll want to know things like where they are located, who owns the business, what the nature and scope of their services are, how big they are, and who their other customers are. All of these factors will help you gauge whether they have the size, knowledge and corporate oversight to effectively manage security.
As you go through the process of information gathering, you should also assess whether or not they are certified in any supply chain security programs, such as C-TPAT, but be very careful to review and certify the responses you get. It has occurred where companies use certification letters given to them by third-party consultants and even letters from other customers who visited the site and thanked them for their cooperation as proof of certification. If a business partner is certified, they should be able to provide evidence that can be verified easily. For example, if they are C-TPAT certified, they should be able to provide their “SVI Number,” an identifying number provided by U.S. Customs to certified companies. Either way, a company should always verify evidence of certification. Some programs provide official listings online showing certified companies.
During this phase, many companies use some form of questionnaire to help gather and assess the information to determine whether a company is certified and meets their security requirements. This sometimes includes a self-assessment for non-certified companies, where they’re asked to assess their own security and identify gaps and corrective actions that can be taken. Other companies simply provide a list of requirements they believe the business partner should have, and ask them to sign an acknowledgement stating they meet the guidelines.
Whichever method you choose to follow, don’t just rely on a self-assessment or declaration of compliance. While this is a good starting point, at some point you need to see it yourself. Visiting sites and performing your own assessments holds a lot of value. Ultimately, what you are trying to determine is:
- Is the site secure; does it have adequate lighting, access controls and the appropriate security systems?
- Does the business partner practice good personnel controls and provide employees adequate training?
- Are proper security procedures being followed such as supervised loading, independent counting, conveyance inspections, and proper seal controls?
- Does the business partner have the financial, personnel and knowledge resources necessary to effectively manage security?
Face-to-face interaction is critical. For most people, it’s not possible to be on-site every day to keep watch. We rely on the business partners to manage security and you need to be able to trust that their responses are accurate. At the same time, most people do not have the time or resources to visit every business partner they use. You may use some process to risk rate your business partners and prioritize which sites to visit first. For example, the following factors could be considered:
- Is the business partner located in a high-risk region? – There are a number of websites, both public and private, that can provide country risk ratings.
- Who owns the business? – Large global companies usually have their own internal compliance groups, documented processes and quality programs. This may indicate that there already is sufficient internal oversight.
- What does their customer base look like? – In my experience, business partners servicing several multinational customers are visited frequently by many security counterparts in other companies.
- How much of your volume do they handle? – You’ll want to put some weighting on your larger business partners.
Visiting your business partners and evaluating their security programs will benefit how you understand the supply chain and the risks inherent in the international movement of goods. Understanding where the risks lie in your supply chain, but it’s also important to understand what actions are necessary to close the gaps in your supply chain security program.
To learn more about securing your organization’s international supply chain, read Bill Anderson’s article with Security Magazine which provides some additional tips.
Written by Bill Anderson, Group Director, Corporate Security, Ryder System Inc.