In today’s environment of overseas manufacturing and supply chains spanning oceans, miles, and cultures, securing a logistics network can be a moving target. In addition to smuggling and cargo theft, certain areas of the world are also high-risk regions for drug-related violence, political unrest, corruption and terrorism. To effectively manage product flow in high-risk areas, supply chain security programs should have robust processes in three key areas: recognition, evaluation and control of emerging threats.
Recognition of emerging threats. Successfully securing a supply chain requires more than just a single party securing its operations. Trusted partners must share information to stay up to date. To recognize threats, companies with international supply chains should take an active approach to sharing information with key stakeholders, such as customers, government agencies, and law enforcement. They should participate in industry groups such as the OSAC (Overseas Security Advisory Council) to take advantage of its information resources and consider setting up periodic meetings or conferences where all stakeholders can come together and discuss emerging threats. For example, in the past year, Ryder held two border security conferences – one focused on the U.S.-Mexico border and one on the U.S.-Canada border – and brought together representatives from the U.S. Department of Homeland Security and its component agency, U.S. Customs and Border Protection, as well as representatives from law enforcement and business partners in those countries to discuss innovations and best practices. These types of events allow companies to strengthen their relationships with government agencies and law enforcement and to keep the lines of communication open, helping to identify security situations as they arise.
Evaluation of emerging threats.An evaluation of emerging threats is primarily a process that is handled through a supply chain risk assessment. Because cross-border supply chains typically consist of operations and business partners that encompass several regions, a formal risk assessment process is of critical importance. A standard risk assessment process with clearly delineated criteria promotes communication and compliance across the network. This process, moreover, should be based on a variety of inputs to provide as comprehensive a picture as possible. For example, a risk assessment can include open source information on corruption and terrorism. It can also include an analysis of the company’s experience and history in that region. Additionally, it can incorporate business partner risk ratings, self-assessments on site compliance, and observations gathered through site visits. Together, all these factors provide an overall, measurable picture into the threats facing the supply chain, the company’s preparation to respond to them, and business partners’ and customers’ abilities to deal with them. The company can then take action to address identified weaknesses.
Control of emerging threats. For a global enterprise to respond adequately to threats to its supply chain across an extended network, it becomes necessary to share security ownership and accountability with local operations. A centralized security authority should work in partnership with local management to secure operations. Under this arrangement, corporate security’s role is to create a single set of global policies and procedures, while local management’s role is to implement these procedures. By establishing a single set of global security policies and procedures, corporate security would eliminate any confusion related to the security requirements of the various authorized economic operator programs, such as the Customs-Trade Partnership Against Terrorism (C-TPAT), Canada Partners in Protection, and Europe’s Authorized Economic Operator (AEO) program, to name a few. Local management would have clearly stated criteria to implement, while corporate security could focus on teaching, training and auditing for compliance.
Cross-functional cooperation is also an important factor in securing the supply chain. Departments within a company such as Corporate Audit, Compliance and Sales can play smaller but equally vital parts. Corporate Audit can focus on detecting and responding to fraud, internal conspiracies, and financial compliance, while Corporate Compliance can monitor for compliance with the Foreign Corrupt Practices Act and conduct ethics investigations. Similarly, the Sales team can be responsible for knowing their customers and verifying that the information they are given is correct, as well as designing solutions that are compatible with the company’s overall customs security objectives. All of these departments can and should have securing the supply chain as one of their goals.
While these big-picture strategic concepts can help to structure a cross-border security program, there are several tactical measures that can also help. The following are some examples of best practices.
Develop a calendar of security-related activities.Every location in a supply chain should follow a calendar of security-related activities which are carried out on a monthly, quarterly, bi-annual, and annual basis to ensure that the location is prepared to address emerging threats. For example, at Ryder, we use a Web-based security management system called RyderSTAR. This tool allows the company to distribute security content such as policies, procedures, forms, and training materials to all of our locations, as well as schedule and track completion of security activities. Through this tool, the company’s security team can see where an operation stands on its security compliance at a glance.
Conduct real-time vehicle monitoring. Real-time monitoring of goods and conveyances in-transit is a critical security function, especially in high-risk areas. Simply putting a GPS on a tractor or trailer when transporting over ground is typically not enough to detect and respond to a potential breach. Conveyances can be hijacked and off-loaded very quickly, and there are devices that can block cellular signals, disabling a GPS. Without real-time monitoring and tracking, GPS simply becomes an investigation aid. A manned monitoring center where employees monitor estimated times of arrival as well as confirm drivers and conveyances is the most effective way to use GPS data to safeguard cargo.
Additional security measures forcross-border locations. Warehouses,yards, or cross-dock facilities near the border are often critical control points before cargo crosses the border. For this reason, these facilities should be equipped with additional layers of security, such as increased video and photo documentation, more frequent inspections, and extensive physical security, to safeguard their goods. Other security measures include using tight time controls and verifications for shipment crossings, remote vehicle shutdown capabilities and random driver assignments.
Mitigating extortion risk.Extortion can impact the supply chain when supply chain managers become targets for extortion. When assessing supply chain risk, a company should consider its capabilities to respond to extortion. What roadblocks exist to keep employees from reporting extortion? What resources exist to help them overcome it? A company should work to establish internal reporting mechanisms and provide specialized training for employees in areas at risk.
Mitigating bribery risk.In some parts of the world, the payment of bribes is so common that everyday cash transactions are considered routine. While the vast majority of these transactions do not impact supply chain security, they create an environment where loads can be breached with a small cash payment and the action is not recognized as suspicious activity. Therefore, in addition to having a robust FCPA program, including the vetting of business partners, work instructions where cargo containers are consolidated should include the segregation of duties. For example, the parties involved in the loading of freight should be independent from the individual responsible for verifying the contents and sealing containers. It is a common practice to require foreign agents to have a representative on the dock to ensure critical control measures are implemented.
Verifying information through site visits. Finally, the only way to truly understand your foreign supply chain partners is to go, in person, and observe their actual practices. While business partners may indicate they are compliant on self-assessments, the reality may sometimes be different. To secure the supply chain, a company must ask persistent questions and verify for itself that the information is true.
Our adversaries strive to overcome our defenses. When we are static, they are able to observe, test and plan methods to defeat those defenses. Our challenge as security professionals is to think outside the box and innovate. What worked yesterday may not work tomorrow, depending on what new threats arise. The only way to be ready is to share information and communicate with business partners on an ongoing basis to stay one step ahead.