Executive Briefings

New CPB Guidance Can help You Better Assess Risks to Your Global Supply Chain

The Customs-Trade Partnership Against Terrorism (C-TPAT), which began as a pilot supply chain security program in 2001 with a handful of importers, has blossomed into a robust program with more than 9,000 participants. As the program has grown over the last decade, U.S. Customs and Border Protection (CBP) has responded by refining program requirements and providing guidance.

In March 2010, CBP published the "C-TPAT 5-Step Risk Assessment Process Guide," which provides detailed guidance on how C-TPAT members can conduct an international supply chain risk assessment - a fundamental requirement of the program. 

C-TPAT is a voluntary U.S. government industry initiative designed to strengthen overall supply chain and border security. The program's emphasis is on self-monitoring rather than government oversight starting at the foreign point of origin and extending to the final destination to the United States. C-TPAT participants must ensure the integrity of their organization's security practices. Additionally, participants must communicate and verify the security guidelines of their business partners within the supply chain. In doing so, participants conduct a risk assessment of their international supply chain - at least annually - to identify the "high risk" supply chains and conduct testing based on the assessment.

Many importers have struggled to develop an effective risk assessment program, given that there was no specific guidance from CBP. During validations, CBP has observed that some importers were not completely assessing the risks of the international supply chain. These importers were focusing primarily on the security risks of their own domestic operations with not enough attention given to foreign business partners. A risk assessment of an importer's business partners is critical.

CBP Guidance

The new CBP guidance provides a five-step risk assessment process that all C-TPAT participants can follow.

1. Mapping cargo flow and identifying business partners (directly or indirectly contracted) This step involves developing process maps that depict the flow of goods from the point of origin to the U.S. final destination. It is import to include the modes of transportation, as well as "nodes" (e.g., country of origin, transit points). Mapping can look like a flow chart or can be organized in the form of a matrix. Key stages that should be highlighted in the maps include procurement, production, packing, storage, loading/unloading, transportation, and document preparation.

2. Conducting a threat assessment focusing on terrorism, contraband and smuggling, human smuggling, organized crime, and conditions in a country/region which may foster such threats
CBP encourages C-TPAT importers to focus on "open sources" of information, specifically websites like the CIA World Fact Book and the U.S. Department of State Terrorist Threats/Country Information, to target threats within the international supply chain. Importers should conduct research and assign a threat rating of "high," "medium" or "low" to each of its supply chains.

3. Conducting a vulnerability assessment in accordance with C-TPAT minimum security criteria and rate vulnerability
The vulnerability assessment evaluates the business partner's adherence to the published C-TPAT minimum security criteria to identify any gaps, vulnerabilities or weaknesses that could lead to a security breach. Vulnerability assessments can be conducted in a variety of ways; many companies choose to send security surveys or questionnaires to business partners who are not eligible or who do not participate in C-TPAT to identify the processes they perform and determine whether they meet the minimum criteria. Surveys should be tailored to the specific function of a business partner and should include open-ended questions in addition to "yes/no" questions. A rating of "high," "medium" or "low" should also be assigned based on the results of the assessment.

Interestingly, according to a June 2009 C-TPAT program survey, 90 percent of all security breaches involved "trucks" as the mode of transportation for cargo. Therefore, it is likely that the weakest links in the supply chain occur near the point of origin and the point of destination. This should be taken into account when conducting the vulnerability assessment. For instance, global manufacturers and suppliers at the point of origin (who are not C-TPAT certified) should be included in vulnerability assessment.

4. Preparing an action plan
The action plan documents the results from the threat and vulnerability assessments, corrective actions/strategies required to address any gaps or vulnerabilities, responsible parties, timeline for taking action and final outcome of any implemented changes.

5. Documenting how risk assessments are conducted
Finally, the last step involves documenting policies and procedures for the company's approach to the C-TPAT risk assessment process. For example, CBP suggests that these procedures document responsible parties, when and how often risk assessments are conducted, how the assessments are carried out (referencing tools, documents, etc.), how follow-up will be handled, and how management will oversee the process. This can be added to a company's existing C-TPAT procedures or can be included as part of the C-TPAT chapter in an import compliance manual.

Implications for C-TPAT participants and foreign business partners 

This new guidance from CBP provides a road map for C-TPAT importers in conducting a risk assessment of the international supply chain. While not a "one size fits all" process, C-TPAT participants should incorporate CBP's recommendations into their existing risk assessment processes. In particular, participants should ensure that foreign business partners are being appropriately assessed.

How comprehensive your risk assessment process is depends upon the complexity of your supply chain, the number of business partners (including subcontractors), and the level of risk identified. Obviously, the more risk in the overall supply chain, the more onerous the endeavor. This places significant focus on the business partners and the risk they bring to the supply chain.

Risk assessments need not be conducted on C-TPAT-certified business partners. However, formal C-TPAT membership is not yet available to manufacturers and exporters outside of the U.S., Canada and Mexico. Even so, there are steps foreign business partners can take to lessen the risk they bring to a supply chain. For instance, participation in local programs, such as the Authorized Economic Operator (AEO) will likely reduce supply chains to a lower risk category. Incidentally, Colombia is expected to roll out an AEO program in October 2010, which mirrors the security principles of C-TPAT and is similar to the European AEO program.

C-TPAT participants and business partners should also be aware of mutual recognition agreements between CBP and foreign customs administrations with similar supply chain security programs. One of the benefits of mutual recognition is that status in a foreign partnership program is recognized by CBP. As part of the vulnerability assessments, C-TPAT members can determine whether foreign business partners participate in any such programs, and note if the programs are mutually recognized by CBP. This will likely reduce supply chains involving these business partners to a low-risk category. 

Thus far, CBP has signed mutual recognition agreements with customs authorities from New Zealand, Canada, Jordan and Japan. Negotiations are ongoing with Korea, Singapore and the European Union. In addition, the United States will likely engage the Colombian customs authorities to work on an agreement for mutual recognition once the AEO program has been fully implemented.

While mutual recognition agreements and supply chain security programs are not offered in all countries, foreign business partners that review their security procedures against published C-TPAT minimum security criteria and close any existing gaps put themselves in a position to lessen the risk they bring to the supply chain. Such efforts not only improve the security and speed of the supply chain, but also increase the business partner's international competitiveness by being a trusted C-TPAT business partner.

The "C-TPAT 5 Step Risk Assessment Process Guide" is available at http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/supply_chain/.

Source: Ernst & Young

The Customs-Trade Partnership Against Terrorism (C-TPAT), which began as a pilot supply chain security program in 2001 with a handful of importers, has blossomed into a robust program with more than 9,000 participants. As the program has grown over the last decade, U.S. Customs and Border Protection (CBP) has responded by refining program requirements and providing guidance.

In March 2010, CBP published the "C-TPAT 5-Step Risk Assessment Process Guide," which provides detailed guidance on how C-TPAT members can conduct an international supply chain risk assessment - a fundamental requirement of the program. 

C-TPAT is a voluntary U.S. government industry initiative designed to strengthen overall supply chain and border security. The program's emphasis is on self-monitoring rather than government oversight starting at the foreign point of origin and extending to the final destination to the United States. C-TPAT participants must ensure the integrity of their organization's security practices. Additionally, participants must communicate and verify the security guidelines of their business partners within the supply chain. In doing so, participants conduct a risk assessment of their international supply chain - at least annually - to identify the "high risk" supply chains and conduct testing based on the assessment.

Many importers have struggled to develop an effective risk assessment program, given that there was no specific guidance from CBP. During validations, CBP has observed that some importers were not completely assessing the risks of the international supply chain. These importers were focusing primarily on the security risks of their own domestic operations with not enough attention given to foreign business partners. A risk assessment of an importer's business partners is critical.

CBP Guidance

The new CBP guidance provides a five-step risk assessment process that all C-TPAT participants can follow.

1. Mapping cargo flow and identifying business partners (directly or indirectly contracted) This step involves developing process maps that depict the flow of goods from the point of origin to the U.S. final destination. It is import to include the modes of transportation, as well as "nodes" (e.g., country of origin, transit points). Mapping can look like a flow chart or can be organized in the form of a matrix. Key stages that should be highlighted in the maps include procurement, production, packing, storage, loading/unloading, transportation, and document preparation.

2. Conducting a threat assessment focusing on terrorism, contraband and smuggling, human smuggling, organized crime, and conditions in a country/region which may foster such threats
CBP encourages C-TPAT importers to focus on "open sources" of information, specifically websites like the CIA World Fact Book and the U.S. Department of State Terrorist Threats/Country Information, to target threats within the international supply chain. Importers should conduct research and assign a threat rating of "high," "medium" or "low" to each of its supply chains.

3. Conducting a vulnerability assessment in accordance with C-TPAT minimum security criteria and rate vulnerability
The vulnerability assessment evaluates the business partner's adherence to the published C-TPAT minimum security criteria to identify any gaps, vulnerabilities or weaknesses that could lead to a security breach. Vulnerability assessments can be conducted in a variety of ways; many companies choose to send security surveys or questionnaires to business partners who are not eligible or who do not participate in C-TPAT to identify the processes they perform and determine whether they meet the minimum criteria. Surveys should be tailored to the specific function of a business partner and should include open-ended questions in addition to "yes/no" questions. A rating of "high," "medium" or "low" should also be assigned based on the results of the assessment.

Interestingly, according to a June 2009 C-TPAT program survey, 90 percent of all security breaches involved "trucks" as the mode of transportation for cargo. Therefore, it is likely that the weakest links in the supply chain occur near the point of origin and the point of destination. This should be taken into account when conducting the vulnerability assessment. For instance, global manufacturers and suppliers at the point of origin (who are not C-TPAT certified) should be included in vulnerability assessment.

4. Preparing an action plan
The action plan documents the results from the threat and vulnerability assessments, corrective actions/strategies required to address any gaps or vulnerabilities, responsible parties, timeline for taking action and final outcome of any implemented changes.

5. Documenting how risk assessments are conducted
Finally, the last step involves documenting policies and procedures for the company's approach to the C-TPAT risk assessment process. For example, CBP suggests that these procedures document responsible parties, when and how often risk assessments are conducted, how the assessments are carried out (referencing tools, documents, etc.), how follow-up will be handled, and how management will oversee the process. This can be added to a company's existing C-TPAT procedures or can be included as part of the C-TPAT chapter in an import compliance manual.

Implications for C-TPAT participants and foreign business partners 

This new guidance from CBP provides a road map for C-TPAT importers in conducting a risk assessment of the international supply chain. While not a "one size fits all" process, C-TPAT participants should incorporate CBP's recommendations into their existing risk assessment processes. In particular, participants should ensure that foreign business partners are being appropriately assessed.

How comprehensive your risk assessment process is depends upon the complexity of your supply chain, the number of business partners (including subcontractors), and the level of risk identified. Obviously, the more risk in the overall supply chain, the more onerous the endeavor. This places significant focus on the business partners and the risk they bring to the supply chain.

Risk assessments need not be conducted on C-TPAT-certified business partners. However, formal C-TPAT membership is not yet available to manufacturers and exporters outside of the U.S., Canada and Mexico. Even so, there are steps foreign business partners can take to lessen the risk they bring to a supply chain. For instance, participation in local programs, such as the Authorized Economic Operator (AEO) will likely reduce supply chains to a lower risk category. Incidentally, Colombia is expected to roll out an AEO program in October 2010, which mirrors the security principles of C-TPAT and is similar to the European AEO program.

C-TPAT participants and business partners should also be aware of mutual recognition agreements between CBP and foreign customs administrations with similar supply chain security programs. One of the benefits of mutual recognition is that status in a foreign partnership program is recognized by CBP. As part of the vulnerability assessments, C-TPAT members can determine whether foreign business partners participate in any such programs, and note if the programs are mutually recognized by CBP. This will likely reduce supply chains involving these business partners to a low-risk category. 

Thus far, CBP has signed mutual recognition agreements with customs authorities from New Zealand, Canada, Jordan and Japan. Negotiations are ongoing with Korea, Singapore and the European Union. In addition, the United States will likely engage the Colombian customs authorities to work on an agreement for mutual recognition once the AEO program has been fully implemented.

While mutual recognition agreements and supply chain security programs are not offered in all countries, foreign business partners that review their security procedures against published C-TPAT minimum security criteria and close any existing gaps put themselves in a position to lessen the risk they bring to the supply chain. Such efforts not only improve the security and speed of the supply chain, but also increase the business partner's international competitiveness by being a trusted C-TPAT business partner.

The "C-TPAT 5 Step Risk Assessment Process Guide" is available at http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/supply_chain/.

Source: Ernst & Young