Executive Briefings

Taking the Risk Out of Your Supply Chain

Terrorists are well aware of the opportunity that global supply chains present to deliver a devastating attack on the U.S. It's up to both the government and U.S. importers to protect us all.

Robert C. Bonner, commissioner of the U.S. Bureau of Customs and Border Protection (CBP), has a recurring nightmare: a dirty bomb explosion in a major city like Chicago delivered in an ocean container. Bonner says that the CBP has determined such an event would kill or injure thousands of people, close every U.S. seaport for at least one week, create a backlog of container traffic that would take at least three months to clear, cost the U.S. economy $58 billion and result in years of chronic security disruptions.

"Such an event is simply unacceptable," says Bonner. "The government and the trade community have a shared responsibility to prevent such an incident."

The CBP has certainly been doing its part. It has implemented a wide variety of regulatory and voluntary initiatives such as the 24-hour rule for inbound containers, the Container Security Initiative (CSI) to target and inspect containers in foreign ports and the Customs-Trade Partnership Against Terrorism (C-TPAT) program, which asks all supply-chain participants to voluntarily enhance their own security and create awareness among their partners.

So while CBP is clearly doing its part to enhance supply-chain security, the real question is this: Do U.S. importers and exporters share this concern and are they willing to take all reasonable steps to eliminate the risk of cargo movements being used for terrorist attacks? Judging from the actions of a few leading companies and the success of programs such as C-TPAT, supply-chain security has indeed gained boardroom attention.

The C-TPAT program in the trade community has been a phenomenal success. It already has 4,731 participants including 2,940 importers, 691 carriers, 1,051 forwarders and customs brokers, 11 foreign manufacturers and 38 U.S. marine port authorities. The program now covers 70 percent of all import containers accounting for 38 percent of the dollar value of all imports to the U.S.

More impressive are the measures that individual companies are taking to secure their supply chains.

Retail giant Target Stores, for example, started its supply-chain security initiative more than two years ago. According to Michael D. Laden, president of the company's in-house import operation, Target Customs Brokerage, Target was one of the first participants in C-TPAT. Target's own program goes beyond merely creating awareness of security guidelines, as required by C-TPAT. The retailer requires its vendors to sign a memo of understanding to adhere to certain security practices and procedures. Each vendor completes a four-page security profile and, based on the answers, Target has developed its own risk matrix. If a vendor does not appear to be adequately compliant, Target will visit the vendor and bring it up to standards. In addition to its security teams, Target has mobilized the company's product-quality assessment teams to check on vendor compliance when they are doing their normal inspections.

Target has developed a database for assessing the risk of 80 countries where Target does business. It is updated daily, based on intelligence information. All risk data and partner profiles are stored and, as appropriate, shared with partners through a web-based system.

Corporate Security Awareness
Pharmaceutical leader Pfizer also began its own supply-chain security program before C-TPAT was created, under which it focused on working only with quality carriers and service providers that understood the importance of good security. Corporate Security Manager Richard E. Widup, Jr. says that C-TPAT was a boost for Pfizer's security programs. "C-TPAT has helped us move our programs along faster because it got our top management focused on the need for better supply-chain security," he says.

To assure supply-chain security among its suppliers, Pfizer clearly establishes rules, expectations and standards of care for its supply-chain partners, and it audits them on an ongoing basis. "We constantly update our operating procedures," says Widup. "There is always a new idea that we can incorporate."

Pfizer's standard operating procedures include identifying the movements of product that are high-value and those lanes that are high risk and high frequency.

The second company to be certified for C-TPAT and have its program fully validated by CBP was Austin, Tex.-based Texas Instruments (TI).

"C-TPAT really fit with what we were already doing," says Ann Lister, global compliance manager for TI. "Our suppliers are long-term partners that the company visits frequently, so we routinely assess their security compliance."

TI now has a permanent cross-divisional corporate council that combines logistics and compliance people to manage all aspects of the supply-chain security program. It reports to top management. Lister says that TI has dual goals. It wants to maintain strong security, but it also needs to move its cargo through the supply chain as quickly as possible.

"We have no problems with backups or delays," she says. "Even with increased security and advance notification reporting requirements, our cycle times have not increased. We have proved to our management that good security is good business."

Lister is a strong proponent of companies taking on more responsibility, and not depending on government agencies to drive supply-chain security. This belief in industry responsibility was one of the reasons that she and Linda Thomas of Pier One started an organization in 2001 called the International Compliance Professionals Association (ICPA).

"Forwarders, customs brokers and carriers had groups that helped their members stay on top of rapidly changing regulatory and trade issues after 9/11, but there was nothing for compliance people working for importers and exporters," says Lister. "We are the ones on the front lines of supply-chain security issues."

According to Lister, the ICPA (www.icpainc.org) started as an email network among compliance and logistics managers to share questions and answers and timely tips. It mushroomed quickly to include 400 members representing leading companies active in international trade, but the key attraction remains the shared knowledge base that provides answers to any question.

"We are essentially a compliance dating service," says Lister. "If I want to know about what is going on in China, most of our members do business there, so in half an hour I can find out just about anything that I need to know. Every one of our members has a sense of responsibility about important compliance issues."

Supply-chain security is not just for global giants. The Container Store, a mid-sized company providing storage and organization products for home and business, was accepted into the C-TPAT program based on standards that it has long employed over its 25-year history.

According to Jamie Castellanos, import manager for the Dallas, Tex.-based Container Store, the company's imports now amount to about 1,500 TEUs and are growing at 25 percent a year. Every vendor must complete a questionnaire about its security procedures, as well as provide photos of its loading docks, packing rooms and perimeter security.

"If the vendor outsources any production, we get the information directly from the facilities that manufacture, package and ship," says Castellanos. "We evaluate them and categorize the vendors in terms of risk."

While a company the size of the Container Store cannot routinely send employees to inspect vendor sites, the company calls on its forwarders and carriers in that region to do an on-site assessment.

"Our logistics providers are all C-TPAT approved and are well known to us," says Castellanos. "They are eager to help and they have the knowledge to do this assessment."

Castellanos is also an enthusiastic member of ICPA, which she says has been instrumental in helping the company navigate the increasingly complicated world of regulatory compliance and supply-chain security.

"You get unvarnished opinions of other members on regulatory interpretations, since everything is anonymous," she says.

Good Security, Good Business
So are these companies unusually concerned about security or do they have especially patriotic management? William S. Ansley, vice president of trade management services for UPS Supply Chain Solutions, points out that C-level executives do not spend money on highly theoretical supply-chain security risks, or because they want to be good citizens.

"CEOs want to gain tangible benefits for participating and avoid costly consequences if they don't," says Ansley. "CBP is now articulating the values of C-TPAT, so high-level executives understand the economic benefits."

Companies that are not C-TPAT participants receive greater scrutiny when documents are presented. These companies are more likely to have a delay of one or two days from a review process and further delays from an inspection. "The hard costs of longer cycle times and the resulting need for more inventory are well understood by top management," he says.

C-TPAT is also a requirement for participation in CBP's soon-to-be-implemented, web-based Automated Commercial Environment (ACE). Users of this system not only will be able to handle all customs transactions over the web, but also will be allowed to pay customs duties periodically.

"The difference will be having 10 days to pay your duties versus 45 days," says Ansley. "ACE participants will save considerable cash flow."

Barry J. Wilkins, managing director for Pinkertons, agrees that self-interest is driving supply-chain security at most companies. His security firm has helped over 35 Fortune 500 companies set up supply-chain security programs, including C-TPAT certifications. While he says that a handful of these companies may have taken these steps on their own, C-TPAT has been the driving force behind industry awareness of supply-chain security.

"I doubt that there would have been the same attention to supply-chain security without the incentives of C-TPAT and the disincentives of not participating," says Wilkins. "As it turns out, every one of our clients has found that the benefits of C-TPAT far outweigh the costs."

For example, Wilkins has pointed out to his clients that if there is ever an incident, C-TPAT participants' containers would probably get through, so their factories would not close. When he has helped clients assess their logistics providers for C-TPAT purposes, the companies have discovered that they can save significant transportation costs by rationalizing their carrier base or by leveraging freight volumes among divisions to gain lower corporate-wide rates. The C-TPAT process showed another client that it wasn't taking advantage of duty drawback available to it, and it saved millions of dollars.

"C-TPAT invariably uncovers unintended benefits," says Wilkins.

While U.S. importers by and large have embraced supply-chain security, there are significant concerns about the future. And what new initiatives will CBP and other government agencies be introducing?

For example, TI's Ann Lister thinks one of the greatest dangers attached to the C-TPAT program is complacency and lack of commitment. "Companies go through the initial process, get their certification and then let their security programs slip," she says, warning that just one company trying to save a few dollars can result in a bomb taking out a major port. "That company that was so concerned about its bottom line will no longer have a bottom line," she says. "We are all scared of these companies."

Andy Maner, chief of staff for CBP, says that the C-TPAT program has a built-in mechanism to deal with the small portion of companies that are thumbing their nose at the system by signing up and not really doing anything.

At its new academy in Glencoe, Ga., CBP is creating so-called "supply-chain specialists" who are trained in various aspects of supply-chain management in addition to customs and immigration matters. These specialists are validating the security programs to which participants have attested.

"Through the ongoing validation process, we get the laggards out of the program," says Maner.

As CBP becomes more involved in this validation process, companies will have to become increasingly focused on maintaining the integrity of their programs. One software company in the international trade logistics sector has a novel approach to this challenge.

Open Harbor's global compliance and security system allows users to screen supply-chain partners and their personnel against constantly updated lists of known terrorists or other prohibited parties. The system also classifies products on every order for customs duties purposes, and simultaneously checks quotas and any restrictions on their import or export status for countries involved.

According to Mahipal Lunia, Open Harbor's director of product solutions, their most sought-after functionality is a module that constantly monitors C-TPAT compliance among all supply-chain partners. When the U.S. importer becomes C-TPAT certified, it maps all agreed-upon procedures into the Open Harbor system. Those procedures become embedded in a checklist workflow. The importer can require each party in the supply chain to use the checklist to verify that security procedures are being followed. If the system detects a security lapse, orders are put on hold. The importer can decide to override the system or to block all orders. If the problem is minor, such as product being stored in a warehouse with nonconforming fences, the importer would probably override the system and follow-up later to address the issue. If a shipment is being moved by an unauthorized carrier, the importer may decide to halt the shipment until it can be checked.

Lunia says that most users run the checklist every few months, but it can be employed for each order. Open Harbor stores the information and makes it available to CBP to prove that due diligence has been done.

"These responsibilities can no longer be pushed off to the freight forwarder, the carrier or the customs broker," says Lunia. "C-level executives are beginning to understand that supply-chain security and compliance are now high-level governance issues."

Advance Notification
The CBP has also announced that one area of focus in 2004 will be extension of a "zone of security" outside our borders. A key part of this border extension has been the 24-hour manifest rule, which uses advance cargo information to allow CBP and foreign governments to conduct their targeting and inspections before containers are loaded on ships. With the publication of the Trade Act of 2002 rules, such advance notification information will soon be required for all modes and for both inbound and outbound cargo from the U.S.

John Motley, president of international logistics software company LOG-NET, says that the 24-hour rule has definitely created the need for up to three days of extra inventory for many importers. Freight has to be delivered to the loading port days in advance to give carriers enough time to create CBP's required manifest information. Motley predicts that the Trade Act of 2002 advanced rules are going to have similar effects because so little automated and shared electronic information exists in most supply chains.

Motley says that the importer must take charge of its own electronic information in the supply chain, starting with the purchase order (PO). The LOG-NET system, for example, creates a data thread that links all parties in the supply chain, including the importer, the offshore manufacturer, forwarder, international carrier and customs broker.

Motley also is a founder of Shippers for International Electronic Logistics Data (SHIELD), a group that promotes more automation of international trade processes. Several of his SHIELD members, including Jones Apparel, now are using LOG-NET's end-to-end system that includes a new electronic standard document called an ANSI 304 Shipping Instruction. The system captures complete product descriptions and at least a six-digit Harmonized Tariff System (HTS) number. It uses that product information and associated HTS numbers to generate the PO. That information automatically appears on the shipping instruction to the carrier.

For the companies automating their supply chains and using the 304 shipping instruction, Motley says that the 24-hour rule has little or no impact on costs, inventories or time. The importer's cargo and the data move together and can arrive at the port just prior to an ocean carrier's deadline. The carrier has no data collection work to do. It just pushes a button to forward the manifest information to CBP.

New Trade Rules
At this point, no one really knows what the impact of the Trade Act of 2002 rules will be because only the bare bones of the reporting requirements have been published. Implementation will be phased in throughout 2004 on a yet-to-be-announced schedule. One thing is clear: All international companies - as well as the government - will have to upgrade their systems to handle all reporting requirements electronically.

According to Carol Fuchs, government relations counsel at the Washington office of KMZ Rosenman law firm, CBP has purposely avoided stating when it will start enforcing the Trade Act rules because not all of its systems are in place at every port to accept the advanced electronic notifications.

"The vague terminology used in the rules apparently means no one has to worry if they don't have everything in place, because CBP is not going to stop shipments or assess penalties unless it really thinks there is a problem," says Fuchs, who serves on the Commercial Operations Advisory Committee (COAC) that advises CBP on the trade community's regulatory concerns.

"There is a complex implementation process for the Trade Act rules that makes compliance dates depend on events that are not yet firmly established," she says. "The trade must watch the Federal Register to find out when the automated systems are in place. Those dates will trigger the effective dates and compliance dates."

Of even greater concern to importers of food-related products are the Food and Drug Administration (FDA) rules being implemented under the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (Bioterrorism Act). As of December 12, 2003, importers of food and food-related items, which covers up to 800 HTS categories, had to register every domestic and foreign facility that touches their food supply chain, including plants, warehouses and distribution points. They also have to notify FDA in advance of importing any food-related shipments, so the FDA can do a risk assessment. Additional rules will be forthcoming concerning record keeping and administrative detention for non-complying shipments.

For importers, the most troublesome issue is the FDA advance notification rules because they are not aligned with the CBP rules. Food importers are now subject to two separate regulatory regimes, despite a CBP and FDA announcement that they would be working together on these rules.

"As the rules have unfolded, there are many disconnects in terms of systems, parties that need to submit, data elements, time periods for submitting the data and many other areas," says Fuchs. "It is extremely important to trade that these rules be aligned. COAC has expressed great concern about this issue and will take it up again at its next meeting."

High-Tech Concerns
The entire trade community has been anxious about which high-tech devices CBP might insist upon in the near future. Pilot projects have been going on all over the world testing global positioning system (GPS) transponders, radio frequency identification (RFID) tags on or inside containers and a wide assortment of electronic seals that send out alerts if tampered with.

"Most of the concepts were getting into the James Bond mode," says UPS's William Ansley. "The initial concept was to track the container in real time. The next idea was to have sensors that would indicate if the container was opened, and then transmit a signal at the time of the breach. Someone even suggested a device that would take a picture of the perpetrator and email it to the authorities. These ideas can quickly get out of hand."

Pinkertons's Barry Wilkins has been deeply involved in the Operation Safe Commerce project at the ports of Seattle and Tacoma, which includes some pilot tests of smart container technology. This program has shown him that the trade community is very apprehensive about the cost of any far-reaching technology solutions.

"When it comes to technology, companies expect productivity improvements to justify any significant investment," says Wilkins. "The only way that these security devices will become reality is if there are benefits such as better inventory control or optimization of freight movements."

Pfizer's Richard Widup believes that before any of these high-tech smart containers could be put into service, fundamental issues such as who is going to manage the smart containers and who is going to pay have to be firmly worked out. If the containers will be equipped with transponder capabilities, there needs to be a global frequency band for RFID and GPS.

"A carrier is not going to buy thousands of these containers," says Widup. "They may outfit only enough for those shippers that have the technology in place to use them. So how can the carrier manage those containers so that only these shippers are using them? No one can undertake this as things stand now."

He believes manufacturers are very willing to use this technology, but shippers are not in a position to manage them. Smart containers will only become a reality if there is a collaborative effort between industry and government that will make smart containers easy to use and cost effective.

According to CBP Commissioner Bonner, the C-TPAT smart container that it is suggesting will be a simple, low-tech design, but one that the agency would like to put into service as soon as possible. This smart container has only two attributes: an ISO high-strength bolt seal that is not attached to the hasp, and a tamper-evident sensor inside the box. The one-time use seal costs about one dollar, and the reusable light-sensitive sensors that CBP has been testing cost about $20. The sensor would be read at the CSI port by CBP. If there is any indication of tampering, the box would be opened.

"We are not recommending any highly sophisticated technology at this time," says Bonner. "This level of security is what we want to see very soon. This smart box will quickly become a C-TPAT best practice that will earn green-lane handling."

Pfizer's Widup says that the trade community will be relieved to learn that CBP is recommending a much simpler smart container that has no RFID or GPS capability and uses off-the-shelf technology.

"Simpler technology is far more likely to be adopted quickly," says Widup. "As technology advances, CBP can upgrade the systems and gradually raise the bar. That is how to get buy-in from industry."

Robert C. Bonner, commissioner of the U.S. Bureau of Customs and Border Protection (CBP), has a recurring nightmare: a dirty bomb explosion in a major city like Chicago delivered in an ocean container. Bonner says that the CBP has determined such an event would kill or injure thousands of people, close every U.S. seaport for at least one week, create a backlog of container traffic that would take at least three months to clear, cost the U.S. economy $58 billion and results in years of chronic security disruptions.

"Such an event is simply unacceptable," says Bonner. "The government and the trade community have a shared responsibility to prevent such an incident."

The CBP has certainly been doing its part. It has implemented a wide variety of regulatory and voluntary initiatives such as the 24-hour rule for inbound containers, the Container Security Initiative (CSI) to target and inspect containers in foreign ports and the Customs-Trade Partnership Against Terrorism (C-TPAT) program, which asks all supply-chain participants to voluntarily enhance their own security and create awareness among their partners.

So while CBP is clearly doing its part to enhance supply-chain security, the real question is this: Do U.S. importers and exporters share this concern and are they willing to take all reasonable steps to eliminate the risk of cargo movements being used for terrorist attacks?
Judging from the actions of a few leading companies and the success of programs such as
C-TPAT, supply-chain security has indeed gained boardroom attention.

The C-TPAT program in the trade community has been a phenomenal success. It already has 4,731 participants including 2,940 importers, 691 carriers, 1,051 forwarders and customs brokers, 11 foreign manufacturers and 38 U.S. marine port authorities. The program now covers 70 percent of all import containers accounting for 38 percent of the dollar value of all imports to the U.S.

More impressive are the measures that individual companies are taking to secure their supply chains.

Retail giant Target Stores, for example, started its supply-chain security initiative more than two years ago. According to Michael D. Laden, president of the company's in-house import operation, Target Customs Brokerage, Target was one of the first participants in C-TPAT. Target's own program goes beyond merely creating awareness of security guidelines, as required by C-TPAT. The retailer requires its vendors to sign a memo of understanding to adhere to certain security practices and procedures. Each vendor completes a four-page security profile and, based on the answers, Target has developed its own risk matrix. If a vendor does not appear to be adequately compliant, they will do a visit and bring it up to standards. In addition to its security teams, Target has mobilized the company's product-quality assessment teams to check on vendor compliance when they are doing their normal inspections.

Target has developed a database for assessing the risk of 80 countries where Target does business. It is updated daily, based on intelligence information. All risk data and partner profiles are stored and, as appropriate, shared with partners through a web-based system.
Corporate SecurityAwareness
Pharmaceutical leader Pfizer also began its own supply-chain security program before C-TPAT was created, under which it focused on working only with quality carriers and service providers that understood the importance of good security. Corporate Security Manager Richard E. Widup, Jr. says that C-TPAT was a boost for Pfizer's security programs. "C-TPAT has helped us move our programs along faster because it got our top management focused on the need for better supply-chain security," he says.

To assure supply-chain security among its suppliers, Pfizer clearly establishes rules, expectations and standards of care for its supply-chain partners, and it audits them on an ongoing basis. "We constantly update our operating procedures," says Widup. "There is always a new idea that we can incorporate."

Pfizer's standard operating procedures include identifying the movements of product that are high-value and those lanes that are high risk and high frequency.

The second company to be certified for C-TPAT and have its program fully validated by CBP was Austin, Tex.-based Texas Instruments (TI).

"C-TPAT really fit with what we were already doing," says Ann Lister, global compliance manager, for TI. "Our suppliers are long-term partners that the company visits frequently, so we routinely assess their security compliance."

TI now has a permanent cross-divisional corporate council that combines logistics and compliance people to manage all aspects of the supply-chain security program. It reports to top management. Lister says that TI has dual goals. It wants to maintain strong security, but it also needs to move its cargo through the supply chain as quickly as possible.

"We have no problems with back ups or delays," she says. "Even with increased security and advance notification reporting requirements, our cycle times have not increased. We have proved to our management that good security is good business."

Lister is a strong proponent of companies taking on more responsibility, and not depending on government agencies to drive supply-chain security. This belief in industry responsibility was one of the reasons that she and Linda Thomas of Pier One started an organization in 2001 called the International Compliance Professionals Association (ICPA).

"Forwarders, customs brokers and carriers had groups that helped their members stay on top of rapidly changing regulatory and trade issues after 9/11, but there was nothing for compliance people working for importers and exporters," says Lister. "We are the ones on the front lines of supply-chain security issues."

According to Lister, the ICPA (www.icpainc.org) started as an email network among compliance and logistics managers to share questions and answers and timely tips. It mushroomed quickly to include 400 members representing leading companies active in international trade, but the key attraction remains the shared knowledge base that provides answers to any question.

"We are essentially a compliance dating service," says Lister. "If I want to know about what is going on in China, most of our members do business there, so in half an hour I can find out just about anything that I need to know. Every one of our members has a sense of responsibility about important compliance issues."

Supply-chain security is not just for global giants. The Container Store, a mid-sized company providing storage and organization products for home and business was accepted into the C-TPAT program based on standards that it has long employed over its 25-year history.

According to Jamie Castellanos, import manager for the Dallas, Tex.-based Container Store, the company's imports now amount to about 1,500 TEUs and are growing at 25 percent a year. Every vendor must complete a questionnaire about its security procedures, as well as provide photos of its loading docks, packing rooms and perimeter security.

"If the vendor outsources any production, we get the information directly from the facilities that manufacturer, package and ship," says Castellanos. "We evaluate them and categorize the vendors in terms of risk."

While a company the size of the Container Store cannot routinely send employees to inspect vendor sites, the company calls on its forwarders and carriers in that region to do an on-site assessment.

"Our logistics providers are all C-TPAT approved and are well known to us," says Castellanous. "They are eager to help and they have the knowledge to do this assessment."

Castellanous is also an enthusiastic member of ICPA, which she says has been instrumental in helping the company navigate the increasingly complicated world of regulatory compliance and supply-chain security

"You get unvarnished opinions of other members on regulatory interpretations, since everything is anonymous," she says.

Good Security, Good Business
So are these companies unusually concerned about security or do they have especially patriotic management? William S. Ansley, vice president of trade management services for UPS Supply Chain Solutions points out that C-level executives do not spend money on highly theoretical supply-chain security risks, or because they want to be good citizens.

"CEOs want to gain tangible benefits for participating and avoid costly consequences if they don't, says Ansley. "CBP is now articulating the values of C-TPAT, so high-level executives understand the economic benefits."

Companies that are not C-TPAT participants receive greater scrutiny when documents are presented. These companies are more likely to have a delay of one or two days from a review process and further delays from an inspection. "The hard costs of longer cycle times and the resulting need for more inventory are well understood by top management," he says.

C-TPAT is also a requirement for participation in CBP's soon-to-be-implemented, web-based Automated Commercial Environment (ACE). Users of this system not only will be able to handle all customs transactions over the web, but also will be allowed to pay customs duties periodically.

"The difference will be having 10 days to pay your duties versus 45 days," says Ansley. "ACE participants will save considerable cash flow."

Barry J. Wilkins, managing director for Pinkertons, agrees that self-interest is driving supply-chain security at most companies. His security firm has helped over 35 Fortune 500 companies set up supply-chain security programs, including C-TPAT certifications. While he says that a handful of these companies may have taken these steps on their own, C-TPAT has been the driving force behind industry awareness of supply-chain security.

"I doubt that there would have been the same attention to supply-chain security without the incentives of C-TPAT and the disincentives of not participating," says Wilkins. "As it turns out, every one of our clients has found that the benefits of C-TPAT far outweigh the costs."

For example, Wilkins has pointed out to his clients that if there is ever an incident, C-TPAT participants' containers would probably get through, so their factories would not close. When he has helped clients assess their logistics providers for C-TPAT purposes, the companies have discovered that they can save significant transportation costs by rationalizing their carrier base or by leveraging freight volumes among divisions to gain lower corporate-wide rates. The C-TPAT process showed another client that it wasn't taking advantage of duty drawback available to it, and it saved millions of dollars.

"C-TPAT invariably uncovers unintended benefits," says Wilkins.

While U.S. importers by and large have embraced supply-chain security, there are significant concerns about the future. And what new initiatives will CBP and other government agencies be introducing?

For example, TI's Ann Lister thinks one of the greatest dangers attached to the C-TPAT program is complacency and lack of commitment. "Companies go through the initial process, get their certification and then let their security programs slip," she says, warning that just one company trying to save a few dollars can result in a bomb taking out a major port. "That company that was so concerned about its bottom line will no longer have a bottom line," she says. "We are all scared of these companies."

Andy Maner, chief of staff for CBP, says that the C-TPAT program has a built-in mechanism to deal with the small portion of companies that are thumbing their nose at the system by signing up and not really doing anything.

At its new academy in Glencoe, Ga., CBP is creating so-called "supply-chain specialists" who are trained in various aspects of supply-chain management in addition to customs and immigration matters. These specialists are validating the security programs to which participants have attested.

"Through the ongoing validation process, we get the laggards out of the program," says Maner.

As CBP becomes more involved in this validation process, companies will have to become increasingly focused on maintaining the integrity of their programs. One software company in the international trade logistics sector has a novel approach to this challenge.

Open Harbor's global compliance and security system allows users to screen supply-chain partners and their personnel against constantly updated lists of known terrorists or other prohibited parties. The system also classifies products on every order for customs duties purposes, and simultaneously checks quotas and any restrictions on their import or export status for countries involved.

According to Mahipal Lunia, Open Harbor's director of product solutions, their most sought-after functionality is a module that constantly monitors C-TPAT compliance among all supply-chain partners. When the U.S. importer becomes C-TPAT certified, it maps all agreed-upon procedures into the Open Harbor system. Those procedures become embedded in a checklist workflow. The importer can require each party in the supply chain to use the checklist to verify that security procedures are being followed. If the system detects a security lapse, orders are put on hold. The importer can decide to override the system or to block all orders. If the problem is minor, such as product being stored in a warehouse with nonconforming fences, the importer would probably override the system and follow up later to address the issue. If a shipment is being moved by an unauthorized carrier, the importer may decide to halt the shipment until it can be checked.

Lunia says that most users run the checklist every few months, but it can be employed for each order. Open Harbor stores the information and makes it available to CBP to prove that due diligence has been done.

"These responsibilities can no longer be pushed off to the freight forwarder, the carrier or the customs broker," says Lunia. "C-level executives are beginning to understand that supply-chain security and compliance are now high-level governance issues."

Advance Notification
The CBP has also announced that one area of focus in 2004 will be extension of a "zone of security" outside our borders. A key part of this border extension has been the 24-hour manifest rule, which uses advance cargo information to allow CBP and foreign governments to conduct their targeting and inspections before containers are loaded on ships. With the publication of the Trade Act of 2002 rules, such advance notification information will soon be required for all modes and for both inbound and outbound cargo from the U.S.

John Motley, president of international logistics software company LOG-NET, says that the 24-hour rule has definitely created the need for up to three days of extra inventory for many importers. Freight has to be delivered to the loading port days in advance to give carriers enough time to create CBP's required manifest information. Motley predicts that the Trade Act of 2002 advanced rules are going to have similar effects because so little automated and shared electronic information exists in most supply chains.

Motley says that the importer must take charge of its own electronic information in the supply chain, starting with the purchase order (PO). The LOG-NET system, for example, creates a data thread that links all parties in the supply chain, including the importer, the offshore manufacturer, forwarder, international carrier and customs broker.

Motley also is a founder of Shippers for International Electronic Logistics Data (SHIELD), a group that promotes more automation of international trade processes. Several of his SHIELD members, including Jones Apparel, now are using LOG-NET's end-to-end system that includes a new electronic standard document called an ANSI 304 Shipping Instruction. The system captures complete product descriptions and at least a six-digit Harmonized Tariff System (HTS) number. It uses that product information and associated HTS numbers to generate the PO. That information automatically appears on the shipping instruction to the carrier.

For the companies automating their supply chains and using the 304 shipping instruction, Motley says that the 24-hour rule has little or no impact on costs, inventories or time. The importer's cargo and the data move together and can arrive at the port just prior to an ocean carrier's deadline. The carrier has no data collection work to do. It just pushes a button to forward the manifest information to CBP.

New Trade Rules
At this point, no one really knows what the impact of the Trade Act of 2002 rules will be because only the bare bones of the reporting requirements have been published. Implementation will be phased in throughout 2004 on a yet-to-be-announced schedule. One thing is clear: All international companies - as well as the government - will have to upgrade their systems to handle all reporting requirements electronically.

According to Carol Fuchs, government relations counsel at the Washington office of KMZ Rosenman law firm, CBP has purposely avoided stating when it will start enforcing the Trade Act rules because not all of its systems are in place at every port to accept the advanced electronic notifications.

"The vague terminology used in the rules apparently means no one has to worry if they don't have everything in place, because CBP is not going to stop shipments or assess penalties unless it really thinks there is a problem," says Fuchs, who serves on the Commercial Operations Advisory Committee (COAC) that advises CBP on the trade community's regulatory concerns.

"There is a complex implementation process for the Trade Act rules that makes compliance dates depend on events that are not yet firmly established," she says. "The trade must watch the Federal Register to find out when the automated systems are in place. Those dates will trigger the effective dates and compliance dates."

Of even greater concern to importers of food-related products are the Food and Drug Administration (FDA) rules being implemented under the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (Bioterrorism Act). As of December 12, 2003, importers of food and food-related items, which cover up to 800 HTS categories, had to register every domestic and foreign facility that touches their food supply chain, including plants, warehouses and distribution points. They also have to notify FDA in advance of importing any food-related shipments, so the FDA can do a risk assessment. Additional rules will be forthcoming concerning record keeping and administrative detention for non-complying shipments.

For importers, the most troublesome issue is the FDA advance notification rules because they are not aligned with the CBP rules. Food importers are now subject to two separate regulatory regimes, despite a CBP and FDA announcement that they would be working together on these rules.

"As the rules have unfolded, there are many disconnects in terms of systems, parties that need to submit, data elements, time periods for submitting the data and many other areas," says Fuchs. "It is extremely important to trade that these rules be aligned. COAC has expressed great concern about this issue and will take it up again at its next meeting."

High-Tech Concerns
The entire trade community has been anxious about which high-tech devices CBP might insist upon in the near future. Pilot projects have been going on all over the world testing global positioning system (GPS) transponders, radio frequency identification (RFID) tags on or inside containers and a wide assortment of electronic seals that send out alerts if tampered with.

"Most of the concepts were getting into the James Bond mode," says UPS's William Ansley. "The initial concept was to track the container in real time. The next idea was to have sensors that would indicate if the container was opened, and then transmit a signal at the time of the breach. Someone even suggested a device that would take a picture of the perpetrator and email it to the authorities. These ideas can quickly get out of hand."

Pinkertons's Barry Wilkins has been deeply involved in the Operation Safe Commerce project at the ports of Seattle and Tacoma, which includes some pilot tests of smart container technology. This program has shown him that the trade community is very apprehensive about the cost of any far-reaching technology solutions.

"When it comes to technology, companies expect productivity improvements to justify any significant investment," says Wilkins. "The only way that these security devices will become reality is if there are benefits such as better inventory control or optimization of freight movements."

Pfizer's Richard Widup believes that before any of these high-tech smart containers could be put into service, fundamental issues such as who is going to manage the smart containers and who is going to pay have to be firmly worked out. If the containers will be equipped with transponder capabilities, there needs to be a global frequency band for RFID and GPS.

"A carrier is not going to buy thousands of these containers," says Widup. "They may outfit only enough for those shippers that have the technology in place to use them. So how can the carrier manage those containers so that only these shippers are using them? No one can undertake this as things stand now."

He believes manufacturers are very willing to use this technology, but shippers are not in a position to manage them. Smart containers will only become a reality if there is a collaborative effort between industry and government that will make smart containers easy to use and cost effective.

According to CBP Commissioner Bonner, the C-TPAT smart container that the agency is suggesting will be a simple, low-tech design, but one that it would like to put into service as soon as possible. This smart container has only two attributes: an ISO high-strength bolt seal that is not attached to the hasp, and a tamper-evident sensor inside the box. The one-time use seal costs about one dollar, and the reusable light-sensitive sensors that CBP has been testing cost about $20. The sensor would be read at the CSI port by CBP. If there is any indication of tampering, the box would be opened.

"We are not recommending any highly sophisticated technology at this time," says Bonner. "This level of security is what we want to see very soon. This smart box will quickly become a C-TPAT best practice that will earn green-lane handling."

Pfizer's Widup says that the trade community will be relieved to learn that CBP is recommending a much simpler smart container that has no RFID or GPS capability and uses off-the-shelf technology.

"Simpler technology is far more likely to be adopted quickly," says Widup. "As technology advances, CBP can upgrade the systems and gradually raise the bar. That is how to get buy-in from industry."