​

The old axiom about a chain being only as strong as its weakest link is often repeated for a simple reason: it’s true. And nowhere does it apply more aptly than to the less concrete, yet highly complex and critical world of supply chains. Even stakeholders in relatively low-risk, domestic supply chains in the West understand that the security of each partner in their chain—from farm or factory to final customer—is as important as their own.

The risks rise when goods must cross borders, as U.S. stakeholders learned on September 11, 2001. In a seldom-discussed aftereffect of the attack, U.S. land borders closed for three days. A government-industry collaboration to improve import supply chain security “began on September 12,” says trade security specialist John Sharp, CPP. Its result was the voluntary Customs-Trade Partnership Against Terrorism (C-TPAT).

After seven years—and absent any regulatory mandate—C-TPAT has managed to attract close to 10,000 companies, and participation is increasingly considered a prerequisite for anyone wanting to do business with global trade’s biggest U.S. players. American Shipper reports that Customs and Border Protection (CBP) Commissioner Alan Bersin foresees a “grand bargain” of multinational, mutual recognition between C-TPAT and other countries’ supply-chain-security partner programs to speed trade while mitigating the risks of terrorism, smuggling, and old-fashioned shrink.

“If you have been waiting, the wait ends here, and it’s time to get on board,” says Beth Adams, a supply-chain-security specialist with standards and management firm BSI. “Yesterday’s ‘shoulds’ are becoming today’s ‘musts.’”

Framework

The conceptual framework behind CTPAT is a simple one, one that Bill DeWitt, CPP, corporate security director for stevedoring giant CARRIX/SSA Marine, traces to the invitation-only Super Carrier Initiative Program led by CBP predecessor, the U.S. Customs Service. The agency’s premise is that if a company can demonstrate that it has implemented sound security practices, CBP will ease the regulatory burden that company’s shipments incur at the border. Translation: fewer inspections result in faster trade, which equates to a bigger bottom line.

Under C-TPAT, member entities—primarily U.S. manufacturers with operations overseas, U.S.-based customs brokers, and entities such as trucking companies, which are eligible for certification but not membership—must attest to maintaining minimum security criteria set forth by CBP. They make that attestation via an online application form.

Depending on the sector, minimum criteria may include security fundamentals such as written security procedures, physical site security measures, personnel and IT security policies and programs, and the use of container seals. After CBP reviews a company’s online application, a process that can sometimes take several months, qualifying applicants are granted membership in C-TPAT, subject to prescheduled on-site validation of their security programs by CBP inspectors.

To pass muster, an applicant must make sure that all of its partners in its supply chain have secure operations as well. Each C-TPAT partner bears responsibility for every import shipment it touches, from the point a box or container is stuffed overseas to the point it reaches its destination in the United States. If an inspection at a border crossing point or elsewhere uncovers contraband, each C-TPAT member involved in that shipment is suspended immediately and, pending investigation, may be thrown out of the program entirely. To facilitate that process, members and certified operators are guaranteed access to an online CBP database of fellow C-TPAT members and certified entities.

In 2005, CBP introduced three tiers for C-TPAT membership. Initially accepted members are in Tier I, and validated members are admitted at CBP’s discretion to Tier II. Only members with validated implementation of supply-chain security best practices named by the agency—which C-TPAT director Brad Skinner calls “the best of the best”—are admitted to Tier III.

Examples of CBP best practices include cultural concepts like a “continuous improvement” philosophy and employee engagement, contractual measures like prohibitions on subcontracting, and operational measures like monitoring of shipments in transit, which can be achieved simply by moving trucks in convoys rather than individually. As of midyear, only 314 operators enjoyed Tier III status, according to CBP.

Risk Score

C-TPAT membership yields its practical benefits when CBP assigns a risk score for inbound shipments, something the agency does for every truck and shipping container bound for the border after receiving a mandatory shipment manifest prior to arrival. C-TPAT certification or membership and tiering shaves points off a company’s shipments’ risk scores, which the agency uses to determine whether a shipment is stopped and examined. Companies rated in the higher C-TPAT tiers receive point advantages. One in every 1.25 non-C-TPAT trucks is stopped for examination at the border, compared to one in five C-TPAT trucks, Skinner tells Security Management.

Throughout C-TPAT’s existence, DHS has discussed its vision for a fast track “Green Lane” at ground border crossings that trucks would sail through like cars bearing electronic toll collection tags. But experts emphasize to Security Management that this idea has never gone beyond the concept stage.

Instead, C-TPAT members that want to achieve maximum speed at border crossings can enroll their drivers in CBP’s trusted-driver program, called Free and Secure Trade (FAST), explains Kathleen Neal, director of trade compliance for manufacturer A.O. Smith and chair of the Border Trade Alliance (BTA), an industry group that represents industry stakeholders along the U.S.-Mexican Border.

Observers including C-TPAT consultant Lyes Sadoudi, owner of Customs Trade Solutions in San Diego, says that shippers see marked speed improvements through C-TPAT memberships and driver FAST compliance. One maquiladora—a U.S.-owned factory residing on the Mexican side of the border and producing material for sale in, or trans-shipment through, the United States—used to stop production daily at 2:15 p.m. for products to cross the border by 6 p.m. The same factory now operates until 5 p.m., he says.

That dramatic benefit, however, is not one seen at crossings around the country. A recent C-TPAT participant survey, conducted for CBP by the University of Virginia’s Center for Survey Research, found that among respondents, border times decreased for only 39 percent, stayed the same for 44 percent, and increased for 9 percent.

Skinner cites various reasons for the survey results, among them geography and infrastructure. In one report, the U.S. Government Accountability Office noted that at many border crossings, construction of additional lanes was prevented by surrounding infrastructure, and in one case, rock outcroppings.

Foreseeable Threat

It was not difficult to predict what Mexico’s drug cartels would do once the CTPAT program promised certain manufacturers and trucking companies that they could ship goods across the border with a reduced likelihood of inspection. The cartels wanted to exploit the system to take advantage of the “trusted” treatment CTPAT shippers would get, and they did.

Late in 2008, a truck aroused the suspicion of CBP agents working at the Mariposa Point of Entry in Nogales, Arizona. Inside, inspectors found nearly 3,000 pounds of marijuana with an estimated value of $4.6 million. The driver of the truck was FAST certified. It was not an isolated case. CBP would report several other seizures linked to C-TPAT members.

Neal, of the BTA, explains how drug cartels commonly infiltrate otherwise secure supply chains: the greatest points of vulnerability lie at the warehouse overseas and with the driver. A drug cartel will offer a Mexican warehouse hand $10,000 to allow placement of contraband among legitimate cargo. The next time the cartel offers the worker $2,000, and later the cartel may simply threaten the worker’s family to coerce him.

Neal says that this scenario is addressed by C-TPAT criteria, which require that more than one person oversee cargo loading and sealing processes. In the Nogales case, according to a CBP bulletin to members, Skinner reported that “companies had established security procedures in place yet failed to follow them.”

In addition to close oversight of stuffing—the industry term for putting goods into containers for shipping—Skinner offered a list of security measures that members should consider, among them audit and verification of employee screening with periodic reviews, rotation of personnel assigned to “operationally sensitive positions,” and establishment of route times for shipping legs to detect when trucks are delayed and, therefore, may be involved in smuggling.

Any C-TPAT member company or certified carrier involved at any point in a shipment found to contain contraband is suspended from the program immediately. Final action, however, can vary based on the findings of CBP’s investigation, they say. For example, while negligent disregard for security or systemic corruption might result in expulsion from C-TPAT, a finding that smuggling resulted from the actions of a single rogue employee or driver may lead to reinstatement. While each case is unique, Neal and other stakeholders said CBP could aid program members immensely by issuing a basic framework or guidelines for sanctions. With such information, members involved directly or indirectly in a violation would know, pending investigation, how it would likely affect their company’s operations.

The good news is that the drug smuggling was caught, but one can’t know how many similar efforts might have slipped through unnoticed, which raises the question: What if it weren’t just drugs? These instances highlight the risk of letting anything through without an inspection on the assumption that security procedures elsewhere in the supply chain have already removed the risk.

Robust Risk Assessment

From C-TPAT’s inception, CBP has required that members conduct risk assessments of all supply-chain partners and their security postures relative to the program’s minimum security criteria. In many cases, however, the assessments amounted to only simple yes/no questionnaires that C-TPAT members circulated to their supply-chain partners, says Sharp, who is vice president of global operations at supply-chain consultancy Inspectorate Sharp Global Corporation in New York and a member of ASIS International’s Transportation Council. The questionnaire process alone does not, however, provide adequate assurance of a global supply-chain partner’s security, says Sharp, whose company consults on C-TPAT compliance.

To increase risk management effectiveness across supply chains, this year CBP issued a process guide for five-step risk assessments.

The first step in CBP’s process is mapping cargo flow and identifying all of a company’s partners in its international supply chains. Second, companies are expected to conduct a threat assessment of supply chains, considering incidences of terrorism, organized crime, and human or contraband smuggling in regions where the company or its partners operate. Areas without activity are to be deemed “low risk,” areas without recent activity but some threat intelligence are to be deemed “medium risk,” and areas with recent activity are to be deemed “high risk.”

The third element of the assessment process, vulnerability assessment, again requires circulation of questionnaires to foreign supply-chain partners, but it now requires detailed explanations of security policies and measures the companies have in place. In the fourth step, the CTPAT member is expected to develop an action plan to mitigate risk along its supply chains—which might include requiring partners to implement added security. Finally, members must document how the risk assessment process has been carried out.

“What Customs is trying to do is make this more like a management system, like an ISO standard to where it’s incorporated into your business practices, and it makes sense because it gives you better control of your supply chain,” Sharp says.

One issue that Sharp raises is how honest suppliers will be. Sharp recalls site visits overseas to confirm what clients’ supply-chain partners had stated on their C-TPAT questionnaires. “We’ve had some of the companies that were very honest, some people were very straightforward; others didn’t have what they said they have in place.”

Therefore, Sharp says, to properly manage risk, supply-chain members must verify supply-chain partners’ security claims firsthand—either themselves or by hiring a consultant to do so for them. “A picture is worth 1,000 words,” he says. “I can’t stress enough you have to go see. That’s what a risk assessment process is about; and you have to have a verifiable process.”

Reciprocity

While the U.S. government and partners in the European Union (EU) developed customs-trade counterterrorism programs in the years following 9-11—C-TPAT and the Authorized Economic Operator (AEO) designation, respectively—they simultaneously sought to establish a global network of such programs to boost security without slowing global trade. The result, produced by the Belgium-based World Customs Organization (WCO) in 2007, is the WCO SAFE Framework of Standards.

The SAFE framework was signed by 161 countries. While it is a nonbinding document, each of its signatories have committed to developing a customs-trade security program like C-TPAT and to authorizing, via statute, mutual recognition arrangements (MRAs). Under an MRA, governments recognize each other’s programs and, eventually, other countries’ program members, explains Adams of BSI.

The United States codified mutual recognition in the SAFE Port Act of 2006. Since then, CBP has recognized four foreign programs: Canada’s Partners in Protection Program, Japan’s AEO Program, Jordan’s Golden List Program, and New Zealand’s Secure Export Scheme Program. Three more MRAs are in the works, with the EU and South Korea’s AEO programs and Singapore’s Trade Partnership Plus Program. The United States’ second and third biggest trade partners—China and Mexico—have yet to develop an internal customs-trade partnership program that meets U.S. security criteria.

As yet, U.S. MRA’s are solely customs-to-customs, Adams says, meaning that CBP and partners like Canada’s Border Services Agency share information about risk and members. What trade stakeholders want—and a primary business case for the broader construct—is customs-to-business recognition. Under that doctrine, a business validated by its home country’s customs agency would automatically be recognized by a foreign agency evaluating one of its own companies in the same supply chain. The arrangement would create efficiency through the elimination of redundant assessments and validations.

Worth Your While?

Return on investment in C-TPAT favors bigger companies, because, as Sharp notes, larger operations already had loss prevention programs in place before 9-11 that essentially met the minimum standards of C-TPAT and even, in some cases, its best practices. That meant the cost of compliance was slim to none, while the benefits included faster through-put at the border and, interestingly, a corollary benefit of lower shrink as supply-chain partners were forced to implement better security.

Smaller companies are not so lucky. They must incur real costs to meet C-TPAT standards in most cases, but they can’t simply decide they can’t afford to do so. The real question is how that cost stacks up against the cost of nonmembership.

Florida-based consultancy Supply Chain Security Inc. handles clients’ CTPAT application, membership, and certification processes while providing internal C-TPAT training programs. Sales manager Dorsey Hunt says that companies—even security savvy ones—hire his firm after they comb through CBP’s program materials online and find them overwhelming and realize that they lack the resources to assign the work in-house.

Sadoudi says there are some clear-cut cases in which C-TPAT membership is likely not worthwhile. He offered the example of a small customs broker working out of an airport and dealing with shipments handled by large commercial shippers such as FedEx.

At least one of Supply Chain Security’s clients was on the fence about C-TPAT membership and gave it a shot. After a couple years, accountants audited the costs of and returns on membership, in particular the business that membership helped the firm keep or win. The numbers didn’t add up, so the company withdrew from membership, Hunt says.

Neal says that the best case for C-TPAT membership goes back to the closed borders after 9-11 that spurred the program’s creation: when a border crossing shuts down, C-TPAT members are automatically bumped to the front of the line for processing when the border reopens.

“Are they going to get a 1 to 1 return? Probably not,” Neal says.” I think it’s up to each individual company to make that determination of whether the cost is worthwhile. I think the answer is ‘yes’ because of the real risk of a border closure.”

For Neal’s company, however, a bigger issue is at play, she says. “At least in the company that I work for, [the bottom line] is that it’s the right thing to do, and it shows our good corporate citizenship,” she says. “What is that worth? I don’t know.”

Joseph Straw is an assistant editor at Security Management.