Special Coverage: Supply chain security co-op eases import process

Importers are pooling efforts to make C-TPAT security audits of overseas vendors more efficient.

   Implementing security plans for international supply chains that meet U.S. government standards for uninterrupted cargo release at ports of entry can be daunting for importers and their overseas vendors.
   It is time-consuming and costly to get a security plan approved and validated by Customs and Border Protection, and then make sure employees and suppliers follow it. The challenge is especially great for small importers.
   Now, a new supply chain-security cooperative, whose members include companies such as Walmart Stores and Boeing, is simplifying the vetting process, improving security and reducing costs for all business partners, according to executives involved in the program. Since launching a little over a year ago, the non-profit Supplier Compliance Audit Network (SCAN) had completed 3,000 audits through late October, and 619 of the reports were shared by multiple companies.
   “I have to say that SCAN is the most successful supply chain security program out of the gate that I am aware of,” Dan Purtell, senior vice president of the governance, risk and compliance division at third-party verification firm BSI, said in an interview. Purtell’s experience developing supply chain security standards includes helping establish the Transported Asset Protection Association in the 1990s to spread best practices for preventing cargo losses.

Audit Fatigue. Factories and logistics providers often have to demonstrate the ability to secure their premises, workforce, IT systems and shipping conveyances from being infiltrated by terrorists and criminals if they want business from U.S. retailers and manufacturers.
   After the 9/11 terror attacks, U.S. authorities, in particular, became concerned about the potential for weapons of mass destruction to be smuggled in a container moved across borders by truck, rail, vessel or airplane. To prevent excess security inspections that delayed shipments, industry leaders worked with CBP to create the Customs-Trade Partnership Against Terrorism (C-TPAT), a voluntary program under which most cargo from participating companies is quickly cleared without having to undergo a security exam, provided the importers are pre-vetted and designated as trusted shippers that pose a low risk.
   Part of the vetting process includes C-TPAT specialists visiting a sample of an importer’s overseas supply chain, including outsourced factory, warehouse, and trucking operations, as well as the outbound port terminal, to assess whether C-TPAT minimum standards and the company’s security plan are properly followed. Companies are typically revalidated every three years by CBP personnel that check policies and procedures in the field to make sure they match the security plan on file.
   There are more than 11,400 companies enrolled in C-TPAT, more than a third of them importers, based on historical trends. But the program’s growth has plateaued for several years, and the number of participants is just a fraction of the total universe of importers. Many trade professionals question whether the stated benefits of C-TPAT, which now include front-of-the-line treatment in the event an exam is required, are worth the effort and cost required to put together a security plan, have it approved by CBP, prepare for and host security checks at their headquarters and an overseas location, implement the plan, and enforce supplier compliance.
   And again, the burden is especially felt by smaller importers.
   Retailers and manufacturers have developed requirements for vetting foreign vendors themselves or through third-party auditors. They provide basic training to internal personnel and suppliers on how to meet security requirements, perform audits against those standards and demand immediate corrective action for those that fall short. Some retailers have even terminated contracts with factories that did not follow their prescribed security program.
   Contract manufacturers, as a result, are bombarded with audits from many retail customers, which requires managers to spend time answering questionnaires, preparing for on-site audits, and accompanying audit teams during plant visits, as well as pay for third-party auditors when retailers outsource verification. This can also lead to confusion about which standards to follow and a focus on passing audits, rather than on fixing any underlying problems.
   And audits aren’t limited to security. Companies, to varying degrees, also vet suppliers for their internal controls on product quality, social responsibility such as treatment of workers or use of child labor, and environmental practices.
   SCAN was created by several companies to minimize duplication and help factories, which pay for the audits, save money. Collectively, SCAN members used to conduct more than 25,000 C-TPAT and European Union Authorized Economic Operator audits per year.
   “It’s not just about the cost savings, it’s the audit fatigue,” Kendra Riley, senior manager for global trade services at Home Depot and SCAN’s chairperson, said. “Some of these larger factories could be getting audits as frequently as bi-weekly or weekly. It takes away from operations and sometimes they need full-time people to manage these auditors coming in. If they can have someone come in once a year only, that’s much better.”

   It took about three years to stand up the organization because founding members had to draft common criteria and a questionnaire for the audit process, incorporate as a non-profit, and hire BSI to manage the program. The checklist incorporates the eight major areas CBP requires for C-TPAT certification, including container/trailer security, physical access controls, personnel security such as background checks, training, and secure information technology systems. The first board was elected in September 2014 and the first pilot audits began in May 2015.
   Participants say SCAN offers consistency across security criteria, with a uniform methodology for audits and implementing recommended fixes, so vendors aren’t whipsawed by different customer requirements. A committee periodically reviews and updates the criteria.
   A simple SCAN requirement, for example, is that facilities have access to controls that include checking the government-issued credential of every visitor and issuing them a badge, keeping an active log of visitors, escorting them at all times, and recovering the badge at departure.

How It Works. A SCAN member that wants to audit factory X in Vietnam, for example, first goes into the SCAN repository to check if an audit already exists that it can also use. (More than 8,345 factories are logged into the database so far). If one isn’t available, it places an order with BSI, previously known as British Standards Institution and the world’s first national standards body. BSI assigns the job to one of six contracted audit companies – Omega Compliance, Bureau Veritas, SGS, Underwriters Laboratories, Intertek, or BSI’s supply chain auditing branch, which is separate from the administrative services division that handles the data input, maintains the portal, and manages the auditors – and schedules the visit with the plant.
   The audit company reports back and BSI resolves any issues, such as questions that many not have been filled out, before scoring the checklist. Any security gaps are noted and an action plan is sent to the factory to correct any problems within a defined period of time. A final report is released to the company that requested the audit and it is placed in the online repository, where it can be viewed by other members. Ultimately, each company decides if the audit meets its own internal criteria and can order new a new one if it feels a score is too low or out-of-date.
   “What’s incredible about this process, from the date that SCAN member orders an audit, there’s 45 days to complete it. And that’s lightning fast for a turnaround,” Purtell said. “The average turnaround time is just under 40 days.”
   In addition to compliance performance, SCAN uses geographic risk indicators to help determine how frequently a factory should be audited. A factory in China, for example, may have less risk for security breaches than one making the same product in Bangladesh.
   Purtell said SCAN’s algorithm analyzes three primary factors in its risk determination: supply chain terrorism, the potential for contraband to be introduced into a container, and anti-Western terrorism.
   “One of the things I think they do better than anyone” is weighting factories by risk to best use resources, Purtell said. “They can predict where their problems are going to come from with great accuracy. That’s pretty slick.”
   SCAN requirements are much more rigorous than the C-TPAT minimum standards, and Customs has already acknowledged in several revalidation reports that SCAN procedures meet best practices for top tier C-TPAT status, according to officers of the non-profit group.
   Customs likes SCAN because it is a force multiplier for spreading supply chain security standards and compliance oversight, Purtell said. As a result of the 3,000 audits completed so far, there have been 13,000 corrective actions that have been successfully implemented, he said.

   The audits identify areas that are deficient, such as a lack of perimeter fencing, and factories have a certain number of days to rectify the issue and submit proof of completion, David Blackorby, vice president for global security operations at Walmart Stores Inc., said.
   BSI has master-level supply chain security specialists who evaluate the corrective actions. Overall, about a dozen people in Europe, the United States and Asia manage the audit process for SCAN.
   “What I like about the program,” Purtell said, “is that it’s a prescriptive-based program. Meaning, there are certain security criteria they expect. Other programs are subject to interpretation. This is more black and white. They either have it or they don’t. And it makes the corrective action program easier as well.”
   SCAN is also able to obtain accurate compliance statistics by country, manufacturing type, supplier type and individual facility, he added. BSI uses a software program called Supplier Compliance Manager to house the entire audit process and run analytics on the data collected.

Building Membership. Blackorby said SCAN is reaching out to all types of companies and trade associations to generate awareness because C-TPAT requirements are the same, regardless of size. And according to Riley, the best way to grow the co-op is for factories to promote SCAN to their customers.
   SCAN has tiered pricing, with membership fees based on the estimated number of audits a company expects to order in a given period.
   At the moment, most importers are taking a wait-and-see approach, but once the large corporations successfully demonstrate the proof of concept other firms will join, Purtell predicted.
   “I would think that for small- and medium-sized enterprises it’s almost more advantageous because the infrastructure they get to tap into – a global audit network with negotiated rates – is very low cost for these guys to join,” he said. “They can vet their 10 to 20 suppliers and have the same methodology as these market leaders have.”
   The cost savings can be substantial, said Purtell. A company that sends an inspector from the U.S. has to pay for all the travel and faces opportunity costs associated with being away from normal responsibilities. Audits also have to be scheduled three to four months out. Under SCAN, companies can vet their whole supply chain in a couple months and get corrective action completed, compared to dedicating several of their own personnel if they try to manage audits in-house. In addition, a single outsourced auditor might be limited by its geographical reach, he explained.
   “By pooling it together we can leverage the regional strengths of the six different audit bodies,” Purtell said.
   Another benefit of the co-op is the accountability and oversight built into the program. Audit firms are assigned audits on a rotating basis to keep their workload even, which also helps ensure the inspections are objective. Inspectors tend to make more thorough reviews knowing that somebody is coming in behind them in the near future and will check their work.
   In addition to the “check the checker” policy, SCAN performs random checks on audit bodies to ensure the accuracy of their work. And the SCM software can track how auditors score each set of criteria and compare them to sort out if a company is overzealous, or too lax. As more companies join SCAN, there will be more business for the audit service providers, Blackorby said.
   SCAN began the collective audit approach for security because that is the area companies audit the most, but other corporate standards, such as sustainability, eventually could be rolled into the SCAN program, as long as companies agree on common audit criteria, Eric Travis, associate manager for customs and trade compliance at pharmaceutical firm Celgene, said. For more information on the program, visit the SCAN website.