The US C-TPAT program has continued to evolve since its inception in late 2001. As a requirement of the program, members must complete an international supply chain security risk assessment and, to meet the minimum criteria, are expected to have a documented process for determining and addressing security risks throughout their international supply chain.
This risk assessment is not only required as part of the application process, but it should also be incorporated into the member’s Annual Security Profile Review. To assist program members with this process, CBP developed the “5-Step Risk Assessment Process”. Is your company wondering how best to implement this process? Are you concerned that implementing the process will be administratively burdensome?
The 5-Step Risk Assessment Process consists of the following steps:
- Mapping Cargo and Business Partners
- Conducting a Threat Assessment
- Conducting a Security Vulnerability Assessment
- Preparing an Action Plan to Address Vulnerabilities
- Documenting How the Security Risk Assessment is Conducted
This exact format is not mandatory, but a risk assessment process must be in place and must incorporate these components; how you do this is flexible. Let’s break this down into a more manageable process.
Mapping cargo and business partners can seem like an impossible task for companies that have a vast number of suppliers. So before mapping hundreds of trade lanes, look at the areas of highest threat and map those, drilling down deeper within the supply chain to identify further areas of risk.
When conducting a risk assessment, values used for scoring are up to the individual company. The point is to go through the exercise and identify where the threats are and how severe the risk is. After this is done, you can move to the next step of conducting a security vulnerability assessment.
This step was designed to assist in identifying gaps or weaknesses in the supply chain that deviate from the standards. Vulnerability assessments should be done on business partners as well as internal departments, and are typically conducted via a questionnaire or survey. Although the minimum standards will be based on the C-TPAT criteria for this particular example, the assessment could go above and beyond the program criteria, and the standards would vary if conducting a risk assessment on an area other than C-TPAT/security. Many companies still perform this step manually with the use of Excel spreadsheets and email. This can be very administratively burdensome, especially for large corporations that may be working with thousands of suppliers/partners. This is one area where automation can be a huge time-saver and can improve accuracy.
A solid vulnerability assessment will identify those gaps/weaknesses that need to be addressed — but that is only one step. A successful risk management program includes implementation of an action plan to close those gaps, or at a minimum, mitigate the exposure that exists. Combining this information with threat scores and potential consequences can help prioritize actions that need to be taken.
The final step is documenting how you are conducting risk assessments. CBP’s mantra has always been — show us, don’t tell us.
CBP has stated that the focus will continue to be on segmenting high risk vs. low risk. This is more effective than the prospect of 100% scanning. Not only does CBP prefer to deal with safety and security from a risk standpoint, they expect the trade to do so as well. In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order.
For more on the 5-step risk assessment process, best practices and how it can be used for other trusted trader programs, check out the on-demand webcast presented by Integration Point. You can access the on-demand version via Webex.