Category Archives: Compliance

Optimizing Your Procurement Technology Investments


This post originally ran on March 24, 2009.

The Sourcing Interests Group recently ran an interesting article on “optimizing your procurement technology investments in 2009”. Although it had some good suggestions, my top five suggestions would be the following:

  1. Get Visibility Into Your Spend (Spend Analysis)
    If you don’t know how much you’re spending on each category, sub-category, product, and service, who you’re spending it on, in what amount, by unit, you need to get this visibility. Get a good spend analysis solution and dive in!
  2. Take Your Strategic Sourcing up a Notch (with e-Sourcing)
    Start with the most attractive savings opportunities that were outlined in step 1. This is your best bet to negotiate big savings in this downturn.
  3. Focus on Contract Compliance (adopt Contract Management)
    You need to enforce hard-won savings by ensuring that internal staff and suppliers are compliant with contractual agreements.
  4. Implement e-Procurement
    Done right, this will make it easy for your buyers to buy on contract.
  5. Get a Grip on Global Trade (adopt Trade Visibility solutions)
    Chances are your global sourcing endeavors are needlessly costing you more than you think! As per my recent Illumination on why you need trade visibility, you’re probably paying more than you need to on duty, using costly inefficient processes, paying unnecessary document preparation costs, and making costly errors that are costing you millions of dollars a year.

Understanding & Completing the C-TPAT 5-Step Risk Assessment Process

Today’s guest post is from Karen Lobdell, Director of Global Solutions at Integration Point.

The US C-TPAT program has continued to evolve since its inception in late 2001. As a requirement of the program, members must complete an international supply chain security risk assessment and are expected to have a documented process for determining and addressing security risks throughout their international supply chain to meet minimum criteria.

This risk assessment is not only required as part of the application process, but it should also be incorporated into the member’s Annual Security Profile Review. To assist program members with this process, CBP developed the “5-Step Risk Assessment Process”. Is your company wondering how best to implement this process? Are you concerned that implementing the process will be administratively burdensome?

The 5-Step Risk Assessment Process is comprised of the following steps:

  • Mapping Cargo and Business Partners
  • Conducting a Threat Assessment
  • Conducting a Security Vulnerability Assessment
  • Preparing an Action Plan to Address Vulnerabilities
  • Documenting How the Security Risk Assessment is Conducted

While this exact format is not mandatory, a risk assessment process must be in place and must incorporate these components; how you do this is flexible. Let’s break this down into a more manageable process.

Mapping cargo and business partners can seem like an impossible task for companies that have a vast number of suppliers. So before mapping hundreds of trade lanes, take a look at those areas of highest threat and map those to drill down deeper within the supply chain and identify further areas of risk.

When conducting a risk assessment, values used for scoring are up to the individual company. The point is to go through the exercise and identify where the threats are and how severe the risk is. After this is done, you can move to the next step of conducting a security vulnerability assessment.

This step was designed to assist in identifying gaps or weaknesses in the supply chain that deviate from the standards. Vulnerability assessments should be done on business partners as well as internal departments, and are typically conducted via a questionnaire or survey. Although the minimum standards will be based on the C-TPAT criteria for this particular example, assessment could go above and beyond the program criteria and the standards would vary if conducting a risk assessment on an area other than C-TPAT/security. Many companies still perform this step manually with the use of Excel spreadsheets and email. This can be very administratively burdensome – especially for large corporations that may be working with thousands of suppliers/partners. This is one area where automation can be a huge time-saver, as well as improve accuracy.

A solid vulnerability assessment will identify those gaps/weaknesses that need to be addressed — but that is only one step. A successful risk management program includes implementation of an action plan to close those gaps, or at a minimum, mitigate the exposure that exists. Combining this information with threat scores and potential consequences can help prioritize actions that need to be taken.

The final step is documenting how you are conducting risk assessments. CBP’s mantra has always been — show us, don’t tell us.

CBP has stated that the focus will continue to be on segmenting high risk vs. low risk. This is more effective than the prospect of 100% scanning. Not only does CBP prefer to deal with safety and security from a risk standpoint, they expect the trade to do so as well. In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order.

For more on the 5-step risk assessment process, best practices and how it can be used for other trusted trader programs, check out the on-demand webcast presented by Integration Point.

Thanks, Karen!

Doing Cross-Border Trade in Europe? Download this Free Handbook!

The Organization for Security and Co-operation in Europe (OSCE) recently released the “Handbook of Best Practices at Border Crossings — A Trade and Transport Facilitation Perspective” to assist the 56 OSCE participating States / UNECE member States in the development of more efficient border and customs policies through the promotion of existing best practices in the field. Clocking in at 268 pages and 5.7 MB, this e-book is filled with advice on the international legal framework; international co-operation; balancing security with trade and transport facilitation; policies for control, clearance, and transit of freight; risk management; border crossing point design; the use of information and communications technology for non-intrusive inspection; human resource management; and measuring performance. Given the wide array of legislation that an international organization can face, and given that this e-book is totally free, the doctor thinks it’s a must-have in your global trade e-Library.

As the handbook points out in chapter 3, there are five major categories of security threats that countries need to watch out for at their borders:

  • normal criminal acts
    such as car thefts on one side and chop shops on the other
  • technical violations
    such as lack of proper documentation
  • traditional organized crime
    that would include smuggling of weapons, people, and other contraband
  • terrorist threats
    that could result in attacks, destruction of property, and death
  • border management threats
    that would include corruption and abuse of power

These require a number of security procedures and controls to deal with. (The UK alone has 37 procedures, as outlined on page 57, that range from AEO [Authorised Economic Operators], CSI [Container Security Initiatives], and MATRA [Multi-Agency Threat and Risk Assessment] all the way to dangerous goods declarations, pre-ship notifications, and commercial insurance.) Some of these are compliant with the new WCO SAFE Framework, some are not. Either way you need to be aware of them, what impact they have, and how they can benefit you.

To really dive into the issues, and recommendations, download your FREE copy of the OSCE “Handbook of Best Practices at Border Crossings — A Trade and Transport Facilitation Perspective” today!

Best Practices of Trade Compliance

A recent article over on the ISM site entitled “A Steel Thread”, which discussed how import/export compliance management is part of the fabric of today’s global business world and how ignoring it could result in your shipment being flagged for intensive investigation, seized, or destroyed, did a good job of pointing out how federal trade compliance regulations have increased dramatically over the past several years. But this is not why SI liked it. It also did a good job of pointing out the roadblocks to compliance for an average Supply Management organization, starting from the fact that the sourcing and compliance teams often have different definitions of supply chain security. But this isn’t why SI liked it either. The reason SI likes it is because it summarizes six best practices of trade compliance that will significantly help an average Supply Management organization get its global trade processes and policies under control.

The six best practices it focusses on are:

  • Education and Training
    Let’s face it. The average supply management professional is probably not aware of the myriad of compliance and security legislations that an average category could be subject to when sourcing internationally. Training, which overviews the major legislations, the common sourced categories that might be covered under those legislations, and best practices to maximize the chances of compliance is a great place to start.
  • Senior Management Commitment
    We all know nothing takes root without senior management sponsorship, so making sure senior management understands the importance of a good trade compliance initiative and supports it is a great place to start. If you’re having trouble getting support, SI recommends that you start by pointing out the 88 Million Dollar Fine JP Morgan got for failing to comply with trade compliance legislation.
  • Written Policies and Procedures
    Once you’ve identified your best practice processes that minimize the chance of non-compliance, you need to write them down, create checklists, and make sure they are followed. The reality is that if you are found in non-compliance, you will be fined, even if it was 100% unintentional and you did everything you could to be in compliance, but if you can show you did your best, the severity of the fine and punishments levied will likely be minimal. The government agencies responsible for monitoring compliance aren’t out to shut businesses down or make trade unduly difficult, they are just trying to do their job and enforce the law. However, most of the acts only define maximum fines, not minimum ones, and it’s not common practice for them to severely punish good corporate citizens who have a process, follow the process, and do their best to ensure compliance for a small slip-up.
  • Connectivity with Business Units
    Not only is it impossible to do compliance in a vacuum, as the article points out, but it is the business units who often have the detailed data on products and services that you need to make proper compliance assessments. Working with them can eliminate issues before a shipment is even made.
  • Internal Assessment
    As the article points out, an internal self-assessment of compliance practices should be performed to gauge how well regulations are being met and how compliance is connecting with logistics, supply management, sales, shipping and receiving — and it should be done as soon as possible if you haven’t done one, and reviewed annually to see if all bases are still being covered. And it should be very well documented. This will help you if you are ever investigated for possibly running afoul of trade legislation.
  • Third Party Assessment
    In addition, as the article points out, once or twice a year, a “second set of eyes” should evaluate how trade compliance is being handled throughout the company to make sure you didn’t miss anything. This can turn the tide in your favour if non-compliance occurred somewhere along the supply chain, as you not only did your best to make sure you were in compliance, but had a third party that has expertise in supply chain audits do their best to verify that you are in compliance as well.

About the only critical best practice that they missed is:

  • Implement a Trade Compliance Platform
    The reality is that you can’t do all of this manually, or even attempt to track all of the relevant data manually. You need a technology solution to help you — one that centralizes all of the data and makes it all available to all of the people in your organization that need it, as well as to trusted partners that need, and are authorized to use, it.

There are other best practices, but if you start with this list, you will get most of the way there in short order.

How Long Before Your Company Has to Produce an Integrated Report?

Integrated Reporting, defined by the IIRC (International Integrated Reporting Council) as a new approach to corporate reporting that demonstrates the linkages between an organization’s strategy, governance and financial performance and the social, environmental and economic context within which it operates, is on the rise as companies try to demonstrate their focus on sustainability, an increasingly important issue to many consumers.

Of course, producing one is only the first challenge. As noted in this recent ISM article on how “Integrated Reports [are] on the Rise”, there is no universally accepted framework for integrated reporting, and it remains largely a voluntary practice. Given that this report is supposed to show the relationship between financial and non-financial performance, and how strong performance in environmental and social areas contributes to good financial performance, and that this report may include facts regarding potential trade-offs that might occur across financial and non-financial performance, it’s difficult to select an appropriate structure.

But given that some countries are now requiring such reports for public companies, it likely won’t be long before we see such a requirement in North America. For example, South Africa now requires all companies listed on the Johannesburg Stock Exchange to provide integrated reports (or explain why they are not doing so). France passed a law in 2010 for companies with 500 or more employees to include a section in their annual reports that describes the environmental and social consequences of their actions. Denmark requires its largest companies to include similar non-financial information in annual reporting, and the UK is making a push for similar legislation.

Given that about 100 companies from different industries and countries plan to use the IIRC framework to produce their own integrated report, and then provide feedback for future revisions, it’s likely that the IIRC framework will evolve into a standard, just like GAAP, but how long it will take will likely depend upon when additional legislation requiring integrated reporting comes into effect in the G-20.

So what does this have to do with Supply Management? As noted in the ISM article, which quoted Robert G. Eccles, Professor of Management Practice at Harvard Business School, Supply Management, by virtue of its function within an organization, is an ideal catalyst to spread integrated reporting. No one knows the impact of organizational activities better than Supply Management, so the requirement for integrated reporting will fall heavily on Supply Management.

The big issue, though, is how to make such a document a “living report”. As the supply chain evolves, so do the ramifications of the company’s activities on social and environmental ecosystems. Supply Management will need a solution that allows this information to be kept up to date. Will SIM (Supplier Information Management) systems step up to the challenge, or will an entirely new solution be needed?