
Best Practices

C-TPAT 5-Step Risk Assessment Process

17th Annual T&T Conference


April 3, 2013

Karen Lobdell
Director Global Solutions
Integration Point

1
Is This Your Current Process?

2
CBP's Approach to Risk Assessment

2001/2002: Loosely defined set of C-TPAT criteria

2003/2010: Company profile identifying existing procedures to meet criteria
Criteria is amended and becomes more customized by entity
(Re)Validations become tighter as bar is raised by the trade and CBP
SCSSs gain experience

April 2010: International Security Risk Assessment requirement bulletin is issued

5-Step Risk Assessment Guide is provided by CBP

CBP begins incorporating into the application process and (Re)Validations

3
Risky Business

Definition of Risk: General: Probability or threat of a damage, injury, liability, loss, or other negative occurrence, caused by external or internal vulnerabilities, and which may be neutralized through premeditated action

Threats: likelihood of occurrence

Vulnerabilities: weaknesses or gaps in security from the established standards

Consequences: impact of adverse occurrences

4
One Size Does Not Fit All

Numerous factors impact risk


Geographic regions of operations
Volumes and number of supply chains
Complexity of the supply chain
Commodity/Industry
Types/number of business partners
Resource availability

5
5-Step Risk Assessment Process

Conducting a vulnerability assessment (in accordance with C-TPAT criteria)

Conducting a threat assessment

Preparing an action plan

Mapping cargo flow & identifying business partners

Documenting how risk assessments are conducted

6
5 Step Risk Assessment Process

7
Conduct a Risk Assessment

What are the threats?


Use open source resources to assist with this process

Assess the vulnerability


Identify gaps in security standards

Identify consequences (such as lost customers, brand reputation, financial impact)

Assign a risk score to each; combine the risk scores to determine the overall risk rating

8
#1 - Conduct a Threat Assessment

Minimum areas to focus on include:


Terrorism
Contraband
Organized Crime
Human Smuggling
Other considerations:
Hijacking
Cargo theft
Product tampering
IPR violations
Political unrest
Corruption
Financial instability
Natural disasters

9
Threat Assessment

After conducting the appropriate research, assign a threat score

Low: no recent incidents, no intelligence
Medium: no recent incidents, some intelligence
High: recent incidents and intelligence

10
Resources

Third Party Consultants


Insurance Providers
Open Source Data
CBP SCSSs
Business colleagues
Social Networking (e.g., LinkedIn Groups)
Conferences (e.g., CBP C-TPAT)
Internal company resources (Risk Management Dept)
Associations (e.g., BASC, TAPA, etc.)
Local/State Law Enforcement
ITRAC data

11
No Cost Open Source Data

Customs & Border Protection: www.cbp.gov
CIA World Factbook: https://www.cia.gov/library/publications/the-world-factbook/
Dept. of State Annual Country Reports on Terrorism: http://www.state.gov/j/ct/rls/crt/2011/
Overseas Security Advisory Council (OSAC): www.OSAC.gov
World Bank (Fragile States): www.worldbank.org
Transparency International Corruption Perception Index: http://cpi.transparency.org/cpi2011/
AON Risk Maps: http://www.aon.com/risk-services/terrorism-risk-map/register.jsp
D&B Country Risk: http://www.dnbcountryrisk.com/

12
Country Threat Analysis

13
#2 - Conducting a Vulnerability Assessment

Designed to identify gaps or weaknesses from identified standards

C-TPAT criteria would be the applicable measurements

A vulnerability score should be identified


Low risk: Meets all musts and shoulds
Medium Risk: Meets all musts, no shoulds met
High Risk: Just one must is not met

Vulnerability assessments should be done on business partners, as well as internal departments

14
Conducting a Vulnerability Assessment

C-TPAT Criteria / Standards:


Business partner requirements
Conveyance security
Procedural security
IT security
Physical security
Physical access controls
Personnel security
Security & Threat Awareness Training

Methods could include surveys, third party audits, in-house personnel (on-site is preferred)

15
Assessing Business Partner Risk

C-TPAT VULNERABILITY ASSESSMENT

Supplier Name/Address:
Point of Contact:
Date of Review:

| Supply Chain Process | C-TPAT Security Criteria | C-TPAT Sub-Criteria | M = Must, S = Should | Method to Verify | Vulnerabilities Identified | Risk Rating (sub-criteria) | Risk Rating (Criteria) | Best Practices |
| Foreign Supplier | Business Partner Requirements | Screens Subcontracted Source | M | | | | | |
| | | Verifies Partners as C-TPAT Certified (if eligible) | M | | | | | |
| | | Verifies Partners' adherence to C-TPAT criteria (if not eligible) | M | | | | | |
| | | Participation in foreign customs administration security program | S | | | | | |
| | | Conducts periodic reviews of Partner's facilities and processes | S | | | | | |

16
Supplier Results Database

17
Consequences

Although CBP does not spell this out in their guidelines, it is a key component of any risk assessment

What is the impact to your business of a security incident/breach?

Potential outcomes:
Damage to brand reputation
Loss of program status / benefits
Financial
Delays value of the cargo
Increased scrutiny by government agencies
Decrease in sourcing options/flexibility

18
#3 - Preparing an Action Plan

Use your risk ratings to prioritize corrective actions
Define the deficiencies
Assign a responsible party
Have a deadline
Follow up & verify!
Re-calculate the party's risk score if appropriate
Action plans should be documented

19
Sample Action Plan

20
#3 - Preparing an Action Plan

21
#4 - Mapping / Cargo Flow

Mapping cargo flow for all potential supply chains may be unrealistic

Focus on those posing the highest risk or exposure

Drill down within trade lanes to identify the vulnerabilities

Apply corrective actions accordingly

22
Trade Lane Mapping Analysis

23
#5 - Document How Risk Assessments Are Conducted

A Risk Assessment Process should be part of standard policy/procedures and include:

When established
Who is responsible (have backups)
When assessments are done & on whom
How frequently
How often the policy is reviewed
Process for each of the steps
Training
Management oversight

24
Effective Risk Management

Have a documented risk assessment process in place


Written and verifiable procedures for continuity

Identify, characterize and assess threats

Focus on lowering the highest risk areas first

Have an action plan to address deficiencies


Prioritize, responsible party, deadlines, track

Conduct periodic risk assessment reviews to determine changes in your risk profile

You may not be able to change a threat, but you can impact vulnerability and consequences

25
Best Practices

Top-down commitment to the program should be evident

Review the criteria upfront and understand the obligations before applying

Assemble a (C-TPAT) team that is cross-functional

Consider use of third party resources where it makes sense
Conduct the requisite annual self-assessment and keep the portal current
Follow up on questionnaires and inquiries to business partners in a timely manner
Keep a consistent point of contact for the program
Automate where it makes sense

26
Automate or Perish

Managing the 5-step risk assessment process, especially business partner requirements, can be administratively burdensome.

Consider the paperless alternatives
On demand
Standardized
Single database
Proactive
Risk calculations
Verifiable for validation purposes

27
Coming Attractions

C-TPAT for Exports

Portal 2.0

C-TPAT/ISA Merger?

28
Karen Lobdell
Director Global Solutions
Integration Point
KLobdell@IntegrationPoint.com
Tel: (704) 576-3678 X-1179

29
