• Our Company
  • About Us
  • Philosophy
  • Key Facts
  • History
  • Leadership
• Core Services
  • Supply Chain Solutions
  • Transportation
  • Customs & Compliance
  • Distribution
  • Order Management
  • Risk Management
• Customer Solutions
  • Industries
  • Project Cargo
  • Network Solutions
  • Tradeflow
  • Tradewin
• Technology
  • Our Systems
  • Online Tools
• Sustainability
  • Our Program
  • Environmental Stewardship
  • Health & Safety
  • Social Responsibility

• Our Company
  • About Us
  • Philosophy
  • Key Facts
  • History
  • Leadership
• Core Services
  • Supply Chain Solutions
  • Transportation
  • Customs & Compliance
  • Distribution
  • Order Management
  • Risk Management
• Customer Solutions
  • Industries
    • Aviation & Aerospace
    • Healthcare
    • Oil & Energy
    • Retail & Fashion
  • Project Cargo
  • Network Solutions
  • Tradeflow
    • Tradeflow Centres
    • Sign In
  • Tradewin
• Technology
  • Our Systems
  • Online Tools
• Sustainability
  • Our Program
  • Environmental Stewardship
    • Customers
    • Service Providers
    • Accomplishments
  • Health & Safety
  • Social Responsibility
    • Branch Events
    • Corporate Initiatives
• Careers
  • Working At Expeditors
  • Our Culture
  • Current Openings
• News & Media
  • Featured Information
  • In the Press
  • Expeditors Newsflash

< All 2010 Featured Information

C-TPAT's 5 Step Risk Assessment

Securing Your Assets, People and Brand

Keeping up with security related threats to your supply chain is a challenge, whether they are on an organizational, national or global scale. As conditions change, strategies must evolve so you remain one step ahead of the issues.

On July 16, 2010, U.S. Customs and Border Protection (CBP) posted a process guide that discussed the suggested process importers should apply when assessing supply chain security. This guide, entitled C-TPAT 5 Step Risk Assessment Process Guide, was created in order to "assist C-TPAT (Customs-Trade Partnership Against Terrorism) partners with conducting a risk assessment of their international supply chain(s) in accordance with C-TPAT minimum criteria."

C-TPAT is a voluntary program between U.S. Customs and Border Protection and members of the import and logistics community. Since its creation in 2001, the primary goal of C-TPAT is to raise the overall level of supply chain security in an effort to reduce threats posed by international terrorism. As of March there were 9,675 C-TPAT partners; CBP predicts that number will reach 10,000 by the end of 2010.

At the 2010 annual C-TPAT conference, CBP clarified what they are looking for when asking importers to "conduct a comprehensive assessment of their international supply chains based upon C-TPAT security criteria." CBP relayed that C-TPAT members and applicants have been conducting comprehensive domestic risk assessments of their facilities and processes within the United States, but are not thoroughly scrutinizing potential threats and vulnerabilities that exist prior to arrival in the U.S. They introduced the 5 Step Risk Assessment Process to demonstrate the type of analysis that should be taking place.

The 5 Step Risk Assessment is published on the CBP website and specifies a suggested method to assess a company's vulnerabilities and risks. However, the guide is not inclusive of all that is required and will not fit every business model. At its core, a documented Risk Assessment involves analyzing security threats and vulnerabilities associated with a C-TPAT member's international supply chain from the point of origin until they reach their final destination in the United States.

The 5 Step Risk Assessment Processes

1. Map Cargo Flow and Identify Business Partners
   (directly or indirectly contracted)
   

   Mapping out the entire supply chain allows the importer to highlight when and where cargo is most vulnerable so they can take action. It is important to analyze all parties involved in a shipment from the point of origin to final destination in order to verify that none have been overlooked, such as foreign inland drayage providers or other agents handling paperwork.

2. Conduct a Threat Assessment
   

   The Threat Assessment is a holistic evaluation of all possible threats to the supply chain, and must be based on quantitative evidence. Evidence from trusted open sourced websites and local, state and federal authorities can be a great resource to identify regional threats.

   A Threat Assessment should be conducted for all regions in the supply chain and should focus on these key items: terrorism, contraband smuggling, human smuggling, organized crime, and any other conditions in a country or region that may foster such threats.

   Threats should be rated as high, medium or low. Not all countries and regions pose the same threat, and as a result, it might be determined that low risk countries do not require analysis under steps 3 and 4.

3. Conduct a Vulnerability Assessment
   

   The Vulnerability Assessment should be of all business partners and service providers throughout the supply chain. Vulnerability should be rated as high, medium or low.

   When warranted by medium or high-level threats, a Vulnerability Assessment is a further evaluation of suppliers' compliance with the C-TPAT minimum security criteria. Such criteria include the following categories: Business Partner Requirements; Securing Instruments of International Traffic; Procedural Security; Physical Security; Physical Access Controls; Personnel Security; Security and Threat Awareness Training; and Information Technology Security. Examples of ways in which a Vulnerability Assessment can be conducted include a security questionnaire, an on-site assessment, a review of cycle times with transit points, or an annual business review.

4. Prepare an Action Plan
   

   When deficiencies or vulnerabilities are discovered in any part of the supply chain, a corrective action plan must be established with service providers to identify the areas of improvement. The next steps are to prioritize the deficiencies, nominate who is responsible, and establish documentation for dates of completion and verification.

5. Document How the Risk Assessment was Conducted
   

   Written procedures must reflect the policies and processes in place for international Risk Assessments. Ownership within the company must be assigned for responsibility of duties. Other things that need to be documented are dates and frequency of assessments, as well as training and follow up procedures. The 5 Step Risk Assessment guide is not inclusive of every scenario or threat that exists. However, it is intended to show the level of planning and effort that is needed to adequately address threats and vulnerabilities. For new applicants, this process must be in place before applying for C-TPAT certification and current C-TPAT members must conduct and confirm risk assessments annually.

Strategies Going Forward

Conducting a Risk Assessment is a combination of evaluating threats, vulnerabilities and consequences. Although it may be difficult for an individual company to mitigate specific regional threats, like political unrest, it is important to understand that companies can focus on correcting vulnerabilities and mitigating consequences through their business partner relationships and through a properly documented Risk Assessment process.

With experience and innovation on our side, Expeditors' wholly owned subsidiary, Tradewin®, can offer guidance on Risk Assessment methodologies required for importers applying to be a part of the C-TPAT program. Our services include full application assistance with access to our proprietary web based service, Vendor Validations. Vendor Validations can process online security questionnaires sent to your suppliers, which can help with cargo flow maps and Vulnerability Assessments.

Jeff Trimble
Tradewin Consultant
jeff.trimble@tradewin.net