IFSECInsider-Logo-Square-23

Author Bio ▼

IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
September 20, 2008

Nothing found. Please check your show/episode id.

Download

State of Physical Access Trend Report 2024

Freedom of movement

Did you know that, at some stage, 93% of the world’s goods are transported by container? Whether it’s a 6,000 TEU (twenty-foot equivalent units) container ship attempting to enter the Port of San Francisco or a 40-tonne haulage vehicle nursing its load across the French/German border, time is always of the essence.

The dynamic of freight movement was altered almost single-handedly by Al-Qaeda’s attack on the World Trade Centre. International organisations began to take a serious look at how they transport goods around the world, and what security they needed to put in place for doing so.

Post-9/11, the first worldwide initiative to ramp up security standards was driven jointly by the International Maritime Organisation (IMO) and the World Customs Organisation (WCO). The International Ship and Port Facility Security (ISPS) Code demands that all vessels weighing over 500 gross tonnes and sailing international waters must have a security certificate attained through a programme of Ship Security Assessments (SSAs) and a Ship Security Plan (SSP).

The ISPS Code also applies to ports servicing such vessels, with all relevant facilities requiring a Port Facility Security Plan (PFSP). Both initiatives are reliant on the introduction of a formal security management system which is risk-based, dynamic and requires re-certification every three years.

For its part, the United States Government elected to introduce a new body – the Department for Homeland Security – from which it derived the US Customs and Border Protection (CBP) service.

The first and, arguably, most effective wave of preventing further terrorist attacks – and, indeed, any criminal activities against US borders – came with the introduction of a number of strategies including the Container Security Initiative (CSI) and the 24-hour rule. Perhaps the most important initiative of them all, though, is the Customs Trade Partnership Against Terrorism (C-TPAT), a radical project first introduced two months after 9/11.

The global supply chain

C-TPAT demands that all international companies wishing to import goods by whatever mode – ie air, land or sea – have to meet stringent regulations and criteria in terms of the protection of the global supply chain prior to the introduction of their goods within the United States.

To achieve C-TPAT status (it’s a voluntary scheme, by the way), importers are required to provide proof they have taken sufficient security and risk management steps to protect those areas of the supply chain pertinent to their goods by introducing an effective security management system. Should imported goods meet C-TPAT requirements, CBP may reduce inspections at the port of entry, expedite processing at the border and/or introduce further significant benefits (such as ‘front of line’ inspection and penalty mitigation) for the ‘client’ in question.

Certification is only granted if importers can deliver C-TPAT Best Practice (10,000 companies now hold such certification). To do so, they must meet certain criteria. For one thing, security measures have to exceed the minimum standards laid down by C-TPAT. Robust and transparent management support must be incorporated as standard.

Written policies and procedures governing the use of security measures have to be in place, with an appropriate system of checks and balances. There must also be measures set down in stone to ensure continuity and contingency effectiveness.

The very basis of C-TPAT certification is to ensure that the potential importer is involved in a robust risk analysis programme that:

  • identifies risks and the creation of remedies;
  • taps into existing resources;
  • makes sure key personnel are always well informed.

The risk analysis itself may be carried out by CBP security specialists or by self-assessment using the risk analysis framework provided by US Customs and Border Protection.

Business Partner Requirements

An extremely important element of the C-TPAT programme is the Business Partner Requirements Initiative, wherein it’s common practice for a certificated company to require that all business partners accept and implement the C-TPAT security criteria if they (ie the Business Partners) wish to continue to do business. That requirement might be part of contractual obligations, rendering Business Partners subject to screening and random security audits that duly verify their compliance with the necessary regulations and laws.

There’s a heavy reliance on technology in terms of container seals – now incorporating Radio Frequency Identification (RFID) risk management technology – and ‘smart boxes’ which alert end users to any tampering with a trailer or illegal access gained as a result. Similarly, there are also reliances placed on robust reporting systems such as the transmission of advanced information, and the establishment of global reporting and incident response procedures.

Certain requirements focus on aspects of physical security, among them screening and vetting, security officer training, standards of operation and all-round security awareness.

Authorised Economic Operators

While C-TPAT is not only a US-based scheme but also a voluntary one, the global overarching initiative which meets the security requirements of the World Customs Organisation (WCO) is the Authorised Economic Operator (AEO) scheme (see panel ‘AEOs: secure traders and reliable partners’).

AEOs who meet criteria specified by customs officials should be entitled to participate in simplified and rapid release procedures on the provision of minimum information. They ought to reap the benefits from this, such as the faster processing of goods by customs (eg through reduced examination rates). In turn, this translates into both time and cost savings.

One of the main tenets of the WCO’s Framework is to create a single set of international standards and establish some degree of uniformity and predictability. It also reduces multiple and complex reporting requirements. These processes will ensure that AEOs see immediate benefits for their investment in good security systems and practices, including reduced risk-targeting assessments and inspections and expedited processing of their goods.

There are a number of stipulations applicant AEOs are required to meet. In terms of security requirements, the potential AEO will be expected to carry out – or have already conducted – a security and risk assessment based on guidelines explained in the Framework.

AEOs must understand the business, clarify the objectives and then identify, assess and respond to risks. In terms of understanding the business, the potential AEO will be expected to prove that relevant Stakeholders have a robust comprehension of what the business actually does. Customs authorities must gain an insight into the operator’s business. An essential part of understanding the business is having a clear view on the operators’ processes (the logistical chain of goods consignments).

In general, whether risks are relevant must be judged in view of the objectives of the customs organisation, and the kind of facilitation and benefits for which the operator is applying. When the objectives are clarified, they can then be explained to the economic operator to determine that expectations are in line with what the AEO programme both requires and offers.

Identify, assess… and respond

In the context of the global supply chain, ‘risk’ means the likelihood of a security threat occurring in connection with the entry, exit and/or transit of goods. When the Customs authorities have an operator in focus and the objectives are clear, they can determine whether potential risks are relevant for that specific individual operator. They can also form an opinion of the measures the operator has instigated to deal with these risks.

All identified risks should be assessed by prioritising them through an evaluation of the likely impact on customs objectives, and the possibility of a given risk materialising.

Risks are part of doing business. It’s the intention that the Customs administration understands the significant risks, sets boundaries for risk taking and applies responses tailor-made for the purpose. In theory, the granting of AEO status complete with the consequent facilitation/simplification may begin as soon as all risks can be covered.

One problem which has been identified, of course, is that not all organisations harbour the skills – or have the time – to carry out the above process as one which is generally covered by professional risk analysts and assessors.

PAS ISO 28000:2005

A potential means towards achieving the necessary security and risk standards demanded by the AEO scheme is to examine the feasibility of PAS ISO 28000:2005, which looks at the introduction of a security management system within the supply chain.

This Publicly Available Specification (PAS) was first developed in response to demand from industry for a security management standard within the supply chain. In essence, it’s a high level management standard that enables an organisation to establish an overall supply chain security management system.

The PAS requires a given organisation to assess the security environment in which it operates, and subsequently determine whether or not adequate security measures are in place. There’s also a consideration of other regulatory requirements that already exist with which the organisation complies.

In terms of the supply chain security risk assessment, this is covered in the holistic standard by the subsidiary ISO 28001 (which deals with Best Practice custody in supply chain security). This section asks a number of pertinent questions and deliberates over a variety of issues, including the identification of existing security measures.

Achieve continuous improvement

The structure of ISO 28000 – and the approach to quality management, albeit with the introduction of a security management system – is seen as compatible with ISO 14001 and ISO 17001. Its implementation shouldn’t be a culture shock to those companies which already have a quality approach.

Implementation means that ISO 28000-accredited logistics companies move very closely to AEO accreditation, and this will impact tremendously on the fast movement of goods throughout Europe.

There’s little doubt that, in the short term, the threats to the global supply chain from either general crime or terrorism are unlikely to recede. Logistics is a fast-moving industry, with freighters having to come to terms with several hurdles while continuing to transit their goods through a number of continents.

In the US, CBP oversees the predominant security initiative which is C-TPAT, whereby importers are perceived to have to jump through a number of security hoops before they can trade. In Europe, there’s going to be a dependency on ISO 28000/AEO status in order that logistics companies may traverse borders with minimum disruption.

It’s hoped that the US authorities will recognise AEO status and, therefore, make it easier for companies to manoeuvre their wares through American ports.

Whether it’s access to a US port or moving across the borders of mainland Europe and beyond, if the freighter is involved in a ‘just in time’ operation then wasted hours at border crossings must be eliminated. They will if forward-thinking logistics companies sign up to AEO status and ISO 28000.

Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted