Lloyds Register Quality Assurance - Improving performance, reducing risk


Supply chain assurance

Is there international security?

01/12/2010

A recent article in Supply Chain Asia Magazine looks at how achieving effective global supply chain security is a task fraught with challenge. It is written by Peter Boyce, Senior business manager of security management systems within LRQA Asia.

Achieving effective global supply chain security is a task fraught with challenge. Adoption of national-level regulations by customs authorities is causing growing problems of mutual recognition and spreading uncertainty amongst the millions of SMEs that sit at the heart of the global supply chain.

Article written by Peter Boyce, Senior business manager of security management systems within LRQA Asia.

The world needs secure supply chains. Counterfeiting, smuggling, theft, corruption, contamination and terrorism all present very real risks to the stability of global trade and, in turn, the well-being of the wider communities we live and work in.

The challenges to achieving supply chain security are considerable, and the issue is recognised by most governments. Today, the World Customs Organisation (WCO) ‘SAFE’ Framework of Standards, which sets out to ‘establish, enable and enhance integrated and robust international supply chain security’, has received pledges of support from more than 90 percent of WCO’s 175 member countries.

In itself, SAFE is a solid, well-crafted framework that has, at its heart, a set of guidelines for the establishment of an internationally recognised ‘secure trader’ or ‘Authorised Economic Operator’ (AEO) standard. The AEO defines 13 criteria that, when read in context, establish solid guidance for security objectives. It is also here, within the 13 criteria, that we find the fundamental weakness of the framework.

A world of uncertainty

To date, none of the member countries that have introduced, or are in the process of developing, an AEO or an equivalent scheme has met the 13 security and operational criteria required by the WCO SAFE for AEO. Of the countries that have implemented an interpreted version of the WCO SAFE AEO, all but one (Taiwan) have imposed requirements that are prescriptive and that are not risk-based or focused on the user’s business security needs. In all, this has resulted in delays in implementing the WCO AEO initiative and has caused concern to supply chain businesses.

Furthermore, there is an inclination by national governments to stamp their individual national interpretation on the WCO SAFE AEO scheme. The resulting national AEO schemes are not comparable and, accordingly, are counter-productive to the development of an effective international AEO scheme. The majority of those affected are SMEs, and many businesses are faced with the quandary of which scheme to apply. Where mutual recognition does not exist, or the mutual recognition is qualified (as is the case in most situations), they may be required to implement a number of schemes, depending on where their supply chains lead to.

Another specific requirement under SAFE is that the AEO process is validated by a third party. Again, this is not occurring in all cases.

The next government-produced obstacle to widespread adoption of AEO is the prescriptive requirements imposed by customs, in checklist fashion, regardless of the size of a business, its location or operational needs. Many customs programmes have interpreted SAFE as being a non-flexible set of requirements with a ‘one-size-fits-all’ outcome. This overlooks the opening paragraph of the WCO AEO guidance, which specifically states that the requirements should be selected, and indeed applied, based on risk.

For example, most AEO schemes specify that the businesses adopting the scheme should conduct a security risk assessment (SRA). There is no mention that the selection and use of the specified security requirements outlined in the national or regional AEO should be based on, or address, the security risk identified through the SRA process and focus on the requirements of the business user. This is in stark contrast to good business practice and contrary to the principles of risk management.

Gulf of needs

Many customs departments are heavily focused on the prevention of terrorism, which in today’s society warrants attention, but it is very rare for commercial and business issues to be brought into this equation. Admittedly, the attacks behind the global focus on terrorism (9/11, London and Madrid) did not specifically target the average ‘supply chain’ operator, but businesses were still affected in some way or other. The fact that customs barely discuss the security issues that affect the international trading community shows the gulf between the supply chain security objectives of governments and the actual everyday commercial needs of businesses.

A further concern is that different government departments, even within a single jurisdiction, are developing separate and at times different security programmes and calling them ‘supply chain security’ schemes. In the food and drug arena, both the EU and US are developing or have put in place ‘supply chain security’ programmes. The global chemical industry also has ‘supply chain security’ programmes across different jurisdictions.

All of these differ from, and are often not consistent with, the WCO AEO, which in turn poses an additional challenge to business. What mandatory schemes must a business comply with to remain legally compliant, and what voluntary schemes should a business comply with to remain commercially competitive? The ever-growing range of security schemes just brings uncertainty to SMEs.

Another challenge for government is the ever-growing set of complex ‘Rules of Origin’ requirements that attempt to verify details of consignor and location of origin. For example, one of the Rules of Origin requirements sets out to establish that ‘Happy Hats of Hainan’ exists, produces hats, is a legitimate business and is located in Hainan. Currently there is no universal mechanism for confirming these requirements.

A solid solution

There is a very good solution, in the guise of ISO 28000 – Security Management Systems for the Supply Chain. ISO 28000 (28K) defines a best practice methodology for managing supply chain security needs. Under 28K, there are three over-arching requirements for establishing the business security management system.

  1. Legal and statutory conformance and compliance with regulatory standards to which the organisation subscribes.

  2. Identify, analyse and evaluate the security risk for the organisation.

  3. Manage the security risks.

The WCO and ISO standards working as one allow for a performance-focused, results-driven outcome that, when applied correctly, addresses the requirements of the national customs departments but, at the same time, is user-defined and flexible enough to encourage the proactive participation of all businesses, including SMEs.

The importance of certification and verification

Certification of a supply chain security management system provides an independent demonstration that the supply chain security management system of the organisation:

  • conforms to specified requirements

  • is capable of consistently achieving its stated policy and objectives

  • is effectively implemented

The WCO SAFE clearly states that it is mandatory for a customs AEO scheme to employ a validation or quality accreditation (authorisation) process. Additionally, the WCO SAFE states that although the national customs departments retain authority for accrediting an AEO, independent third party validators may be used to perform the assessments.

Certification of a supply chain security management system provides value to the organisation, its customers and interested parties, including regulators.

Use of third party validators should not inhibit mutual recognition between customs administrations. Registered, competent and accredited certification bodies (CB) are professional auditing organisations highly experienced in the evaluation of performance processes. CBs are required to meet specific audit and internal management guidelines (ISO 17021 & ISO 19011) and should be ‘accredited’ after having been audited against the relevant ISO. With ISO 28000, there are additional internal security and security competency requirements specified in ISO 28003.

But not all accreditation is equal. Customs authorities should not rely on CB ‘accreditation’ and should audit and license ‘Approved AEO Validators’ as well as monitor ongoing performance. Certification Bodies assessing ISO 28000-based systems (including those with AEO requirements) are required to conduct audits in two stages and continue to confirm performance through periodic surveillance (ISO 28003).

The two-part audit process ensures that organisations first accurately identify security-related risks to their operations and to that part of the supply chain for which they are responsible, and then manage those risks consistent with their operational objectives and legal/regulatory requirements.

It is essential that any certification body delivering services in respect of third party audit of an AEO using ISO 28000 is assessed against ISO 28003 as a suitable service provider in respect of AEO/ISO 28000 certification.

Critical requirements include but are not limited to the CB having documented processes and procedures for:

  • guidelines for assessment of the security management systems

  • service delivery guidelines, including internal quality and performance suitable for multinational delivery

  • internal security

  • identification and management of risks associated with service delivery

  • staff security clearance and identification

  • information security and integrity

  • assessor training and competency

  • internal audit and improvement

The benefits of utilising third party auditing include customs authorities realising measurable resource and cost benefits by auditing and managing a relatively small number of certification bodies, as opposed to thousands of businesses. AEO businesses are not mandated to apply potentially costly security measures unless the risk-based need exists.

Customs authorities will benefit from creating the assurance that the approved certificates from other countries have been issued to the same standards and requirements. This can be achieved by ensuring that the certification bodies in those other countries have been selected and approved using the same selection and management criteria, with international accreditation being the first requirement.

Maintaining security

An advantage for customs and businesses of having an AEO programme managed and certified under ISO 28000 is that, under certification requirements, there is an ongoing surveillance process over the three-year life of a certificate, which avoids the three-year ‘fix and forget’ cycle evident in some programmes.

For ISO 28000, surveillance confirms that:

  • the client has updated their SRA in accordance with their plan, and their statement of frequency reflects any major security incident or changes to threats, vulnerabilities and assets, or operational and environmental variations

  • the risk treatment plan is reviewed for progress with actions, and security incidents are managed effectively

  • the management review includes consideration of performance measurements and continuous improvement opportunities

In addition to the requirements specified, appropriate attention is focused on operational controls and on whether they are fit for purpose and meet the control measure objectives, i.e. what is the purpose of the access control system in allowing and/or denying access and egress to persons with differing access rights?

The multiple benefits of a risk-based approach

There are no negative implications in having a globally consistent AEO model that is managed through ISO 28000. Businesses benefit by applying a risk-based approach to identifying and addressing their security issues. Such an approach removes the costly minimum requirements prescribed under some present customs schemes and reduces duplication and uncertainty. In doing so, it offers confidence to the business community to actively participate in establishing internationally recognised security across a supply network.

Customs departments benefit by reducing their exposure to cost and resource extravagances by managing the quality of the global AEO schemes through a focus on the delivery of the performance auditing activities. It also allows customs departments to focus on the management of risk-based targeted inspection processes, regulatory compliance and revenue collection, thus leaving the performance auditing activities within the hands of organisations with a demonstrated competency. And it establishes a global mechanism for addressing a major issue under Rules of Origin.

The WCO SAFE is dependent upon the strengthening of customs/business cooperation, and 161 member countries have committed to achieving the SAFE Framework. Yet, at the moment, there appear to be different sets of security standards, and businesses seem to be expected to conform to them all. There appears to be a notable lack of cooperation or even understanding by customs authorities as to the plight of businesses, especially in the SME sector, the engine room of the supply chain.

ISO 28000 security management systems for the supply chain alongside WCO SAFE is clearly the practical and workable answer. The question is: why are the current frameworks so fragmented and complicated when a clear, international answer exists, one that offers resource and cost saving opportunities for both government and business?
