Supply Chain Security Management Systems The ISO Link


1 Supply Chain Security Management Systems The ISO Link

2 Topics
- Security threats, risks and vulnerabilities
- Impact on Business
- Initiatives in the Region
- ISO Family of Standards
- Who's got ISO28000 and who wants it

3 Security threats, risks and vulnerabilities

4 Threats, vulnerabilities and risks
Factors impacting upon your security strengths.
- THREAT: Something that presents itself as potentially harmful to your business.
  - Internal threats
  - External threats
- VULNERABILITY: Weaknesses or flaws in the existing protection mechanisms
- RISK: The probability that a threat will be realised and the likely consequences

5 Threat scenarios
- Intrude or take control of an asset
- Use of the supply chain as a means of smuggling
- Information tampering
- Cargo integrity
- Unauthorized use of the supply chain
- Others

6 What are the potential threats?
Internal
- Employees or contractors with a real or perceived grievance
- Business partners with real or perceived grievances
- Poor internal security by staff
External
- Organised Crime: Theft, smuggling, tampering etc.
- Criminal opportunists
- Terrorism
- Competitors
- Activist
- Pranksters

7 What is the potential risk?
- What is the likelihood of an incident occurring?
  - Threats coupled with vulnerabilities
- What are the consequences of a major security incident?
  - Damage to tangibles? (physical assets: property, products, infrastructure, personnel)
  - Damage to intangibles? (the non-physical assets: reputation, market position, goodwill)
- The harm to business may include:
  - Business integrity
  - Reputation
  - Injury or serious harm to persons and property
  - Clients' property
  - Standing in industry community regulatory issues

8 What are the potential vulnerabilities?
- Weaknesses in the security management system
- Physical protection deficiencies
- Flawed access control procedures
- Not knowing the integrity of staff and contractors
- Uncontrolled access to data and proprietary information
- Poor security practices

9 What is adequate security?
Depending on the outcome of the security risk assessment to grade and prioritize risks, adequate security may vary from Maximum Security to Natural Features.

10 Impact on Business

12 Some figures
- Global transit losses: $30 to $50 billion per year.
- Typically 2% to 8% income reduction for Fortune 500 companies.
- Probably 80% of cargo thefts are made-to-order thefts.
- Threat rated severe in Brazil, Russia, South Africa, Indonesia, Nigeria and Malaysia.
- Cost of an effective terrorist attack using the supply chain as a vehicle is incalculable but would probably bankrupt some businesses in the chain.

13 More figures
Study by Stamford Bridge University into the benefits from investment in supply chain security (based on South American Trade 2005):
- Customs inspections down by 48%
- Automated handling of imports up 43%
- Transit times down by 29%
- On time shipping to clients up 30%
- Theft down 38%
- Inventory down 14%

14 A study conducted by the Massachusetts Institute of Technology in June 2006 quantified the collateral benefits companies could receive from investment in supply chain security. The study showed that those who invest enjoy a 48% reduction in inspections, a 50% improvement in asset visibility, 31% shorter problem resolution time, and a 38% reduction in theft, loss and pilferage. With results like these, it is hard to argue against investing in effective supply chain security.

15 Initiatives in the Region

16 Initiatives in the Region
- Canadian Border Services Agency (CBSA)
  - $11.4 m. to be spent to strengthen PIP program
  - to enable members to maximize benefits
  - to enable harmonization with C-TPAT (U.S.)
  - announced Jan. 12, 2007
- Customs & Border Patrol (U.S.)
  - Sea Carrier Security Criteria (effective March 1, 2006)
  - Business Partner Requirements
    - must ensure marine terminal has pertinent security measures in place and adhered to
    - must ensure chartered vessels have pertinent security measures in place and adhered to

17 ISO The thread with other International Security Initiatives
- World Customs Organisation (WCO): 144 signatories to date. SAFE Framework of Standards requires potential Authorised Economic Operators (AEO) to implement security measures including a Security Management System.
- C-TPAT and CSI (US Customs and Border Protection): Requires a risk-based system to be implemented. Resolving infrastructure vulnerabilities and breaches of integrity.
- ISPS: Port Facility Security Plans require a risk-based security management plan to be applied.
- Canada Border Security Agency (PIP), Partners in Protection: CBSA working on compatibility with C-TPAT and WCO requirements

18 Supply Chain Security Initiatives
- Global (Voluntary): WCO SFoS, AEO; TAPA
- Global (Mandatory): IMO ISPS; Dangerous Goods
- Americas (Voluntary): C-TPAT, CSI; PIP (Canada); BASC (Latin)
- EU (Voluntary): StairSec (SE); Secure Operator; EU - AEO
- Asia Pacific (Voluntary): WCO SFoS; C-TPAT; STP (Singapore)
ISO SUPPLY CHAIN SECURITY MANAGEMENT SYSTEM
- Security Management
- Physical Security
- Personnel Security
- Information Security
- Goods and Conveyance Security
- Closed/Secure Cargo Transport Units

19 ISO Family of Standards

20 ISO/DIS 28000

21 The Series Standards and codes of practice for supply chain security
These standards have been developed to complement the various international initiatives to facilitate uniform implementation worldwide.
- ISO/DIS Supply chain security management
  - Published Sept
  - Risk-based model
  - Plan, Do, Check, Act principles
  - Designed for 1st, 2nd & 3rd party auditing
- ISO/PAS Supply chain best practices
  - Best practice for implementing Supply Chain Security, assessments and plans
  - Aligned with WCO Framework of Standards
- ISO/PAS Requirements for bodies providing audit and certification
- ISO/DIS Guidance for ISO/PAS 28000

22 28000 Family - Summary
- Developed in response to demand from industry against a background of varying international security regimes.
- Generic management specification to improve the security in supply chains.
- Requires organisations to:
  - assess the security environment in which it operates
  - determine if adequate security measures are in place
  - improve performance
- Designed to be a sound foundation for complying efficiently with other international, national and sector based security requirements and schemes.

23 ELEMENTS OF ISO28000
- General requirements
- Security management policy
- Security risk assessment and planning
- Legal, statutory and other security regulatory regulations
- Security management objectives, targets and programmes

24 ELEMENTS OF ISO28000
- Structure, authority and responsibilities for security management
- Competence, training and awareness
- Communication
- Document and data control
- Operational control
- Emergency preparedness, response and security recovery

25 ELEMENTS OF ISO28000
- Security performance measurement and monitoring
- System evaluation
- Security related failures, incidents, nonconformances, and corrective and preventive action
- Control of records
- Audit program
- Management review and continual improvement

26 Security Management
- Security Policy
- Security Management Plan, including Security Risk Assessments
- Compliance with industry standards (Nat. & Int.)
- Information management procedures
- Business partner security requirements
- Validation (own & partners)

27 Physical Security
- Site and building security: physical integrity and layout
- Perimeter security
- Access control procedures
- ID cards
- Security technology
- Secure storage
- Asset management
- Security staff activities

28 Personnel Security
- Employee security
- Employee integrity vetting prior to and during employment
- Employee education and training
- Security awareness
- Access control procedures: physical and IT

29 Information Security
- Information security procedures
- Access procedures
- Data security
- Shipping data procedures
- Manifest management procedures
- Customs data exchange
- Compliance with regulatory and industry standards

30 Goods and Conveyance Security
- Security procedures for access management and control
- Cargo operations supervision
- Cargo integrity procedures
- Incident alarm and reporting procedures
- Use of intelligence procedures

31 Closed/Secure Cargo Transport Units
- Seal integrity procedures
- Cargo stuffing
- Tamper detection
- Recording
- Inspection procedures
- Custody handover
- Discrepancies procedures
- Cargo transport unit integrity procedures

32 Who's got ISO28000 and who wants it

33 Dubai Ports World
- 46 Ports
- 24 Ports in Asia planned for ISO
- Hong Kong 1 Korea Remainder in 2008/9
- DPW were denied C-TPAT membership when they first applied. After attaining ISO/PAS they have been invited back by the US Customs and Border Protection.

34 Who is looking at implementing ISO presently?
As of 1 May 2007:
- In the USA, 5 Ports are applying for ISO Certification
- Far East: 3 Ports / Terminal Operators (other than DPW)
- 1 Airline
- 2 Government Institutions
- 5 Major international manufacturers
- 4 Major International Freight Forwarders
- 7 Logistics Companies

35 ISO SUPPLY CHAIN SECURITY: A RISK MANAGEMENT APPROACH
Security risk assessment: a systematic and documented process of determining security threats, vulnerabilities and risk directly relevant to protecting the property, personnel and information of the organization/company.

36 What next for your business?
Does your business need a Security Management System? If yes:
- Confirm senior management commitment
- Conduct a gap analysis
- Design and deploy a system
- Determine roles & responsibilities
- Implement training & processes
Plan, Do, Check, Act
Should your upstream/downstream supply chain partners also apply the same standard to ensure the continued security of the supply chain?

37 Supply Chain Security Management Systems The ISO Link THANK YOU