Once an enterprise understands its supply chain and analyzed its potential risks, it can implement an effective supply-chain risk management program with its partners, that is, its suppliers, carriers, and logistics providers. Such a program should have at least three elements: protecting the supply chain, responding to events, and continuing business operations while recovering from events.
Protecting and Securing the Supply Chain
An effective supply-chain risk management program must ensure that an enterprise and its partners implement appropriate measures to fully secure goods and their components from the point of origin to final destination. Supply chain security is essential from two perspectives. First, firms need to prevent loss from theft or damage. Second, they need to prevent unauthorized intrusion into shipments that could enable insertion of contraband (drugs, weapons, bombs, human trafficking, counterfeit goods, etc), loss of intellectual property or technology contained in the shipments, and tampering (insertion of harmful elements such as poisons or “Trojan horses” in computing goods).
Effective supply chain security and protection includes basic standards for physical security, access controls, personnel security, education and training, procedural security, information-technology (IT) security, business-partner security, and conveyance security from the point of origin to final destination within your supply chain.
Enterprises and their partners may assess their effectiveness with these measures through self-evaluation. For example, pharmaceutical and electronic goods companies may have high value shipments that are at far more risk for theft than other commodities.
- Physical security. Suppliers, shippers, and logistics partners should have physical-security deterrents to prevent unauthorized access to their facilities and all cargo shipments. Such features may include perimeter fencing, controlled entry and exit points, guards or access controls, parking controls, locking devices and key controls, adequate lighting, and alarm systems and video-surveillance cameras.
- Access controls. Access controls must prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect firm assets. They should include the positive identification of all employees, visitors, and vendors at all points of entry and use of badges for employees and visitors. Firms should have in place procedures to identify, challenge, and address unauthorized persons.
- Personnel security. Enterprises and their partners should screen prospective employees (in ways consistent with local regulations) and verify employment application information prior to employment. This can include background checks on educational and employment background and possible criminal records, with periodic subsequent checks performed for cause or sensitivity of an employee’s position. Firms and their partners should also have procedures in place to remove badges, uniforms, and facility and IT-system access for terminated employees.
- Education and training. Firms and their partners should establish and maintain a security-training program to educate and build employee awareness of proper security procedures. Best practices include training on the threat posed by criminals, terrorists, and contraband smugglers at each point in the supply chain as well as on ethical conduct and the avoidance of corruption, fraud, and exploitation. Enterprises and their partners may especially wish to ensure employees in shipping and receiving understand proper supply-chain security measures. Education and training should also include documented procedure for employees to report security incidents or suspicious behavior.
- Procedural security. As noted above, firms and their partners should establish, document, and communicate procedural security measures to employees. Such documentation may include a security manual, published policy, or an employee handbook. Documentation should include procedures for issuing accessing devices, identifying and challenging unauthorized or unidentified persons, removing access for terminated employees, IT security and standards, reporting of security incidents or suspicious behavior, inspection of containers before packing, and managing access and security to shipping containers. For shipping, such procedures should include security for shipment documentation, shipping and receiving, and packaging.
- IT security. IT security measures should ensure automated systems are protected from unauthorized access and that information related to shipment routing and timing is protected. This should include password protection (including periodic changing of passwords) and accountability (including a system to identify any improper access or alteration).
- Business-partner security. A supply-chain security program must ensure that any supply chain partner, as well as any further sub-contracted suppliers or logistics service providers, employ practices to ensure the security of all shipments. Any partner used in the manufacturing, packaging, or transportation of shipments must have documented processes for the selection of sub-contractors to ensure they can provide adequate supply-chain security. Suppliers should ensure that any parties handling shipments be knowledgeable of and able to demonstrate through written or electronic communication that they are meeting security guidelines.
- Conveyance security. Transportation, particularly drayage (inland truck support), may be the most vulnerable point of the supply chain. Procedures that suppliers and shippers should follow include inspection and sealing of containers (cf. ISO 17712:2010 on sealing containers), storage of containers, and shipment routing through freight forwarders or carriers who are certified in a recognized supply-chain security program or who otherwise demonstrate compliance with a firm’s SCRM guidelines.
