“5SRAP:” Supply Chain Security Risk Assessment
A supply chain security risk assessment (“SCSRA”) examines the security threat environment and operational vulnerabilities associated with a C-TPAT member’s international supply chain. U.S. Customs Border and Protection (“CBP”) created the 5SRAP in order to help the C-TPAT member in evaluating risk.
Even though SCSRA is not a new requirement to the C-TPAT program, it enables C-TPAT members to recognize that evaluating supply chain security risk is not only a domestic issue for examining their own facilities and processes in the US, but it is also an international issue.
The SCSRA is a C-TPAT requirement for membership and maintenance of the program as well as for the validation and revalidation phase.
For the C-TPAT member that does not have a security staff, a C-TPAT budget or an employee dedicated to compliance issues, the 5SRAP is quite overwhelming and extremely time consuming. Many clients have asked “Is this program really worth it and where am I going to find the manpower to manage this new aspect of the C-TPAT program within the framework of their new guidelines?”
Is it worth it? Yes. The C-TPAT program has become the industry norm for companies that are eligible to join. Companies that are not eligible to join have trouble competing for business against companies that are members. As a result, non eligible C-TPAT companies are finding alternate methods of demonstrating to their present or potential customers that they are meeting the minimum security requirements.
How can you find the manpower? If companies have downsized and are cautious about adding new staff and spending a lot of money on a program just to maintain it, Norman Jaspan Associates, Inc. (“NJA”) works with the C-TPAT member as follows:
NJA has transformed Customs’ 5SRAP into a user friendly version that is easy to implement. NJA does not want the C-TPAT member to view the 5SRAP as a separate program but rather as a catalyst to heighten the awareness of all parties involved in the member’s supply chain.
The 5SRAP consists of the following:
1) Map Cargo Flow & Identify Supply Chain Business Partners.
NJA starts the 5SRAP by creating a supply chain flow chart which helps the C-TPAT member identify their exposure to risk. We begin with the foreign shipper and end with the importer or consignee regardless of whether the C-TPAT member is responsible for contracting the supply chain provider. The flow chart is a picture of how the cargo moves from the point of origin to destination. It includes:
- List of countries that cargo is exported from.
- Modes of transportation-air, sea, rail, truck.
- Transit points-consolidators, deconsolidators, ports, CFS
NJA uses this information as the basis for creating a unique procedure and analysis for company flow of goods which clearly explains to both the C-TPAT member’s employees and their Customs Security Specialist (SCSS) their operation flow.
2) Conduct a Threat Assessment
- Review the list of countries that you do business with based on dollar amount, volume and frequency. Verify C-TPAT membership if applicable, or certification in an equivalent security program administered by a foreign customs authority.
- Use the following security threats at the point of origin to identify the risk in the supply chain:
- Terrorism – Political, Bio, Agro & Cyber
- Contraband Smuggling
- Organized Crime
- Theft, pilferage, hijacking and piracy
- Conditions within a country which may foster any of the above threats.
NJA will assist you in calculating the different levels of threat by providing you with reliable sources that rate the risk level which is constantly being updated. Risk is calculated as follows:
The C-TPAT member should monitor the above levels of threat on a yearly basis or more frequently if it deems necessary. If a particular risk status changes to “High Risk”, they should carefully review the particular supply chain and alert the respective members on what actions should be taken to minimize risk.
3) Conduct a Vulnerability Assessment
In order to conduct a vulnerability assessment, you should send a security survey to your business partners who are NOT eligible to join the C-TPAT program, and do NOT participate in the C-TPAT or a “mutual recognition” program. Other sources of information that can be used in conjunction with the security survey are site visits by company representatives overseas personnel/agents or third party supply chain security assessments.
NJA has customized a C-TPAT security survey that incorporates all of the questions which will enable the C-TPAT member to conduct a vulnerability assessment. NJA’s security survey also incorporates an audit function which is a method for an independent party, as defined in NJA’s security survey, to verify the integrity of the answers that were give by the business partner. This function is particularly important for the C-TPAT member when preparing for the validation or revalidation phase.
4) Prepare an Action Plan.
Establish a corrective action plan to address all vulnerabilities found in the business partner’s security program. When creating an action plan, you must make recommendations that will change the status of your business partners from high or medium risk to low risk. Some of the categories that should be covered in the action plan include the following:
- Vulnerability identified
- Corrective action required
- Responsible company Point of Contact (POC)
- Responsible partner POC
- Progress Review date
- Corrective action deadline
- Evidence action taken
- Verified by and date
- Outcome of recommendation
5) Document How Risk Assessments are conducted
The purpose of creating a risk assessment procedure is to ensure that a responsible party as well as a “back up” employee will create and monitor the five step risk assessment on a regular basis. Some of the criteria that should be included in the procedure are as follows:
- Document Preparation
Please contact NJA to set up the 5 Step Risk Assessment program in a cost efficient manner which will minimize both your financial outlay and staffing requirements but will still enable you to identify and reduce risk throughout your whole supply chain.