Now it has.
US Customs and Border recently outlined a Five Step Risk Assessment Process. While not required to follow them blindly or at all (because “The C-TPAT program clearly understands there are a wide variety of business models”), companies applying to C-TPAT would be smart to hew as closely as possible to the five steps to increase their chances of getting certified, and companies already in C-TPAT should do the same to avoid putting their certification at risk.
CBP claims that the five steps are not new, but if not new, the information has never before been set out so clearly. In exchange for providing a “how to,” it certainly appears that CBP is expecting a great deal more from C-TPAT members. C-TPAT is no longer for companies that treat supply chain security with armchair indifference.
For example, you are now supposed to grade the threat level of your sourcing country based on six indicia:
- Terrorism (Political, Bio, Agro, Cyber)
- Contraband Smuggling
- Human Smuggling
- Organized Crime
- Conditions within a country which may foster any of the aforementioned threats (e.g. poverty, social unrest, political instability)
- Other: theft, pilferage, hijacking, piracy, and IPR.
You must assign a grade, or at least find a way to measure, the threat level. CBP suggests the following grades:
Low Risk - No recent incidents/intelligence/information.
Medium Risk – No recent incidents/some intelligence/information on possible activity.
High Risk – Recent incidents and intelligence/information.
While CBP offers a list of free resources to help you assess the threat level to your supply chain, it is clear that your company must expend a great deal of energy and resources collecting and analyzing intelligence on each country that you source from and on every entity in your supply chain. It is hard to imagine that companies will be able to do this on their own without the assistance of legal experts and consultants.
All C-TPAT members (brokers, consolidators, carriers, etc.), not just importers, are expected to abide by the five steps as much as possible. Small companies are not excused, and importers cannot rely on INCOTERMS to get around having to control and ensure supply chain security.
The five steps emphasize that subcontracting logistics and transportation increases your threat level and requires that you take additional due diligence steps to control your “business partners” (a C-TPAT term that does not have the same limited meaning as the legal term). Many international shipments are handled by third party logistics providers who, in turn, may further contract out transportation companies. The five steps do not describe how these companies would remedy the supply chain failing of “business partners,” but do suggest that education plays an important part. Some 3PLs also do not qualify for C-TPAT because they “double broker” and do not own any of the warehousing facilities or means of transportation.
The five steps provide wiggle room for companies that have not quite achieved all the C-TPAT criteria, but are committed to making improvements by “prescribing corrective actions with follow-up procedures to ensure weaknesses have been mitigated.”
CBP prepared an FAQ and a memo on how to do an a risk assessment. The publication offers five sample templates or checklists to help you make sure you are on target.
Here are the five steps:
- Mapping Cargo and Business Partners: Identify Business Partners and how cargo moves throughout the supply chain to include modes of transportation (air, sea, rail, or truck) and nodes (country of origin, transit points).
- Conducting a Threat Assessment: Identify such threats as Terrorism, Contraband / Human Smuggling, Organized Crime, or other Conditions which may increase the probability of a security breach.
- Conducting a Security Vulnerability Assessment: Based on C-TPAT minimum security criteria, determine if Business Partners have gaps, vulnerabilities, or weaknesses which may lead to a security breach.
- Preparing an Action Plan to Address Vulnerabilities: Developing a written strategy to address potential gaps, vulnerabilities, and weaknesses.
- Documenting How the Security Risk Assessment is Conducted: Writing the policies / procedures on who will be responsible for conducting the assessment; what will be included in the assessment; why the assessment must be conducted; when (how often) the assessment will be conducted; where the assessments will be conducted; and how the assessment will be conducted.