Security is a cost of doing business, and it's not going away. The question is: Can security become an inherent design element in our business processes the way safety has?
Jade Rodysill's question is not rhetorical. Rodysill, Accenture's (www.accenture.com) senior manager, supply chain management practice, says we must integrate security into our supply chain management paradigm along with other common elements that are already there: asset-management, inventory management, quality control, import/export compliance, etc.
Reiterating Rodysill's view, other security experts suggest we are living with a false sense of security when it comes to our supply chains. Highly publicized progress on the Container Security Initiative (CSI), the Customs-Trade Partnership Against Terrorism (C-TPAT) and other initiatives notwithstanding, security is still largely a voluntary act and much of the technology that shows promise relative to supply chain security is still in the planning or prototype stages.
As if to counter any skepticism that, "of course security specialists see a gap — they have a product or service to sell," a new al Qaeda threat surfaced in a taped message attributed to Osama bin Laden on January 19.
The taped message from top terrorist bin Laden drives home the point when the speaker claims al Qaeda's failure to carry out further terror attacks in the U.S. has nothing to do with an inability to breach our latest security measures.
U.S. companies are struggling with a benefit-driven point of view that makes it difficult to build a business case for security investments. Among the challenges, shippers don't have an activity-based view of costs relative to security, explains Rodysill. While it's important to build a business case or find potential benefits for applying technology to security, "These tend to be investments people watch," Rodysill continues. "You have to generate a return on investment (ROI) on the first one."
Selling avoidance doesn't put hard numbers to the case. Consistently avoiding a three-hour delay at a border or not having goods stopped for inspection implies a cost, but for a company that has not experienced a plant shutdown or other disruption, the pain may not seem real.
Hardening the target, as security professionals describe the process, can lead to lower cargo losses from theft. Whether a goal of better security or a consequence of efforts to reduce vulnerability to a terror attack, cargo theft can be quantified.
"Cargo theft costs supply chain companies over $50 billion in losses every year," says Denis duNann, CEO of SCIntegrity (www.sc-integrity.net), a supplier of cargo theft prevention solutions.
One logistics professional at a consumer electronics firm says he managed to eliminate cargo theft and inventory shrinkage over a period of months. He took that information to his employer and was told that the data could be an anomaly. After another few months with no losses, he returned with his data to a still-skeptical management. In the end, it took him 18 months to get recognition (and reward) for the accomplishment.
Though he wouldn't offer specifics on prior losses, he did say the figures were in the millions of dollars. Asked if he was able to convince the company's insurance carrier that the reduced risk warranted a lower premium, he laughed and referred to his experience convincing his own management of the benefit of improved security.
Benefits of better security may also be spread across different budgets within the organization, making them hard to root out. However, supply chain risks may be a little easier to target.
High on the U.S. government list of threats is the introduction of a radiologic device or "dirty bomb." The concern is that such a device could be introduced into a container of goods imported into the U.S.
An estimated 30% to 40% of shipments imported to the U.S. are consolidated, multiplying the number of " partners" in the supply chain that must be vetted. Transfer points and drayage moves are points of high vulnerability. The Container Security Initiative has placed U.S. Customs officials at 41 ports around the world with a goal of prescreening suspect containers.
C-TPAT, the government's voluntary program to improve supply chain security, drew 10,000 applicants as of May 2005, says the U.S. Bureau of Customs and Border Protection (CBP) (www.cbp.gov). The imports represented by those companies account for over 40% of imports by value. However, 20% of C-TPAT applicants were rejected. Only 150 of the companies had reached Tier Three, the highest level of compliance under C-TPAT. Also, purely domestic third-party logistics providers (3PLs) aren't eligible for C-TPAT.
To reach Tier Three, a company has to submit a security plan, which is evaluated and approved by CBP. It then has to demonstrate it will meet security requirements. It can have no significant compliance or law enforcement problems. Its security programs must be validated, and it has to pass a security audit. Its security practices must be judged best practice and exceed requirements, and the company has to use "smart boxes" ( containers with intrusion alert technology).
Another high-risk area identified by officials of the Transportation Security Administration (TSA) is hazardous materials transport and storage. The U.S. freight rail system covers 140,000 route miles, says Kip Hawley, assistant secretary of TSA. The nation's railroads haul over 64% of the toxic inhalation hazard chemicals, he adds.
Seeking to avoid problems on the road, TSA screened 2.7 million drivers with hazardous materials endorsements. Only 74 individuals were referred to law enforcement, according to Justin Oberman, assistant director, transportation threat assessment and credentialing at TSA. Only a few of those had links to terrorism.
Since that initial screening, additional fingerprint-based checks have been introduced and are being extended to all new and renewal hazardous materials endorsements.
For hazardous materials received by truck, rail, or water, the U.S. Department of Transportation (DOT) and the U.S. Coast Guard (www.uscg.mil) are requiring site security plans. Attorneys Scott Dismukes and David Rockman of legal firm Eckert Seamans Cherin & Mellott LLC (www.eckertseamans.com) estimate nearly 4,000 sites pose various risks. They say 110 plants pose a risk to populations of over 1 million, over 700 sites pose a risk to communities of over 100,000, and 3,000 sites could affect 10,000 people within one to two miles of the site if an incident were to occur at that site.
The DOT has issued rules requiring written security plans for sites receiving hazardous materials. The plans must assess risk, impose measures to provide security, and train employees and contractors on security plans. The rules also call for background checks on employees and steps to prevent unauthorized access to the site. In addition, the plan must include security of hazardous materials while en route. Deadline for training employees is March 24, 2006.
The U.S. Coast Guard site requirements are even stricter, say Dismukes and Rockman. The Coast Guard requires sites receiving hazardous materials by water to have a security officer responsible for compliance, planning, recordkeeping and implementation. There are minimum requirements for the position based on experience or training. Security plans must be submitted for approval, but when approved they are good for five years. The facility security officer is responsible for performing security drills every three months and at least one security exercise per year.
The pressure is on to make security part of corporate culture or, as Accenture's Rodysill describes it, an inherent design element. If terrorists succeed in another attack on U.S. soil, government officials have offered reassurances that companies with the highest levels of supply chain security will receive priority where imports continue to flow or will be the first to see their flows restored in the case of a disruption.
As difficult as it may be to sell security on not experiencing border delays, not having goods stopped for inspection, not being subject to a fine, and not having cargo stolen, the point where your company experiences quantifiable costs resulting from poor security is a point too far and, depending on the magnitude of the incident, could be a point of no return.
Learn more about supply chain security and technology at: www.logisticstoday.com/regulation.