C-TPAT's Five Step Risk Assessment Process
U.S. CUSTOMS AND BORDER PROTECTION
Table of Contents
Risk Assessment
Threat Assessment
Vulnerability Assessment
Action Plan
Audit
The Customs-Trade Partnership Against Terrorism (C-TPAT) program is one layer in U.S. Customs and
those Partners that did not adequately address this Action Required were subsequently removed from the
program. Most C-TPAT Partners are conducting a comprehensive domestic risk assessment of their own
facilities and processes in the United States; however, many Partners are not assessing the potential threats
and vulnerabilities that may exist within their international supply chain from the point of manufacture/
packing/stuffing and at each transportation link within the chain, until the cargo reaches the final point of
distribution.
As part of the application process to join the C-TPAT program, applicants must be able to provide a
documented process of how the company assesses risk. Due to the unique nature of every Partner’s business
model, the risk assessments described below are only guides, and all companies should establish a process
that conforms to the needs of their business model, and not simply adopt a generic, externally provided
model. C-TPAT Partners must conduct a risk assessment at least annually in order to remain in the C-TPAT
program.
Even small Partners are required to have a documented Risk Assessment Process. In fact, the smaller a
Partner is, the easier it is to conduct a Risk Assessment. If, for example, a small highway carrier with an
established business model of hauling from a single manufacturer to a single U.S. importer, and not
soliciting other clients or using owner-operator truckers, desires to establish a Risk Assessment process,
it should take only several hours to conduct and document an effective process. The key is that Partners
are expected to implement a proactive approach and mentality to address risk in their supply chains, and
not simply shrug the issue off as being out of their control. Partners should keep in mind they have an
important resource to assist them in all security-related issues — their assigned C-TPAT Supply Chain
Security Specialist (SCSS).
Other concepts to keep in mind include that quantity does not necessarily define risk. An importer
who sources 300 shipments a year from a low risk source in a politically stable country with a low risk of
terrorism and smuggling should not disregard the risk of importing two shipments per year from a country
that has recently had a violent turnover in government, a high corruption index, or has a current history of
a low level of security. As a further example, an importer that receives 80% of its shipments from a specific
manufacturer may not have a low risk supply chain if the manufacturer selects foreign ground transportation
providers based solely on cost. From week to week or shipment to shipment, a manufacturer who frequently
changes carriers is much higher risk than a manufacturer who always uses the same foreign trucker who is
certified in an Authorized Economic Operator (AEO) program.
INTRODUCTION AND CONCEPTS
In addition to security, there are other issues that may cause delays in the movement of goods through
the initial publication many questions and suggestions regarding the other types of Partners in the C-TPAT
program have been received. Thus, this guide is broken into chapters for different types of business models,
though not necessarily by specific C-TPAT entity classifications. This is because some consolidators might
have business models similar to importers, while other consolidators might have models similar to brokers.
Third Party Logistics operators may have models similar to highway carriers or to consolidators, and
exporters may have models similar to foreign manufacturers.
The key to building a successful Risk Assessment Process is to ensure it is unique to your company’s
business model and practices. Generic, one-size-fits-all, “cookie cutter,” externally inflicted procedures can
lead to a false sense of security and an eventual breach of security.
As a lead in to the discussion of risk assessments, we will first define some terminology.
Risk Assessment
A Risk Assessment is analyzing external threats against company procedures to identify where vulnerabilities
exist, and what procedures can be implemented or improved to reduce such risk.
This may include ensuring (through process improvement, retraining, working with business partners,
etc.) that issues identified through analysis and audits as being vulnerabilities are successfully addressed. This
may often be something as simple as clarifying a written policy, automating a process, simplifying a form
to ensure more effective use of the form, or requiring the security guard to manually hold and examine
identification documents (as opposed to viewing ID as a person walks by). A Risk Assessment consists of
several components, including a Threat Assessment, Cargo and Data Flow, Vulnerability Assessment, and
audits of security procedures. These steps are further delineated on the following pages.
A Risk Assessment should also include how security procedures would be affected by natural and man-
made disasters, to include how backup systems will address these vulnerabilities. Such issues include power
outages; weather events such as hurricanes; earthquakes; civil unrest; and terrorist events. Partners seeking
to reduce the impact of such disasters should have documented business resumption procedures in place that
are periodically tested.
You will note throughout the minimum security criteria that expensive technology is not mandatory,
for in the end security relies upon the human component. This is why effective personnel screening and
security training are critical issues. As an example, no matter how complicated a computer password
is required by an Information Technology policy, if employees practice habits such as writing their
passwords on sticky notes or “concealing” them underneath keyboards, security is easily breached.
Threat Assessment
A Threat Assessment simply identifies threats to a Partner’s supply chain and business model that exist
within a country or region and that are external to, and outside the control of, the Partner. Examples
include terrorist activity, drug smuggling, hijacking, corruption levels, and human smuggling. Be aware
threats in one state or province of a country may differ from threats in other states and provinces
within the same country. Below you can see a snapshot of part of a Threat Assessment developed by a
C-TPAT Partner for the region (British Columbia) in which they operate. A full, blank version of this
document can be found for your use on the public CBP.gov website, under the C-TPAT Resource Library
and Job Aids.
Note: For C-TPAT purposes, a “3” for any Threat Risk Factor below results in a “High Risk” rating for the supply chain.
Partner: SP Trucking
Country/Region: Canada
Threat Assessments should use some type of risk scaling, but this need not be complex. For an importer
with dozens of supply chains, a numerical ranking system of 1–10 may be appropriate. For companies with
few variances in regions of operations, a limited number of supply chains, and a steady business model, a
simple high / medium / low system may be appropriate. The goal is to have a ranked output to determine
where your company should focus time, energy, and resources to reduce and mitigate risk.
In the previous Risk Assessment Guide C-TPAT provided numerous internet sites to aid in developing
a Threat Assessment. In this edition, internet sites are not being provided as there are literally thousands
of useful and informative websites available on this topic. It would thus be presumptuous to list only a few
of these sites, and considering the extreme variances and complexities within Partners’ business models,
perhaps counter-effective.
Vulnerability Assessment
A Vulnerability Assessment is identifying weaknesses in a company’s security procedures and supply chain
that can be used to the advantage of terrorists and other criminals identified in the Threat Assessment.
Internal audits and security reviews can be important instruments in identifying vulnerabilities. For example,
an internal audit of the company itself (such as an internal audit during the annual security profile review,
security questionnaires, and site visits conducted during business partner screening), could go into the overall
vulnerability assessment. Corrective actions based on the findings of internal audits and business partner
reviews can be implemented as part of the Action Plan. This is how the various actions taken by C-TPAT
Partners to address program requirements all interact and overlap to strengthen security overall.
C-TPAT Partners are required to determine and assess the level of risk business partners bring into the supply
chain. This is a requirement under the business partner screening section of the minimum security criteria, and
information developed as part of that process should be included in determining risk in the appropriate supply
chain. Typically, business partners should be analyzed against the appropriate minimum security criteria.
For example, the highway carrier minimum security criteria should be used as a tool to assess the practices
of, and risk level of, foreign and domestic highway carriers, even if those carriers do not physically cross
a border. Similarly, foreign freight forwarders and brokers should be analyzed using the consolidator and/or
broker minimum security criteria.
Consider on a personal basis:
Assigning High Risk Targets
You have recently purchased a new vehicle. The vehicle appears as number five on the most frequently
stolen vehicle list in the United States for the past two years. This is your Threat
Assessment, the external threat to your vehicle over which you have no control. You may need to further
research this issue on-line, or by contacting local police departments and insurance companies, to determine
if the threat in your area is higher or lower than the national average. Your insurance rate no doubt already
includes risk factors of national and local theft rates.
A Vulnerability Assessment is next, which describes where your vehicle is susceptible to theft, and should
include issues such as:
■■ Do you live in an area known for a high vehicle theft rate?
■■ Do you frequently use street parking at home and at restaurants, or do you lock the vehicle in your garage
and only use secure parking lots or valet parking?
■■ Do you live on an island connected to the mainland via only a single causeway?
Once these vulnerabilities are identified and documented, you are ready to proceed to the next step, completing
an Action Plan that will put into place procedures to reduce or mitigate the threats identified above.
Action Plan
An Action Plan consists of developing and implementing procedures and/or improvements to reduce
vulnerabilities once they have been identified and documented. In severe instances, a
company may decide to withdraw from a high risk supply chain. In some instances, additional direct
management oversight in daily operations might be deemed adequate to address the risks (e.g., posting
an employee who works directly for the importer at a high-risk foreign manufacturer). In others, the
Audit
An audit is a periodic documented review to ensure the procedures the company has in place are being
conducted and followed through on, as part of regular, every day procedures, and that records are
completed and properly filed. Audits may reveal security deficiencies, but do not replace, rather enhance,
a company’s Vulnerability Assessment. For a sample Audit procedure incorporating the entirety of the
minimum security criteria, see the chapter on Brokers.
system may be used, but is not appropriate for all business models.
Partners should be aware that Incoterms have little to do with security assessments for terrorism and
criminal activity. Incoterms are primarily directed towards cost, ownership, and insurance purposes. A
terrorist willing to explode a device within a U.S. harbor, or a human trafficker impersonating a legitimate
shipment through identity theft, cares not for legitimate ownership and insurance claims. The C-TPAT
Partners responsible for the importation and exportation of goods across U.S. borders, no matter where the
actual transfer of ownership occurs, are ultimately responsible for the security of that shipment, regardless
of the Incoterms. The acknowledgment of this fact, and the willingness to be proactive and energetic
in addressing supply chain security, is what separates C-TPAT Partners from those who are not Partners.
Companies that feel the requirements of the C-TPAT minimum security criteria are too burdensome are not
suited for the C-TPAT Program. For exporters particularly, it is critical shipments are protected from threats
to U.S. allies to whom shipments are destined. The reputation of the entire U.S. business community rests on
exporters being proactive and conscientious of their responsibilities concerning supply chain security. It is
thus critical for the survival of all C-TPAT Partners that they be aware of, and selective of, their business partners.
1. Mapping Cargo/Data Flow and Control and Identifying Business Partners (whether directly
or indirectly contracted) and how cargo moves throughout the supply chain to include modes of
transportation (air, sea, rail, or truck) and nodes (country of origin, transit points).
5. Documenting the Procedure for How Risk Assessments are Conducted, to Include Reviewing
and Revising the Procedure Periodically. The process itself should be reviewed and updated as
needed at least annually, and a Risk Assessment should be conducted — and documented — at least
annually, more frequently for highway carriers and high risk supply chains.
It is understood that some C-TPAT Partners have numerous supply chains, which may present a major task
when conducting a comprehensive security risk assessment of their international supply chains. Therefore,
it is recommended that C-TPAT Partners first identify their “High Risk” supply chains by conducting a threat
assessment at the point of origin/region and where the cargo is routed/transshipped, and then conducting
a comprehensive security vulnerability assessment of those supply chains. Subsequently the Partner should
1. Date the Risk Assessment Process was established by the Partner, and latest revision date.
2. Identify company personnel responsible for keeping the process up-to-date, including “back-up”
personnel.
3. When or how often a Risk Assessment must be conducted (e.g., annually, quarterly (recommended
especially for highway carriers); a new business partner in a supply chain; threat conditions change in a
country or region).
4. Required frequency of review and update to the actual Risk Assessment procedure (e.g., annually,
quarterly, etc.).
6. How Vulnerability Assessments on the International Supply Chain are to be conducted (e.g., verification
of C-TPAT/PIP/AEO Status, site visits by Quality Assurance Managers, analysis of completed security
questionnaires).
7. How follow-up is conducted on “action items” (e.g., site visits to address vulnerabilities, termination of
contracts).
Supply Chain Step | Type of Service Provided | Details About Business Partner | Issues to Consider
Highway Carrier (for both FCL and LCL) | Moves cargo from factory to consolidator and port of export | Super Secure Freight, Lebuh Relau, 11360 Bayan Lepas, Kuala Lumpur, Malaysia | Not eligible for C-TPAT; country has no AEO program

Supply Chain Step | Type of Service Provided | Details About Business Partner | Issues to Consider
Highway Carrier | Moves cargo from consolidator to port of export | Reliable Haulers, 168 Jalan Imbi, Kuala Lumpur, Malaysia | Not eligible for C-TPAT; country has no AEO program
Freight Forwarder | Processes paperwork for cargo export, including ISF | Global Freight Coordinators, No 32, 1st Floor, BBandung Lepas, Kuala Lumpur, Malaysia | Not eligible for C-TPAT; country has no AEO program
Port of Export | Stores and handles cargo prior to lading | Pelabuhan Klang, Malaysia | Meets ISPS requirements
Ocean Carrier | Moves cargo from port to port | Excellent Ocean Carriers, 626 Joro Blvd, Pelabuhan Klang, Malaysia | C-TPAT status verified in Portal.
Transhipment Port | Stores and handles cargo in between vessel movements | Kaohsiung, Taiwan | Taiwan AEO Certified, Certificate in Portal Document Exchange
Ocean Carrier | Moves cargo from port to port | Pacific Swells, 5th Floor, No. 2, Chung Cheng 3rd Rd., Xin-Xing District, Kaohsiung City, Taiwan | C-TPAT status verified in Portal.
Terminal Operator | Handles and stores cargo after unlading | Smith Terminal Facilities, Pier Z, Los Angeles, CA 90809 | C-TPAT status verified in Portal.
Domestic Drayage | Trucks cargo from ocean terminal to consolidator or ultimate destination | Porter Transportation, 301 Normandie, Torrance, CA 90518 | Not eligible, completed security questionnaire for this year on file
Deconsolidator | Cuts seal and unloads container prior to domestic delivery of cargo. | Ochoa Warehousing, 201 Del Amo, Wilmington, CA 90512 | Has no bond with CBP, thus not eligible. Security site visit conducted in past three months, results analyzed and on file. Three Actions Required. Uses outsourced day laborers; high risk.
Domestic Drayage | Trucks cargo from ocean terminal to consolidator or ultimate destination | Parsons Parcels and Trucking, 689 Opp St., Los Angeles, CA 90613 | Not eligible, completed security questionnaire on file from last month.
Importer | This is our company. | Everything Importers, Address of Receiving Facility | This is our company, see latest Internal Audit on security procedures.
For brokers that do not handle cargo, the primary item they possess and need to safeguard is information.
1. Cargo Mapping
■■ Cargo handler — similar to importer, with addition of broker example
■■ Non-cargo handler — use broker example
2. Vulnerability
■■ Cargo handler — similar to importer, with addition of broker example
■■ Non-cargo handler — use broker example
3. Threat
■■ Cargo handler — similar to importer, with addition of broker example
■■ Non-cargo handler — use broker example
4. Action Plan
5. Documented Procedure
The primary security task for brokers is to control who has access to their data and their clients’ data. A
full assessment of risks to the data can be identified through an internal audit that includes all aspects of
the minimum security criteria, to determine both if procedures are adequate and if security procedures are
being followed by employees. By controlling who the broker does business with and who has access to its
facilities and data systems, the broker can control who can access its information.
security procedures are followed on a daily, systemic basis, and that adherence to these standards is
adequately documented. Persons conducting audits on various processes should not be those responsible
for conducting the work regularly, but someone from another division or assignment. Results of the audits
should be documented, to include possible vulnerabilities identified, and suggestions on how to improve and
revise procedures.
The process used to conduct the first full risk assessment audit should be documented for future use. The
process should be conducted on a scheduled basis, and should include the persons responsible for the
completion of the project and those tasked with its parts.
All security-related procedures that have not yet been documented should be documented as part of the
first assessment. All procedures and policies should have issuance and revision dates. A broker must
consider all aspects of the minimum security criteria. A more detailed checklist of items that should be
reviewed, documented, and followed up on by the broker may be found at the end of this chapter.
Please remember that under the broker minimum security criteria, business partners are broken into two
categories: Importer Clients and Service Providers.
An Importer Client is a
company that approaches the broker and offers to pay the broker for services rendered to assist in clearing
cargo with CBP.
A Service Provider is a business partner selected by the broker to supply services to the broker. Examples
of the latter include a domestic drayage company; a de-consolidator; or a freight forwarder.
A visual for possible variations in screening these classes of partners is displayed here:
C-TPAT status queried, verified, and documented? | C-TPAT status queried, verified, and documented?
Status in foreign program queried, verified, and documented? | Status in foreign program queried, verified, and documented?
Status within ISO 28000 queried, verified, and documented? | Status within ISO 28000 queried, verified, and documented?
Credit checks verified and documented? | Credit checks verified and documented?
Business References verified and documented? | Business References verified and documented?
At the end of this chapter is a sample listing of some, but not all, of the items a broker might include on
its Internal Audit Checklist to ensure employees are conforming to company security procedures. The items
are broken down into these general C-TPAT criteria sections:
■■ Business Partners
■■ Procedural Security
■■ Physical Security
■■ Personnel Security
Audit Checklist
Chapter Two — Brokers
Business Partners
■■ Do all C-TPAT Partners show “certified” in the portal? If not, why not?
■■ If a previous C-TPAT partner now shows “not certified,” have the remaining steps in the
business partner screening process been conducted and documented?
■■ For all non-C-TPAT business partners, are records up to date with documented evidence of
the required additional screening? This might include copies of current PIP/AEO certificates;
completed copies of Security Questionnaires; documented reviews and analysis of completed
Security Questionnaire; documented site visits; documented follow up on weaknesses;
results of background queries, such as Specially Designated National queries, and industry
certifications.
■■ Have “extra scrutiny triggers” for the screening of business partners been reviewed and
updated?
■■ Has the company’s Preferred Provider List been rescreened and updated?
■■ Has the updated list been disseminated to employees and old lists destroyed?
■■ Has Outreach/Training on the C-TPAT program been conducted with non-C-TPAT partners?
■■ What topics were covered in the Outreach/Training (e.g., tracking and monitoring, conveyance
inspections, seal procedures, notification to our company and customs/law enforcement with
discrepancies, access controls, internal conspiracies, challenging strangers)?
■■ Have all business partners (both importer clients and service providers) been provided with
the broker’s contact information for security inquiries?
■■ Has the broker’s website been updated with C-TPAT information and valid links to CBP.gov?
Procedural
■■ Importer Security Filing — What score did our company receive on its latest Importer
■■ How and what information was requested from importer clients whose track record
requires improvement?
■■ Entry filing — What is the date of the last audit of entries filed with CBP?
■■ Visitor and Driver Logs — A manual review of all Visitor and Driver logs must be conducted.
■■ Are there additional items it would make sense to add to the logs?
importers. This Procedural Security breakdown is displayed below to assist brokers in drilling down to
determine the level of security procedures in place to protect data.
Physical Security
■■ Was a verification conducted to ensure that security cameras remained pointed on key areas?
■■ Describe what issues were identified and actions taken to address issues:
Access Controls
Access Device Logs
■■ Did a review of the issuance/retrieval of access device logs reveal any discrepancies? (e.g. any
ex-employees still shown as having keys, ID cards, alarm codes?)
■■ Building Inspections
Personnel
Review all personnel files of persons hired and separated since last assessment.
■■ Have all employees received mandatory training for their job position?
■■ What security topics were covered, and was training tailored to the responsibilities/jobs of the
employees?
[Employee training record table. Columns: Name, Job Title, then one column per training topic. Topic heading text as extracted: Documenting, Site Security, Challenging, Inspections, Inspections, Conducting, Suspicious, IT Security, Shipments, Reporting, Strangers, Employee, Activities, Abnormal, Package, Program, 17-Point, Criteria, C-TPAT, Safety, Mail /]
Woods, Porter | Operations Clerk | [Date] | N/A | N/A | [Date] | [Date] | [Date] | N/A | [Date] | [Date]
Adams, John | Dispatcher | [Date] | [Date] | [Date] | [Date] | [Date] | [Date] | N/A | [Date] | [Date]
Fraser, Alex | Mechanic | [Date] | [Date] | [Date] | [Date] | N/A | [Date] | N/A | N/A | N/A
Foss, Joseph | Driver | [Date] | [Date] | [Date] | [Date] | [Date] | [Date] | [Date] | N/A | N/A
N/A — Not applicable, this employee does not perform this activity/task.
[Date] — Last date this training was completed by this employee.
All training should be refreshed periodically, at least annually.
■■ If cloud storage is used, was business partner screening conducted on the provider?
Consolidator Partners in the C-TPAT program are not required to physically handle cargo, or even be
1. Cargo Mapping
■■ Cargo handler (foreign or domestic) — similar to importer and exporter
■■ Non-cargo handler — similar to broker
2. Vulnerability
■■ Cargo handler (foreign) — similar to foreign manufacturer
■■ Cargo handler (domestic) — similar to importer and exporter
■■ Non-cargo handler — similar to broker
3. Threat
■■ Cargo handler (foreign) — similar to foreign manufacturer
■■ Cargo handler (domestic) — similar to importer and exporter
■■ Non-cargo handler — similar to broker
4. Action Plan
5. Documented Procedure
If the company does not physically handle freight, instead functioning primarily as a freight forwarder
or “paper” consolidator, the Broker Risk Assessment model may best apply. If the consolidator is physically
handling imported freight, the importer model may apply, with modifications. For export-only consolidators,
a risk assessment process closer to that of a U.S. exporter may apply. For consolidators that also control the
operations at a foreign facility for cargo moving to the U.S., concepts from the foreign manufacturer risk
assessment process may be most applicable.
Obviously, consolidators are not typically in the business of selecting foreign manufacturers or foreign
in-country transportation providers. Manufacturers are typically selected by the consolidator’s client-importer,
and foreign in-country transportation providers are often selected by the consolidator’s foreign business
partner agents. To address this lack of control over selecting business partners, it is extremely important for
consolidators to address risk by selecting quality foreign agents, and to have strong and proactive outreach
and education programs on C-TPAT and equivalent AEO programs. “Pushing out” the C-TPAT minimum
security criteria to all levels of the supply chain through outreach and education, including to third and
fourth level business partners, is a critical minimum security criteria element for all C-TPAT Partners, and
becomes especially important when Partners have limited ability to select transportation providers in foreign
countries. The best-case scenario is to require all partners in all links in the supply chain to be AEO or
C-TPAT certified.
Chapter Three — Consolidators
As an example of the dangers of using generic, “cookie cutter” risk assessments, consider a consolidator
that does not handle cargo and has a single office located in a high-rise office building, but has elected to use
a generic risk assessment process provided by an external advisor. The only valuable item such a consolidator
possesses is information, but the generic process adopted from their advisor is actually formulated for
importers who physically handle their own cargo.
Now consider these vulnerabilities:
■■ A third-party janitorial service, selected by the building landlord, has metal keys allowing access for
cleaning on Sundays when the consolidator’s office is closed.
■■ The consolidator has no alarm system to record when the third party employees, who are completely
unknown and unscreened by the consolidator, actually enter and exit the office space.
■■ The consolidator assumes the janitors access the office only on Sunday evenings, but has no method to
verify this.
■■ No video camera system exists for the consolidator’s managers to review each morning to determine who
was in the office after hours, and what they were doing.
■■ The office photocopier’s electronic records are not reviewed to determine if photocopies are made outside
normal office hours.
■■ The consolidator’s IT contractor conducts no special checks or reports to determine if the company’s IT
system has been accessed or used outside normal business hours.
While the company has established a Risk Assessment process, it does not fit the company’s business
model and can lead to a false sense of security and eventual data theft. Is this the type of business partner
with whom you would willingly put your personal bank account or company identity information at risk?
Cross-border highway carriers’ business models have some similarities to brokers, in the sense both
Supply Chain Step | Type of Activity | Details About Partner | Issues to Consider
Transport to border | Movement of cargo from manufacturer to border. Loaded trailers never taken to our storage yard. | This is our company. Internal procedures, especially as related to tracking and monitoring, must address vulnerabilities. | Tight and overlapping tracking and monitoring of trucks must be in place, with direct management oversight and written procedures for when things go wrong.
Export broker | Company that provides border crossing paperwork and may transmit data to government agencies. | Mexico broker. Knows about shipment and details in advance. | Are Personnel and IT security at a high level?
Port of Entry to US | Wait time | What is typical wait and release time at each port of entry? | How exposed is conveyance while waiting in line?
US Import broker | Company that provides border crossing paperwork and may transmit data to CBP. | US broker. Knows about shipment and details in advance. | Are Personnel and IT security at a high level?
these steps in the carrier’s daily activities to determine where weaknesses and vulnerabilities exist. Once
these vulnerabilities are identified, an Action Plan to address such issues can be documented. A highway
carrier’s risk assessment will have more to do with addressing internal processes and vulnerabilities at points
of loading, as opposed to correcting weaknesses in clients’ internal processes, as the highway carrier is the
service provider. Nevertheless, there may come a time when a client’s processes are so high risk the highway
carrier may determine for its own safety to stop conducting business with that client.
Highway carriers that handle less than trailer load freight and use a spoke and hub consolidation network will
have a different set of issues to address than in the example above. Similarly, carriers using a pick up and
deliver (“milk run”) business model will have a more complex series of issues to consider.
■■ Weak oversight at office of tracking and monitoring procedures (e.g. dispatcher over-burdened, improperly
trained, not rotated randomly to avoid collusion with drivers)
■■ Use of subcontractors;
■■ Inappropriate delegation of authority to employees (e.g. allowing dispatchers to choose or approve clients
and other business partners);
■■ Infrequent visits to business partners at point of loading to discuss and inspect security;
■■ Security where loaded and empty conveyances and tractors are stored overnight;
■■ Time elapsed since last full investigation/check of driver (not simply DOT drug tests)
Where a manufacturer outsources or contracts elements of their supply chain, such as another
Supply Chain Step | Type of Service Provided | Details About Business Partner | Issues to Consider
Manufacturer | Manufacturing/Exporter | This is our company, Francisco Javier Clavijero | C-TPAT Certified
Highway Carrier (for both FCL and LCL) | Moves cargo from factory to port of export | Pedro Thomas Ruiz de Velasco | C-TPAT Status Verified in Portal
Export Broker | Processes paperwork for cargo export | José Guadalupe Posada | NEEC Eligible, application in process
U.S. Port of Entry | Wait time | What is typical wait and release time? | How exposed is conveyance while waiting in line?
U.S. Broker | Files import documentation at destination | Jose Mendoza Brokers | Not C-TPAT, but eligible. Why not C-TPAT? Investigation and Security Assessment must be conducted. Are Personnel and IT security at a high level?
Transport to destination in U.S. | Movement of cargo from border to destination/transfer yard. | This is our company. Internal procedures, especially as related to tracking and monitoring, must address vulnerabilities. Reporting delays and suspicious activities critical for driver. | Tight and overlapping tracking and monitoring of trucks must be in place, with direct management oversight and written procedures for when things go wrong.
Importer/Consignee | U.S. Importer client | Agerholm Importers, 524 Mesquite Drive, Laredo, Texas | C-TPAT Status Verified in Portal
Export Examination
Below is an example of how a U.S. exporter might document their supply chain.