Strategic security

Supply chain security is now, and will continue to be, an integral component of business and trade landscapes. This is evident from a significant increase in regulatory compliance (for example in “voluntary” initiatives such as C-TPAT and Authorised Economic Operator (AEO)), threat awareness and a greater vulnerability of significant supply disruption caused by an unconnected event in another part of the world.

The increasing awareness in the benefits of supply chain security have made supply chain executives more willing to comply with the AEO and C-TPAT initiatives.

This is because the benefits of compliance with such initiatives have proven to have positive effects and can help a company to reduce operating costs and increase profit – when implemented correctly and supported by senior management. Indeed, it has been suggested by insurance companies that noncompliance could result in increased insurance premiums.

Worldwide, over 144 governments are planning to, or have, implemented a supply chain security standard which will be passed to industry for adoption. The “carrot” incentives to comply include expedited customs clearance, reduced inspections and access to other greenlane benefits. The “stick” incentives are obvious – noncompliance would restrict a company’s ability to remain competitive against its compliant peers.

Such has been the industry demand for an overarching, scalable and independently verifiable supply chain security management system that the ISO 28000 series was accelerated through the ISO process. Early adopters of ISO 28000 include DP World and the benefits that they have generated through implementation by Hart and third party certification are well documented.

ISO is not governed by any country or industry group. It can therefore develop standards impartially and objectively, thus providing a truly global standard. The standards produced by ISO are developed through committees consisting of industry experts and interested stakeholders from around the world. When adopted these standards provide a common basis to work from in developing standardised products and processes that can be used worldwide.

Whilst the media spotlight currently shines on terrorism, we cannot forget the more pervasive and statistically more realistic threats to small, medium and large businesses. Theft and other criminal activity, for example, are estimated to cost the maritime and logistics industry between US$30 – $50 billion per year. People and weapon smuggling (in some cases organised by criminal gangs with the profits going to fund terrorism) and the transportation of counterfeit goods are also serious problems.

Companies have three choices when facing supply chain security initiatives and ISO28000.

First of all, they can take the “Head in the Sand” approach, ignoring the necessity of security in the belief that the cost will be too steep in comparison to any benefit and hope that their customers and governments will forget about the importance of supply chain security. But governments are not about to forget – Unfortunately for those companies, supply chain security has become for governments more than an important issue; it has become a strategic issue.

Secondly, we have the “Minimalist” approach. Companies can do only what they are obliged to do – treating security simply as an add-on cost that should be minimized and reduced to the greatest extent possible. This approach, however, will do nothing to enhance their business value. It will also erode the value of supply chain security initiatives, as a chain is only as strong as its weakest list.

Thirdly, companies can be “Opportunists” and embrace ISO 28000 and supply chain security as a strategic issue. In a 2004 Conference Board Study, for example, 61 executives said that security investments can provide value for their companies and a positive return on investment.

And these executives have statistics to back their claim up. In a Stanford University study of 11 manufacturers and three innovative logistic providers, commercial benefits of supply chain security included a 26% reduction in customer attrition and 20% increase in number of new customers, a 38%
reduction in theft, loss and pilferage, a 37% reduction in tampering and a 30% reduction in problem identification and problem resolution time.

As a participant in the drafting committee of ISO 28000 and as a commercial entity itself, Hart understands that any investment a company makes must ultimately translate into commercial value and provide a positive return on that investment. ISO 28000 can be such an investment. Here are a few reasons why:

Companies that embrace ISO 28000, particularly during the early phases of its adoption, stand to benefit through increased market share and through customer retention. ISO 28000 provides an unambiguous demonstration that an organisation takes not only its own security seriously, but also the security of goods its customers expect it to protect. Over time, ISO 28000 will become the international benchmark for companies to demonstrate their commitment to security. Companies adopting the standard have also gained brand equity through the clear demonstration of their commitment to security.

ISO 28000 enshrines risk management as a proactive means of protecting the organisation. The standard takes a pragmatic and business-centric approach to risk management, promoting it as a central component of effective management. Most importantly, the standard ensures that key decision making, particularly in relation to the commitment of resources, is done based on a process of effective risk assessment.

ISO 28000 increases the resilience of the organisation in the face of increasing risk. This reduces the risk that the company will be irreparably damaged by incidents impacting its operations, financial health or reputation.

Implementation of ISO 28000 has significant potential to enhance the effective management of security resources, resulting in cost savings. Companies implementing ISO 28000 will very quickly be in a position to identify wasteful and inefficient resource management practices. This particularly applies to the management of the security budget, where the standard provides for an increased level of accountability at all levels.

Perhaps one of its most important benefits, the implementation of ISO 28000 within an organisation has a direct impact on improving the level of safety and security for employees. This will have an impact on levels of staff satisfaction and retention which will have an impact on customer satisfaction.

Management process compatibility can be integrated into the existing internationally recognised quality management processes of ISO14001 and ISO9001. ISO 28000 also takes into account existing management systems and processes, resulting in a reduction in the time required for implementation.

ISO 28000 has been specifically designed to be flexible and applicable to all tiers of a business from the head office to remote warehouses. The standard can be implemented equally effectively for smaller companies as it can major international organisations.

ISO 28000 will be recognised by US trade security programs, and participants will receive benefits inherent with these programs. DP World’s ISO certification has been recognised by US Customs Border Protection, with the company uniquely being invited to join C-TPAT. US Congress has recognised the relevance of 28k to CTPAT and has tasked its research body, GAO, to confirm technical compatibility. Companies that are ISO 28000 compliant may not have to qualify to join CTPAT but can now enjoy the benefits upon recognition.

In conclusion, by integrating the ISO 28000 security management system into a company’s operation, strategy and process – at an appropriate level to the risk – it has been demonstrated that a security investment can reduce operational costs, increase efficiency and competitive advantage by demonstrating that a company (particularly a logistics provider) is committed to its customers best interests.

A quotation from the Stanford study encapsulates what supply chain security (and ISO 28000) means in commercial terms: “Security measures were adopted more as a business imperative rather than purely to enhance security.”

Euan Air, Head of Business Development – Supply Chain Security, Hart Security eair@hartsecurity.com