At first glance, C-TPAT appears to be all about carriers and other transportation players. But DC managers shouldn't assume they're off the hook.
By Art van Bodegraven and Kenneth B. Ackerman
A decade ago, supply chain security meant something very different than it does today. Back then, the focus of most security programs was squarely on the basics: protecting people, products, property, and information.
But 9/11 changed all that. In the wake of the terrorist attacks, the government stepped into the picture, introducing a host of programs aimed at patching vulnerabilities in the nation's transportation system—and by extension, the commercial supply chain. In so doing, it redefined the supply chain security challenge. These days, it's not just about protecting people and things; it's also about complying with an array of cargo screening, supply chain credentialing, container inspection, and advance notification requirements (think TWIC, ISF, CSI, PortSTEP, or ACSI).
While many of these initiatives center on the transportation link in the supply chain, warehouse and DC operations shouldn't assume they're off the hook. With some of these programs, there's a good chance they'll be lured into the process as well. A prime example is the Customs-Trade Partnership Against Terrorism (C-TPAT).
Launched by Customs and Border Protection (CBP) in November 2001, C-TPAT is a far-reaching initiative aimed at getting U.S. companies to shoulder part of the supply chain security burden, thereby allowing Customs to concentrate its limited inspectional resources on high-risk shipments. In a nutshell, C-TPAT participants agree to police their own supply chains, attesting that they have strict security procedures in place at every stage in a container's journey, in return for a reduced risk of cargo inspections (and preferential treatment if their containers do get pulled aside for examination).
At first glance, C-TPAT appears to be all about carriers, NVOCCs and ocean transport intermediaries, and customs brokers. But the truth is, it could have important impacts on warehouses and distribution centers as well. Of the dozen classes of businesses eligible to join C-TPAT, the first listed is U.S. Importers of Record. Asset-based third-party logistics service providers and Canadian and Mexican manufacturers are also included, and other foreign manufacturers are likely to be added over time.
To the extent that these eligible businesses involve storage facilities, there's a strong chance their distribution center managers will be drawn into the C-TPAT compliance whirl. There are three reasons for that:
Their business partners demand it. If a distribution facility's customer is a C-TPAT member, that customer may require the DC to join C-TPAT as well to ensure that its entire supply chain is C-TPAT-compliant. Although C-TPAT participation is voluntary, there have been a number of cases in which non-C-TPAT vendors and suppliers have been dropped by major customers.
Management decides it's a selling point. Manufacturers, importers, and service providers are likely to see C-TPAT certification as a marketing advantage. After all, it's a big deal in many dimensions. Using a C-TPAT supplier has the potential to minimize supply disruptions and delays as well as take some of the uncertainty out of the customs processing part of the equation.
The rules of the program change. Today's "voluntary" participation could easily become mandatory in the future.
Let's say a company decides to pursue C-TPAT certification for one of its warehouses or distribution centers. What kind of changes would it mean for the operation? It all depends on the activity. For instance, there would likely be little effect on order fulfillment processes and procedures. But there's a better-than-even chance that existing security measures would need serious upgrading. C-TPAT directives get very specific about tools, techniques, and processes related to securing people, property, product, and information.
The security protocol for importers is much the same as the protocol spelled out for carriers. And much of that deals with business partner requirements and security procedures, conveyance security and inspection, trailer and container security and seals, and conveyance tracking and monitoring.
It also contains a series of requirements for physical access controls that extend to facilities and cover employees, visitors, vendors, and service providers. Processes are spelled out for pre-employment verification, background checks, and termination as well.
Critically, the protocol specifies procedural security measures to ensure the integrity of processes related to cargo handling and storage, including those that restrict access during conveyance and that require reporting anomalies involving truck drivers (including the screening of their luggage and personal effects).
More detail is added for documentation processing, document review, bill of lading/manifesting procedures, and cargo marking.
As for facilities themselves, they are required to employ physical barriers and other deterrents to unauthorized access, including fencing, gates and gate houses, separate private vehicle parking, locking devices and key controls, lighting (with specific requirements regarding placement and brightness), and monitoring/alarm systems for the premises.
There are additional specifications for information and technology security—and accountability. [N.B. The GSA (General Services Administration) publishes standards for federal facilities, which provide a good reference point for security processes and practices.]
C-TPAT certification is not a journey for the faint of heart, but it might become a necessity in the not-very-distant future. Despite its carrier focus, it could well have important implications for warehouses and distribution centers, probably operationally positive and quite possibly a lot of work to implement. Those industries likely to be affected earliest and deepest are automotive, aerospace, textiles, and retailing.
For those companies that have not considered what it will take to undergo the process, outside assistance can help to steer them around the inevitable bumps in the road. It can also reduce the risk of unpleasant surprises at a later time—like discovering two years after the fact that the initial certification could not be validated.
And by the way, those old basics of protecting people, product, property, and information are still vitally important, too.
Note: The authors are indebted to Les Glick, partner at Porter Wright Morris & Arthur LLP, and Michael Regan, CEO of Tranzact Technologies, for their insights into supply chain security issues.