Don’t Neglect Supply Chain Security: Interview with Mark Storen

March 15, 2009 by SwizStick  
Filed under Featured

 Print This Post

Leave a comment

As global trade has tanked along with, well, everything else, importers and exporters are hunkering down and slashing costs in an effort to survive the downturn. In these trying economic times, while it’s important to stay focused on the fundamentals of your business, don’t neglect other important areas such as Supply Chain Security.

Recently we had the opportunity to discuss this very subject with noted Supply Chain Security expert Mark Storen, founder and President of Tectus (www.tectus-solutions.com), a consulting firm focused in supply chain security, logistics and compliance. Mark’s career has moved among these disciplines for 25 years. Previously, Mark served as the Director of Global Logistics for Nike, Director of Information Security for Nike, VP of Logistics for Expanets, and various assignments with the United Nations. Mark has controlled the procurement of global freight and third party logistics services, developed higly effective security and trade compliance programs, directed the building of one of the first European centralized distribution facilities, and led the building of various information systems. Mark graduated from the University of Notre Dame in 1985 with a BA in Government, and has worked in refugee camps in the Philippines and Thailand. In addition, Mark has lived and worked in Europe, Asia and the US. So without further introduction, let’s dive into this very important subject.

3plwire: So let’s talk about something that I don’t think enough companies have on the front burner, and that’s supply chain security. Why should companies be thinking about the security of their supply chain?

Mark Storen: Well, there’s a couple of reasons. One has to do with the facilitation of trade. Basically, since 9/11, there have been an increasing number of government regulated initiatives and also voluntary initiatives that are tied to supply chain security, which can help companies that do business internationally, both sourcing internationally and selling internationally. If you look at some of the programs that exist out there, some of the mandatory programs, companies are actually required to be conversant in supply chain security and to have a lot of their processes and infrastructure meet the requirements of these supply chain security programs. So part of it is requirements, and there’s another part of it which are voluntary programs, but which can still help companies in terms of the moving of product across international borders. So that’s one perspective of looking at it.

There’s another perspective which says, look, anytime that you’re focusing on measures to improve supply chain security you’re also diminishing the possibility of theft and pilferage and damage of the products that you move in your supply chain. So any measure that you take to increase supply chain security is going to also have the effect of decreasing the amount of theft and pilferage that occurs in your supply chain. So that’s another reason that is less mandated but is very much true when you look at the companies that made supply chain security a priority.

3plwire: You mentioned government programs, some companies have mandatory programs, there’s voluntary programs out there as well, you and I both know quite a bit about C-TPAT, for those of our readers who may not know anything about this program can you give us a brief run down.

Mark Storen: Sure. C-TPAT is the “Customs-Trade Partnership Against Terrorism”. It was initiated in April of 2002, I think, and basically it’s a program driven by Customs and Border Protection (CBP). The program is voluntary and it basically has a couple of components to it. It involves a company dissecting their supply chain and determining where their vulnerabilities are, and then putting in place an action plan, or remediation plan, to address those vulnerabilities.

And the way it works is, CBP has put out a set of security standards and importers are supposed to meet those security standards or, if you’re a forwarder, a slightly different set of standards you’re supposed to meet, or an NVOCC, basically most companies involved in the supply chain there’s a set of security standards for them to meet. And to become C-TPAT certified a company has to go out and check all of their internal processes and procedures to see if they meet these standards. They have to go out and find out where all of their supply chain partners are in meeting these standards. So that could be all of the factories that are producing goods that you import with, as well as the transportation/logistics service providers you work with. And then you also have to look at your U.S. infrastructure that is involved with the distribution of your foreign sourced goods. So if you have, for example, a primary warehouse on the West Coast that manages all of your goods coming in from Asia, that facility has to meet the C-TPAT security standards as well. So you look at your processes and procedures and you audit those, you look at all of your partners in the supply chain, and you essentially have to do an audit there, and also an audit of your domestic distribution facilities that deal with the internationally sourced goods.

After that fairly extensive audit, those three audits, you determine where your vulnerabilities are, you put in place a plan to address them and then you go out and you knock those items out. You’re then going to fill out an online form with Customs and they’ll hopefully certify you or come back with some clarifications for certification. And then Customs will come back three, six, nine months later and do an actual audit, they don’t call it an audit, they call it a validation but they’re going to go and make sure that all of the things that you said you’ve done are actually being done. They may visit an overseas supplier and logistics service provider, or two if you’re a big company, they could very well come out to your headquarters and talk to the people responsible for the various processes that need to be audited – your transportation people, your HR people, your IT security people, interview all those folks, and they may even go look at your distribution facility that is used for internationally sourced goods whether that’s an owned facility or a third party facility. There have been many times when Customs has gone out to do an onsite audit of the facility. And they’re going to see if you’ve done all the things that you said you were going to do or if those are in process and if you have, then you get validated which gives you some additional benefits in terms of the movement of goods into the U.S.: less audits, less security audits, I believe you get an assigned CBP liaison, you get the ability to move forward with some other Customs programs, so there’s some fairly tangible benefits you get from being initially certified but then validated into the C-TPAT program.

3plwire: You mentioned business partners and I want to talk about for a little bit, particularly in terms of foreign suppliers in regards to the import supply chain. Pre-9/11 I don’t think that many companies knew how their foreign suppliers conducted their daily operations, or for that matter even bothered to visit their suppliers. From my own experience I’ve found that many companies were intimately aware of their suppliers’ showrooms but had never actually visited the manufacturing facility, and as you and I know those two locations can be completely different….

Mark Storen: Yep…

3plwire: Do you think that’s changing? Are import companies doing a better job of getting to really know who their suppliers are?

Mark Storen: I think that in general import companies do that as much as they need to. Right? And there’s a lot of reasons to get out and know your suppliers, it kind of depends on your business model. I mean, the relationship with foreign suppliers, you know, was basically a stool that used to be built on three legs: and that’s the quality of the products, the cost of sourcing the products with that factory, and could they manufacture and deliver those products on time. And what Homeland Security through Customs has said, is that there needs to be a fourth leg on that stool, and that’s security. Because one of the most vulnerable pieces of the supply chain is that factory, right? To answer your question I think that importers get out there and get to know the factories and understand how they do business and walk in those factories and kick the tires as much as they need to in order to fulfill those, used to be three, and now four criteria. And with the C-TPAT program as an example, you or someone you know, that you trust, has to get out and do some on site auditing of the factories, not all of them, but some. But there’s a lot of companies that have been in the factories or in the fabs or in the testing facilities, or whatever, already as a result of issues like quality or on time delivery, right? But companies are only going to go out as much as they have to in order to keep their business going in a competitive manner. So I would say, yes, it’s a lot more now than it has been, but still, if companies can get away with not having to go out there and spending a lot of time then they probably won’t, particularly in the current environment in which everyone has, you know, fiscal constraints.

3plwire: Sure, not everyone has got a bunch of money to be flying staff or third parties around the world to be visiting factories for security concerns.

Mark Storen: Exactly. And there are third party companies that exist out there that can do security audits for you. But if you talk to companies that need to get out to the factories anyway for, you know, quality issues or for issues of on time delivery, then what they would typically do is they would say “I’ve already got a person going out to some of the factories, so I’m going to integrate security into the checklist of things that I’m going to work through when they’re already out there.” I see more and more companies doing that than setting up a specific program just around security. There’s companies that do that, absolutely, but from where I sit in dealing with companies more of them try to integrate security as part of the other reasons of why they’re out there.

3plwire: From my own experience visiting factories overseas I’ve at times been pleasantly surprised and at other times downright shocked at what I’ve found in regards to their security. From your own experience what are some of the things that you’ve found that have surprised you?

Mark Storen: Yeah, uh, I’d say that you and I probably have some similar takes on things. You know I have found factories in countries that are traditionally considered high risk that have just had security absolutely nailed. The Philippines is a good example, the Philippines because of some of the political unrest that they’ve had over the last few decades, you know, is considered more of a high risk than, for example, Taiwan. And I’ve been in some factories in the Philippines that have just had security down. And they’ve done it on their own, not as a result of a program like C-TPAT or, you know, PIP (Partners in Protection in Canada), or anything, just as a result of their own processes they’ve done this.

I’ve also been to factories and logistics centers in Singapore, as an example, which, you know, if I think about Singapore I’m thinking buttoned down, tight, highly secure, that have just had horrible security. No access controls, no checking of visitors going in and out of the facility. So it’s really, I would say that you can not generalize at all based upon industry or based upon country as to how secure a particular facility will be.

3plwire: I agree 100%, that’s actually the point I was hoping to get at, so thank you for illustrating that so clearly. I’ve found the exact same thing, it’s funny how some so-called developing countries that may have some political unrest or there’s something else in their background that somehow make them a higher risk than other origins, I’ve been pleasantly surprised, like you, to find some facilities in these areas in tip-top shape. And then to go somewhere, like a highly industrialized country or origin where you would assume that things are much better, and maybe it’s a part of that, maybe it’s part of that assumption that such-and-such a country or such-and-such an industry, they’re going to be buttoned down, they’re going to be in tip-top shape, maybe there’s something in that assumption that makes people lax in their security. Do you think some of that comes into play, maybe?

Mark Storen: Well, I think so, but again I think that just like a company is only going to visit the factories if they really need to, there is a similar mentality in the factories. “Our job is to make these products. And we’re gonna make them as cheaply as we can and try and meet our clients’ expectations so that our margins can be bigger when we sell it”, right? So if a factory does not have to go through a security audit and really nail down their security for whatever reasons, then I think they’re going to use their money for other priorities: bringing in new molds, or more efficient machinery, or ventilation or whatever. And I would have expected that manufacturing facilities that are involved in really high value products would have been more secure, and I haven’t seen that. And I would have also expected that factories in what we would consider first world countries wouldn’t have security issues but, you know my company Tectus had a client a couple years back who had a couple of containers coming in from Spain and one of those containers got opened up at a port in the Northeast and there were two dead people in it, they were stowaways. So, talk about a security breach at the factory or at the port! And it turned out to be at the factory. You know they were loading the containers and they had people that were trying to get into the United States and that had sadly died in transit. But that was coming out of Spain! Where you would widely consider to be a first world country: more secure, industrialized, not the kind of problems you might see in countries like, some of the more high risk countries. But they opened the container and a couple of dead people came out. So I think there is very little stereotyping that can go on.

3plwire: What is your overall opinion of the foreign suppliers’ supply chains, partly through the post-9/11 lens and in terms of having to meet their customers’ security requirements, whether it’s Europe or the U.S., or some other country, do you think they are improving as a result of all this focus on security? Or do you think they’re just paying lip service, doing just enough to keep the customer happy?

Mark Storen: I think that’s a great question. My opinion is that a lot of suppliers are taking measures needed, particularly in regards to physical infrastructure, in order to meet their customers’ requirements, but that their supply chains that they have are not necessarily more secure. You gotta remember that most of the import supply chain security programs only go back one level in the supply chain. So they really only go back to the factory, like with C-TPAT, you only go back to the factory that the importer is using. But it doesn’t really extend, there’s not a requirement for that factory to go back and secure their supply chain as well. If that factory in Canada or Mexico is trying to become C-TPAT certified then there’s a requirement for it, but the C-TPAT program today only applies to manufacturers in Canada and Mexico. So if you look at the majority of the goods coming into the U.S., those factories don’t have to go back to their raw materials suppliers or their transportation service providers and do any kind of security work. So I would say that when it comes to their facilities, then yeah, there’s probably more of them that are becoming more secure. When it goes further back into their supply chains? I would say no. I’m not seeing it. Are you? Are you seeing that?

3plwire: Um, I would say that I’m seeing it only to the extent that companies are pushing them to go further back into their supply chains. To give you an example, the company I work for now, as part of our internal C-TPAT process, is making sure that the factory has records and has a process for maintaining inventory and making sure that they are receiving what they are supposed to be receiving. And maybe a lot of companies, you know, just ask them that. But when we go visit factories we actually spend quite a bit of time poring over their documents and their internal processes to make sure that they are doing that. To give you an example we visited a factory in Thailand who said “Yeah, we keep good records of our incoming materials and we know what’s coming in.” And when we asked them to show us those records, I kid you not, it literally was a stapled chunk of scrap paper, from the office….

Mark Storen: (chuckling)

3plwire: …with handwritten notes all over it. And when we asked them to clarify they said “well, you know, we order a lot of fabrics and a lot of raw materials and we order from a couple of small suppliers and we do it all over the phone, and we just scribble down the notes of what we ordered and then when it comes in we just put our initials next to that note.” Clearly not an adequate enough inventory management system.

Mark Storen: Sure.

3plwire: So at any given time, they weren’t really sure, I mean they had basically guys showing up with rolls of fabric and they’d say “yeah, that looks like what I ordered” and just accept it. So I think in cases where companies are going that extra step when they do talk to factories or visit them, making sure they actually have implemented some of these process improvements I think that’s an improvement. But again, like you mentioned, the factories are only going to do what they need to do to make their customers happy. For companies that are actually monitoring and pushing process improvements, I think that’s an improvement, but how many companies are actually doing that? I doubt there’s that many and there’s only, how many companies have the time to go through all their suppliers, I mean I certainly don’t. We try to tackle the big boys and some of the larger source origins, but you don’t have time to check every single factory and make sure “do they really know what’s coming into their warehouse or not?”. Some of them, the ones that we get to, sure, but all of them? No.

Mark Storen: Yeah, and I think that’s a good point, that’s probably a good add on, which is: yeah, those foreign suppliers might be making changes to their infrastructure or to their processes in their manufacturing facilities, like you were saying, reconciliation of inventory, but how many of them are going back and vetting their suppliers’ raw material suppliers or local trucking companies to make sure they are meeting the C-TPAT, or the AEO, or TAPA standards. I mean, I’m hardly seeing that at all.

3plwire: Yeah, I agree. Regarding import clients, companies that you deal with, how do you deal with companies that are skeptical about going through the effort to secure their supply chain. I guess what I’m really asking is what are some of the side benefits, or return on investment, for companies that take the time and resources to beef up their security. You kind of addressed this in the beginning when we were talking about C-TPAT. What are some of the arguments you use when talking to companies and trying to convince them that this is a good thing to do?

Mark Storen: You know, most of the time companies are hearing about the program (C-TPAT) as a result of them having either some disruptions in their supply chain or commercial pressures on them. C-TPAT in particular is a program that is a bit of a tough sell if a company has ten priorities and they’re even underfunded to commit to those ten priorities, much less trying to get this one put on as the eleventh one. There’s some ROI cases to be made, Customs has come out with a document that talks about improvements in supply chain, potential savings in being C-TPAT certified, and there’s significant reduced number of inspections that you get.

But I’ve found that in general a company has to feel a little bit of pain before they really take up the program. And that pain can be in the form of lots of inspections or delays on product coming into the U.S. or it can be in the form of their customers buying from them saying “you need to be C-TPAT certified”. And those tend to be the two biggest drivers of the program. To just go into a company that hasn’t seen either of those influencing factors and trying to get them to prioritize the program I just honestly think that it’s a pretty tough sell. But I would say that it’s different if you look at some other supply chain security programs that are regulated as opposed to voluntary. C-TPAT has been termed “the most mandatory voluntary program in the history of Customs”…

3plwire: (laughs)

Mark Storen: …because it’s been pushed very hard by Customs and their is this cascading effect of well, if you’re C-TPAT certified are all the people you’re buying from C-TPAT certified and are all their transportation providers C-TPAT certified…but it’s still a voluntary program. But there are supply chain security programs, particularly in relations to export and trade compliance, which are mandatory and so the sell for those is much easier because, you know, you can go out to Bureau of Industry and Security’s website and look on the compliance page and see all the companies where executives have gone to jail, they’ve been fined millions of dollars, their rights to export have been revoked, they’ve been put out of business, as a result of non-compliance. So if you’re selling supply chain security part of it is really which programs are mandatory and which aren’t. And the mandatory ones tend to be a lot easier to sell.

3plwire: Let’s get a little bit off topic and talk about the economy overall in regards to world trade. In your opinion, how bad is it and how bad do you think it will get?

Mark Storen: Um, yeah, it’s horrible. Some stats have come out about the reduction in trade, I think 90% of all products going around the world move in ocean containers and in the last few months I’ve heard that on major trade lanes there’s been 15-20% reduction in the amount of cargo moving. You were just at the TPM conference, is that some of the stats they were citing?

3plwire: Yeah, more or less.

Mark Storen: And so, you know, it’s bad and it’s anybody’s guess as to when it’s going to get better. I will say that I’ve heard some fairly convincing arguments recently that the severity of the economic cycles are getting greater and shorter. Now, I’m not an economist, but I do try to follow economic theory, and I think there’s some validity to the conversation which says that the highs in terms of economic prosperity seem to be getting higher and also the lows, we seem to be dipping down further, but that these cycles are being compressed more and more because of the inter-relatedness of the global economy and the availability of indicators and technology, right? So if I was a betting man I’d say that we’re not going to be in a 3-5 year recession, that we’ll probably be surprising people a year from now, that we’re pulling out of this. But you know, all I know is what I hear from my clients and that it’s bad for everybody. It’s bad for importers, exporters, logistics providers, transportation providers, all the clients that I have are saying the same thing, that it’s worse than they expected and we’re not at the bottom yet.

3plwire: How has supply chain security evolved in terms of U.S. exporters selling to other markets?

Mark Storen: I think it’s important to talk about a little bit because first of all, it’s regulated, so through the Bureau of Industry and Security (BIS), which, by the way, is aligned under the Department of Commerce, not the Department of Homeland Security, and really, trade and export compliance have to do with not putting into the hands of people that might be hostile to the U.S., technology or products that could be used against us. And that could apply to obvious things, like ammunition, but I think that for the majority of companies selling products overseas it can be anything that can be considered dual-use by BIS. It could be something as innocuous as a hydraulic pump. There was a company about 4-5 years ago that was exporting hydraulic pumps and they got nailed by the BIS because with slight modifications those pumps could be used in nuclear reactors to create material that could be used in nuclear bombs. Well this was going to a civilian, coal-fired reactor in a third world country but they got in trouble because it was considered a dual-use product; it could be used for civilian purposes or military purposes. And whenever that’s the case, there’s a whole set of classification of products that a company has to go through. There are processes where you have to do denied party screening, you have to screen all of the companies that you are potentially shipping these products to, there’s a piece where you have to know who the company you’re selling to is selling to, there’s none of this “I didn’t know who they were”. It can be fuel pumps, it can be ammunition, it can be technology with certain levels of encryption associated with that. The BIS even looks at things like e-mails and file transfers, software downloads and conversations…

3plwire: Interesting, I didn’t know that.

Mark Storen: …as being exports. So you, depending on what you’re talking about with a foreign engineer in a conversation, it could be considered an export and you might need to have a license to have that kind of conversation. So really, export and trade compliance deals with product classification, by the way it’s a completely different product classification than the harmonized code used for imports, and it has to deal with HR, has to deal with information security, it has to deal with knowing your customers, and even tying your shipping system into a software application that checks for who all the bad guys are that you might be shipping to. It’s really very complex and I think the most important piece for your readers is: it’s regulated, and it’s aggressively enforced. So anyone who is exporting products out of the U.S. should check to see if they might be dual-use products and that they’re following these sometimes difficult to navigate regulations. And that’s just as much supply chain security as the import, as the C-TPAT program is, or Authorized Economic Operator in Europe, or PIP in Canada, it all has to do with products, that things un-manifested are not getting into the products or getting things into the hands of people who are going to do damage to the U.S.

3plwire: Mark, thanks very much for taking the time today to speak with us.

CSCMP Interview by Robert Malone

“Crisis Logistics”

Securing the Supply Chain pays off

Keys to China Supply Chain Efficiency