Companies applying for C-TPAT certification must complete a supply chain security risk assessment and report the findings to CBP, and companies enrolled in C-TPAT must complete and report risk assessments annually. The problem has always been that CBP never properly explained how to conduct these risk assessments.
Now it has.
US Customs and Border recently outlined a Five Step Risk Assessment Process. While not required to follow them blindly or at all (because “The C-TPAT program clearly understands there are a wide variety of business models”), companies applying to C-TPAT would be smart to hew as closely as possible to the five steps to increase their chances of getting certified, and companies already in C-TPAT should do the same to avoid putting their certification at risk.
CBP claims that the five steps are not new, but if not new, the information has never before been set out so clearly. In exchange for providing a “how to,” it certainly appears that CBP is expecting a great deal more from C-TPAT members. C-TPAT is no longer for companies that treat supply chain security with armchair indifference.
For example, you are now supposed to grade the threat level of your sourcing country based on six indicia:
You must assign a grade, or at least find a way to measure, the threat level. CBP suggests the following grades:
Low Risk - No recent incidents/intelligence/information.
Medium Risk – No recent incidents/some intelligence/information on possible activity.
High Risk – Recent incidents and intelligence/information.
While CBP offers a list of free resources to help you assess the threat level to your supply chain, it is clear that your company must expend a great deal of energy and resources collecting and analyzing intelligence on each country that you source from and on every entity in your supply chain. It is hard to imagine that companies will be able to do this on their own without the assistance of legal experts and consultants.
All C-TPAT members (brokers, consolidators, carriers, etc.), not just importers, are expected to abide by the five steps as much as possible. Small companies are not excused, and importers cannot rely on INCOTERMS to get around having to control and ensure supply chain security.
The five steps emphasize that subcontracting logistics and transportation increases your threat level and requires that you take additional due diligence steps to control your “business partners” (a C-TPAT term that does not have the same limited meaning as the legal term). Many international shipments are handled by third party logistics providers who, in turn, may further contract out transportation companies. The five steps do not describe how these companies would remedy the supply chain failing of “business partners,” but do suggest that education plays an important part. Some 3PLs also do not qualify for C-TPAT because they “double broker” and do not own any of the warehousing facilities or means of transportation.
The five steps provide wiggle room for companies that have not quite achieved all the C-TPAT criteria, but are committed to making improvements by “prescribing corrective actions with follow-up procedures to ensure weaknesses have been mitigated.”
CBP prepared an FAQ and a memo on how to do an a risk assessment. The publication offers five sample templates or checklists to help you make sure you are on target.
Here are the five steps:
Principal and a founding member of GRVR Attorneys.