Trust, but verify

Born hurriedly out of the critical need to assuage public and congressional fears of a potential terrorist attack through our country's international supply chain, the Customs-Trade Partnership Against Terrorism initiative has endured growing pains both expected and painful.

Launched without the benefit of established operating standards, without either tangible incentives or penalties, and undermanned and lacking formal training in supply-chain security, the program has essentially been in a learn-as-you-go environment. In Customs' defense, one could argue whether - given the magnitude of the Sept. 11 terrorist attacks and the ensuing paranoia of not knowing when and where the next attack would take place - any entity, public or private, could have afforded the time to fully design and execute such a program. Whatever your conclusion, the program is what it is, and through its evolution, it is now entering a most crucial phase.

President Reagan once said, "Trust, but verify." The C-TPAT program will require no less. In fact, I would go so far as to say that the verification process itself will ultimately define the program's legacy, either as a true deterrent to terrorism, or simply so much wasted motion.

There can be little argument that the weakest link in the trade-security chain is at the foreign point of container loading and/or transfer. We know this, and so do terrorists. There can likewise be little argument that the most conclusive method for validation comes from having a pair of eyes on-site. However, the true responsibility for this verification must be borne by the participant and not by the Bureau of Customs and Border Protection. Thus, we have our dilemma: how to ensure that importers are effectively validating that their foreign suppliers and service providers are indeed executing to their company's security plan.

There is the very real danger that companies have already begun to throttle back their efforts with C-TPAT - particularly because, as a voluntary, incentive-based supply-chain security program, many are still waiting for benefits that would at least offset investments in the program. When combined with the lack of any imminent threat, even the most ardent of C-TPAT participants may need to guard against corporate "security fatigue" and internal pressures to reduce resources to meet only the minimum of requirements.

As an ongoing program, internal C-TPAT verifications should be performed at least once a year. To maximize effectiveness, these audits should be random, unannounced and conducted by an independent and/or objective third party. Companies should explore options to minimize expense, such as the ability to leverage any vendor-inspection programs already in place. These may include inspections from one or more of a company's own departments, or from an outside standards auditing entity that has been retained to conduct product quality control and/or container loading certification services.

Periodic internal validation of the importer's security plan fulfills two important functions: First, it provides the participant with the ability to accurately measure the program against key performance indicators necessary for making continuing improvements. Second, as a risk-management tool, it provides the company's executive leadership with the assurance that their corporate obligations under the Sarbanes-Oxley Act are being addressed responsibly.

This leads to an interesting point regarding liability: Because C-TPAT participants are not required to validate that their security plans are being implemented, this important task could be nothing more than a foreign vendor completing a self-assessment questionnaire. Therefore, if there were a serious security breach, this company would technically have satisfied Customs' "reasonable-care" requirements. Unfortunately, unlike commercial trade enforcement, the impact of a company's negligence in trade security could have widespread and devastating results. Any subsequent monetary penalty, whether formally imposed by the government or informally levied through Wall Street and consumer backlash, would be of little consequence.

As C-TPAT continues to grow, I would argue that the next step in C-TPAT's evolution should be to address this gap. The best-designed plan created out of the best of intentions is meaningless if it isn't executed properly and consistently - and there's simply too much at stake.