1 Aug 2007
Standardising Supply Chain Security(HKTDC Enterprise, Vol 08,2007)
The world is becoming an increasingly dangerous place that demands increased vigilance and security by all participants in the product supply chain, be they buyers or suppliers
One of the main challenges currently affecting international business relates to the security hazards in global supply chains that could arise as a result of naturally-occurring or man-made disasters.
Recent well-documented incidents such as earthquakes, hurricanes and the Asian tsunami, as well as terrorist and criminal activities, have served to highlight the need for a systematic, coordinated approach to the problem.
The International Organization for Standardization (ISO) has responded to this challenge and developed a suite of documents that is designed to protect people, goods, infrastructure and equipment (including means of transport) against security incidents, and thereby prevent potentially devastating effects in the supply chain.
The documents were initially published in 2005/2006 as a series of Publicly Available Specifications ("PAS"), after a "fast-track" consensus process through ISO, and are currently being revised for publication as full International Standards.
The first of the 28000 standards to be published was ISO/PAS 28000:2005 Specification for security management systems for the supply chain, which was released at the end of 2005.
The standard was developed by ISO's technical committee TC 8, Ships and Marine Technology, and included inputs from organisations such as the International Maritime Organization, the International Association of Ports and Harbours, the International Chamber of Shipping, the World Customs Organization, the International Innovative Trade Network, the World Shipping Council, and the Strategic Council on Security Technology.
A draft of the updated version of this standard is also available as ISO/DIS 28000, which will be published as a full International Standard later in 2007.
ISO/DIS 28000 defines the supply chain as "the linked set of resources and processes that begins with the sourcing of raw materials and extends through the delivery of products or services to the end-user across the modes of transport.
The supply chain may include vendors, manufacturing facilities, logistics providers, internal distribution centres, distributors, wholesalers and other entities that lead to the end-user."
By applying a process approach and the "Plan-Do-Check-Act" methodology to address potential risks to the supply chain, ISO/PAS 28000 is closely aligned and compatible with other management system standards such as ISO 9001 (Quality Management) and ISO 14001 (Environmental Management).
ISO/DIS 28000 requires the organisation's top management to define an overall security management policy that, among other things, is consistent with the organisation's overall security threat and risk management framework, and appropriate to the threats to the organisation and the nature and scale of its operations.
This policy must then be deployed by security risk assessment and planning, effective implementation and operation, checking and corrective action, followed by management review.
This is shown schematically in the following figure, taken from ISO/DIS 28000:
ISO/DIS 28000 requires the organisation to consider the likelihood of an event and all of its consequences including:
- physical failure threats and risks, such as functional failure, incidental damage, malicious damage or terrorist or criminal action
- operational threats and risks, including the control of the security, human factors and other activities which affect the organisation's performance, condition or safety
- natural environmental events, such as storms and floods, which may render security measures and equipment ineffective
- factors outside the organisation's control, such as failures in externally supplied equipment and services
Once the security risks have been identified and assessed, objectives, targets and programmes have to be established in order to eliminate or minimize their potential effects (in much the same way that ISO 14001 requires the organisation to establish objectives, targets and programmes to minimize the environmental impact of its operations).
Clause 4.4 of the standard addresses topics to ensure the effective implementation and operation of the security management system.
This includes requirements related to:
- organisational structure, authority and responsibilities
- competence, training and awareness
- document and data control
- operational control
- emergency preparedness, response and security recovery
Clause 4.5 addresses topics required to check the system and initiate corrective and preventive actions, as necessary, including requirements for:
- security performance measurement and monitoring
- system evaluation
- security-related failures, incidents, non-conformances
- control of records
Finally, clause 4.6 requires the organisation to carry out periodic management reviews to ensure the continuing suitability, adequacy and effectiveness of the security system.
ISO/PAS 28001 Security management systems for the supply chain - Best practices for implementing supply chain security - Assessments and plans was published in 2006, and supplements the requirements specified in ISO 28000 with practical guidance to allow organisations to make better risk management decisions.
ISO 28001 also provides an option for independent third-party auditing to be used in conjunction with, and to complement, the World Customs Organization's framework of standards to secure and facilitate global trade.
ISO/PAS 28004 Security management systems for the supply chain Guidelines for the implementation of ISO/PAS 28000 - was also published in 2006, and is intended to assist users to understand and implement ISO 28000 and therefore help to maximize its benefits.
ISO 28004 explains the underlying principles of ISO/PAS 28000, and describes the standard's intent, typical inputs, processes and typical outputs.
Although it includes the complete requirements of ISO/PAS 28000 on a clause-by-clause basis, followed by the relevant guidance, it does not create any additional requirements or prescribe mandatory approaches to the implementation of ISO/PAS 28000.
It explains, for example, that the level of detail and complexity of the security management system, the extent of documentation and the resources devoted to it are dependent on the size and complexity of the organisation and the nature of its activities.
It also clarifies that an organisation should have the freedom and flexibility to define its boundaries and may choose to implement ISO/PAS 28000 with respect to the entire organisation, or to specific operating units or activities of the organisation.
Ultimately, however, organisations must always remember that continuity in the supply chain is a key component of today's global marketplace.
The new ISO 28000 series of standards define criteria for organisations to be able to identify and manage the risks associated with natural or man-made disasters in order to minimize their impact.
As such, they adopt the process approach and Plan-Do-Check-Act methodologies that are familiar to those who are involved in quality, environmental, or health and safety management systems, and allow for independent third-party assessment and certification.
WRITTEN BY DR NIGEL H CROFT, ASSOCIATE TECHNICAL DIRECTOR, HONG KONG QUALITY ASSURANCE AGENCY