Supply chain integrity and security: what are the risks? (Part I)


Supply chains are complex, involving many levels of suppliers who are typically located in multiple countries around the world. For high reliability industries (such as airlines and oil rigs) or industries where there is a chance of life or death (e.g. defence applications, pharmaceuticals and food products), the introduction of a sub-standard or below specification (non-conforming) product could have serious consequences. Further, many of these industries are highly regulated to protect consumers.


The nature of global supply chains today presents a real challenge, as illustrated by the global supply chain for the Boeing 787 and Bombardier Global Express in this article from Canada’s Aerospace Review. These challenges are magnified somewhat in relation to security and integrity risks, as explored later in this article. To assist readers unfamiliar with these concepts, a simple product supply chain could be considered as having at least eight categories of actors, as illustrated below:

An illustrative example of a simple supply chain

Part I of this article addresses the concept of Supply Chain Integrity. Part II, continued here, examines what we mean by the concept of Supply Chain Security, and how the field is evolving in response to the world’s changing geostrategic climate. Supply Chain Integrity and Security (SCIS) is part of the broader domain of Supply Chain Risk Management (SCRM), which is undergoing its own renaissance thanks to COVID-19 and the associated disruptions to global trade and commerce arising from the pandemic.


What is Supply Chain Integrity and Security?

The concepts of Supply Chain Integrity and Supply Chain Security are often bundled together under the guise of Supply Chain Integrity and Security (SCIS). One example of this is in the life sciences industry, with the following definition of SCIS being commonly cited from the U.S. Pharmacopeia (a compendium of drug information, effectively the standards for all pharmaceutical compounds in the USA, whose application is enforced by the US Food and Drug Administration):

Supply Chain Integrity and Security (SCIS) is defined as a set of policies, procedures, and technologies used to provide visibility and traceability of products within the supply chain. This is done to minimize the end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted. This is minimized by implementing procedures to control both the forward and the reverse supply chains. SCIS involves reducing risks that arise anywhere along the supply chain, from sourcing materials and products to their manufacture and distribution. The ultimate goal is to detect adulterated, falsified, or counterfeit products and prevent them from entering the supply chain.

Supply Chain Integrity defined

Supply Chain Integrity is sufficiently different from Supply Chain Security to require its own explanation. Supply Chain Integrity is defined by ENISA as providing an “indication of the conformance of the supply chain to good practices and specifications associated with its operations”. When I think about what this means in plain English, I deconstruct the concept of Supply Chain Integrity into three core elements:

  • Provenance – What are the origins of all components or raw materials in my product? For example, a ‘blood diamond’ extracted illegally from a war zone using slave labour is still an authentic diamond, however its provenance is questionable.
  • Authenticity – Is the product what it claims to be, or has it been tampered with or substituted? Have the products or components been “produced with legal right or authority granted by the legally authorized source” (AS6174A)?
  • Traceability – Can I trace the movement of components in my product from raw material to the end user? This is defined in AS6174A as “having documented history of material’s supply chain history. This refers to documentation of all supply chain intermediaries and significant handling transactions, such as from original manufacturer to distributor”.

As I previously discussed in this article on SAE’s standard AS6174, and worth reproducing again here, the World Economic Forum identified “four key questions that must be answered at the product level as part of Supply Chain Integrity (Pickard & Alvarenga, 2012):

  • Integrity of Source – did this product come from where I think it did?
  • Integrity of Content – is the product made the way I think it is?
  • Integrity of Purpose – is the product going to do what I think it will do?
  • Integrity of Channel – did this product travel the way I think it did?”

To address each of the elements of Provenance, Authenticity and Traceability, Supply Chain Integrity programs typically comprise a variety of activities, including:

  • Track and trace programs as well as serialisation to uniquely identify each component and locate where it resides globally in the supply chain at any point in time
  • Quality management programs, to identify conforming vs. non-conforming products
  • Supplier integrity programs, to understand exactly who the seller of a product, part or raw material is and assess what if any integrity risks this poses
  • Market surveillance (market monitoring) – intelligence activities to identify where products are being sold and by whom, to manage the risk of counterfeit or diverted products to end users and the manufacturer’s brand or reputation

A taxonomy of Supply Chain Integrity risks

As with any type of risk, it is possible to build a taxonomy of individual risks which reside under the category of Supply Chain Integrity. Based on my research, I have listed fourteen risks associated with Supply Chain Integrity below:

  • Adulteration of products or raw materials
  • Tampering of products, parts or components
  • Introduction of counterfeit material
  • Gray market products
  • Substitution of raw materials, parts, components or products
  • Falsified or fraudulent material
  • Use of substandard material (i.e. non-conforming or below specification)
  • Misbranded or falsely-labelled products
  • Expired products (moved to less-regulated jurisdiction, re-labelled, and then re-sold)
  • Products marked for destruction are diverted, re-labelled then re-sold
  • Ineffective product recall
  • Ineffective product storage and / or transport
  • Supplier integrity

These risks are related to, but also quite different from, the risks listed in Part II of this article on Supply Chain Security (see link at the bottom of the page).

The relationship between Supply Chain Integrity and your Quality Management System

I have mentioned the term ‘conformance’ a number of times throughout this document, which is defined by ISO22000 as “a product which fulfils a requirement”. Conformance assumes that a buyer goes to market seeking to procure products or services which do a particular thing or meet a particular standard (the requirements), and that a supplier is contractually obligated to provide a product or service which addresses these requirements.


For buyers, Quality Management Systems (QMS) play an important role in ensuring the products which are shipped to your door for use are firstly what you purchased (hopefully addressing your requirements), and secondly what they claim to be. This process is referred to in AS6174A as ‘Product Assurance’ which involves “confirming the authenticity of materiel or its compliance with manufacturer’s specifications” (SAE International, p27) to minimise the likelihood of non-conforming materiel entering the supply chain. Product Assurance is undertaken using one of four methods listed below:

  • Documentation & Packaging Inspection
  • Visual Inspection
  • Non-Destructive Testing (NDT)
  • Destructive Testing (DT)

Readers wanting more information on the Product Assurance process can refer to my previous article. In many organisations, the Product Assurance process is typically performed by a combination of warehouse personnel and / or engineers, scientists or quality management teams upon delivery of new parts or products. Alternately, other organisations perform these inspections before a product leaves the factory, ensuring adequate SCIS processes are in place to mitigate any security or integrity risks that may arise between the shipment leaving the factory and delivery to its final destination.

Failure to properly perform Product Assurance may mean a company takes receipt of a non-conforming product or component on day 1, but that this non-conformance is not identified until the product or component is placed into service (potentially some days later). This gap between delivery date and usage date may be an extended period of time during which warranties or guarantees may become voided. Risks here are particularly high for business critical or hard to source parts held in inventory as spares in the event of an in-service part failure, which could provide a false sense of security that sufficient spares are held in case of emergency.

To read Part II of this article, click here.
