SIST-TP CEN/TR 16412:2012

SLOVENSKI STANDARD
SIST-TP CEN/TR 16412:2012
01-november-2012
Varnost oskrbovalne verige - Navodilo z dobrimi praksami za male in srednje
velike dobavitelje
Supply chain security (SCS) - Good practice guide for small and medium sized operators
Logistik - Handbuch für bewährte Praktiken für die Sicherheit von Lieferketten
Sécurité de la chaine d'approvisionnement - Guide de bonnes pratiques pour les petites
et moyennes entreprises
Ta slovenski standard je istoveten z: CEN/TR 16412:2012
ICS:
03.100.10 Nabava. Dobava. Logistika Purchasing. Procurement.
Management of stock
SIST-TP CEN/TR 16412:2012 en,fr
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST-TP CEN/TR 16412:2012

---------------------- Page: 2 ----------------------

SIST-TP CEN/TR 16412:2012


TECHNICAL REPORT
CEN/TR 16412

RAPPORT TECHNIQUE

TECHNISCHER BERICHT
September 2012
ICS 03.100.10
English Version
Supply chain security (SCS) - Good practice guide for small and
medium sized operators
Sécurité de la chaîne d'approvisionnement - Guide de Sicherheit von Lieferketten - Handbuch für bewährte
bonnes pratiques pour les petites et moyennes entreprises Praktiken für kleine und mittlere Unternehmen


This Technical Report was approved by CEN on 13 August 2012. It has been drawn up by the Technical Committee CEN/TC 379.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.





EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2012 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 16412:2012: E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST-TP CEN/TR 16412:2012
CEN/TR 16412:2012 (E)
Contents Page
Foreword .3
1 Scope .4
2 Recommended Supply Chain Security Approach .5
3 Crime prevention in supply chains .7
3.1 Introduction .7
3.2 Cargo theft .7
3.3 Counterfeit goods .8
3.4 Terrorism in supply chains .9
3.5 Sabotage in supply chains . 10
3.6 Cross-border duty and tax fraud . 11
3.7 Smuggling of prohibited and restricted goods . 12
3.8 People smuggling . 13
3.9 Document fraud . 13
3.10 Bogus companies . 14
3.11 Cyber crime . 15
4 Supply chain security regulations and programs . 17
4.1 Introduction . 17
4.2 Import Control System (ICS) and Export Control System (ECS) in the EU . 17
4.3 Maritime Security Legislation, ISPS Code in the EU . 18
4.4 Aviation Security Legislation, Air Cargo Supply Chains in the EU . 18
4.5 European Union Authorized Economic Operator (EU AEO) . 19
4.6 Regulated agent, Known consignor and Account consignor in the EU . 20
4.7 ISO 28000 Series of Standards on Supply Chain Security Management Systems . 21
4.8 Transported Asset Protection Association (TAPA) in Europe . 21

2

---------------------- Page: 4 ----------------------

SIST-TP CEN/TR 16412:2012
CEN/TR 16412:2012 (E)
Foreword
This document (CEN/TR 16412:2012) has been prepared by Technical Committee CEN/TC 379 “Supply
Chain Security”, the secretariat of which is held by NEN.
Supply chains move huge quantities and values of products and services between businesses and between
businesses and consumers throughout Europe and between Europe and countries in other continents. These
movements present enormous opportunities for organized crime and terrorists. The intrusion of crime and
terrorist activity has become a major risk in doing business for the majority of operators within the supply
chain, i.e.:
 cargo owners;
 shippers;
 forwarders;
 terminal operators;
 transporters.
3

---------------------- Page: 5 ----------------------

SIST-TP CEN/TR 16412:2012
CEN/TR 16412:2012 (E)
1 Scope
This Technical Report aims to provide Small and Medium sized Enterprises (SMEs) basic knowledge about
how to manage and mitigate the risk of criminal and terrorist activities. This is a shared objective for the
1
private and public sector. For the private sector, companies have gained experience on measures, which can
assist in preventing security breaches from happening, to protect against supply chain interruption. Also some
business standards have been developed identifying measures, which companies can execute in order to
obtain labels which certify business operations and reward them with a security quality label. The public sector
has developed security legislation which companies should either mandatory or voluntary apply into their
business operations.
This Guide provides an easy-to-read overview on:
1) How SMEs can apply a supply chain security approach to their operations (Clause 2).
2) The main crime types in the supply chain including some measures to fight these crime types from
occurring (Clause 3).
3) Supply chain security legislation and programs, with their respective compliance requirements
(Clause 4).

1
In the context of this guide, “supply chain security” covers risk management, crime prevention, security procedures and
technologies, as well as security regulations and programs. The overview and examples in this book are based on recent
academic work and interviews with experts in the field, including CEN SCS Feasibility Study (2010); EU FP7-LOGSEC
Roadmap (2011) and interviews with CEN TC/379 experts.

4

---------------------- Page: 6 ----------------------

SIST-TP CEN/TR 16412:2012
CEN/TR 16412:2012 (E)
2 Recommended Supply Chain Security Approach
How to integrate supply chain security into your business? Various ways are possible and being explored by
companies. Existing guidelines and best practices often refer to the exploitation of risk management
approaches. However, the practical application of these approaches is often difficult to understand and apply
in practice for SMEs. Hence, in this guide a concrete step-by-step approach is explained, with examples of
practical security measures to mitigate specific crime risks, and to comply with specific security regulations
2
and standards. In this guide, the following six steps are recommended :

FIRST, define the context for your supply chain, crime prevention and security management activities. The
major questions being:
 Which business are you in, and how “security sensitive” is it?
 Which geographies and transport modes are included?
 Who are the customers, suppliers, insurance providers, governmental agencies and other key
stakeholders your supply chain operates with?
As an outcome, you create the context before moving on to the next considerations.

2
There is no guarantee that a certain security measure brings a sustainable, positive outcome.
5

---------------------- Page: 7 ----------------------

SIST-TP CEN/TR 16412:2012
CEN/TR 16412:2012 (E)
SECOND, perform a threat and vulnerability analysis, when it comes to actual criminal and terrorist threats
3
in your supply chain. The major questions being:
 Where are the risks of failing today, i.e. where are the gaps calling for enhanced security?
 Which crime types are of particularly high risk in your supply chain? Use statistical sources, if
available, while carrying out such risk assessments.
 What are the realized and/or potential consequences of one or more crime incidents?
4
THIRD, consider regulatory and program aspects. The major questions being:
 Which regulations are required for you to operate successfully in your defined business environment,
and which programs could support achieving your business objectives?
 What do your customers expect from you? What about your suppliers?
 Have your insurance providers established any requirements?
 What about relevant governmental authorities, including customs and police?
FOURTH, create an overarching security plan for your company and/or supply chain, where you consider a
variety of security management aspects, taking into consideration the outcomes of your business context;
threat and vulnerability; as well as security program and regulatory aspects analysis (steps one, two and three
above). The aspects you should take into consideration are:
 Physical security (facilities, vehicles, containers, shipments etc.);
 Data security (in particular systems with supply chain data);
 Human resources security (including selection, training, and exit procedures); - Business partner
security (including selection, and auditing); and
 Process control and monitoring of deviations.
FIFTH, choose the combination of concrete security measures – investments in technologies,
procurement of services, in-house solutions and so forth – and implement them into practice. Embed security
procedures and technologies as much as feasible into daily operations, as part of your overall supply chain,
logistics, and transport management functions.
SIXTH, monitor and measure the security performance and feedback to the planning cycle. Take
corrective actions. Increase security at weak spots, and reduce in the areas where overinvestment has taken
place. Pay attention to the dynamics and changing situations when it comes to criminal focus areas and
“criminal portfolios”; technical and operational improvements - both licit and illicit aspects - and legislative
requirements, and consequences, both for the licit and illicit actors.


3
 Clause 2 helps to increase understanding the types of threats one could be subject to and do something about.
4
 Clause 3 provides an overview of key regulation and programs.
6

---------------------- Page: 8 ----------------------

SIST-TP CEN/TR 16412:2012
CEN/TR 16412:2012 (E)
3 Crime prevention in supply chains
3.1 Introduction
Ten relevant crime types have been chosen fallen under the following five categories:
1) Property theft: Cargo theft; Intellectual property violations.
2) Targeted damage: Terrorism; Sabotage.
3) Cross-border duty and tax fraud
4) Illegitimate transporting / importing and/or exporting: Smuggling of prohibited and restricted
goods; People smuggling.
ϱͿ Crime facilitation: Document forgery; Bogus companies; Cyber crime.
For each crime type, the
 issue (What are the main characteristics and what are the typical products / sectors involved?),
 scope of the problem (Why is it a problem?) and
 actions to take (How to mitigate the risks?)
are being elaborated on. 
3.2 Cargo theft
Cargo theft can be defined as “.any theft of shipment committed during its (surface) transportation or
5
within a warehouse.” . This covers straightforward theft, hijacking, robbery, fraudulent pick-up, and load
6
diversions, etc. . The value of a single load can be anything from a few thousand to few dozen million Euros.
On the other hand, in case of getting caught, cargo crimes often result only in minor legal punishment.
Valuable commodities, which have high demand on the after-market and are easily transportable, are quick to
7
sell and particularly vulnerable for cargo theft . These commodities include consumer electronics, cigarettes,
food, alcohol, brand apparels, precious metals and prescription drugs. Cargo crime incidents can occur in any
part of a supply chain, but truck stops and unsecured parking lots are the most vulnerable spots in the chain
(NICB 2010).
8
In addition to the high financial losses estimated to be over 8 billion Euros in Europe in 2009 , the human
9
suffering caused by threats and violence involved in cargo theft is huge. From the private sector perspective,
cargo theft is commonly considered the most frequent crime threat in supply chains today. All operators can
be usual victims of cargo theft. Manufacturers face material shortages due to theft incidents, resulting in
10
production downtime, missed deliveries and lost sales . For the logistics sector, cargo theft causes liability
and insurance problems, lower customer satisfaction and so on. For the public sector, cargo theft is a cost

5
Cargo Theft Report. Applying the Brakes to Road. Cargo Crime in Europe. Public version excluding Appendix D (Europol
Restricted). The Hague, 2009. Editorial note: term ”surface” is used instead of ”road”.
6
Cargo theft is being perceived as an attractive, high reward, low risk criminal industry FIA 2001, Contraband, Organized
Crime and the Threat to the Transportation and Supply Chain Function
7
Felson and Clarke, 1997, Opportunity makes thief
8
http://www.tapaemea.com/public/
9
IRU 2006 Attacks on Drivers of International Heavy Goods Vehicles
10
Anderson, Bill (2007), Securing the Supply Chain – Prevent Cargo Theft, Security, Vol. 44, N°5, pp. 56-58
7

---------------------- Page: 9 ----------------------

SIST-TP CEN/TR 16412:2012
CEN/TR 16412:2012 (E)
and reputation factor for the police and the legal system. It can be dangerous for consumers, who
unknowingly or knowingly buy stolen goods. As yet, fighting cargo crime has not traditionally been a high
11
priority concern for policymakers .
Measures to mitigate the risk of theft relate to
 Physical security measures for buildings, parking areas, and vehicles are key.
 Selecting low-risk routes, avoiding unnecessary stops, and not picking up unknown people into
trucks are good policies.
 Careful selection and training of personnel and supply chain partners, as well as conducting audits of
security capabilities of the logistics service providers normally helps to mitigate the risks.
 (Hidden) tracking devices among the cargo as well as tracking devices in the vehicle – and even
12
vehicle immobilization systems can help to recover the stolen items.
 Training of warehouse workers and drivers can also be a useful recovery measure.
Further reading on how to reduce cargo theft in the supply chain͗
 IRU Road Transportation Security Guidelines 2005, which is available at
http://www.iru.org/en_guidelines-goods
 TAPA FSR 2011 and TAPA TSR 2008, which are available at http://www.tapaemea.com/
3.3 Counterfeit goods

Counterfeiting can be defined as “the illegal reproduction or imitation of products, given that this
13
illegality is the result of a violation of any type of intellectual property rights” . Counterfeits products
are mostly transported to affluent markets via legitimate supply chains, whereby the production of the
counterfeits often takes place at the upstream of an otherwise legitimate supply chain. Counterfeiting trade
can bring huge profits, while there is a low risk of being caught and moderate punishment in case of being
caught. In some countries, the public perception is that counterfeiting can be socially acceptable. Advances in
14
technology increasingly give counterfeiters the tools to copy.
It has been estimated that since early 1990s, global trade in counterfeits has increased eight times faster than
15
legitimate trade. Today’s global markets for counterfeit products account for 5 % - 7 % of world trade . In a
worst-case scenario, counterfeit products can cause serious damage to human health and safety (even
16
death). Medicines, electronics and software remain the most counterfeited products in the world. .
Counterfeiting can reduce demand of genuine products resulting in lost sales as well as damage the
reputation of the brand owner. This is particularly the case when a customer is deceived and buys a copy
thinking it is a real product with proper functionalities and quality. Consumers buy counterfeit products both
knowingly and unknowingly.

ϭϭ
;ϮϬϬϯͿ͕͞&ƌĞŝŐŚƚƚƌĂŶƐƉŽƌƚƐĞĐƵƌŝƚLJ͕͟ŽŶƐƵůƚĂƚŝŽŶWĂƉĞƌ͕ƵƌŽƉĞĂŶŽŵŵŝƐƐŝŽŶ͕ƌƵƐƐĞůƐ͘
12
Detection and recovery are partially about getting information about an incident as soon and accurately as possible,
for both law enforcement and security service centre follow-up.
13
Nations Interregional Crime and Justice Research Institute (2007). Counterfeiting: a global spread, a
global threat. Turin: UNICRI.
14
http://www.iccwbo.org/id399/index.html
15
World intellectual Property Association, International Anti-counterfeiting Coalition
16
http://www.havocscope.com/black-market/counterfeit-goods/counterfeit-goods-ranking/
8

---------------------- Page: 10 ----------------------

SIST-TP CEN/TR 16412:2012
CEN/TR 16412:2012 (E)
Measures to mitigate the risk of counterfeit goods relate to:
 Prevention of counterfeit goods in the supply chain:
• Close co-operation between the relevant private and public sector actors, i.e. awareness
campaigns, development of international agreements and national legislations.
• Tight contracts with all the supply chain partners to eliminate counterfeit attempts within the
(normally) legitimate supply chain.
 Detection and recovery relying on capabilities to identify counterfeit products at various stages of
the supply chain, in a cost-efficient, non-intrusive and high quality (low false-positives and false-
negatives) manner. Measures include:
• High and low technology means to facilitate the detection process (on product level) including
hologram tags, bar codes, micro text and phone help-desks.
• Monitoring and auditing of consumer sales, auction websites, as well as physical outlets enables
detecting (and seizing) counterfeit products.
&ƵƌƚŚĞƌƌĞĂĚŝŶŐŽŶŚŽǁƚŽƚĂĐŬůĞĐŽƵŶƚĞƌĨĞŝƚƌĞůĂƚĞĚƉƌŽďůĞŵƐŝŶƚŚĞƐƵƉƉůLJĐŚĂŝŶ͗
 The International Trademark Association (INTA) and the International Chamber of Commerce (ICC)
Business Action to Stop Counterfeiting and Piracy (BASCAP) at http://www.bascap.com/
 IP Crime Group: Supply Chain Kit, available at http://www.ipo.gov.uk/ipctoolkit.pdf
3.4 Terrorism in supply chains
Terrorism can be defined as “any act intended to intimidate a population or to compel a government or
17
an international body to act.” Besides destroying (parts of) supply chain itself, terrorism is likely to be
18
connected with a variety of crime types Terrorists may exploit legitimate supply chains to achieve their
malicious objectives. Furthermore, terrorist groups can generate profits and fund their operations with
legitimate or illicit businesses throughout the supply chain. Terrorist networks may also use of the logistic
chain as a conduit to deliver weapons and individual terrorists to a target destination.
Governments across the globe have identified terrorism as unlawful and a major threat to political and social
stability. Since 9/11, a large number of counter-terrorism supply chain security initiatives have been launched.
19
These initiatives also impose a challenge for the private sector operators . First, they must adapt their
operations to a new operating environment with heightened security requirements. Secondly, they have to be
prepared to deal with the aftermath of a major terrorist attack. Supply chain operators do not commonly see
terrorism as an imminent threat. The bill of anti-terrorist measures imposed by government programmes can
be too expensive for companies, especially when these programmes imply monetary investments, or reduce
supply chain efficiency as lead times become longer and more unpredictable, i.e. more stringent customs
inspection at borders.

17
http://news.bbc.co.uk/2/hi/americas/4716957.stm
18
: “To strengthen coordination and cooperation among States in combating crimes that might be connected with
terrorism, including drug trafficking in all its aspects, illicit arms trade, in particular of small arms and light weapons,
including man-portable air defense systems, money-laundering and smuggling of nuclear, chemical, biological, radiological
and other potentially deadly materials.” United Nations. General Assembly. The United Nations Global Counter-Terrorism
Strategy. A/RES/60/288, Distribution on 20 September 2006.
19
Sheffi (2001). Supply Chain Management under the Threat of International Terrorism
9

---------------------- Page: 11 ----------------------

SIST-TP CEN/TR 16412:2012
CEN/TR 16412:2012 (E)
Measures to mitigate the risks of terrorism relate to:
 Prevention: focus on access to cargo at any point in the supply chain (cargo integrity).
 Detection and recovery: diverse monitoring, detection and inspection solutions can be operated at
various stages in the supply chain.
 Contingency and disaster management focus on recovery plans.
Further reading:
 EU-US joint statement on supply chain security, 23.6.2011
http://ec.europa.eu/taxation_customs/resources/documents/common/whats_new/eu_us_joint_statem
ent_protocol_en.pdf
 World Bank Guidebook in Supply Chain Security ,
http://siteresources.worldbank.org/INTPRAL/Resources/SCS_Guide_Final.pdf 
3.5 Sabotage in supply chains
Sabotage refers to a “calculated attack against a predetermined target aiming to damage property, hurt
employees, tarnish reputation or disrupt normal business operations”. Motivations for sabotage can be
of diverse nature. Frustrated former employees may commit sabotage for revenge. Sabotage can also be
used as an instrument for monetary gain and political power. “Professional extortionists” resort to sabotage to
give weight to their claims. Political extremists from left to right, environmental activists and fundamentalist
religious groups may perpetrate sabotage for political reasons, which makes their activities hard to distinguish
from terrorism. Sabotage is also an enabler for other supply chain crimes. Cargo thieves may sabotage power
supply in order to shut down electronic security systems. Sabotage itself can be assisted by insider
knowledge, identity theft, document fraud and corruption.
A sabotage incident causes harm for supply chain operators in terms of cost of damaged assets, lost sales,
and a compromised reputation. At worst, sabotage results in a massive product recall campaign resulting in
broader financial and reputational losses. This was the case in the UK where 250 000 packets of an over-the-
20
counter painkiller were recalled due to suspected sabotage. Pharmaceutical and food supply chains are
particularly prone to sabotage because of their sensitivity to product contamination. Other highly vulnerable
sectors include aviation and rail transportation. Sabotage against electronic systems cause major harm for all
ICT dependent companies. Sabotage poses a significant risk for citizens and societies as a whole. Threat of
product contamination and attacks against infrastructure put citizens’ safety in jeopardy, call for increased
funding for law enforcement and undermine national competitiveness. Police are typically the governmental
agency dealing with sabotage cases.
Measures to mitigate the risk of sabotage relate to͗
 Preventing, i.e. keeping unauthorized companies and persons away from supply chain assets.
Special attention should be paid to specific groups of individuals (e.g. recently sacked employees
which have shown deep anger) and with specific types of companies (e.g. a competitor who has
been placing threats), when it comes to preventing potential sabotage.
 Detection and recovery, continuous security, safety and quality monitoring, combined with business
contingency plans and teams trained to act in case of sabotage incidents, can be helpful.

20
http://www.bbc.co.uk/news/health-14685629

10

---------------------- Page: 12 ----------------------

SIST-TP CEN/TR 16412:2012
CEN/TR 16412:2012 (E)
More information on anti-sabotage approaches:
 Defending food and drink - Guidance for the deterrence, detection and defeat of ideologically
motivated and other forms of malicious attack on food and drink and their supply arrangements.
Available at: http://shop.bsigroup.com/Browse-by-Sector/Food--Drink/PAS-962010/
 C-TPAT – Supply Chain Security Best Practice Catalog Available at:
www.cbp.gov/linkhandler/cgov/./ctpat_best_practices.pdf
3.6 Cross-border duty and tax fraud
21
The expression “the unlawful importation of goods to avoid import duties and taxes” can be used as a
general baseline definition for the illicit avoidance of customs duties and excise taxes in the supply chain. In
general terms, fraud can be characterised as “an irregularity committed intentionally with the intention of
22
illicit gain which constitutes a criminal offence”. Duty fraud refers to deliberate evasion of customs duties
in legitimate trade articles.
23
Governments consider tackling fraud as a key objective in protecting financial interests. Duty fraudsters may
try to evade customs controls by importing goods through clandestine smuggling routes. They may also
transport their goods through legitimate trade lanes and customs checkpoints for example by the aid of
fraudulent documentation and/or complicit customs officers. Duty fraud via the legitimate trade lanes is based
upon false statements in any convenient data field in the import declaration: i.e. tariff code, value, quantity,
country of origin. A dishonest trader can mask a shipment of heavily taxed goods with a cover load of less
taxed commodities. Legal consequences of duty fraud include fines, loss of trade licenses and civil charges
for liable individuals. Most attractive commodities for duty fraud include high-tax commodities that have a
strong and stable demand on the market, including excise taxable goods such as mineral oils, tobacco and
24
alcohol . The biggest (default) liability in duty and excise tax fraud lies with the importer-of-record, which
may commonly be the cargo owner or shipper. If someone from the logistics sector is (knowingly) part of the
duty evasion activities, they will naturally be prosecuted. Governments are tackling the problem by imposing
more stringent regulations on carriers and logistics operators. Customs administration is the main agency that
combats duty fraud at a national level.
Measures to mitigate the risk of duty and tax fraud relate to prevention, detection and recovery:
 Awareness creation and training throughout the supply chain, combined with careful selection of own
personnel and business partners. Having an anonymous tipping line (phone or email) available to all
actors in the chain can act as means of deterrence.
 Risk profiling and targeting IT systems, x-ray and other non-intrusive scanning technologies, random
inspections and specific crime-fighting actions such as operations to catch smugglers and fraudsters.
(often used by public administrations).
Further reading on how to mitigate the risks for customs duty and excise tax fraud͗
 WCO Patterns and Trends report , http://www.mcmullinpublishers.com/downloads/OMD.pdf

21
Presentation by EUROPOL, Criminal Finances and Technology Operations Department.
22
http://ec.europa.eu/anti_fraud/reports/commission/2010/EN.pdf
...