CTPAT- minimum Security Requirements

3. SYNOPSIS
THIS COURSE IS AIMED AT CREATING AWARENESS AMONG THE PARTICIPANTS ON
CUSTOMS AND TRADE PARTNERSHIP AGAINST TERRORISM (CTPAT) SECURITY
REQUIREMENTS IN THE SUPPLY CHAIN DOMAIN. THE FOCUS OF SUCH
REQUIREMENT IS FOR FOREIGN MANUFACTURERS SUPPLYING GOODS TO UNITED
STATES TO OBSERVE SPECIFIC SECURITY GUIDANCE TO ENSURE A SECURE SUPPLY
CHAIN FROM THE POINT OF PACKAGING TO THE POINT OF RECEIPT.
HENCE, THIS TRAINING IS DELIVERED TO PROVIDE KNOWLEDGE AND
UNDERSTANDING ON THE SECURITY PROCESSES AND PROCEDURES INVOLVED IN
ENSURING THE SAFE MANUFACTURE, PACKAGING AND TRANSPORTING OF
GLOVES FROM COMFORT GLOVES TO ITS TRADE PARTNER IN UNITED STATES. THE
SECURITY PROCESSES AND PROCEDURES DISCUSSED SHALL BE WITHIN THE
CONFINES OF STIPULATED CTPAT SECURITY GUIDANCE THAT NEEDS TO BE
COMPLIED WITH INORDER TO ENSURE RISK MINIMIZED, FAST TRACK AND SAFE
ARRIVAL OF GOODS AT THE INTENDED DESTINATION IN UNITED STATES.

4. As the trade environment and security regulations continuously evolve, businesses must adapt
accordingly to remain in compliance and ensure vigilance in supply chain security.
Each course is curated to be straightforward and easily digestible. We understand that keeping up with the
evolving program can be a challenge. CTS Academy CTPAT courses provide clarity around best practices to
help you stay in compliance and optimize your membership benefits.
The Course Serves as a Practical Training Module For
Current CTPAT members hoping to meet the New Minimum Security Criteria, maximize their program benefits or
enhance company-wide understanding of the CTPAT program
Companies that aspire to become CTPAT members and seek practical advice on best practices for security profiles,
validations, and other elements of program participation
Non-CTPAT members who seek to enhance efficiency and security within their supply chains or aim to adhere to
CTPAT standards as required by business partners
Course Content
Overview and history of the CTPAT program
Interactive examples of demonstrated supply chain smuggling scenarios and conveyance vulnerabilities
Updates to the Minimum Security Criteria
Best practices in completing the Security Profile and preparing for validations
An in-depth look at the new Corporate Security Criteria

5. The Course Serves as a Practical Training Module For
Non-CTPAT Member companies seeking to augment their supply
chain security knowledge and understanding of the CTPAT program
Prospective CTPAT Member companies seeking program overview,
best practices, and expert insights before/during the CTPAT
application process.
CTPAT Member companies onboarding additional personnel in
maintaining CTPAT compliance
Course Content
What the CTPAT program is and how it benefits your company ​
How to successfully apply for membership by understanding key
requirements ​
What to do after certification and maintaining your certification
Expert insights from former CTPAT directors

19. IMPLEMENTATION

25. INTRODUCTION
TO
CTPAT
1.

29. https://slideplayer.com/slide/13986361/

30. This report identifies labour issues, and in particular evidence of
forced labour, in the Malaysian medical gloves sector before and
during the COVID-19 pandemic, and evaluates the ways in which
those issues are addressed in the supply chain. The report
focuses on the production of medical examination gloves in
Malaysia (in a value chain where power shifted to the
manufacturers during the pandemic), and supply to the UK’s
National Health Service (NHS), which experienced a fourfold
increase in consumption of gloves from March 2020.

32. 1. INTRODUCTION
CTPAT

34. WHAT IS CTPAT ?
Customs Trade Partnership Against Terrorism (CTPAT) is
but one layer in U.S. Customs and Border Protection's
(CBP) multi-layered cargo enforcement strategy.
Through this program, CBP works with the trade
community to strengthen international supply chains
and improve United States border security.
https://www.process.st/sop-format/#what-is-sop

37. X

38. X
https://www.youtube.com/watch?v=j9MQMVn3FV4&t=516s&ab_channel=TomOlzak
https://www.youtube.com/watch?v=Yvr71HoCNO8&ab_channel=Crimonologyboyfarmer
https://www.youtube.com/watch?v=tyFkj5UrPJQ&ab_channel=TomOlzak

43. DHS and its U.S. Customs and Border Protection (CBP) are responsible for addressing the
threat posed by terrorists smuggling weapons into the United States. To carry out this
responsibility, CBP has in place programs known as the Customs-Trade Partnership
Against Terrorism (C-TPAT) and the Container Security Initiative (CSI). The C-TPAT program
attempts to improve the security of the international supply chain (flow of goods from
manufacturer to retailer). It is a cooperative program between CBP and members of the
international trade community in which private companies agree to improve the security
of their supply chains in return for a reduced likelihood that their containers will be
inspected. C-TPAT membership is open to U.S.- and foreign-based companies whose
goods are shipped to the United States via air, rail, ocean, and truck carriers. The CSI
program specifically addresses the security of oceangoing cargo containers. Under the
program, CBP places staff at foreign seaports to work with foreign counterparts to use risk
assessment information to select, or target, those containers at risk of containing WMD
and inspect them before they are shipped to the United States.

45. WHY CTPAT WAS ESTABLISHED?
The purpose of CTPAT is to partner with the trade
community for the purpose of securing the U.S. and
international supply chains from possible intrusion
by terrorist organizations.
C-TPAT is a voluntary program designed to improve the security of
the international supply chain while maintaining an efficient flow of
goods

46. https://slideplayer.com/slide/1464257/

62. HOW WAS IT ESTABLISHED?
CTPAT is a voluntary public-private sector
partnership program which recognizes that CBP can
provide the highest level of cargo security only
through close cooperation with the principle
stakeholders of the international supply chain such
as importers, carriers, consolidators, licensed
customs brokers, and manufacturers.

63. 2. Security Vision & Responsibility
(Focus on CTPAT Minimum Security Measures Requirement)
Supply chain & transport providers need to manage multiple risks along the sourcing, transport and distribution chain. In
our interconnected world, safety, reliability and efficiency can only be secured through collaboration between industries
and government.
This initiative provides a useful framework to bring together disparate strands of risk, from terrorism, weather, currency
shifts to IT failure, helping corporate boards and governments define priorities. As we develop our capabilities to
understand, mitigate and respond to risks we need continued dialogue among all supply chain and transport actors.

65. What is Security all about?

68. THE NEED FOR CYBER SECURITY

70. Supply chain 4.0 denotes the fourth revolution of supply chain management
systems, integrating manufacturing operations with telecommunication and
Information Technology processes. Although the overarching aim of supply
chain 4.0 is the enhancement of production systems within supply chains,
making use of global reach, increasing agility and emerging technology, with
the ultimate goal of increasing efficiency, timeliness and profitability, Supply
chain 4.0 suffers from unique and emerging operational and cyber risks. Supply
chain 4.0 has a lack of semantic standards, poor interoperability, and a dearth of
security in the operation of its manufacturing and Information Technology
processes. The technologies that underpin supply chain 4.0 include blockchain,
smart contracts, applications of Artificial Intelligence, cyber-physical systems,
Internet of Things and Industrial Internet of Things. Each of these technologies,
individually and combined, create cyber security issues that should be
addressed.

85. Digital Media Platform - Disemination Platform

86. “Risks” are defined in relation to the potentially adverse impacts
of a company’s operations, which result from a company’s own
activities or its relationships with third parties, including
suppliers and other entities in the supply chain.
Adverse impacts may include harm to people (i.e. external
impacts), or reputational damage or legal liability for the
company (i.e. internal impacts), or both. Such internal and
external impacts are often interdependent, with external harm
coupled with reputational damage or exposure to legal liability.

87. World Economic Forum (2012)

88. Supply Risks: Impacts inbound supply, implying that a
supply chain cannot meet the demand in terms of quantity
and quality of parts and finished goods. The outcome is
labeled as a supply disruption.
Demand Risks: Impacts elements of the outbound supply
chain where the extent or the fluctuation of the demand is
unexpected. This is labeled as demand disruption.
Operational Risks: Impacts elements within a supply chain,
impairing its ability to supply services, parts, or finished
goods within the standard requirements of time, cost, and
quality. Transportation disruptions are one of the most
salient operational risks.

89. Environmental Risk: Considered to be that factors
that have among the highest probability of
occurrence and that can be the least effectively
mitigated since they tend to be uncontrollable.
Natural disasters (e.g. earthquakes) and extreme
weather are within this category, including
potential sea level rises. Pandemics are low
probability events, but once they occur, they
become high impact events

90. Geopolitical Risk: Several geopolitical factors
tend to have a high probability, namely conflicts
and trade restrictions. Still, supply chain actors
have a level of influence on the outcome by
electing locations that are less prone to these
risks and by influencing policy.

91. Due diligence is the process through which
enterprises can identify, prevent, mitigate and
account for how they address their actual and
potential adverse impacts.

92. Economic Risk: The most significant economic factors
relate to demand shocks, often associated with sudden
political or economic changes. Price volatility is also a
concern since it has an important impact on input
costs.
Like geopolitical factors, supply chain actors have a
level of influence on the outcome. For instance, trade
restrictions arbitrarily imposed by governments can
have important impacts. Still, the industry is able to
either comply or to put pressures to have these
restrictions changed if they are judged to be
unacceptable.

93. Technological Risk: Transport infrastructure failures
are fairly rare, so the most salient technological
concern involves ICT disruptions. As supply chain
management increasingly relies on information
technologies for its management and operations,
any information system failure has important
ramifications

98. Risk-based
Due diligence should be risk-based:
 The measures that an enterprise takes to conduct due diligence
should be commensurate to the likelihood and severity of the harm.
For example, if an enterprise is sourcing from a country with a
weak labour inspectorate, the measures that the enterprise will
need to take to prevent child labour, forced labour and other labour
impacts will be more extensive than the measures an enterprise
may need to take if sourcing from a supplier operating in a
jurisdiction with a strong labour inspectorate.
 The enterprise may prioritise the order in which it takes action
based on the likelihood and severity of harm.

99. Factors that may affect the nature and extent of due
diligence:
• Sourcing models:
− Direct sourcing: An enterprise holds a direct contractual relationship with its supplier.
− Indirect sourcing: An enterprise sources products (e.g. raw materials or finished goods) through an intermediary.
• Size of the enterprise: For example, the resources, knowledge and capacity to implement due diligence may be
more limited in small and medium-sized enterprises (SMEs) compared to larger enterprises
• Nature of the business: The nature of the enterprise’s business, whether it is a retailer, brand, buying agent,
manufacturer, etc.,
• Meaningful stakeholder engagement
• Collaboration on due diligence

100. A company assesses risk by identifying the factual
circumstances of its activities and relationships and
evaluating those facts against relevant standards provided
under national and international law, recommendations on
responsible business conduct by international organisations,
government-backed tools, private sector voluntary initiatives
and a company’s internal policies and systems. This
approach also helps to scale the due diligence exercise to
the size of the company’s activities or supply chain
relationships.

101. In practice, due diligence is structured around the steps that
companies should take to:
● identify the factual circumstances involved in the extraction,
transport, handling, trading, processing, smelting, refining and
alloying, manufacturing or selling of products that contain
minerals originating from conflict-affected and high-risk areas;
● identify and assess any actual or potential risks by evaluating
the factual circumstances against standards set out in the
company’s supply chain policy (see the Model Supply Chain
Policy, Annex II);

102. Identify actual and potential harms in the enterprise’s
own operations and in its supply chain

104. Product risk factors
Some products hold a higher risk of impact than others due to the processes used to make them. For example, cotton
products may hold a higher risk of hazardous insecticides such as Parathion, Aldicarb and Methamidopho, whereas
polyester products may hold a higher risk of contributing to greenhouse gas emissions.
Country risk factors
Country risk factors are conditions in a particular country or production cluster, or within the industry within a particular
country, which may make the above sector risks more likely. These generally include governance, socio-economic and
industry factors. For example, high rates of migrant labour is a risk factor for child labour, forced labour, non-compliance
with wage legislation and sexual harassment.16 See Section II, modules for country risk factors across sector risks.
Business-model risk factors
The enterprise’s business model, such as the number of product lines that it sells and how often those product lines are
changed (i.e. seasons per year), may affect the risk of harm in the enterprise’s supply chain.

105. Identify the enterprise’s most significant risks of harm
Based on all known information, the enterprise should determine which risks of harm are most significant – in relation to
likelihood and severity of harm – in its own operations and in its supply chain and prioritise those risks for action first.
Severity of harm is judged on scale, scope and irremediable character.
• “Scale” refers to the gravity of the adverse impact.
• “Scope” concerns the number of individuals that are or will beaffected.
• “Irremediable character” means any limits on the ability to restore those affected to a situation at least the same as, or
equivalent to, their situation before the adverse impact.
Given the complexity and diversity of issues within the garment and footwear sector, determining the most significant risks
of harm in the enterprise’s own operations and in its supply chain is likely to entail some judgement on the part of the
enterprise. The enterprise is encouraged to engage with stakeholders and experts in this process. In all cases, the
enterprises should be prepared to justify how it determined and prioritised risks.

106. ● prevent or mitigate the identified risks by adopting and
implementing a risk management plan. These may result in a
decision to continue trade throughout the course of risk
mitigation efforts, temporarily suspend trade while pursuing
ongoing risk mitigation, or disengage with a supplier either
after failed attempts at mitigation or where the company
deems mitigation not feasible or the risks unacceptable.

107. The nature and extent of due diligence that is appropriate will depend on individual
circumstances and be affected by factors such as the size of the enterprise, the location of
the activities, the situation in a particular country, the sector and nature of the products or
services involved. These challenges may be met in a variety of ways, including but not
limited to:
● Industry-wide cooperation in building capacity to conduct due diligence.
● Cost-sharing within industry for specific due diligence tasks.
● Participation in initiatives on responsible supply chain management.3
● Coordination between industry members who share suppliers.
● Cooperation between upstream and downstream companies.
● Building partnerships with international and civil society organisations.
● Integrating the model supply chain policy (Annex II) and specific due diligence
recommendations outlined in this Guidance into existing policies and management
systems, due diligence practices of the company, such as procurement practices, integrity
and know your customer due diligence measures and sustainability, corporate social
responsibility or other annual reporting.

108. Activity: What is High Risk Shipment in Supply Chain?
Current business trends are leading to complex and dynamic
supply chains. Increasing product/service complexity, out-
sourcing and globalization are the reasons that have enhanced
the risk, changed its location and nature in supply chains.

111. List of High Risk
Countries?

112. Managing risk is based on the principles, framework and process outlined in this
document, as illustrated in Figure 1. These components might already exist in full or in
part within the organization, however, they might need to be adapted or improved so
that managing risk is efficient, effective and consistent.

114. Effective risk management requires the elements of Figure 2 and can be further explained as follows.
a) Integrated
Risk management is an integral part of all organizational activities.
b) Structured and comprehensive
A structured and comprehensive approach to risk management contributes to consistent and comparable results.
c) Customized
The risk management framework and process are customized and proportionate to the organization’s external and internal
context related to its objectives.
d) Inclusive
Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This
results in improved awareness and informed risk management.
e) Dynamic
Risks can emerge, change or disappear as an organization’s external and internal context changes. Risk management
anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
f) Best available information
The inputs to risk management are based on historical and current information, as well as on future expectations. Risk
management explicitly takes into account any limitations and uncertainties associated with such information and expectations.
Information should be timely, clear and available to relevant stakeholders.
g) Human and cultural factors
Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
h) Continual improvement
Risk management is continually improved through learning and experience.
PRINCIPLES

115. Framework
General
The purpose of the risk management framework is to assist the organization in integrating risk management into
significant activities and functions. The effectiveness of risk management will depend on its integration into the
governance of the organization, including decision-making. This requires support from stakeholders, particularly top
management. Framework development encompasses integrating, designing, implementing, evaluating and
improving risk management across the organization. Figure 3 illustrates the components of a framework.

116. The organization should evaluate its existing risk management practices and processes, evaluate any gaps and
address those gaps within the framework. The components of the framework and the way in which they work
together should be customized to the needs of the organization.
Leadership and commitment
Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all
organizational activities and should demonstrate leadership and commitment by:
— customizing and implementing all components of the framework;
— issuing a statement or policy that establishes a risk management approach, plan or course of action;
— ensuring that the necessary resources are allocated to managing risk;
— assigning authority, responsibility and accountability at appropriate levels within the organization.
This will help the organization to:
— align risk management with its objectives, strategy and culture;
— recognize and address all obligations, as well as its voluntary commitments;
— establish the amount and type of risk that may or may not be taken to guide the development of risk criteria,
ensuring that they are communicated to the organization and its stakeholders;
— communicate the value of risk management to the organization and its stakeholders;
— promote systematic monitoring of risks;
— ensure that the risk management framework remains appropriate to the context of the organization

117. Top management is accountable for managing risk while oversight bodies are accountable for overseeing risk
management. Oversight bodies are often expected or required to:
— ensure that risks are adequately considered when setting the organization’s objectives;
— understand the risks facing the organization in pursuit of its objectives;
— ensure that systems to manage such risks are implemented and operating effectively;
— ensure that such risks are appropriate in the context of the organization’s objectives;
— ensure that information about such risks and their management is properly communicated.

118. Integration
Integrating risk management relies on an understanding of organizational structures and context. Structures
differ depending on the organization’s purpose, goals and complexity. Risk is managed in every part of the
organization’s structure. Everyone in an organization has responsibility for managing risk.
Governance guides the course of the organization, its external and internal relationships, and the rules,
processes and practices needed to achieve its purpose. Management structures translate governance
direction into the strategy and associated objectives required to achieve desired levels of sustainable
performance and long-term viability. Determining risk management accountability and oversight roles
within an organization are integral parts of the organization’s governance.
Integrating risk management into an organization is a dynamic and iterative process, and should be
customized to the organization’s needs and culture. Risk management should be a part of, and not separate
from, the organizational purpose, governance, leadership and commitment, strategy, objectives and
operations

119. Design
5.4.1 Understanding the organization and its context
When designing the framework for managing risk, the organization should examine and understand its external and
internal context.
Examining the organization’s external context may include, but is not limited to:
— the social, cultural, political, legal, regulatory, financial, technological, economic and environmental factors, whether
international, national, regional or local;
— key drivers and trends affecting the objectives of the organization;
— external stakeholders’ relationships, perceptions, values, needs and expectations;
— contractual relationships and commitments;
— the complexity of networks and dependencies.
Examining the organization’s internal context may include, but is not limited to:
— vision, mission and values;
— governance, organizational structure, roles and accountabilities;
— strategy, objectives and policies;
— the organization’s culture;
— standards, guidelines and models adopted by the organization;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, intellectual property,
processes, systems and technologies);
— data, information systems and information flows;
— relationships with internal stakeholders, taking into account their perceptions and values;
— contractual relationships and commitments;
— interdependencies and interconnections.

120. Articulating risk management commitment
Top management and oversight bodies, where applicable, should demonstrate and articulate their continual
commitment to risk management through a policy, a statement or other forms that clearly convey an organization’s
objectives and commitment to risk management. The commitment should include, but is not limited to:
— the organization’s purpose for managing risk and links to its objectives and other policies;
— reinforcing the need to integrate risk management into the overall culture of the organization;
— leading the integration of risk management into core business activities and decision-making;
— authorities, responsibilities and accountabilities;
— making the necessary resources available;
— the way in which conflicting objectives are dealt with;
— measurement and reporting within the organization’s performance indicators;
— review and improvement.
The risk management commitment should be communicated within an organization and to stakeholders, as
appropriate.

121. Assigning organizational roles, authorities, responsibilities and accountabilities
Top management and oversight bodies, where applicable, should ensure that the authorities, responsibilities and
accountabilities for relevant roles with respect to risk management are assigned and communicated at all levels of
the organization, and should:
— emphasize that risk management is a core responsibility;
— identify individuals who have the accountability and authority to manage risk (risk owners).

122. Allocating resources
Top management and oversight bodies, where applicable, should ensure allocation of appropriate resources for risk
management, which can include, but are not limited to:
— people, skills, experience and competence;
— the organization’s processes, methods and tools to be used for managing risk;
— documented processes and procedures;
— information and knowledge management systems;
— professional development and training needs.
The organization should consider the capabilities of, and constraints on, existing resources.

123. Establishing communication and consultation
The organization should establish an approved approach to communication and consultation in order to support
the framework and facilitate the effective application of risk management. Communication involves sharing
information with targeted audiences. Consultation also involves participants providing feedback with the
expectation that it will contribute to and shape decisions or other activities. Communication and consultation
methods and content should reflect the expectations of stakeholders, where relevant.
Communication and consultation should be timely and ensure that relevant information is collected, collated,
synthesised and shared, as appropriate, and that feedback is provided and improvements are made.

124. Implementation
The organization should implement the risk management framework by:
— developing an appropriate plan including time and resources;
— identifying where, when and how different types of decisions are made across the organization, and by whom;
— modifying the applicable decision-making processes where necessary;
— ensuring that the organization’s arrangements for managing risk are clearly understood and practised.
Successful implementation of the framework requires the engagement and awareness of stakeholders.
This enables organizations to explicitly address uncertainty in decision-making, while also ensuring that any new
or subsequent uncertainty can be taken into account as it arises.
Properly designed and implemented, the risk management framework will ensure that the risk management
process is a part of all activities throughout the organization, including decision-making, and that changes in
external and internal contexts will be adequately captured.

125. Evaluation
In order to evaluate the effectiveness of the risk management framework, the organization should:
— periodically measure risk management framework performance against its purpose, implementation plans,
indicators and expected behaviour;
— determine whether it remains suitable to support achieving the objectives of the organization.

126. 5.7 Improvement
5.7.1 Adapting
The organization should continually monitor and adapt the risk management framework to address external and
internal changes. In doing so, the organization can improve its value.
5.7.2 Continually improving
The organization should continually improve the suitability, adequacy and effectiveness of the risk management
framework and the way the risk management process is integrated.
As relevant gaps or improvement opportunities are identified, the organization should develop plans and tasks
and assign them to those accountable for implementation. Once implemented, these improvements should
contribute to the enhancement of risk management.

127. Process
6.1 General
The risk management process involves the systematic application of policies, procedures and practices to the activities
of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording
and reporting risk. This process is illustrated in Figure 4

128. The risk management process should be an integral part of management and decision-making and integrated
into the structure, operations and processes of the organization. It can be applied at strategic, operational,
programme or project levels.
There can be many applications of the risk management process within an organization, customized to
achieve objectives and to suit the external and internal context in which they are applied.
The dynamic and variable nature of human behaviour and culture should be considered throughout the risk
management process.
Although the risk management process is often presented as sequential, in practice it is iterative.

129. Communication and consultation
The purpose of communication and consultation is to assist relevant stakeholders in understanding risk, the basis on
which decisions are made and the reasons why particular actions are required. Communication seeks to promote
awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support
decision-making. Close coordination between the two should facilitate factual, timely, relevant, accurate and
understandable exchange of information, taking into account the confidentiality and integrity of information as well as
the privacy rights of individuals.
Communication and consultation with appropriate external and internal stakeholders should take place within and
throughout all steps of the risk management process.
Communication and consultation aims to:
— bring different areas of expertise together for each step of the risk management process;
— ensure that different views are appropriately considered when defining risk criteria and when evaluating risks;
— provide sufficient information to facilitate risk oversight and decision-making;
— build a sense of inclusiveness and ownership among those affected by risk.

130. Scope, context and criteria
6.3.1 General
The purpose of establishing the scope, the context and criteria is to customize the risk management process, enabling
effective risk assessment and appropriate risk treatment. Scope, context and criteria involve defining the scope of the
process, and understanding the external and internal context.
6.3.2 Defining the scope
The organization should define the scope of its risk management activities.
As the risk management process may be applied at different levels (e.g. strategic, operational, programme, project, or other
activities), it is important to be clear about the scope under consideration, the relevant objectives to be considered and their
alignment with organizational objectives.
When planning the approach, considerations include:
— objectives and decisions that need to be made;
— outcomes expected from the steps to be taken in the process;
— time, location, specific inclusions and exclusions;
— appropriate risk assessment tools and techniques;
— resources required, responsibilities and records to be kept;
— relationships with other projects, processes and activities.

131. External and internal context
The external and internal context is the environment in which the organization seeks to define and achieve its objectives.
The context of the risk management process should be established from the understanding of the external and internal
environment in which the organization operates and should reflect the specific environment of the activity to which the
risk management process is to be applied.
Understanding the context is important because:
— risk management takes place in the context of the objectives and activities of the organization;
— organizational factors can be a source of risk;
— the purpose and scope of the risk management process may be interrelated with the objectives of the organization as a
whole.
The organization should establish the external and internal context of the risk management process by considering the
factors mentioned in 5.4.1.

132. 6.3.4 Defining risk criteria
The organization should specify the amount and type of risk that it may or may not take, relative to objectives. It should
also define criteria to evaluate the significance of risk and to support decision-making processes. Risk criteria should be
aligned with the risk management framework and customized to the specific purpose and scope of the activity under
consideration. Risk criteria should reflect the organization’s values, objectives and resources and be consistent with
policies and statements about risk management. The criteria should be defined taking into consideration the
organization’s obligations and the views of stakeholders.
While risk criteria should be established at the beginning of the risk assessment process, they are dynamic and should be
continually reviewed and amended, if necessary.
To set risk criteria, the following should be considered:
— the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible);
— how consequences (both positive and negative) and likelihood will be defined and measured;
— time-related factors;
— consistency in the use of measurements;
— how the level of risk is to be determined;
— how combinations and sequences of multiple risks will be taken into account;
— the organization’s capacity.

133. Risk assessment
6.4.1 General
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the
knowledge and views of stakeholders. It should use the best available information, supplemented by
further enquiry as necessary.

134. 6.4.2 Risk identification
The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization
achieving its objectives. Relevant, appropriate and up-to-date information is important in identifying risks.
The organization can use a range of techniques for identifying uncertainties that may affect one or more objectives. The
following factors, and the relationship between these factors, should be considered:
— tangible and intangible sources of risk;
— causes and events;
— threats and opportunities;
— vulnerabilities and capabilities;
— changes in the external and internal context;
— indicators of emerging risks;
— the nature and value of assets and resources;
— consequences and their impact on objectives;
— limitations of knowledge and reliability of information;
— time-related factors;
— biases, assumptions and beliefs of those involved.
The organization should identify risks, whether or not their sources are under its control. Consideration should be given
that there may be more than one type of outcome, which may result in a variety of tangible or intangible consequences.

135. 6.4.3 Risk analysis
The purpose of risk analysis is to comprehend the nature of risk and its characteristics including, where
appropriate, the level of risk. Risk analysis involves a detailed consideration of uncertainties, risk sources,
consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes
and consequences and can affect multiple objectives.
Risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the
analysis, the availability and reliability of information, and the resources available. Analysis techniques can be
qualitative, quantitative or a combination of these, depending on the circumstances and intended use.
Risk analysis should consider factors such as:
— the likelihood of events and consequences;
— the nature and magnitude of consequences;
— complexity and connectivity;
— time-related factors and volatility;
— the effectiveness of existing controls;
— sensitivity and confidence levels

136. The risk analysis may be influenced by any divergence of opinions, biases, perceptions of risk and judgements.
Additional influences are the quality of the information used, the assumptions and exclusions made, any
limitations of the techniques and how they are executed. These influences should be considered, documented
and communicated to decision makers.
Highly uncertain events can be difficult to quantify. This can be an issue when analysing events with severe
consequences. In such cases, using a combination of techniques generally provides greater insight.
Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be treated and how, and
on the most appropriate risk treatment strategy and methods. The results provide insight for decisions, where
choices are being made, and the options involve different types and levels of risk.

137. 6.4.4 Risk evaluation
The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the
risk analysis with the established risk criteria to determine where additional action is required. This can
lead to a decision to:
— do nothing further;
— consider risk treatment options;
— undertake further analysis to better understand the risk;
— maintain existing controls;
— reconsider objectives.
Decisions should take account of the wider context and the actual and perceived consequences to external
and internal stakeholders.
The outcome of risk evaluation should be recorded, communicated and then validated at appropriate levels
of the organization.

138. 6.5 Risk treatment
6.5.1 General
The purpose of risk treatment is to select and implement options for addressing risk.
Risk treatment involves an iterative process of:
— formulating and selecting risk treatment options;
— planning and implementing risk treatment;
— assessing the effectiveness of that treatment;
— deciding whether the remaining risk is acceptable;
— if not acceptable, taking further treatment.

139. 6.5.2 Selection of risk treatment options
Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits
derived in relation to the achievement of the objectives against costs, effort or disadvantages of
implementation.
Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances.
Options for treating risk may involve one or more of the following:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing the risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood;
— changing the consequences;
— sharing the risk (e.g. through contracts, buying insurance);
— retaining the risk by informed decision.

140. Justification for risk treatment is broader than solely economic considerations and should take into account all of
the organization’s obligations, voluntary commitments and stakeholder views. The selection of risk treatment
options should be made in accordance with the organization’s objectives, risk criteria and available resources.
When selecting risk treatment options, the organization should consider the values, perceptions and potential
involvement of stakeholders and the most appropriate ways to communicate and consult with them. Though
equally effective, some risk treatments can be more acceptable to some stakeholders than to others.
Risk treatments, even if carefully designed and implemented might not produce the expected outcomes and could
produce unintended consequences. Monitoring and review need to be an integral part of the risk treatment
implementation to give assurance that the different forms of treatment become and remain effective.
Risk treatment can also introduce new risks that need to be managed.
If there are no treatment options available or if treatment options do not sufficiently modify the risk, the risk
should be recorded and kept under ongoing review. Decision makers and other stakeholders should be aware of
the nature and extent of the remaining risk after risk treatment. The remaining risk should be documented and
subjected to monitoring, review and, where appropriate, further treatment.

141. 6.5.3 Preparing and implementing risk treatment plans
The purpose of risk treatment plans is to specify how the chosen treatment options will be implemented, so that
arrangements are understood by those involved, and progress against the plan can be monitored. The treatment
plan should clearly identify the order in which risk treatment should be implemented.
Treatment plans should be integrated into the management plans and processes of the organization, in
consultation with appropriate stakeholders.
The information provided in the treatment plan should include:
— the rationale for selection of the treatment options, including the expected benefits to be gained;
— those who are accountable and responsible for approving and implementing the plan;
— the proposed actions;
— the resources required, including contingencies;
— the performance measures;
— the constraints;
— the required reporting and monitoring;
— when actions are expected to be undertaken and completed.

142. 6.6 Monitoring and review
The purpose of monitoring and review is to assure and improve the quality and effectiveness of process
design, implementation and outcomes. Ongoing monitoring and periodic review of the risk management
process and its outcomes should be a planned part of the risk management process, with responsibilities
clearly defined.
Monitoring and review should take place in all stages of the process. Monitoring and review includes
planning, gathering and analysing information, recording results and providing feedback.
The results of monitoring and review should be incorporated throughout the organization’s performance
management, measurement and reporting activities.

143. 6.7 Recording and reporting
The risk management process and its outcomes should be documented and reported through appropriate
mechanisms. Recording and reporting aims to:
— communicate risk management activities and outcomes across the organization;
— provide information for decision-making;
— improve risk management activities;
— assist interaction with stakeholders, including those with responsibility and accountability for risk
management activities.
Decisions concerning the creation, retention and handling of documented information should take into account,
but not be limited to: their use, information sensitivity and the external and internal context.
Reporting is an integral part of the organization’s governance and should enhance the quality of dialogue with
stakeholders and support top management and oversight bodies in meeting their responsibilities. Factors to
consider for reporting include, but are not limited to:
— differing stakeholders and their specific information needs and requirements;
— cost, frequency and timeliness of reporting;
— method of reporting;
— relevance of information to organizational objectives and decision-making.
SOURCE: IEC 31010, Risk management — Risk assessment techniques

150. Due to their scale and connectivity, the following transportation networks are particularly vulnerable:
Air transportation: Such networks are vulnerable to disruptions at major hubs, while disruptions at
smaller hubs will have limited consequences.
Maritime shipping: The vulnerability of maritime networks has different considerations depending on if
the node is a hub or a gateway. Disruptions at a hub will mostly impact maritime shipping networks,
while disruptions at a gateway will mostly impact the hinterland.
Logistical networks: Vulnerable to disruptions impacting one element of the supply chain and the
connected activities that are upstream and downstream.
Road networks: Because of their mesh structure, road networks are not highly vulnerable to
disruptions, unless this disruption is at a wide scale.
Rail networks: While linear rail networks are vulnerable to disruptions, complex rail and transit
networks have a mesh-like structure, making them more resilient.
Power grids: They are usually highly redundant but are subject to a hierarchical vulnerability where the
higher up in the hierarchy, the more extensive the disruption.
Vulnerability in the System: Transportation networks are
particularly vulnerable:

151. Disasters Risk Management, which could reduce disruptions:
Risk Assessment. The likelihood of an event and its potential
impacts should be comprehensively assessed, such as its
probability (low to high) over a defined time frame and a specific
area (e.g. a city or region). This should provide a prioritization of
risks, but it remains a very uncertain process.
Preparedness. In light of the potential risks, a level of preparedness
should be considered in terms of potential responses. This can
involve the warehousing and positioning of relief material, such as
fuel, parts and equipment, and the training of the labor force in
emergency situations.

152. Mitigation. Concerns the immediate reaction to the event and can involve the shutting
down of transport systems (particularly public transit), the evacuation of populations,
and the mobilization of first response resources, namely distributing emergency relief
(food, medical supplies). The goal is to control and attenuate the disruptions caused by
the disaster.
Response. Once the disaster has been mitigated, steps are implemented to bring back
capacity with existing infrastructure. If a mode has been impaired, the usage of
alternative modes and infrastructure has to be considered. The goal is to maintain
operational as many elements of the transport system as possible.
Recovery. Concerns all the steps necessary to recover the transport capacity that was
lost during the disaster. It can involve repairs, the restarting of services that were
discontinued as well as investments in new and improved infrastructures, modes, and
terminals. The goal is to bring back the capacity and level of service to pre-disaster
conditions. With the lessons learned from the disaster, more resilient infrastructure and
networks are a likely outcome.

153. 3. Security Awareness Process
In 2006, the Customs Trade Partnership Against Terrorism
(CTPAT) program published the Supply Chain Security Best
Practices Catalog in an effort to provide Members with up to
date information on highly effective cargo security practices
identified by CTPAT Supply Chain Security Specialists (SCSS)
while conducting validations. Over the next three years, many of
the best practices identified in this catalog essentially became
industry standards.
This led the program to issue the 2009 Best Practices Update, a
pamphlet that identified new best practices in supply chain
security in each of the eight minimum security criteria (MSC)
categories that existed in the program back then.

154. 4. Corporate Security Awareness
STEP 1: ESTABLISH STRONG COMPANY MANAGEMENT SYSTEMS
OBJECTIVE: To ensure that existing due diligence and management systems within companies address risks
associated with minerals from conflict affected or high-risk areas
A. Adopt and commit to a supply chain policy for minerals originating from conflict-affected and high-risk areas.
This policy, for all companies in the supply chain, should include:
B. Structure internal management systems to support supply chain due diligence. Companies in the supply chain
should:
C. Establish a system of controls and transparency over the mineral supply chain.
D. Strengthen company engagement with suppliers.
E. Establish a company level grievance mechanism.

156. Five-Step Framework for Risk-Based Due Diligence
1. Establish strong company management systems. Companies should:
A) Adopt, and clearly communicate to suppliers and the public, a company policy for the supply chain of minerals originating
from conflict-affected and high-risk areas. This policy should incorporate the standards against which due diligence is to be
conducted, consistent with the standards set forth in the model supply chain policy in Annex II.
B) Structure internal management to support supply chain due diligence.
C) Establish a system of controls and transparency over the mineral supply chain. This includes a chain of custody or a
traceability system or the identification of upstream actors in the supply chain. This may be implemented through participation
in industry-driven programs.
D) Strengthen company engagement with suppliers. A supply chain policy should be incorporated into contracts and/or
agreements with suppliers. Where possible, assist suppliers in building capacities with a view to improving due diligence
performance.
E) Establish a company-level, or industry-wide, grievance mechanism as an early-warning risk-awareness system.

157. STEP 2: IDENTIFY AND ASSESS RISKS IN THE SUPPLY CHAIN
OBJECTIVE: To identify and assess risks on the circumstances of extraction, trading, handling and export of minerals
from conflict-affected and high-risk areas.
I. UPSTREAM COMPANIES
Upstream companies are expected to clarify chain of custody and the circumstances of mineral extraction, trade,
handling and export and identify and assess risk by evaluating those circumstances against the model supply
chain policy on minerals

158. A. Identify, to the best of their efforts, the smelters/refiners in their supply chain
B. Identify the scope of the risk assessment of the mineral supply chain.
C. Assess whether the smelters/refiners have carried out all elements of due diligence for responsible supply
chains of minerals from conflict-affected and high-risk areas.
D. Where necessary, carry out, including through participation in industry-driven programs, joint spot checks at
the mineral smelter/refiner’s own facilities.
II. DOWNSTREAM COMPANIES
Downstream companies should identify the risks in their supply chain by assessing the due diligence practices:

159. STEP 3: DESIGN AND IMPLEMENT A STRATEGY TO RESPOND TO IDENTIFIED RISKS
OBJECTIVE: To evaluate and respond to identified risks in order to prevent or mitigate adverse impacts.
Companies may cooperate to carry out the recommendations in this section through joint initiatives.
However, companies retain individual responsibility for their due diligence, and should ensure that
all joint work duly takes into consideration circumstances specific to the individual company.
A. Report findings to designated senior management.
B. Devise and adopt a risk management plan.
C. Implement the risk management plan, monitor and track performance of risk mitigation, report back to
designated senior management and consider suspending or discontinuing engagement with a supplier after failed
attempts at mitigation.
D. Undertake additional fact and risk assessments for risks requiring mitigation, or after a change of circumstances.

160. STEP 4: CARRY OUT INDEPENDENT THIRD-PARTY AUDIT OF UPSTREAM& DOWNSTREAM SMELTER/REFINER’S DUE
DILIGENCE PRACTICES.
1. The scope of the audit:
2.The audit criteria: The audit should determine the conformity of the
implementation of refiner’s due diligence practices against an audit
standard that is based on this Guidance.
3. The audit principles:
a) Independence:
b) Competence:
c) Accountability:

161. STEP 5: REPORT ANNUALLY ON SUPPLY CHAIN DUE DILIGENCE
OBJECTIVE: To publicly report on due diligence for responsible
supply chains of gold from conflict-affected and high-risk areas
in order to generate public confidence in the measures
companies are taking.

162. 5.Transportation Security Protocols
& Challenges

163. 6.Physical Security System
Management

164. 7. Personnel Security Protocols

165. 8. Risk Management Process
2. Identify and assess risk in the supply chain. Companies should:
A) Identify risks in their supply chain as recommended in the Supplements.
B) Assess risks of adverse impacts in light of the standards of their
supply chain policy consistent with Annex II and the due diligence
recommendations in this Guidance.

166. BOARD RESPONSIBILITIES
The Board has overall responsibility in maintaining an appropriate system of risk management and internal control
in the Group. Thus, the Board has been proactive in identifying key business risks, determining risk tolerance, and
deploying of internal control to address the identified risks.
The Board is committed to monitor and enhance its internal control system to ensure its continuing effectiveness.
Periodic testing of the effectiveness and efficiency of the internal control procedures and processes are conducted to
ensure that the system is reliable and robust.
Nonetheless, the Board wishes to point out that all risk management systems and systems of internal control could
only mitigate rather than eliminate risks of failure to achieve business objectives. Therefore, these systems of internal
control and risk management in the Group can only provide a reasonable but not absolute assurance against material
misstatements, frauds, and losses.

167. 3. Design and implement a strategy to respond to identified risks. Companies should:
A) Report findings of the supply chain risk assessment to the designated senior management of the company.
B) Devise and adopt a risk management plan. Devise a strategy for risk management by either i) continuing trade
throughout the course of measurable risk mitigation efforts;
ii) temporarily suspending trade while pursuing ongoing measurable risk mitigation; or
iii) disengaging with a supplier after failed attempts at mitigation or where a company
deems risk mitigation not feasible or unacceptable.
To determine the correct strategy, companies should review Annex II (Model Supply Chain Policy for Responsible Global
Supply Chains of Minerals from Conflict-Affected and High-Risk Areas) and consider their ability to influence, and where
necessary take steps to build leverage, over suppliers who can most effectively prevent or mitigate the identified risk. If
companies pursue risk mitigation efforts while continuing trade or temporarily suspending trade, they should consult
with suppliers and affected stakeholders, including local and central government authorities, international or civil
society organisations and affected third parties, where appropriate, and agree on the strategy for measurable risk
mitigation in the risk management plan. Companies may draw on the suggested measures and indicators under Annex
III of the Due Diligence Guidance to design conflict and high-risk sensitive strategies for mitigation in the risk
management plan and measure progressive improvement.

168. C) Implement the risk management plan, monitor and track
performance of risk mitigation efforts and report back to
designated senior management. This may be done in
cooperation and/or consultation with local and central
government authorities, upstream companies, international or
civil society organisations and affected third-parties where
the risk management plan is implemented and monitored in
conflict-affected and high-risk areas.
D) Undertake additional fact and risk assessments for risks
requiring mitigation, or after a change of circumstances.

169. 4. Carry out independent third-party audit of supply chain
due diligence at identified points in the supply chain.
Companies at identified points (as indicated in the
Supplements) in the supply chain should have their due
diligence practices audited by independent third parties.
Such audits may be verified by an independent
institutionalised mechanism.

170. 5. Report on supply chain due diligence. Companies
should publicly report on their supply chain due diligence
policies and practices and may do so by expanding the
scope of their sustainability, corporate social
responsibility or annual reports to cover additional
information on mineral supply chain due diligence.

171. Suggested Measures for Risk Mitigation and Indicators
for Measuring Improvement

173. 9. Cyber Security Threats and
Measures
https://www.wizer-training.com/employee-security-awareness-videos

198. 10. Conveyance and Instruments of
International Traffic Security

199. 11. Seal Security Process

200. 12. Procedural Security Process

201. 13. Quality Assurance &
Compliance Tools

209. Principles Concerning Multinational Enterprises and Social Policy. In addition, this Guidance may also help enterprises to
satisfy regulatory compliance for doing business in jurisdictions that require due diligence for RBC, including reporting on
non-financial risk. Finally, this Guidance may support business in strengthening their relationships with government,
workers and civil society. Other expected benefits to enterprises implementing this Guidance include:
• increased ability to meet expectations of customers and markets regarding responsible supply chains in the garment and
footwear sector
• improved reputation of participating enterprises and of the sector
• increased ability to manage global operations consistently across a single set of RBC standards and across offices, sites,
countries and regions, thereby supporting greater uniformity of operational outcomes and efficiency and effectiveness of
compliance and in some cases leading to cost savings
• decreased disruptions in the enterprise’s operations and in its supply chain linked to risks on matters covered by the OECD
Guidelines in the long term.

210. https://www.insage.com.my/Upload/Docs/HARTA/HARTA-Annual%20Report%202022.pdf

211. 14. Summary

216. https://www.google.com.my/search?q=comfort+rubber+gloves+industries+sdn+bhd&hl=en&tbm=isch&sxsrf=ALi
CzsZd5tnEt8o6r_OPmqb5icV4GqY4YQ%3A1667292396842&source=hp&biw=1517&bih=694&ei=7NxgY5zuMIKf4-
EP_fySsAE&iflsig=AJiK0e8AAAAAY2Dq_A6mVuN7ZDN8VzQsIb12GUoc2hcC&oq=COMFORT+RUBBER+GLOVE&gs_l
cp=CgNpbWcQARgCMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDIHCAAQgAQQGDIHCAAQgAQQGDIHCAAQg
AQQGDIHCAAQgAQQGDIHCAAQgAQQGDIHCAAQgAQQGDoHCCMQ6gIQJzoECCMQJzoICAAQgAQQsQM6CAgAELE
DEIMBOgsIABCABBCxAxCDAToHCAAQgAQQAzoGCAAQBRAeOgYIABAIEB46BAgAEB5QsgxYgVJgyIUBaAFwAHgAgAG
BAYgBpgiSAQQxOS4xmAEAoAEBqgELZ3dzLXdpei1pbWewAQo&sclient=img#imgrc=afuC1ERclH86DM