A well-managed supply chain—one that mitigates security risks—is essential to a successful retail operation. But control is put to the test as the supply chain expands, morphs, and becomes increasingly intricate.
Indeed, it’s hard to think of a business challenge today more diverse than supply chain security. From assessing and managing global security risks to those at a customer’s doorstep—and in the miles and stops in between—it is no simplistic call to action. For many LP executives, it could mean stepping up to new challenges and wading into a world with no easy answers. Assessing third-party carriers has become a critical function for a growing number of LP practitioners, for example.
7-Eleven has no delivery fleet of its own, relying exclusively on external parties to complete the thousands of store deliveries that are needed every day to ensure its stores meet the demands of its customers. To this goal, quality assurance is a primary role for Byron Smith, CFI, LPC, corporate asset protection manager. “It’s about making sure that logistics and supply are doing the right things and understanding what your expectations are,” he said.
Scorecards track store deliveries against expectations and hold carriers accountable, which has become a requirement for more retailers and LP practitioners now handling e-commerce orders. “It’s all about the pick rate, how quickly orders get filled, and whether product delivery meets the customer’s expectation,” Smith said.
Pushing the Supply Chain Forward
Whether merchandise ends up where, when, and in the right amount that it’s supposed to starts with a robust process of assessing and selecting those carriers. It’s a challenge that will be a focus of the 2020 conference of the International Supply Chain Protection Organization (ISCPO). At the conference, vendors are given a place inside the session rooms, reflective of the important role they are playing in pushing supply chain security forward.
“You don’t have to walk a football field to where they are; you are right there with them,” said Smith. “It allows everyone to participate, including the solution providers, so they understand what is going on and what people are looking for.”
The ISCPO was born a few years ago, in part out of the growing importance of supply chain integrity for retailers, according to Smith. He serves as ISCPO chairman, and the 7-Eleven Store Support Center in Irving, Texas, is the venue for ISCPO’s sixth annual conference on March 3–5, 2020. “We set up the ISCPO to provide a destination for LP professionals that just didn’t have a home, and to fill a void because no one was focused on addressing supply chain for LP in its entirety,” said Smith.
This gap widened as e-commerce grew, said Smith. Retail security concerns increasingly expanded from the store to far flung places on the globe, and from internal operations to an intricate web of players. “As e-commerce has grown, so has the number of issues, including dealing with third-party logistics players and a loss of control. You may ship out a product to a customer today and never even touch it,” said Smith.
E-commerce has also created or exacerbated other areas of risk for many LP pros, noted Smith, such as safety, workers’ compensation, and liability risks associated with the operation of heavy equipment at large fulfillment centers. Preventing loss and theft in the supply chain is also a distinct challenge from preventing store theft. “It really heightens the importance of having a good risk management perspective and how to manage the growing issues,” advised Smith, which is something the ISCPO conference helps foster. “We really wanted to give visibility to the global supply chain and how the supply chain is modernizing with respect to people, processes, and technology.”
The 2020 ISCPO conference includes a presentation on that topic by a director in Target’s global supply chain and logistics unit. Recent changes at Target—highlighted in a Wall Street Journal profile in December—are intended to help the retailer improve its online order fulfillment. The company told the Journal that a whopping 80 percent of online orders are fulfilled from stores as opposed to warehouses. Store workers handle Internet orders, collecting products from shelves or putting items into boxes in the back room for delivery. Improving the efficiency of stores as fulfillment centers was one driver of a new staffing system and mass retraining program at Target (“Retailers Revamp Staffing as Fewer Shoppers Visit Stores,” Wall Street Journal, Dec. 4).
Security Risk Insights
Another part of retailers’ efforts to modernize their supply chains is in pursuit of efficiencies through integration with external partners. Inter-enterprise cooperation and collaboration can bring benefits and competitive advantage but also poses significant challenges, including expanding an organization’s threat surface even wider, to include cyber security. There is a real question, however, whether cyber-security controls are keeping pace as the retail supply chain becomes more interconnected.
Experts warn that poorly managed supply chain management systems can become a threat vector for cyber attacks, allowing attackers to compromise retailers indirectly, by stealing passcode credentials from supply chain partners, for example. Attacks targeting retailers via less-secure elements in the supply network is a proven threat, including being the source of one of the largest data breaches in the history of the retail industry. They are also growing. Symantec’s Internet Security Threat Report says supply chain attacks increased by 78 percent in 2018.
“As network perimeters have hardened, attackers are increasingly targeting the IT supply chain and partner network,” warned Symantec analysts in the report, Cyber Security for Retail Services. “Retailers should look to evaluate third parties based on the risk they present to the business. Because self-certification processes are proving less reliable, retailers are encouraged to shift to active cyber-risk monitoring and mitigation with third parties in order to neutralize third-party risk.”
Cyber-security vulnerabilities can’t solely be the purview of IT and network security professionals as they often have roots in the physical security realm, warns a new report by BSI, Supply Chain Risk Insights, 2019. The report says the company has recorded specific incidents in which warehouse or other facility employees have been recruited by an outside malicious actor to exploit their access to facilities and knowledge of procedures. While collusion has always been a logistics risk, cyber adds a new layer, with physical or operational vulnerabilities resulting in compromised cyber systems and vice versa.
“Those with the necessary access can abuse their privilege by stealing important data on clients or other sensitive information, or they can access logistical data in order to facilitate a theft of cargo or supply chain terrorism, for example,” notes the BSI report. Disgruntled employees or ex-workers create another vulnerability in the system. “There have been well-documented incidents of recently fired employees retaining access to certain facilities or systems after having been fired, either due to oversight or due to slow procedures,” notes the report.
This type of threat applies to any company in any business sector, but “may be particularly difficult for supply chain security managers,” according to BSI’s new study on supply chain risk. “Not only must companies with complex global supply chains manage these vulnerabilities in their own companies; they must also worry about every business partner at every step in that supply chain and whether they adequately address these vulnerabilities as well.”
Similar complications are observed when examining supply chain security from a global risk perspective. As political upheaval ramps up in countries around the world, including Brazil, the UK, Columbia, and many others, reverberations are likely. “BSI believes that this trend of disruptive policymaking will likely be an issue that will impact supply chains over the next year,” according to the company’s report.
“The breadth of issues facing supply chains is only increasing,” said Tony Pelli, a supply chain risk consultant at BSI in a discussion with LP Magazine on the report’s key conclusions.
“Cyber-security risks that most people did not have to grapple with even five years ago are now front and center and incredibly complex, given the number of vendors and third parties involved in this area for most companies. Similarly, the impact that climate change, and associated events, such as more frequent extreme weather events and mass migration, likely would not have figured in supply chain risk assessments even a few years ago, but their effect on supply chains is becoming increasingly apparent.”
At the strategic center for managing risks is accounting for the fact that the vulnerability of a retail organization today more often depends not only on the protection and security investments it makes but also on what other organizations do—or don’t. This new reality has a profound effect on how protection professionals go about preventing or mitigating security-related events that can cause a disruption in sales activities, a chief security-related concern of senior leaders. Specifically, this evolution requires loss prevention executives to recognize that failures of a weak link in a connected system can reverberate to all parts of it, and to account for interdependencies in risk assessments and strategic planning.
Resilience Planning
Interdependencies and supply chain complexity means the consequences of supply chain disruptions—whether from natural disasters, terrorism, or other unexpected security or crisis events—have a ripple effect on all connected enterprises. Effectively accounting for interdependency in protection and preparedness activities thus becomes critical, such as being able in a global crisis to rapidly pinpoint endangered suppliers and partners and requiring and reviewing the business continuity plans of third-party partners. Without resilience planning, retailers can pay a substantial price, as evidenced by often-cited research that quantified the negative effects of supply chain disruption through empirical analysis and found that companies hit by a disruption experience 33 to 40 percent lower stock returns relative to their benchmarks over a three-year time period.
Political shifts in countries around the world are also likely to affect cargo theft, warn experts. In Mexico’s case, the threat is likely to persist regardless of promises by officials. “Despite [President] Obrador’s anti-corruption and security-focused rhetoric, BSI expects that security challenges will continue to affect businesses in the coming year, in particular in-transit cargo theft.” Much of the company’s advice for Mexico also applies to other countries where in-transit cargo is at heightened risk: adequately monitor business partners located on the ground; understand the complexity of risks faced in the local operating environment; and identify and understand localized route risks.
Globally, cargo theft is expected to follow the manufacturing supply chain as it creeps into new corners of the globe, such as Africa. BSI notes that Egypt is among those countries on the continent that have already seen an influx in relocated manufacturers seeking relief from tariffs and looking to exploit trade benefits, which presents new challenges for professionals charged with securing supply chains with exposure to Africa. Cargo theft, smuggling, and terrorism all present risk, which are “often compounded by rampant corruption found among security and customs personnel in many countries.” The company says it recorded cargo theft incidents in Africa in 2018 that often involved hijackings of cargo trucks or thefts from relatively unsecure facilities, suggesting that an overall lower level of standard security practices is an unaddressed risk. In addition, corrupt security and customs personnel are known to frequently request bribes and often participate in theft schemes outright, says the firm.
Pelli said that companies are often unprepared for the problems they may face when sourcing from new countries, including those in Southeast Asia. “In order to stay on top of risks, I think it’s important for supply chain professionals to have a reliable source of intelligence to keep track of these trends,” said Pelli, whose company offers its Supply Chain Risk Exposure Evaluation Network (SCREEN) tool. He also cited the importance of adaptive, flexible, and risk-agnostic policies, procedures, and systems for managing supply chain risk. Visibility into the supply chain and the ability to rapidly respond to issues as they emerge should be primary objectives, he suggested.
Domestically, the picture of cargo theft is mixed. Although government accounting is incomplete—California, for example, a primary location of cargo theft, isn’t included in the data—FBI statistics on cargo theft yields intelligence on year-to-year trends. Notable from 2018 data is that while the number of reported incidents fell, the value of stolen property substantially increased. Meanwhile, the percentage of the value of property recovered continues to fall. In short, while the risk of being a victim of cargo theft in the US may be lessening, the consequence of being victimized is growing.
As has been the case historically, the latest government data shows that cargo is most at risk in drop lots, parking areas, and garages. More than 42 percent of all cargo incidents tracked by law enforcement occur in these locations. However, cargo theft at retail locations is not uncommon, comprising 16.3 percent of the total number of reported events, with convenience stores being the most frequently hit retail location.
In terms of merchandise targeted by cargo thieves, the past is present. “Not much has changed,” explained Malcolm Beckwith, safety and loss prevention manager for a leading off-price retailer. He noted that traditional schemes persist, like a truck driver accepting a payment to park his or her rig at a designated location and time for it to be compromised. Also similar is the fact that the risk of theft directly corresponds to the cargo being shipped. As in years past, thieves are very focused on the specific products—medical supplies, drugs, electronics—that they can quickly turn into cash on the street. He recounted one recent episode where thieves methodically penetrated layers of security, including cutting through barb wire fencing and trailer locks, only to leave a truckload of home furnishings untouched. “They want stuff they can easily turn into a good amount of cash, selling it for pennies on the dollar,” explained Beckwith.
Aligning security with risk requires an assessment of what goods are being shipped, how, and where, suggests research based on theft data from the Transported Asset Protection Association, Cargo Theft Risk and Security: Product and Location, 2017. “The type of product and transport chain location must be considered to determine the correct level of security,” researchers concluded, adding that data show that product type plays a larger role in cargo theft risk than transport chain location but that there is substantial interaction between the two. “In terms of elements of crime, the target is more important than the location, but a crime cannot occur without a location with insufficient security,” it concludes.
Additionally, the study indicates the importance of assessing the theft of risk at all stages of transport to see if security and risk are in balance. In its sampling, for example, actual security levels were higher for terminal areas than was justified by the theft risk, while the opposite occurred during transport. In wondering why, researchers presumed it was a matter of control. “[Security has been] focused on terminal areas since it is easier to improve security at terminals than along roads.”
Finally, because product type is paramount in cargo theft, it is a dynamic security risk and subject to changes in black market demand and linked to local conditions, according to the study. The lesson? To assess risk to product shipments, you need to know what thieves are after—right now, in your areas.
Consumer Demands
While broad global risk issues are an important part of supply chain security, the issue is also much narrower—and not just at the truck level, but all the way down to whether a customer’s package is on his or her doorstep when they arrive home. The subject, top of mind for many LP executives, will be addressed in the ISCPO conference session, “Cargo Tracking at the Parcel Level.” 7-Eleven’s Byron Smith noted that final-mile delivery options offer very different levels of visibility for retailers and that mechanisms for tracking vary, one element of supply chain security on which LP practitioners find themselves increasingly needing to get schooled.
Beckwith, an ISCPO board member with twenty-five years of senior LP leadership experience, said the association provides a valuable forum for networking around security supply chain issues and getting updates on the latest risk to the supply chain network. One of these is the theft of direct ship merchandise to the customer’s home. “That has become the great concern, making sure the package gets from distribution to the customer; you hear a lot of people talking about packages being stolen from customers’ front porches.”
So-called “porch pirates” are a concern for retailers, requiring orders to be repicked and shipped, eroding margins and frustrating consumers. They are also ubiquitous. According to the 2019 Package Theft Report, based on a survey of 1,052 online shoppers by Shorr Packaging, 24 percent of shoppers have personally experienced package theft. A survey in September by C+R Research of 2,000 online shoppers found an even higher victim rate, 31 percent, with 9 percent reporting they they’ve been victimized by porch pirates more than five times.
“Fulfilling customer orders and meeting their expectations is key,” said Smith. LP may have investigation responsibilities when packages go missing and should play an important role in evaluating third- and fourth-party partners that retailers increasingly rely upon. And as new delivery options are considered, such as using autonomous vehicles for last-mile delivery, LP should be there, consulting and advising on the implications of shipping proposals for security and loss.
Differences between carriers is perhaps most obvious by home deliveries that have the added security measure of sending a visual confirmation to customers via text or email. “Without that, a customer complaint of ‘I never got my package’ would require that order to be reshipped, but now a driver can pull out a phone, take a picture, and the [retailer] can email it to the customer with a note, ‘Hope you enjoy your purchase,’” explained Beckwith. “Those are the kinds of strategic discussions that LP needs to be involved in.”
LP’s role should include developing analytics and metrics to identify theft trends and creating action plans to mitigate the potential loss of merchandise, Beckwith said. “It is essential that the LP team is involved in the early stages of the process so that proactive measures can be put in place to protect the product and provide excellent customer service to the customers.”
As it takes on projects for major retailers, Appriss Retail, a provider of analytics solutions for retail organizations, is learning how fraud and theft is infecting the physical fulfillment of online transactions. Its analytics have uncovered large collusion cases spread across many customers and that lying to get free shipping is common along with e-commerce return fraud and customers claiming that products received weren’t the same as ordered. “In one case, the same person was getting beer through a retailer’s grocery channel, and over and over he’d claim he didn’t receive the beer he ordered,” said David Speights, PhD, chief data scientist. “So the retailer was giving him the same refund week after week.” In a ship-to-home world, it’s the type of fraud at which LP teams need to aim analytics to identify and prevent loss.
New data indicates that the issue of home delivery is sticky for retailers. While many retailers are pushing and having success with buy online, pick up in store (BOPIS) and a new report by CBRE that found a majority of Generation Z prefers it, many customers are stubborn. Despite the existence of more secure alternatives—package lock boxes, in-store pickup, work deliveries—85 percent register a preference for home delivery despite the risk of theft, according to the 2019 theft study. Moreover, many customers don’t want to accept responsibility: 68 percent are unwilling to change purchasing habits around the holidays because of the risk of package theft; 62 percent would not pay extra to retailers or shippers to purchase package insurance despite the risk of theft; and 52 percent think delivery companies aren’t doing enough to prevent package theft. In short, many customers seem to be telling retailers and delivery companies, “You figure it out.”
Robust shipment security is complicated by the enormous pressure retailers feel to meet consumer expectations for near real-time delivery and the competition it has spurred among retailers. Already substantial, pressure is likely to grow as consumers grow accustomed to next-day and same-day delivery and the business value for meeting expectations becomes clear. Last month, for example, a survey of 500 consumers by Radial and CFI Group found that offering faster order delivery can compel 63 percent of consumers to sign up for a retailer’s loyalty program. Often, however, when there is a need for speed, security shortcuts are taken. For example, full truckyards at distribution centers during peak season can demand that retailers locate their trailers in neighboring yards, but a security analysis of those temporary locations may not always occur.
Shortcuts can inflict carriers as well, especially around critical selling seasons. “With seasonal mass hiring or working with partners you don’t typically deal with means they don’t have the same incentive or might be more be willing to cut corners, which can impact integrity,” said Smith.
While distribution and logistics will work out the contract, LP should be at the table when picking partners, added Smith. He said that should include security audits of carrier facilities, “for a wide range of items, like presence of security personnel, whether there are cameras on the docks, whether cameras are functioning, and that it can control access so that no unintended visitors can be a problem,” advised Smith. LP should assess the security implications associated with any third-party arrangement involving the handling of product, and in the purchase of new distribution facilities, advise experts.
Distribution Centers
In their own facilities, interviews suggest that many retailers feel comfortable with the ability of strong physical security to mitigate significant loss. Unlike some complicated new fraud schemes, against which retailers may find their current security processes insufficient, robust controls in distribution centers are typically effective at preventing trailer theft, say experts. It’s typically the failure to put those controls in place or to follow them properly that gives cargo thieves the opportunity they need. Strict adherence to good security policies are even typically effective against more creative theft schemes, such as cargo thieves that set up bogus trucking companies or steal the identity of a legitimate trucking company and book loads and shipments under the company’s name. In this case, thieves hope a distribution center (DC) will think a pickup is legitimate and won’t bother with security checks necessary to uncover the ruse.
“It has to start as soon as the driver pulls up, and asking to see ID, paperwork, and contacting and verifying the pickup schedule with the shipping department,” said Beckwith. “With the right controls measures in place, a trailer theft can rarely happen.” And that’s where the focus of prevention should be, he believes, in establishing proactive security measures that prevent high-consequence events.
“Throughout my career I have seen some loss prevention professions fail when transitioning from stores to managing the LP team at a distribution center. The root cause of their difficulties has been taking a store-based LP program and implementing it within a DC environment,” Beckwith said. While most store-based LP professionals focus on catching shoplifters and dishonest associates to hit their shrinkage goals, the focus at DCs should be on establishing strong physical security programs that minimize theft opportunities, he added. “I’m not advocating that we ignore internal dishonesty at the distribution center, but that our limited resources should be leveraged to achieve the greatest return.” There is a significant disparity between catching five associates each stealing $50 worth of merchandise versus having a trailer stolen with $500,000 worth of merchandise, he noted.
While security is typically strong at large distribution centers, industry analysts have started to see a trend among some retailers, particularly grocery operators, of establishing smaller warehouses near existing stores to deliver goods more efficiently. It’s incumbent on retail security leaders to ensure that security controls at these smaller centers adhere to company standards.
With respect to supply chain protection and meeting goals for preventing loss within the supply chain, Beckwith said his team has always been focused on five key guiding principles—ones that can benefit the industry as it seeks to find control over a very diverse and intricate domain.
- Develop high performance teams.
- Foster collaborative partnerships at all levels of the organization.
- Establish and maintain highly effective physical security programs.
- Develop and implement a comprehensive shrink strategy that focuses on all areas of the operation that contribute to shrinkage.
- Ensure that goals and objectives are aligned with the company’s strategic direction and vision.
High-value collusion cases in DCs present a unique challenge, by providing thieves a way to skirt even thoughtful security controls. Good hiring practices can help, but Beckwith said the strategy has limitations because the motivation to steal often arises well after hire, as the result of a hardship or some other catalyst that wasn’t previously present. Controls may not prevent a security officer from taking $5,000 to look the other way, but they still yield value. “You have to be reactive in collusion cases, but again, with good controls in place, even reactive investigations are made easier,” said Beckwith. “By having the right processes, controls, and practices in place you reduce the possibility of high-value collusion theft from taking place.”
With the proper processes, an investigation into wrongdoing can facilitate recreating the event to learn facts around how it happened and who was involved—and the same is true in investigations of fraudulent injury claims inside retail distribution centers. In these environments, root cause analysis, in conjunction with robust physical security systems, can serve to keep people honest.
“If you have someone saying he hurt his knee, you can see if he came in limping or get the details exactly when and where the injury occurred and then see how that aligns with surveillance,” said Beckwith. “You’re doing the analysis to prevent a similar injury from happening again,” but in that case, LP’s attention to good safety and security practices can make it unnecessary for risk management to direct a costly external investigation to uncover evidence of a fraudulent claim. “All that might not be necessary if you have strong internal controls and investigative processes to follow when someone gets hurt,” he said, adding that it’s important to keep in mind that these cases are not the norm.
Safety in distribution centers “is one of our top priorities as an organization,” said Beckwith, noting that its number one objective is to “ensure that our associates return home to their loved ones in the same condition in which they came to work.” Progress has certainly been made, with both the number and severity of injuries sharply lower than decades ago. Regulations, technology, and safer operations have combined for much safer work environments.
Still, large distribution warehouse environments have risks, as highlighted in November in a report by the Center for Investigative Reporting and The Atlantic on injuries among Amazon warehouse employees. Analyzing Amazon’s internal injury records for 2018 at twenty-three fulfillment centers revealed a rate of serious injuries for those facilities that was more than double the national average, as high as ten serious injuries per 100 workers. “We found broadly that the drive to fulfill orders quickly is injuring [workers] at very high injury rates,” explained investigative reporter Will Evans to NPR.
The culprit, according to the investigation, is the high production quota that requires workers to process hundreds of items an hour for up to twelve-hour shifts. Automation, often credited for reducing injury risks, is also creating safety problems by being so efficient that humans can’t keep pace, the report suggests. “Workers know that if they don’t keep up, they can be fired. And so, they’re basically sacrificing their bodies either through repetitive stress injuries or strains and sprains,” explained Evans. “The speed seems to be the key element. And the former safety managers at Amazon that we talked to said they basically can’t protect the workers when the production demands are so high.”
The Amazon case is a good reminder that the supply chain is fickle. Safety and security risks are dynamic—subject to change as delivery and fulfillment evolves, new alliances are forged, and the supply chain web grows more intricate.
Smith thinks there has been good work done on the supply chain security front, but that practitioners are always being charged to do more. “We’re always searching for answers and challenging our solution providers,” said Smith.
The ISCPO conference is important in that regard, providing a forum for generating ideas, soliciting feedback, and developing the solutions that address specific needs of the industry. “It was a conscious decision by the board early on to keep the ISCPO conference small and personal to allow time for the attendees to engage personally with all the solution providers.”