Adopting the TAPA cargo security standards in the pharmaceutical industry

The Transported Asset Protection Association (TAPA) is a nonprofit, volunteer organization that unites global manufacturers, logistics providers, freight carriers, law enforcement agencies, and other stakeholders with the common aim of reducing losses from international supply chains. [1, 2, 3] TAPA began in 1997, initially focusing on high-value electronics thefts.

In 2013, TAPA exceeded 700 members, encompassing representatives from a variety of industries including pharmaceuticals.

The TAPA standards provide a set of security requirements that are specific enough to be effective, yet appropriate for global use in a variety of risk environments. Having a common set of requirements allows logistics services providers (LSPs) to focus on good security measures that protect a wide variety of high value cargo. A certifiable global standard increases efficiency, transparency, and provides a recognized level of security, both for the LSP and for the customers they serve.

LSPs achieving TAPA certification have demonstrated their commitment to security by complying with the TAPA standards, participating in independent certification audits, and conducting periodic self-audits. Certifications are granted for each individual warehouse or trucking fleet. One well known global LSP has achieved certification at more than 100 facilities. [4] In the future, TAPA expects additional focus on truck fleet certifications as cargo theft frequently involves theft of, or theft from a truck.

Adopting TAPA standards

To maximize flexibility and customize security to risk, the TAPA standards are designed with three performance levels. For example, a warehouse complying with TAPA level A (or a trucking provider performing at Level 1) is the most protective. TAPA B or C level is more appropriate for lower risk locations or products.

The support of an organization’s senior leadership is the number one leading indicator of success when implementing the TAPA standards. It should be noted that implementing TAPA standards in a large global pharmaceutical company is complex. It requires committed leaders and a corporate culture that recognizes the value of secure supply chains. While the organization’s security department may lead the implementation and sustainment of TAPA, the most successful models also include key stakeholders from logistics, procurement, and quality.

Before launching an initiative to implement TAPA standards, there are three key areas for decisionmaking and research: scope, risk, and return on investment.

Scope: Will the TAPA standard be applied to all pharmaceutical products, such as active pharmaceutical ingredients (APIs), physician samples, clinical trial materials, animal health products, and return goods, or will it only apply to commercial human finished products? Will it apply to bulk product or only product in final packaging? Will it apply to company owned facilities or only to third party sites or transporters?

Relative Risk: Will every country or facility be required to perform at TAPA Level 1/Level A or is it acceptable for some lower risk areas to adopt TAPA Level B or C?

To help differentiate risk, one company used a model that recognizes three risk factors commonly referred to as the three Vs: Value, Volume, and Vulnerability. Product Value and Volume, in a particular warehouse or country region, can be confirmed through internal company data. The Vulnerability score can be obtained through external sources that rank particular countries or regions for cargo theft risk, such as the Incident Information Service (IIS) Report published by FreightWatch and/or TAPA. [5] Once the three Vs are quantified for a company’s product portfolio, a review of the data allows a risk ranking, or categorization, to be made.

Whatever risk ranking method is chosen, it should be easily understood, repeatable, and based on data. The organization should update their risk rankings annually or as company operations and risks change over time.

Return on investment: The most important reason for securing pharmaceutical products is to protect patients. However, it is very difficult to estimate the cost impact of such an unfortunate event such as theft, tampering or diversion. Fortunately, in most cases, TAPA standards produce an attractive ROI, even without including the cost of patient impact.

There are four steps to this:

• Make some educated assumptions: If TAPA, or an equivalent standard, is not implemented, how many major warehouse burglaries will occur over a 10-year period? How many truckloads will be stolen each year? How many pallet- or case-level losses can be expected on an ongoing basis?
• Estimate the cost of failure: What does a typical warehouse burglary of finished pharmaceutical products cost? What is the cost of manufactured product, impact to brand, impact to operations, lost productivity, incident response, down time? What is the cost impact of a recall or delays to market? What is the projected cost to insurance rates and the potential regulatory impacts caused by uncontrolled losses? Is the likely loss over a 10-year period $50 million or $200 million?
• Estimate the cost of security: Projected costs can be extrapolated in two ways. One method is to model security at 2—3 warehouses or trucking operations and then simply multiply by the total global count. Another method is to estimate a percentage of the company’s global logistics expenses. For example, if the company spends $100 million per year on logistics, depending on locations and risks, it may be able to estimate a percentage for security expenses (ex: 4% or $4 million).
• Calculate the net impact: The net ROI can be calculated over a five to 10-year period as major losses may not occur every year.

Getting started

When determining ownership, ask “Which functions are most invested in cargo security?” Is it logistics, security, quality, or procurement? In the most successful models, security partners with another key function (e.g., logistics). Cross-functional ownership supports a balanced approach and can provide a broader range of skill sets versus a single function trying to manage it alone.

When identifying key stakeholders, consider which ones are active participants and which are passive supporters (i.e., need to be informed but not active participants). The core group should include at a minimum representatives from security, logistics, warehousing, and quality.

Before launching the initiative, document a project charter and have it approved by whichever functions own the standard (ex: logistics and security). Putting it in writing helps identify any overlooked steps or risks in the project. The project charter should contain a goal statement, scope (in/out), business rationale, business impact, project timeline, project sponsors, project leader, steering team members and functions, working team members and functions, and approvals.

To provide the best governance and oversight of the standards, a critical decision is deciding where the TAPA responsibilities will be hosted internally. Options may include the company’s engineering standards, security standards, or quality standards.

Form a working team

The standards working team should be a relatively small group which includes a knowledgeable representative from each of the key functions (i.e., security, logistics, and quality). Global companies should consider including a representative from each geo-region (i.e., Americas, EMEA, and APAC).

It is during this phase that the TAPA requirements are closely evaluated to be sure they are sufficient for the specific product risk. For example, if highly sensitive or theft-attractive products are being moved by truck, the company may require truck escorts in certain countries, in addition to the TAPA requirements. While the TAPA standards are sufficient for most pharmaceutical products, the working team will provide valuable insight and foster healthy discussions about what level of security is necessary.

Once the standard is drafted, it should be sent out to all appropriate stakeholders across the company for a global review and comment period. If appropriate, consider asking key suppliers to provide comment also. The request for review/comment should include the following supporting information:

• Data or cargo theft trends that support pro-active measures to protect pharmaceutical products from theft
• Senior leadership: quotes or communi-cations about the importance of supply chain security
• Benefits of the TAPA standards -specific enough to be effective -general enough to be globally applicable -global: LSPs can focus on complying with TAPA standards instead of multiple individual customer standards
• Recognition of team members and contacts for follow up.

Consider setting a deadline for comments (e.g., 30 days), to include a simple comment form, and a collaboration site or central repository for comments to be uploaded and permanently archived.

Communication

Mass communications, web meetings and in-person training should begin as soon as the standard is officially approved and published. The launch message should contain another message from senior leadership to reinforce support and accountability for supply chain security:

- What is this?

- Why are we doing this?

- Who does this impact?

- When is this effective?

- How to proceed?

TAPA standards should be referenced in all communications. Global companies should purchase TAPA memberships in each of the TAPA regions (Americas, EMEA, and APAC).

Training

Internal training: Most pharmaceutical companies require mini-training for new standards. This is typically done through the company training system.

External training: It is highly recommended that key stakeholders and practitioners attend a TAPA meeting and receive TAPA standards training (free to members). The additional benefits of attending are benchmarking, networking, and learning about emerging crime trends and countermeasures.

Within two to three weeks after launch message and training roll out, regional web conferences should be held and include the following:

Sustaining the effort

Once the basic initiative is underway, it is helpful to bring in other management perspectives, such as the legal and procurement departments. This phase includes additional communication with, and support from, legal and procurement. From a legal perspective, make the standard (based on TAPA) a legal appendix or addendum to all logistics service contracts. Work with procurement to make logistics security one of the company’s recognized risk events. This will help ensure that procurement professionals appropriately incorporate the standard.

To sustain performance, a compliance monitoring program must be authorized and resourced. Questions to consider include:

• Will compliance be monitored at in-house company locations in addition to third party LSPs?
• Assessment frequency and type: -Self-assessments, onsite audits, or combination? -Every two years for high risk countries? -Less frequent for TAPA certified (i.e. money saver)?
• Decide when compliance monitoring will begin (e.g., six months after implementation phase ends)

Finally, continuous development of best practices and guidelines can drive consistency and save money. Examples may include:

• SOP to prevent fictitious pickups
• How to choose a good trucking company
• Theft response checklist
• Secure pallet design
• Technical requirements/system architecture
• Intrusion detection systems
• Power supplies.

The pharmaceutical industry and its supply chain partners must ensure patient safety.

Adopting the TAPA standards will help protect pharmaceutical cargo from theft, diversion or tampering, thus ensuring the quality, safety and efficacy of the pharmaceutical between the manufacturer and the end user, the patient.

References

[1] TAPA Americas: http://www.tapaonline.org

[2] TAPA APAC: http://www.tapa-asia.org

[3] TAPA EMEA: http://www.tapaemea.com

[4] http://www.dhl.com/en/press/releases/releases_2013/express/dhl_express_receives_100th_tapa_certification_in_europe.html

[5] http://www.Freightwatch.com

ABOUT THE AUTHORS

Rafik Bishara is a Technical Advisor; retired from Eli Lilly as Director, Quality Knowledge Management and Technical Support.

Susan Griggs is Advisor, Global Security, at Eli Lilly and Company, Inc.