Supply Chain Security in Russia: Compliance and ISO Standards

 

June 30, 2024

BRACE Law Firm ©

 

Logistics and cargo transportation are vital components of foreign trade activity. Considering that, in most cases, goods are not delivered directly from the seller to the buyer and follow a long delivery route, supply chain security plays a critical role. Optimally planned logistics ensure the safe delivery of cargo to the final buyer in the shortest possible time, which significantly affects the timely performance of foreign trade contracts.

A supply chain consists of a complex set of logistical components used to deliver goods from a supplier to a final buyer quickly, reliably, and cost-effectively. It includes not only cargo delivery but also planning, inventory management, procurement, warehousing, forecasting, and pricing. Simultaneously, ensuring supply chain security helps avoid transportation risks such as cargo loss, damage, or failure to meet delivery deadlines.

Incidents involving breaches of international supply chain security threaten international trade and the economic growth of trading nations. People, cargo, infrastructure, and equipment, including means of transportation, must be protected from security breaches and their potentially devastating consequences. Such protection benefits both national economies and society as a whole.

Russian Supply Chain Security Requirements

In this regard, Russia has adopted GOST R ISO 28001-2019 Security Management Systems for the Supply Chain[1] (the "GOST R ISO 28001-2019"). This standard enables the establishment and documentation of a reasonable level of security within international supply chains and their components, allowing organizations to make more risk-informed security decisions. According to GOST R ISO 28001-2019, a supply chain represents an interconnected set of resources and processes that begins with the execution of a supply contract, continues through raw material procurement, production, and processing, and ends with the transfer of goods and related services to the end user. A supply chain may include sellers, manufacturing equipment, logistics providers, internal distribution centers, distributors, wholesalers, and other organizations involved in the production, processing, transportation, and delivery of cargo and related services. Security is defined as resistance to intentional acts intended to cause harm or damage to the supply chain. Intentional acts may originate from individuals who may or may not be company employees.

A supply chain may include sellers, manufacturing equipment, logistics providers, internal distribution centers, distributors, wholesalers, and other organizations involved in the production, processing, transportation, and delivery of cargo and related services.

Transport companies and vehicle owners holding internationally recognized certificates or approvals issued pursuant to mandatory international conventions regulating security in various transport sectors must maintain security instructions, plans, and processes that meet the applicable requirements of this standard and do not require an audit to confirm compliance. For shipping companies, ship owners, and port facility owners, certificates or approvals must be issued in accordance with SOLAS XI-2/4 or SOLAS XI-2/10.

An organization within the supply chain must analyze the processes and equipment of its partners to verify the validity of their security declarations. The organization should determine the scope and frequency of such analysis based on an assessment of existing risks and must maintain the results of these analyses. Organizations in the supply chain must have a security plan based on security assessment results, containing documented existing security measures and procedures, as well as countermeasures where applicable to a specific part of the international supply chain.

Given that cargo logistics is a complex process, compliance with supply chain security ensures that cargo is delivered intact and safe, identifies unreliable consequences at various stages, analyzes potential security breaches, trains personnel on such breaches, and eliminates potential violations from the logistics chain. An organization must assess opportunities to improve its security measures as a means of increasing the security of its portion of the supply chain.

Verification of Credentials for All Supply Chain Participants

The accuracy of the credentials for all supply chain participants determines the further logistics of the goods to the final buyer. When delivering cargo by various modes of transport, it is important to reflect the credentials of the sender and recipient during the transfer of goods from one mode of transport to another to ensure the cargo is not lost and is delivered on time.

Even a single error in documentation can lead to delivery to the wrong recipient and additional logistics costs to reroute the cargo to the correct destination.

Verification of All Consignment Contents

Cargo shipped to different countries may contain various components. To ensure that a specific product is being shipped, the carrier verifies the contents of the consignment at the stage of accepting the goods for transportation in the presence of the sender. Joint verification helps avoid conflict situations that may arise regarding the transported goods.

Inspecting the cargo allows for a comprehensive safety assessment, as the consignment may contain substances or goods that are prohibited or restricted for movement.

Advance Notification of Consignees

To ensure the timely receipt of cargo, it is necessary to establish a system for advance notification of the recipient, which should include the recipient's details, cargo weight, delivery address, etc. By notifying the recipient in advance, the transport company reduces the time the cargo is stored in its warehouse, thereby minimizing the risk of adverse consequences associated with cargo storage.

Ensuring Cargo Security in Transit or Storage Using Access Controls, Alarms, Locks, Surveillance, or Tamper-Evident Seals

The safety of goods depends on various conditions, ranging from basic packaging and compliance with storage conditions to cargo access control. Packaging, seals, and locks ensure cargo security in transit. Furthermore, storage facilities often utilize not only surveillance cameras but also alarm systems to prevent unauthorized entry by third parties.

Security assessments must be conducted at specific intervals, and the security plan must be revised as necessary. The security assessment must also cover information systems, documents, and networks related to loading and unloading operations and the movement of cargo while under the organization's control. Existing security measures must be evaluated at all sites and for business partners where a security vulnerability is likely.

Cargo Inspection at Each Stage of the Supply Chain or Shipping Process

The process of delivering cargo from a sender to a recipient may involve moving the goods from one mode of transport to another. To prevent claims from participants in the logistics chain, an inspection must be conducted at each stage of the cargo's movement. Inspections identify the presence of cargo, potential damage, violations of storage conditions, etc.

Inspections may reveal adverse circumstances that can be corrected to deliver the cargo safely to the final recipient. Following any incident related to any part of the international supply chain controlled by the organization, the organization must analyze its security plan. This analysis must:

• Determine the cause of the incident and the necessary corrective action;
• Determine the effectiveness of measures and procedures for ensuring remediation in the security plan;
• Review the findings and reassess those parts of the supply chain.

In the event of a security breach, the organization must, if necessary, follow existing reporting procedures for customs and/or relevant law enforcement authorities, as well as the provisions set forth in the security plan and contractual obligations.

The organization must maintain records of the batch of goods and other necessary supply chain data for the period prescribed by applicable laws and regulations.

Background Checks for All Employees

Given that a large number of employees participate in logistics chains, it is necessary to conduct background checks on them.

The names of the individuals or group members performing the security assessment, as well as their qualifications, must be documented. It is important to note that background checks must comply with the requirements of Federal Law No. 152-FZ dated July 27, 2006, On Personal Data.

Compliance and Security Standards

Organizations must develop and maintain a security plan for their entire portion of the chain. Such a plan may be divided into appendices describing the security of each specific section of the supply chain, including the security measures of the organization's business partners that they must maintain in accordance with their security declarations. The plan or appendices must also contain information on how the organization will monitor and periodically review these security declarations.

When developing their security plans, organizations must analyze and follow the recommendations (guidelines) provided in GOST R ISO 28001-2019.

Regular Risk Assessments for Supply Chain Segments, Suppliers, and Partners

Regular risk assessments help organizations identify, analyze, and mitigate potential risks in their supply chains. An organization must establish, implement, and maintain procedures to identify existing countermeasures to mitigate security threats. The organization must maintain a list of applicable security threat scenarios, including those approved by relevant government authorities. If government authorities did not participate in the assessment, this must be documented.

For each security threat scenario, the organization must evaluate existing countermeasures, determine the likelihood and consequences corresponding to each scenario, and assess the need for additional countermeasures to reduce security risks to an acceptable level.

In addition, the organization must analyze each security declaration submitted by business partners and provide a professional assessment of their knowledge of the facility(ies) and/or regulatory requirements. In determining the applicability of a security declaration, the organization may also obtain and use any other information available to it.

The following information must be documented during the assessment process:

• All security threat scenarios considered;
• The processes used to assess those threats;
• All identified countermeasures and priorities.

Qualified personnel should evaluate security measures in all locations where potential vulnerabilities exist, which should include, but are not limited to, the following:

• Places where goods are manufactured, processed, or loaded before being placed on a transport unit, palletized for transport, or otherwise prepared for shipment;
• Places where goods prepared for shipment are stored or warehoused before transport;
• Places where cargo is transported;
• Places where cargo is loaded onto or unloaded from a vehicle;
• Places where responsibility for cargo control changes;
• Places where documentation or information regarding the transported goods is processed, prepared, or made available;
• Domestic transport routes and various types of transport equipment used during transportation;

Threats in Logistics Chains

The main types of threats in logistics chains include:

• Natural disasters and natural calamities;
• Cyberattacks;
• The human factor;
• The formation of fraudulent schemes;
• Theft;
• Terrorism;
• Geopolitical conflicts, etc.

All of the above threats that may arise during cargo transportation must be considered in operations. Organizations should analyze the impact of these threats, create a "roadmap" for when a specific threat arises, train personnel, and implement response plans.

Training Employees to Identify and Mitigate Supply Chain Security Risks

Personnel are a vital component at all stages of the supply chain, and their activities can determine the security of the entire cargo logistics process. To achieve more effective results, organizations must constantly educate personnel involved in organizing, sending, escorting, and transporting cargo. The benefits of continuous personnel training include:

• Increasing personnel confidence and building trust with clients and suppliers;
• Creating a security culture within the company, where each employee is responsible for security at their stage, thereby increasing the security of the entire logistics chain;
• Reducing the number of disruptions, cargo losses, damage to goods, etc.

Trained personnel maintain composure in critical situations and act according to established rules, which reduces the risks of adverse situations related to cargo delivery. The individual or group performing the security assessment must collectively possess practical experience and knowledge, which should include, but not be limited to:

• Risk assessment methods applicable to all aspects of the international supply chain, from the moment the organization takes control of the cargo until the cargo leaves the organization's control or exits the international supply chain;
• The use of appropriate measures to prevent unauthorized opening of or access to security-sensitive materials;
• Operations and procedures used in production, processing, loading and unloading operations, transportation, and/or related to documentation for goods, as applicable;
• Understanding security threat methodologies and suppression techniques;
• Compliance with GOST R ISO 28001-2019.

To achieve supply chain security, an organization must consider the following aspects related to cargo logistics:

• The supply chain must be transparent, allowing for the tracking and monitoring of the movement and condition of cargo throughout the entire supply chain;
• Supply chain resilience, ensuring the ability to withstand emerging threats, recover from, or adapt to disruptions;
• Collaboration between supply chain partners (suppliers, clients, intermediaries, regulatory authorities, or competitors).

Furthermore, in the context of technological development and artificial intelligence, it is also important to carefully address information security issues. Information protection[2] involves adopting legal, organizational, and technical measures aimed at:

• Ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other unlawful actions regarding such information;
• Maintaining the confidentiality of restricted information;
• Implementing the right to access information.

Security plans, measures, processes, procedures, and records of the organization must be treated as security-sensitive information and protected from unauthorized access or disclosure. Such information should only be available to a specific circle of persons, which may include:

• Individuals who require access to specific confidential security information to conduct activities included in the security plan;
• Individuals undergoing training to perform activities specified in the security plan;
• Individuals monitoring the activities of others performing tasks in accordance with the security plan;
• Participants or persons acting on behalf of a participant who, under the terms of a contract with the organization, have been granted access to confidential information controlled by the organization in accordance with agreed terms and conditions.

International Supply Chain Security Requirements

At the international level, the ISO 28000 Specification for Security Management Systems for the Supply Chain international standard is applied, which serves as the basis for creating a general supply chain security management system. Since the supply chain depends on various participants, the standard aims to reduce risks arising during cargo logistics. Implementing the standard offers the following benefits:

• Increased supply chain security;
• Risk assessment throughout the entire product supply chain;
• Uniform mechanisms for assessing risk levels;
• Minimization of potential damage, etc.

The international standard applies to various organizations that are part of the supply chain:

• Manufacturers of goods;
• Carriers, operators;
• Ports, stations, storage facilities;
• Importers, exporters, freight forwarders, brokers.

Litigation Regarding Supply Chain Security

Establishing supply chain security is a multi-component activity that covers almost all areas of a company's operations, from personnel education to modern information protection methods. In practice, certain court cases reflect the interaction of supply chain participants, for example:

• The presence of intermediaries in a product supply chain cannot automatically serve as evidence of the unreality of business operations;[3]
• The presence of an intermediary, given the factual circumstances of the relationships between the organizations involved in the supply chain as established by the courts, does not allow the company's actions within the disputed business operations to be regarded as having been committed with the intent to obtain an unjustified tax benefit.[4]

A comprehensive approach to ensuring supply chain security allows for high-quality logistics, verification of all its stages, elimination of potential adverse consequences, and minimization of supply chain security breaches.

______________________________

References

[1] Approved and enacted by Order of Rosstandart No. 1433-st dated December 23, 2019, On Approval of the National Standard of the Russian Federation.

[2] Clause 1 of Article 15.9 of Federal Law No. 149-FZ dated July 27, 2006, On Information, Information Technologies, and Information Protection.

[3] Resolution of the Eleventh Arbitration Appellate Court dated August 14, 2023, in Case No. A49-11963/2022.

[4] Ruling of the Judicial Chamber for Economic Disputes of the Supreme Court of the Russian Federation dated March 4, 2015, in Case No. 302-KG14-3432, A33-666/2013.