Magna: On the Audit Trail

> Read original article
Canadian Security Magazine
December 2006

As Magna International contemplates the move towards C-TPAT compliance, Vice-President of Special Projects, Steve Reesor, puts a detailed assessment tool to work taking stock of security systems in the company’s manufacturing facilities.

A big part of good risk assessment is having an understanding of the current state of security in your organization and conducting a thorough risk assessment is a good place to start. When Steve Reesor became Vice-President of Special Projects at Magna International in April 2005, he embarked on a mission to take stock of what systems were in place at the company’s 284 facilities around the world and report back to executive management.

Security is largely decentralized at the automotive systems manufacturer, with each facility’s operations manager responsible for systems such as access control. Reesor’s team provides security policy, guidelines and best practices and assists the divisions, at their request, with doing security assessments, reviewing vendor proposals for intrusion alarms, access control and security cameras and also assists with internal investigations. Ultimately though, it is the general manager of the division that has responsibility for security at the individual plants.

They are like the president of their own company with respect to running their business and being held accountable. Reesor knew he would encounter different levels of security at each facility and that each one posed its own set of challenges — some are located close to large urban areas that pose greater risks, and facilities outside North America provide other challenges. Magna International has 153 facilities in North America, which includes 13 in Mexico, two in South America (Brazil) and 112 sites in Europe and 17 in Asia.

Of the 284 facilities, 60 are product development and engineering centres and 224 are manufacturing operations. Over the years the company has acquired many companies, which means the approach to security was diverse. While plants will typically have a health and safety manager, they don’t necessarily have a security manager. That means the role of security can fall to the health and safety person or the facility manager. In reviewing its sites, Magna has been able to communicate to each facility what Reesor
sees as the minimum standards for security.

“What we want to see in our facilities is the perimeter covered by camera, on employee entrances and the offi ce entrance and shipping and receiving areas. We recommend cameras and alarm system on the offi ce area and we recommend electronic access control in the factory area, so from a security perspective that’s standard and our expectation,” says Reesor, a retired deputy chief from the Toronto Police Service.

Once that recommendation is made, the plant general managers have a certain obligation to show why they haven’t followed the recommendation.

“I think having a secure manufacturing area improves the discipline of the whole operation and workforce in terms of the attitude they have towards their work when they know they are walking into a secured area,” he says.

Reesor uses a site survey tool called Asvaco from Toronto-based FutureShield, which provides software for the private security and public safety industry. He also uses the company’s Customs Trade Partnership against Terrorism (C-TPAT) survey tool which addresses requirements for the U.S.-based program, which was created after 9/11 to improve security of the international supply chain. Reesor believes many customers will soon award contracts only to those partners that are C-TPAT-compliant, so he wants Magna to be prepared to maintain its competitiveness.

The site survey is an in-depth analysis that gets into the installation and operation of access control systems and cameras — some 377 questions in total. The questions examine issues such as facility and contact information, barriers, cameras, lighting, parking lot, locks and keys, access control, signs and trash control. The C-TPAT survey has just over 100 questions.

The Asvaco product is geared towards the needs of manufacturing organizations. Often, manufacturers don’t have their own in-house security team, so FutureShield recently formed a partnership with OBN Security and Investigative Consultants in Toronto, which is now licensing the product to conduct assessments for manufacturers that do not have an internal security team.

It is priced using a calculation based upon the number of assets that need to be assessed and property and building size. “This way, even very small manufacturers can afford to complete their assessments,”
says Cynthia Weeden, president of FutureShield. “For those companies who want to conduct the assessment internally, they can licence the software and conduct a self-assessment. The software is licensed for two 30-day periods. This allows users to conduct an initial assessment, complete the recommended mitigation, and then conduct a fi nal assessment.”

Weeden says numbers from Export Development Canada indicate there are 18,000 exporting manufacturers in Canada and many of these are still in the very early stage of C-TPAT compliance.

“Magna was very astute to not only conduct the C-TPAT review, but also a much more detailed site survey for their internal use and analysis.”

Many manufacturers don’t have internal security teams so conducting risk assessments as Magna is doing can be a daunting task.

Reesor wanted a standardized tool to conduct his audits with the ability to build complete reports he could deliver to the executive team.

“In the past, quite often we would have contracted it out to someone to do a security assessment,” says Reesor.

In fact Magna had recently done just that, but in comparing the two, Reesor feels the assessment generated by using the software program at each facility produced a better report.

“We paid a fair amount of money (for the outsourced audit) and it was more of a risk analysis assessment. I think we ended up with a better product here (with FutureShield). We know our business and understand the way our factories operate and I think we are able to provide a more well-thought out recommendations
for improvement. I also think we have a lot of credibility with the general managers when we put forth a report because they can tell by reading the recommendations that no, we’re not just talking about some theoretical approach to security, we’re giving them some really hands-on practical solutions to enhancing security.”

One issue that came to light in the security audits Reesor conducted was that because most of the plants are open 24 hours because of shift work, there was a challenge in keeping the facility secure after
regular business hours.

“When you’re talking about something like an alarm system, you normally wouldn’t put an alarm system on the whole plant, just on the offi ce area,” says Reesor. “But even with a manufacturing plant, you have employee records and you do have some proprietary information that is stored on computers and laptops and they become attractive targets. Some people didn’t truly understand the risk they were facing by not having an alarm system that was operating properly in the office area.

“In some cases they might have a uniform guard on the premise 24 hours a day. If they have alternative ways of addressing that security risk that has been identifi ed that’s fi ne, we’re not telling them everything they have to do to address the risk. What we’re saying is ‘this is what we recommend’ and I haven’t found much push back.”

Reesor also discovered that by doing a number of assessments in a number of different facilities he was able to discover solutions to security problems that were already implemented at other factories.

“We were able to develop our own internal standards, saying ‘This is the best way to develop this particular security issue and we know that because it’s already working over in this plant.’ We can cheery-pick all the best practices from our various plants and then develop that into a standard that we go out and sell consistently across all of our plants. We can say, ‘This should be the security standard you have in place.’ We’re very decentralized as a company so we can’t dictate or mandate, however we found people very receptive they are all concerned about maintaining a secure environment in the workplace. They want to spend their money wisely and they appreciate that expertise,” he says.

Reesor found that going through the assessment and answering all of the questions posed in the software tool helped him create a knowledge-base of how secure the plants really were.

“With this type of tool you can build up your in-house expertise and you have the confidence that you are covering all of the different areas that should be covered. You are also able to distribute a professional looking product to the client — in my case the internal general managers.”

The assessment will also serve to show each individual plant what kind of investment will be required to reach the point where it would become C-TPAT compliant.

“We do a lot of movement of goods into the states and from the U.S. into Canada and from Mexico into the U.S. and from Mexico into Canada. We are using the C-TPAT tool as a way of hopefully having our facilities meet minimum security standards that are consistent, and use C-TPAT as the reason for why it’s
something they should initiate now instead of waiting until they can afford to do it,” explains Reesor. If a company joins C-TPAT it must, as a minimum requirement, have electronic access control at all facilities.

With the C-TPAT assessment, Reesor started by looking at 14 facilities — 13 in Michigan and one in South Carolina.

“We are trying to determine if we’re going to join C-TPAT or not and we thought that by doing the assessments for this one group it would give us a good understanding of what kind of investments might be required,” he says. “If we decide to join CTPAT we will have to do a separate assessment of every facility.”

Reesor thinks he will probably revisit the assessment process every three or four years.

“The plants change and especially the people in the plants change and when you’re going through this you’re providing a bit of education about security issues and you give them a bit of a guide book on the things they should be looking at so it’s important to review that kind of thing.”

Compared to contracting out, Reesor says conducting the audits himself with the software tool was cost effective and delivered a better end result.

“We can say now that this is what you should have from a security perspective in a manufacturing plant.”

Risk assessments can often disrupt processes that have been in place for a long time, but Reesor says employees welcomed the information.

“I think there’s an appetite there and we have a responsibility to provide that security for our employees.”