Counterfeit Chronicles: Episode 6 – Developing and Implementing a Documented Counterfeit Mitigation Program
What does it take to set up a counterfeit mitigation program in your organization? This episode covers the ins-and-outs of getting a documented counterfeit mitigation program up and running, how to get your entire organization on board and how to make for better customer satisfaction.
This interview was edited and formatted for clarity.
Tyler Fussner, Managing Editor, Supply Chain Connect
Hello, and welcome back to Counterfeit Chronicles. As always, I'm your host, Tyler Fussner, Managing Editor at Supply Chain Connect, and joining me again today is Richard Smith, Vice President of Business Development at ERAI.
Hey, Richard!
Richard Smith, Vice President of Business Development, ERAI
Hey, Tyler. Good afternoon. Hope all as well with you.
Fussner 0:31
Richard, last month we dove into the various standards across the industry that can help organizations navigate the electronics market safely. But today, I wanted to focus on what organizations can do internally to better protect themselves from counterfeit products.
So, whether you have a process in place or not, stay tuned because Richard and I are going to deep dive into what it takes to develop and implement a documented counterfeit mitigation program.
First step, Richard, I'm guessing I need to educate myself, right? So, where do I look? Where do I go in order to start getting some sort of mitigation program up and running for my operations?
Smith 1:08
Well, Tyler, most people hear about this initially from a customer requirement or an industry requirement. And they'll say, “What is your risk mitigation plan?” And if you don't have one, one of the best ways to get started is to visit the ERAI.com public page. Anyone can go there. In the middle of our landing page is a two-minute video talking about our InterCEPT training courses. And I always recommend people look at course CP-01, which is titled, Developing and Implementing a Documented Counterfeit Mitigation Program. That's a really good overview to tell you what you need to get started to develop a plan.
Fussner 1:54
I couldn't agree more. You need to seek out educational material, whether that's training classes or referrals from other industry leaders that are going through this or have gone through this process.
Speaking of the CP-01 part of that InterCEPT program, what is that class all about? Can you tell me more about the developing and implementing a documented counterfeit mitigation program class?
Smith 2:15
It's actually the first step to establishing a counterfeit avoidance program and it forces you to document the process. Some of the various standards out there refer to this document that you'll make as a ‘control plan.’ Some standards call it a ‘policy document.’ Others refer to it as a ‘procedure’ or ‘process.’ Regardless of what you call it, it documents your processes that your organization is going to use to ensure that you do not purchase, sell, install or release a counterfeit electronic part into the supply chain.
Fussner 2:55
And what are some of the core elements of that program? That policy? What does that look like, say, if I were jotting down a checklist of items or aspects that need to be included? What's all on that list?
Smith 3:08
It'll lead all of the students through how to develop and document your policy, how to implement training, supply chain traceability, purchasing procedures, verification of purchased product, quarantining any suspect material that you encounter, the disposition of that material, and the various reporting requirements. All these things are required to have a really comprehensive, useful, counterfeit risk mitigation plan.
Fussner 3:41
Say that I've gone through this, I'm creating a mitigation program for my organization… It can be tricky to introduce new practices or policies to an organization. How do you get your team to buy into this process? Does this new program replace what I've been doing? Or is this more adding on to existing practices? What does the integration look like?
Smith 4:06
A couple of questions I heard in there. One is, when you can explain to all your employees that this is required by the customer makes it a little easier to get on board. And because it's required by the customer, the processes that you put in place will make for a better product and a better company, and a better educated, informed group of employees.
When you're putting this plan together, ideally, you'll get input from all departments. So, there's some buy in there. Your plan can end up being a single document, or multiple documents, but everyone will have an opportunity to speak to that and what it means. Ultimately, your plan must meet all your customer and industry requirements. So, that makes it a little bit easier to get the folks on board.
In the very beginning of the course, it talks about a triangle of quality control. (And I'm getting onto your second question, “Does it replace anything or not?”) Well, it doesn't have to replace anything. They use an example of a triangle. You have policy at the top, procedures, work instructions, and then completed forms, file, and data. Your risk mitigation control plan, ideally, will infiltrate all of those sections of that triangle.
Once you come up with a policy or statement, which I alluded to it earlier, it should be something like, “Our organization will develop and implement procedures to ensure that it does not purchase, sell, install, or release a counterfeit electronic part into the supply chain.” And you want to instill that and incorporate it into any other quality procedure or any other sections of your manual. All departments within the company should have that goal in mind.
Fussner 6:12
It's a strong goal. I think it sends a clear message and it helps shape not only the process, but the day-to-day activity of the entire organization.
Smith 6:22
Yes. And the reality is all departments can contribute to meeting that policy statement, from your purchasing people, the course will teach you how to properly vet a vendor and put policies in place; your production people will learn to look for items in the production of this to make sure that something hasn't gotten past the receiving department; the receiving department will be well trained; the training department will be responsible for getting all the employees up to speed on the new policies and programs and plans. And ultimately, it's being managed by someone at some level of management. It's really good for the entire company to adopt that goal and that policy.
Fussner 7:07
Richard, I'm curious, say I get an email tomorrow and it's a customer asking, “What is your counterfeit mitigation process? What does it look like?” Or say I'm evaluating my current processes in place, and I want to overhaul it. What does that take? How long can this process take to go from learning to building to implementing and then successfully operating under a new documented counterfeit mitigation program?
Smith 7:35
That's a good question and the answer depends and will be different for every organization in every circumstance. If you already have something in place, you can share that with your customer and get in front of it and say, “Look, we're in the process of updating,” or, “We're going to start updating.” If you have nothing in place, it might be wise to say, “Look, we're in the process of looking into that now. We'll give you a copy of our control plan when it's done.”
But in real terms of time, the course that I described to you is one hour long. You can start, stop, reverse, backup… You have up to two months, minimum, to take the course after you've purchased it. If you run through it quickly and do everything that they advise you to, you still need to get input, depending on the size of your entity or organization, you may want to be getting input from other departments, so that could take a couple of days to a couple of weeks depending on how things go and how quickly you move and how large your organization is and if you have the people available to get in on this.
If it's determined by your customer, or your industry, or just your requirements after you've done some research, that you need to be compliant with some of the standards out there, you have to find a copy of the standard, (whether it's AS6081, or MS5553) whatever is most appropriate, you have to find the standard, go through that, get your company in compliance, and then you have to order an audit from an accredited agency to come in and certify you to that standard.
So, I would say, (rough numbers) it can take anywhere from a couple of weeks to several months. And that depends on, again, the size of your organization, what you may or may not currently have in place, the level of commitment from your company and allowing the time for the employees to participate and come up with the answers. In the end, you will have a document that you can share within your organization, send it up to management, send it throughout the company, and you will have all the various department procedures outlined so everybody will know what their responsibilities are. And you can share that document with customers, potential customers, auditors—anyone who may have an interest in the status of your counterfeit risk mitigation.
Fussner 10:12
I think that's a fair assessment. Of course, like you said, it's going to depend on many factors. Not only the size of your company, but also how well of a working document you want in place, right? You can go and maybe just copy/paste someone's existing document out there from a message board or something; you'll find one. But if you want to get audited and certified, if you want to have input from all the departments across your organization, if you want this document to work, it takes some investment. It takes some effort to get everything up and running and in place so that you can mitigate the counterfeit reaching into the supply chain.
Smith 10:48
Absolutely. And if people go to the website and look up this particular course that I've been talking about, CP-01, and if they determine that their organization has deficits in other areas, there are many, many individual classes and bundled courses that are designed to help a company put all this together. For instance, there are courses for Incoming Inspector 1 and 2. That goes into great detail on how to inspect a wide range of components, and the successful students will learn to make an accept-or-reject decision based on information they learned in the course; [there are] various other courses that deal with the overall implementation and training of a counterfeit risk mitigation program.
Ultimately, you're doing this to be a better company; you're doing this to build a better product; you're doing this to increase customer satisfaction and to increase customer base. It's a win-win for everyone.
No one wants to get caught further down the road having an incident where counterfeits have infiltrated their supply chain. The potential loss can be devastating. You'll be fortunate if there's no loss of life. But any material that doesn't work well or fails in the field, you can lose reputation and market share, stock price, rework charges and costs… It's worth it to put these policies and procedures in place in advance, and then all your employees know what to do if they run across a counterfeit part; or if they have any kind of issue with a supplier; or if they have a new supplier, your policy will already have determined who in the organization is allowed to approve a new vendor and what processes they have to go through to become a new vendor. It gets very detailed. It is very broad. But in the long run, everyone wins.
Fussner 12:59
Richard, do you have any tips or suggestions for people that are undertaking this process for the first time? Say that someone is setting up and establishing their very first counterfeit mitigation program in their organization. What advice could you offer them?
Smith 13:14
They certainly need to speak with their customers. Now, I wouldn't blame someone if they didn't want to go talk to their competitors, but if you're able to find out what processes are being incorporated with your competitors, that can be good information. So, you want to talk certainly to your customers, your suppliers, any industry or governing bodies that affect the industry that you're involved in, find out what is expected, and then take that CP-01 course and get started.
The larger concern is to not put it off.
We've seen this evolve quite a bit. In the early 2000s, we were telling defense and aerospace industries, the U.S. government Department of Defense, that there's a problem with counterfeits out there. It really wasn't well received until the early 2000s, about 2005. There were enough incidents that occurred where losses and various things through using counterfeits, them getting into the supply chain, that companies started to pay attention.
Early on from 2000 to 2010, it was primarily defense and aerospace that was jumping on the bandwagon and putting these policies in place. And as time went on, and there were more incidents of counterfeits being noticed and observed in various fields, other industries got on board and got involved.
Currently, ERAI data and InterCEPT training is being used in defense, aerospace, nuclear, medical, commercial, industrial and automotive sectors. The bigger thing is to get started and not put it off.
Fussner 14:55
I couldn't agree more. Don't put this off. Counterfeits do exist; they are involved in every industry. So, open up those lines of communication, learn as much as you can, and get started.
Smith 15:07
Absolutely, Tyler.