Product Diversion in the Healthcare Supply Chain: What’s the Problem and How Big Is It?

Posted on June 17, 2025 by Paul Curwell

Paul Curwell

8 minutes

Key Takeaways:

Healthcare Product Diversion is a multi-billion-dollar problem for MedTech, Pharmaceutical, HealthTech and Consumer Healthcare manufacturers, especially Small-Medium Businesses (SMBs)
Manufacturers are most at risk, but distributors and consumers feel the pain too.
Practical solutions exist—from serialization and contract clauses to better training and audits.

Why Product Diversion is a problem for Healthcare Supply Chains?

Product diversion might sound like a minor logistics glitch, but it’s a growing form of supply chain fraud with serious consequences for manufacturers. It undermines pricing strategies, exposes patients to risk, and silently drains profit from businesses—especially in pharmaceuticals, medtech, and consumer healthcare.

Let’s ground this in reality:

Price Gouging in Grey Markets: A 2012 U.S. Senate investigation revealed that during drug shortages, grey market distributors were marking up prices by up to 650%, creating an exploitative shadow supply chain that directly impacted patient care and manufacturer pricing strategies.
IP and Brand Risk for SMBs: According to a 2013 analysis by Michigan State University’s A-CAPP Center, illicit diversion and counterfeiting in healthcare products pose major threats to brand trust, supply chain security, and IP protection—risks that are especially acute for small and mid-sized companies lacking robust controls and visibility.
Healthcare Product Diversion via Unauthorised Resellers: Unauthorised resellers obtain genuine products through bulk or discounted sales and redirect them into unapproved markets. This undermines pricing and contracts, risks product quality due to improper handling, and threatens supply chain integrity. Such diversion impacts compliance, profitability, and consumer safety.

While precise global loss figures are difficult to pin down due to the covert nature of diversion, the financial and reputational impact is consistently described by regulators, manufacturers, and law enforcement as both significant and growing.

Product diversion is a risk to consumers and HCPs, HCOs. — Photo by Anna Tarazevich on Pexels.com

How does Product Diversion happen in healthcare supply chains?

Healthcare Product Diversion schemes don’t follow a single playbook. Instead, they are creative, persistent, and often involve trusted insiders or third parties exploiting weak points in the supply chain.

Method	How It Happens	Example
Bulk purchasing	Authorised buyers order large volumes, then resell to unauthorized parties	Salon-exclusive beauty products showing up in discount e-commerce sites
Overproduction / shadow batches	Contract manufacturers produce more than authorised, sell off the surplus	Unapproved medical device units reappearing in Southeast Asian markets
Theft and leakage	Products stolen from warehouses or in transit	Fentanyl stolen from hospital stocks and sold on the black market
Geographic arbitrage	Products meant for one country sold in another to exploit pricing differences	EU-only medical device diverted to U.S. via grey market reseller
Expired or defective goods	Meant for destruction, but reintroduced into the supply chain	Expired drugs found in unregulated online pharmacies
Collusion and kickbacks	Sales reps or healthcare providers over-order and resell excess inventory	Institutional drugs diverted to retail pharmacies for profit

Understanding these methods is essential if you want to design effective prevention strategies. They often exploit gaps in oversight, compliance, and contractual clarity.

Towards a taxonomy for product diversion

Real-World Case Studies – Pharmaceuticals, Medtech, and Consumer Healthcare

Product diversion isn’t a hypothetical risk for the global healthcare sector —it’s already happening:

Pharmaceuticals: A 2013 U.S. Senate report detailed how opioids intended for healthcare providers were routinely diverted and sold illicitly, playing a direct role in the national opioid crisis¹.
Medical Devices: EU regulators have flagged instances where temperature-sensitive devices were diverted to regions without the infrastructure to store them safely, leading to degraded product quality and recall risks.
Consumer Healthcare: Brands like Redken and Olaplex have openly addressed diversion issues. Products intended for exclusive sale in salons have appeared on Amazon and eBay, undermining pricing integrity, partner relationships, and consumer trust.

These examples highlight the diverse nature of diversion threats and show that no segment of the healthcare supply chain is immune.

All manufacturers – big and small – are vulnerable to Product Diversion

Manufacturers sit at the top of the risk pyramid.

They suffer the most from product diversion, followed by authorised distributors and, finally, healthcare providers and consumers who must deal with the consequences.

Manufacturers lose direct revenue from diverted sales.

They also face brand damage when mishandled products tarnish reputation, and serious regulatory risk when expired or non-compliant items are resold.
Consumers don’t blame the grey market vendor—they blame the brand.

Small-to-medium-sized manufacturers are even more exposed.

Often, they don’t have dedicated legal or compliance teams, formal diversion programs, or tools like serialisation in place.
Their supply chains are lean and reliant on third-party relationships—relationships built on trust rather than tight oversight.

Unfortunately, this creates the perfect opportunity for diverters to exploit weak links.

The USP/APEC ‘Supply Chain Security Toolkit for Medical Products’

So what? The Business Impact

For manufacturers, the business implications of diversion go well beyond lost sales:

At a strategic level, diversion undermines pricing control, exclusivity agreements, and go-to-market models.
From a financial perspective, every diverted unit is a unit sold outside authorized channels—often at a discount or under different conditions. That distorts revenue forecasts, inflates warranty claims, and creates return headaches.
Operationally, diverted goods often re-enter your returns and recalls process, costing time and money.
From a compliance angle, unauthorized sales might breach your distribution contracts, prompt regulatory investigations, or expose your business to liability if patients are harmed.

If you’re trying to secure IP rights in a new market or negotiating an investment, diversion-related quality or compliance issues can tank your credibility quickly.

Control gaps enable Product Diversion

Understanding what makes your business vulnerable is the first step to fixing it.

Vulnerability	Description
Complex global supply chains	Multiple players and jurisdictions reduce visibility
Weak contractual oversight	Contracts without anti-diversion clauses or penalties
Limited serialization and tracking tech	No way to trace individual units across the supply chain
Insider threats and poor awareness	Employees or partners exploiting gaps in oversight
Market price differentials	High variation in pricing between regions fuels geographic diversion

When multiple vulnerabilities stack up, diverters can exploit your entire supply chain, from production to post-sale support. Fortunately, each of these can be addressed with proportionate controls.

Mitigation Strategies for Product Diversion in Healthcare Manufacturing

Now for the good news. You don’t need to spend millions to protect your supply chain from diversion. Here are six effective, scalable steps:

1. Use Serialization and Digital Tracking

Track-and-trace technology, including QR codes and unique identifiers, allows unit-level visibility. It can deter resale and help identify leak points quickly. Newer tools are cost-effective and accessible to SMBs.

2. Update Contracts

Review your contracts with manufacturers, distributors, and resellers. Include anti-diversion clauses, audit rights, and explicit consequences for unauthorised sales. Legal clarity closes loopholes.

3. Audit and Monitor the Supply Chain

Use a risk-based auditing framework. Start with high-risk partners or geographies. Look for unusual purchasing volumes, inconsistent delivery data, or unauthorised resale complaints.

4. Train Your Staff

Awareness is critical. Your internal teams—from sales to shipping—need to know how diversion happens, why it matters, and what signs to watch for. A single employee spotting something suspicious can save you a lot of pain.

5. Use Incentives and Whistleblower Programs

Encourage internal reporting by rewarding ethical behaviour. Employees and partners are more likely to speak up when they feel safe and supported.

6. Leverage External Expertise

If you don’t have in-house expertise, work with professionals who understand the complexities of IP protection, supply chain risk, and regulatory compliance. Tailored assessments can identify hidden weak points.

Integrating Security into Quality Management Systems

Call to Action: Stop Assuming Product Diversion Is Someone Else’s Problem

If you’re a manufacturer in pharmaceuticals, medtech, or consumer healthcare, it’s time to act.

You don’t need perfection—you just need proportionate protection. Start with serialisation. Tighten your contracts. Educate your teams. The earlier you build diversion awareness into your commercialisation strategy, the better positioned you’ll be to protect your research, technology, and trade secrets.

Let’s connect if you need help building a scalable product diversion program. It doesn’t have to be big to be effective. And the sooner you act, the fewer losses you’ll have to explain.

Diversion of critical technology – a byproduct of global competition?

Posted on October 1, 2023 by Paul Curwell

Paul Curwell

6 minutes

Global competition for science and technology is heating up

Unless you have been sleeping under a rock these past five years or so, you will be aware that the world is again in an era of great power competition. One key area in which this geostrategic competition is playing out is in science and technology. In addition to the omnipresent competition between businesses, nations are now trying to gain the upper hand for economic and national security reasons in a way we haven’t seen since the end of the Cold War.

Developing a high level of scientific and technological capability maturity takes decades and requires substantial infrastructure, starting with basic education systems all the way to post-doctoral research. The research needs to be supported by a legal, regulatory and financial environment conducive to commercialisation, such as Intellectual Property law, sources of capital investment, and the right government policy settings. Lastly, countries need to have companies capable of converting consumer-ready ideas into products, and the ability to take these products to market.

Where countries or companies cannot or do not wish to take a product to market, they use Technology Transfer mechanisms to assign ownership or control. If you can’t or won’t build these capabilities organically, the alternative offers a fast-track option: Steal it. If you want to take the illicit path, you have three main options: Theft, patent infringement and counterfeiting, or diversion.

medival professionals holding test samples — Photo by Tima Miroshnichenko on Pexels.com

What is Diversion in the context of Technology Transfer?

To understand the diversion of critical technology we need to establish some definitions, starting with Technology Transfer. I spent quite a bit of time learning about Technology Transfer at university, but it seems the inherent complexity hasn’t changed in many years. According to a 2011 World Health Organisation (WHO) report, the term “technology transfer has been notoriously difficult to define precisely”.

WHO have chosen to go with a World Intellectual Property Organization (WIPO) definition which defines technology transfer as “a series of processes for sharing ideas, knowledge, technology and skills with another individual or institution (e.g. a company, a university or a governmental body) and of acquisition by the other of such ideas, knowledge, technologies and skills”.

“Diversion” refers to the unauthorised or unintended redirection of technology, confidential information, or components / materiel from its intended (authorised) receipient or use to a different party or for use in a different purpose.

Diversion is different to Theft (although they often arise simultaneously): Theft is effectively taking something that isn’t yours without permission (and often without paying for it). For example, going on a laboratory visit, picking up a laboratory notebook and discreetly putting it in your bag for later is theft, not diversion. Although I cannot find evidence of it being discussed in this way in the literature, I consider Diversion a type of Fraud as it typically involves obtaining a benefit (the confidential information or technology) by deception.

faceless operator examining drone in modern studio — Photo by Pok Rie on Pexels.com

Why should we care about the Diversion of critical technology?

The impact of diverted technology depends on the what the technology actually is and the identity of the perpetrator. Diversion is commonly perpetrated by nation states, competitors, private intelligence collectors, non-state actors (e.g. terrorist groups), and trusted insiders (e.g., employees, supplier’s workforce). Diverted technology can have a number of national security and market competitiveness impacts, which over time erode competitive advantage and can expose companies and countries to undue risk, including:

Military Superiority: Critical technologies often underpin a national defence capabilities. If adversaries or third parties access these technologies, your competitive edge can be eroded.
Economic Competitiveness: Advanced technologies drive economic growth and national competitiveness. At the start of this 4th Industrial Revolution, science and technology goes hand in hand with economic prosperity.
Critical Infrastructure Vulnerabilities: Critical technologies are often used to support critical national infrastructure like energy, transportation, and communication. Diverted technology could be used to identify novel vulnerabilities in systems (including zero-day cybersecurity vulnerabilities), which could be exploited by adversaries leading to widespread disruptions.
Proliferation of Weapons of Mass Disruption and Dual-Use Technologies: Defence and dual-use technologies (those with both military and civil applications) can be diverted to sanctioned groups or nation states, destabilising global security.
Diminished Strategic Autonomy: In this new ere of geostrategic competition, being reliant on another country is a strategic vulnerability (we saw this from the effects of the COVID-19 pandemic). Diversion can lead to increased dependence, potentially compromising a nation’s independence.
Foreign Interference and Espionage: Diverted technology can provide adversaries with insights into a nation’s capabilities, strategies, and operations, potentially undermining its diplomatic and security efforts.

There are many ways in which technology can be diverted, such as False End Users, front companies, use of brokers or intermediaries to obtain information, joint ventures or mergers and acquisitions, IP Licensing agreements, insider threats, foreign student arrangements, and many more. In some cases, once the diverted technology is obtained by the adversary, it will be copied or reverse engineered before going into production (manufacturing). The benefit here means that companies can build a competing product (or military capability) at a cheaper price. without the overheads of having to recover the costs of research and development.

Towards a taxonomy for product diversion

Posted on February 18, 2023 by Paul Curwell

Paul Curwell

What is product diversion?

Those who follow my blog will know that diversion is something I wrote about reasonably often. The reason for this is simple – diversion has a multiplier effect on the business supply chain. It doesn’t just result in a financial loss like theft does, but it also impacts the profitability and engagement of your distributors, the integrity of your channels (in terms of being able to control who sells your product, the quality and integrity of that product, and at what price), and consumer satisfaction in terms of brand perception, warranty coverage and customer service.

black fujifilm dslr camera — Photo by Math on Pexels.com

How does product diversion occur?

I started researching diversion more generally before Oliver May and I wrote our book ‘Terrorist Diversion’ for the non-profit sector. Unfortunately diversion happens everywhere in business, but the way it happens differs by industry and product. One challenge with diversion is that it can be hard to grasp how it actually happens – diversion is part theft, part fraud, and part breach of contract. To illustrate, when I discuss product diversion with clients, there are six main risks I start with, as follows:

Expired, defective or out-of-specification (non-conforming) product is diverted from destruction or reverse supply chains and sold as conforming (on-specification) product
Product authorised for sale in one market (e.g. Country X) is actually sold in another, unauthorised market (e.g. Country Y) in breach of contractual obligations between distributors / end users and the manufacturer
Product is stolen from the distribution or supply chain and diverted (sold)
Product is acquired, repackaged and on-sold by a third party or unrelated party
Product sold by a manufacturer for non-domestic use is subsequently sold or re-imported for sale / use domestically in that country
On-specification (conforming) product is produced by an authorised manufacture (i.e. a third party) without permission from the Intellectual Property Rights Holder, through practices such as overproduction (see my previous article on Shadow Manufacturing), with that excess conforming product being sold without approval

In my previous article on Typologies, I mentioned the importance of getting to what I typically call “level 3 risks” – effectively drilling down to three levels of detail that describes how and where each diversion risk may arise in relation to factors such as your business’s organisational structure, channels, products.

Whilst I won’t be publishing them here due to length, I’ve identified over 25 different ‘Level 3 diversion risks’ at the time of writing. Each of these risks materialises in a different place in the supply chain and has different actors, demonstrating the breadth and complexity of this issue. If your business is experiencing product diversion issues, only focusing on a discreet element of diversion may not solve your broader problem.

If you are concerned about product diversion in your supply chain, you may want to start with my risk taxonomy and customise it to your business. Remember not every risk will apply in your situation, but it is important to understand how and where diversion can occur in your business.

Who perpetrates product diversion?

Product Diversion is predominately a ‘trusted insider risk‘ perpetrated by someone within your organisation or supply chain who has privileged access to your products, processes and information. There are two exceptions to this, one being the involvement of buyers (end users) who purchase conforming product in bulk for unauthorised resale, and the second being criminals who perpetrate cargo or warehouse theft to resell stolen product on the commercial market. Perpetrators of product diversion typically include:

Employees
Contractors
Business Partners
Suppliers and Service Providers (e.g. reverse logistics, repackaging companies)
Organised Crime (warehouse and cargo theft)
Unauthorised End Users (see my previous article on the importance of End User Verification)
Contract Manufacturers

In some cases, collusion between one or more groups will occur, as well as criminal infiltration between external organised crime and trusted insiders. Trying to perpetrate larger scale or ongoing product diversion as an individual may be challenging and lead to early discovery. In this case, networks such as organised fraud sydndicates tend to emerge.

Where does product diversion arise in your supply chain?

As with any crime, we always talk about means, motive and opportunity as three legs of the crime triangle. Without all three elements, crime is unlikely to occur. From my work, I have identified for main ‘motives’ which should be considered alongside the product diversion risk taxonomy I presented above:

Steal for self: where a trusted insider diverts the product for their personal use (this is typically small-scale or opportunistic, and commonly falls under the definition of ‘theft’ or ‘occupational fraud’ as opposed to product diverison, which is generally larger in scale and more organised)
Steal for sale: where a trusted insider with legitimate access to the product (including employees of third parties such as suppliers) diverts the product in a higher quantities for commercial sale
Buy for resale: where a fake end user purchases product, potentially at a discount, for resale in one or more Territories (countries / regions)
Buy then dispose: where a legitimate end user purchases product then resells / disposes of product to liquidation firm (such as a retailer who purchases stock but is unable to sell that stock within an acceptable period)

If you are are responsible for managing these risks in your organisation, remember that some positions in your organisation will provide greater access and / or opportunity to perpetrate diversion than others. For the purposes of your security or insider threat management program, you need to consider these High Risk Roles.

High Risk Roles are those positions in your organisation (or in your supplier or business partners’ organisation) that confer privileged or unsupervised access to your critical assets – in the case of diversion, this could be a warehouse manager or team managing reverse logistics and destruction of expired or non-confirming product. My article on High Risk Roles provides more information here.

Key areas where product diversion can occur include:

Warehouses
Distributors
Wholesalers
Retailers
Factories
Contract Manufacturing Organisations
Third Party Logistics companies
Liquidation companies
Repackaging companies
Product returns companies
End Users (e.g. for resale)
Other resellers

As you can see, product diversion can happen anywhere in the supply chain. However, some of the product diversion risks presented in my taxonomy will only manifest in specific parts of the supply chain and / or involve specific actors. This needs to be considered in any risk assessment and treatment plans.

Conclusion

As you can see, product diversion is a complex type of fraud which requires considered thought and planning in order to mitigate. Understanding how and where risk events may materialise is important, as is understanding the perpetrator and their motives. Access to data, and use of data analytics and intelligence is critical to mitigating your organisation’s risk to within your risk appetite.

What’s the problem with conflicts of interest?

Posted on June 11, 2022 by Paul Curwell

Paul Curwell

What are conflicts of interest?

At their core, conflicts of interest are about integrity. ‘Conflict of interest‘ arise in situations where employees or third party legal entities such as vendors or business partners (including employees of those third parties) could be influenced, or where it could be perceived that they are influenced, by a ‘personal’ interest in carrying out their duty (Commonwealth Ombudsman 2017).

In this sense, ‘personal’ interest refers to perceived or actual benefits being derived, ranging from money to relationships or reputation. There are three forms of conflicts of interest (Commonwealth Ombudsman 2017):

Actual conflict – where a direct conflict arises between an individual or entity’s personal interest and their fiduciary duties
Perceived conflict – situations where others might perceive a conflict (even if an actual conflict does not exist)
Potential conflict – situations which in the future could give rise to an actual or perceived conflict of interest but have not yet happened

Are conflicts of interest fraud?

Conflicts of interest are considered one of four ‘corruption schemes‘ by the Association of Certified Fraud Examiners (ACFE), the other three being bribery, illegal gratuities, and economic extortion. However, unlike some types of fraud, an actual conflict of interest only becomes fraudulent if it is not declared.

Declaring a conflict of interest (whether actual, perceived or potential) provides an opportunity for it to be managed, which could include the conflicted party recusing themselves from the conflicting situation or decision, or declaring this conflict to peers (such as where a board member is conflicted through multiple interests).

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

How do conflicts of interest arise?

Conflicts of interest arise can either intentionally or unintentionally (Commonwealth Ombudsman 2017) :

Intentional conflicts occur where an individual or legal entity knowingly puts itself in a conflicting situation. This could arise where a potential conflict is entered into with the full knowledge of all affected parties (and appropriately managed), or where the party gaining a personal benefit attempts to conceal the conflict (fraud)
Unintentional conflicts arise from poor management or awareness by affected parties, such as where employees do not recieve conflicts of interest awareness training, employers do not have conflicts of interest policies or require attestations.

Declarations – a key part of conflicts management

Conflicts of interest are all about transparency, or the lack thereof. Declarations are a key component of managing conflicts. Irrespective of whether an employee, contractor, supplier or potential business associate, businesses need to understand what (if any) potential conflicts they may have and work through a process to evaluate them.

Typically, the easiest way of managing conflicts of interest is avoiding them, but this is not always possible. Where a conflict does or may arise, it must be evaluated – sometimes this process can be quite onerous.

The U.S. National Academies of Sciences (NAS) notes that “conflicts are not binary (present or absent)”, and that they “can be more or less severe”. The NAS identifies two factors to assist decision makers when evaluating a conflict of interest declaration, being (a) the likelihood of undue influence by the secondary interest, and (b) the seriousness of the outcome. The NAS presents this useful rubric for assessing confict of interests:

Likelihood of undue interest	Severity of potential harm
What is the value of the secondary interest?	What is the value of the primary interest?
What is the scope of the relationship?	What is the scope of the consequences?
What is the extent of discretion?	What is the extent of accountability?

NAS (2009) – Chapter 2 Principles for Identifying and Assessing Conflicts of Interest

Depending on severity or perceived harm, treating a conflict of interest may require removing the conflicted individual / entity from the decision making process, or in other cases severing the business relationship entirely. Exactly how you need to manage a conflict depends on the situation (noting that in some cases there may be applicable legislation which will also govern this).

Good practice requires organisations to collect information on conflicted individuals or entities regularly – there is no set timeframe for this, but an annual declaration coupled with voluntary event-based disclosures by the affected party if they arise, makes sense for most organisations. Any more frequent and the program can be difficult to manage, whilst a longer gap between declarations can give employees the impression that conflicts aren’t important, as well as meaning the organisation is working on out of date information.

Once conflicts are identified and confirmed, managers of those employees or affected contracts (e.g. vendor managers) must be made aware of the conflict and charged with managing the risk in accordance with the organisation’s agreed treatment plan.

The challenge of detecting undeclared conflicts

Managing declared conflicts can be challenging enough for large organisations, however detecting them is something different altogether. Without a properly structured approach it is possible to spend a lot of time, effort and money without identifying anything conclusive.

In the absence of an allegation, such as a tip-off from a whistleblower or competing vendor, organisations seeking to be proactive in detecting potential undeclared conflicts should focus their resources on the business units, processes, people or vendors of highest risk. The ACFE identifies three main types of conflict of interest scheme (Wells, 2007):

Purchasing Schemes – where a conflicted party manipulates the victim’s purchasing process to the benefit of the entity to which they are conflicted
Sales Schemes – where the conflicted party negotiates discounts or processes write-offs to benefit the entity to which they are conflicted
Other schemes – where the conflicted party diverts funds, clients / sales leads, and / or resources such as equipment from their employer to the entity to which they are conflicted for the conflicted entity’s benefit

Each of these categories of scheme is comprised of a number of typologies (perhaps best thought of as variations), some of which are more easily detected than others.

As you can see, conflicts of interest schemes can arise amongst employees in sourcing and procurement or sales and marketing roles; however, this is not exclusively the case. Conflicts of interest are generally quite complex to both detect and investigate. Typical methods of detecting conflicts include fraud data analytics (fraud detection) and investigative techniques including (Wells, 2007):

Supplier vetting or due diligence (and comparison of ownership data with employee and contractor names and other indicators, such as phone numbers)
Matching of supplier / vendor and employee identifiers (eg.g. Address, phone number data)
Identification of employees who are take up employment with a vendor after termination
Tipoffs and complaints, including from other disaffected vendors who are losing work as a result of the corruption scheme as well as employees who notice inconsistencies or favouritism

A well designed integrity program, inclusive of appropriate internal controls in key areas (such as purchasing), awareness programs and annual attestations can help mitigate the risk of these insider threats. Perhaps most importantly though, these same practices must extend to third parties, whether a vendor, business partner or other classification. A third party’s employees or contractors in positions which place the contracting entity at risk must be managed and monitored closely, sometimes with even more scrutiny than may be applied to the contracting entities staff – this decision is dependent on where the risk lies, and the inherent and residual rating of that risk.

Theft of fuel from HMS Bulwark – a diversion case study

Posted on April 30, 2022 by Paul Curwell

Paul Curwell

What happened?

This story broke in the media on 7 April 2022, with multiple articles claiming the theft of fuel from a high security Royal Navy base in the United Kingdom. According to Sky News, “the diesel was siphoned from a tanker in a heist that reportedly “ran for weeks” with most of it having been “flogged on the black market”. Some articles claim the fuel was being used to run diesel generators on HMS Bulkwark whilst it is alongside and undergoing refit.

HMS Bulkwark, Albion-class assault ship, Royal Navy, United Kindgom

Further details on the case are limited, other than the fact that the case is under invetistigation by the UK Ministry of Defence and that the alarm was drawn when a guard at the base became suspicious. Unfortunately the theft of fuel is a common occurance – as a perisable commodity which retains its value in the market, fuel is in high demand and can be readily converted to cash when diverted even in small quantities, or alternately consumed for personal use.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

A case of diversion or shrinkage? Motive is key

The fact that fuel was stolen means this is an offence of theft, or potentially fraud depending on whether deception was used to perpetrate the crime. Given events took place on a secure military base where it is reasonable to assume you cannot simply walk in or out, it is reasonable to assume an element of deception (i.e. fraud).

Either way, whilst details are limited in the public domain it is possible to develop further insights into the crime for the purposes of building this case study. For example, we know this scam went on for weeks. According to Wikipedia, the capacity of a fuel tanker truck ranges from 20,800 to 43,900 litres. Google reveals that the average capacity of an SUV on the road is up to 70 litres.

To provide an order of magnitude, 2% of 43,900 litres is 878 litres, which equates to around 12.5 full SUV tanks. If this scam was perpetrated once a day for 7 days, we are talking about over 6,000 litres of diesel being stolen each week. With current Australian diesel costs averaging $1.95 per litre as at 14 April 2022, this equates to illicit earnings of just under AUD$12,000 per week (AUD$624,00 per annum). To be clear, there is no indication of quantum or order of magnitude in the media, so this is hypothetical and indicative only.

AA van with Jeep SUV broken down in Kensington Gardens by David Hawgood is licensed under CC-BY-SA 2.0

So does this activity equate to shrinkage or diversion?

Shrinkage is an accounting term used to describe when a store has fewer items in stock than in its recorded book inventory (Shopify). Shrinkage can be the result of process or quality issues, as well as theft and fraud.
Product Diversion refers to goods that are redirected from the manufacturer’s intended area of sale or destination to a different geography or distribution channel (Curwell)

In practice, I tend to view shrinkage as being less organised and not ‘commercial’ in scale, whereas diversion is typically more organised and more commercial in nature. Given this has been going on for weeks as well as the volume and illicit revenue estimates outlined above, I would suggest this is clearly a case of product diversion. Further, in my taxonomy of product diversion risks, this is defined as “Product stolen from distribution or supply chain“.

How can these types of product diversion events be detected generally?

Product diversion shares similarities with other frauds. According to the Association of Certified Fraud Examiners (ACFE) Occupational Fraud 2022: Report to the Nations study:

42% of business frauds globally are detected via tip offs,
16% through internal audit, and,
12% through management review.

Interestingly, 5% of cases were detected by accident – exactly how the Royal Navy guard discovered this diversion incident.

When you know what you are looking for, the application of fraud analytics techniques means product diversion can be detected provided you have the right data and you assemble and analyse this data in a manner that will allow you to identify potential indicators of diversionary activity.

Photo by Lou00efc Manegarium on Pexels.com

From my understanding of the situation, there are at least four primary records that, when ‘joined‘ together, could be used to identify similar product diversion cases pertaining to oil and fuel:

Order records – invoices and purchase orders should state the quantity of fuel ordered and the delivery dates. Given this is a military base, there are likely to be some sort of movement records to register in advance the potential delivery.
Tanker truck records – records of how many tanker trucks entered the base and their capacity (this might be captured at the front security gate for emergency management reasons in case of fire).
Fuel transfer records – these should record how much fuel was actually delivered from the tanker to HMS Bulwark, and would likely be maintained by the driver or the fuel tanker company’s order delivery system (most likely a smart phone app). Requirements to supply these to the customer could be mandated in the contract of sale.
Fuel receipt records – these would be maintained by the crew of HMS Bulwark, recording all details of the delivery including fuel quality records through onsite Quality Assurance testing performed by the ship’s engineers as well as the quantity of fuel recieved.

These four datasets could be collected by customers and monitored on a proactive, ongoing basis to identify discrepancies indicative of potential product diversion using data visualisation tools such as Tableau or even Microsoft Excel. Alternately product diversion schemes such as this may also be identified during distributor audits or compliance investigations.

What other preventative and detective controls might be relevant in this scenario?

In addition to the data points outlined above, a range of other preventative and detective controls could be used to identify potential diversion. These measures may be more expensive than the ‘books and records’ approach outlined above, hence their application should be risk-based. Relevant examples include:

Accurate calibration of measures to calculate the volume of fuel delivered – just like petrol stations, fuel delivery measures need regular re-calibration, and in some instances may be tampered with to under- or over- deliver. There may be two such devices in this example – (1) the tanker truck and (2) HMS Bulwark.
Quality checks should be performed by the customer to ensure the diesel is appropriate quality and that product substitution has not occured (e.g. fuel diluted with another substance, fuel sitting on top of a heavier substance to give the appearance of conformance).
GPS monitoring on the tanker truck allows both the vendor and customer to monitor for unscheduled stops, which could be indicative of an accident or unscheduled delay, cargo theft (e.g. hijacking), or collusion with organised crime elements. These systems typically generate an alarm or alert in an operations centre.
IOT sensors may also be attached to fuel lines or guages, to confirm quality and volume of product in real-time as it is decanted from the tanker to the fuel storage tank.
High-value or sensitive facilities should be subject to a range of physical security measures.
Third parties loitering in a secure area, either pre- or post-fuel delivery, are also indicative of suspicious activity that would warrant further investigation (as allegedly occured in this case)

As you can see, the Internet of Things (IOT) and the proliferation of sensors in daily life provide excellent opportunities for detecting product diversion in near real-time.

Lessons learned – what to do about it?

Performing a thorough anti-diversion risk assessment, and then implementing appropriate detective measures to identify potential diversion incidents early, before any substantial loss is the foundation of a proactive approach to managing diverison risk. The data required for detecting this type of diversion is likely to be readily collected in most organisations, and simple tools such as a spreadsheet can help identify anomalies. Detecting diversion in your data can be easy and cost-effective when you know what to look for.

Further Reading

Association of Certified Fraud Examiners (2022). Occupational Fraud 2022: Report to the Nations, http://www.acfe.com.
Curwell, P. (2021). Emerging Supply Chain Integrity Practices: What this means for detecting product diversion, in The Brand Protection Professional, June 2021, Volume 6 Number 2, Michigan State University.
Curwell, P. (2021). The USP/APEC ‘Supply Chain Security Toolkit for Medical Products’, https://paulcurwell.com/2021/08/29/the-usp-apec-supply-chain-security-toolkit-for-medical-products/
Curwell, P. (2022). Los Angeles rail hijackings – a form of cargo theft, https://paulcurwell.com/2022/01/18/los-angeles-rail-theft-an-form-of-cargo-theft/
Sky News (2022). Fuel ‘worth more than £250,000’ stolen from high-security Royal Navy base, 7 April 2022, https://news.sky.com/story/amp/fuel-worth-more-than-250-000-stolen-from-high-security-royal-navy-base-12584280
Vona, L. (2016). Fraud Data Analytics Methodology: The Fraud Scenario Approach to Uncovering Fraud in Core Business Systems, Wiley.

Understanding the risk of organised crime infiltration in your business

Posted on February 1, 2022 by Paul Curwell

Paul Curwell

What is Serious Organised Crime anyway?

The concept of organised criminal infiltration into your business or supply chain is interesting. I’ve worked with a number of critical infrastructure operators in Australia who have this concern: the nature of their business provides a unique opportunity for criminals to exploit their business, or the employees position, to facilitate their own or others criminal activity. Before we start to get carried away that serious groups like the mafia are infiltrating your business, it’s worth understanding key elements of the ‘spectrum of crime’ which forms a basis for any Threat Assessment:

Criminal enterprise – a group of individuals with an identified hierarchy, or comparable structure, engaged in significant criminal activity (FBI)
Opportunistic individuals – individuals who take advantage of internal control gaps or weaknesses and opportuinities of circumstance to perpetrate criminal and / or unethical activity (e.g. fraud or business espionage) (Curwell, 2022)
Organised criminals – “small, organised networks of entrepreneurial offenders, often transitory in nature, that develop to exploit particular opportunities for illegal profit. These groups vary from temporary associations created to commit a time-limited series of offenses, to enduring businesses that invest in on-going criminal activities” (Eck & Clark, 2013, p28).
Organised crime (organised criminal group) – “a structured group of three or more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material benefit” (Smith 2018 in United Nations 2004: 5).
Transnational Organised Crime – those self-perpetuating associations of individuals who operate transnationally for the purpose of obtaining power, influence, and monetary and/or commercial gains, wholly or in part by illegal means, while protecting their activities through a pattern of corruption and/or violence, or while protecting their illegal activities through a transnational organisational structure and the exploitation of transnational commerce or communication mechanisms (FBI)

Its important to remember that not all crime that happens somewhere like a border, port or airport will be perpetrated by serious organised crime. Anecdotally, a lot of the crime I come across day to day involves opportunistic individuals and organised criminals. These risks are managed through employment screening and internal controls (which might include detection programs – see What can be done about it? below).

Common activities of serious organised crime – is there a nexus with your business?

Understanding the types of activities which commonly involve serious organised crime groups can help businesses assess their likely exposure to this activity. In the following list, I have compiled a list of offences based on information published by the FBI and ACIC:

Bribery
Currency Counterfeiting
Embezzlement
Fraud schemes
Cybercrime
Investment and financial market fraud
Revenue and tax fraud
Credit card fraud
Superannuation fraud
Money Laundering
Murder for Hire
Drug Trafficking
Prostitution
Exploitation of Children
Organised retail crime

Human Trafficking and Slavery
Intellectual Property Crime – including Counterfeit Goods
Illegal Sports Betting
Cargo Theft
Sale and distribution of stolen property
Murder
Kidnapping
Gambling
Arson
Robbery
Extortion
Tobacco and firearms smuggling
Vehicle theft

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

What we know about Serious Organised Crime in Australia today

Access to detailed assessments of the nature and sophistication of serious organised crime in Australia are not publicly available. However, one of the most useful reports is the periodic assessment of Serious Organised Crime released approximately every 5 years by the Australian Criminal Intelligence Commission. This report provides a useful outline of serious organised criminal markets in Australia, as follows:

Illicit Commodities	Serious Financial Crime	Specific Crime Markets	Crimes Against the Person
Narcotics	Cybercrime	Visa & Migration Fraud	Exploitation of Children
Illicit Pharmaceuticals & Anaesthetics	Investment & Financial Market Fraud	Environmental Crime	Human Trafficking & Slavery
Performance Enhancing Drugs (e.g. steroids)	Revenue & Taxation Fraud	Intellectual Property Crime
llicit Tobacco	Superannuation Fraud
Illicit Firearms	Credit Card Fraud

ACIC (2017). Serious Organised Crime in Australia, Canberra

Understanding whether your business, including your supply chain, has a nexus with any of these criminal markets will help inform your threat and risk assessment process in relation to organised criminal infiltration. As with assessing physical security of your office premises or facilities, you may not have a direct nexus with organised crime but your suppliers or neighbouring businesses might. This creation of an indirect nexus should also be considered, as this could have adverse reputation, safety and disruptive effects on your business, employees or customers.

The role of criminal enablers

Some organisations may not be directly of interest to OCG, but they may be recognised as having something or someone who can enable or facilitate their objectives. Examples here include access to information, professional facilitators (eg. lawyers, accountants, trust & company service providers), systems (eg being able to change a database record in a third party system), or sub-leasing warehouse or storage space.

The Australia Criminal Intelligence Commission identifies six enablers of serious and organised crime (ACIC, 2017):

Money laundering
Technology
Professional facilitators
Identity crime
Public Sector corruption
Violence and intimidation

Enablers can be targeted by organised crime either directly (eg group leases warehouse space for its own activities) or in relation to employees in key positions. Employees who have some sort of vulnerability, either at home or at work, may be coerced, bribed, intimidated or extorted to perform acts at the direction of a group.

Photo by ThisIsEngineering on Pexels.com

What can be done about the risk of organised criminal infiltration?

So far in this post, we’ve demystified what constitutes serious organised crime, the types of activities (offences) commonly associated with this activity, the criminal markets where organised crime groups are found, and the professional intermediaries and enablers who might knowingly (or unknowlingly) support them. The next question is what to do about it.

The starting point for any business leader concerned about potential organised criminal infilitration in their business is a thorough, objective and factual assessment of the threats and risks, and their associated likelihood and consequence. Once understood, a proper security plan can be implemented to mitigate these risks.

With infiltration by organised crime there is a potential insider threat. This can materialise within both the employee and contractor / third party populations, including within the extended supply chain. This also needs to be considered when scoping any assessments. Suggested actions for businesses concerned about organised criminal infiltration include:

Perform a Threat Assessment to map your ‘threat universe‘ (i.e. who is likely to target your organisation), and why
Undertake a Security Risk Assessment, which incorporates identifying critical assets, vulnerabilities (control gaps), consequence and likelihood (i.e. which of your assets might serious organised crime groups actually consider attractive) for the various threats identified in the Threat Assessment. For risk such as product theft or product diversion, don’t forget to assess if your products are CRAVED.
Undertake a Personnel Security Risk Assessment – this is commonly separate to your Security Risk Assessment, but identifies high risk positions and roles in the organisation which give acceess to your critical assets, and the types of employment screening (background investigation) and continous insider threat detection programs that may be required to mitigate the risk
Perform due diligence on prospective and current employees, contractors, suppliers and business partners / third parties based on the risks idenitifed in your Security Risk Assessment and Personnel Security Risk Assessment.
Develop a robust intelligence and security program to monitor for ongoing changes to your organisation’s threat landscape (including building capabilities such as media monitoring), and where appropriate, develop partnerships with police and security agencies to help mitigate the risk to within your organisation’s risk appetite.

Following these steps will ensure you know where you need to focus your security effort and resources. It may be that your greatest risk is that of opportunistic individuals and organised criminals (including trusted insiders and employees or contractors of your third parties or business partners) and not serious organised crime, requiring a different treatment strategy. If in doubt, seek assistance from an appropriately qualified professional who is licenced by the State Police to give security advice in the relevant Australian jurisdiction. If in doubt, have a read of this advice from ASIAL, the Australian Security Industry Association.

Los Angeles rail hijackings – a form of cargo theft

Posted on January 18, 2022 by Paul Curwell

Paul Curwell

What is going on?

Recently, there has been substantial coverage of the hijacking of goods trains by thieves on Los Angeles (LA) goods lines (McFarland & Mossburg 2022). Images of damaged or discarded shipments from distributors to consumers (end users) strewn across the train tracks are common, as are photos of railway police trying to apprehend individuals and small groups running along the tracks.

Reportedly, these criminals either force entry to stationary or slow-moving goods trains, ransacking any items which appear to be of value. Since they have been doing this for a while now, one must presume they have learned what more expensive packages look like (e.g. branded shipping boxes, specific logos) and are likely selected over lower value items (see my previous article here). Additionally, media reporting also stated that larger, harder to move goods are discarded on the train tracks over smaller items easily transported by a single human trying to flee the scene quickly. This activity is a form of Cargo Theft.

What is cargo theft?

The prevention of cargo theft is a core pillar of any supply chain security program, ensuring goods are not stolen in transit either from the factor to a distributor (for larger or bulk shipments), or distribution centre to end user (as appears to be seen in this example).

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

How does cargo theft impact brand integrity?

When cargo theft occurs in bulk, there is a real risk the diverted product is moved into grey markets (gray markets) or alternately that stolen product is infiltrated into legitimate supply chains, and then on-sold to end users (see Sugden 2009). An example of the scenario that occurs here is where an authorised distributor is approached by a purported ‘wholesaler’ to purchase legitimate (non-counterfeit) stock at a discount to prices set by the manufacturer or standard wholesale prices.

In this scenario, distributors may knowingly or unknowingly purchase stolen but non-counterfeit product and then sell this to end users, with three potential business impacts:

The manufacturer is disadvantaged through erosion of their profit margins,
A ‘legitimate market’ is created for the stolen goods through poor purchasing controls by the distributor, and,
Potential future revenue leakage and brand damage to the manufacturer through services and warranty fraud, if a customer who purchased the non-counterfeit good from an authorised distributor makes a claim.

Cargo Theft Typologies

According to the latest BSI Survey on Supply Chain Risks (2020), there are four primary cargo theft typologies (note the report does not define each typology, I have added my own definitions here)

Hijacking – where the vehicle (truck, train, plane, ship) carrying the goods is stopped and control is taken of the entire vehicle. Typically, vehicles are typically taken to a third location controlled by the hijackers for unloading and disposal. Hijackers may be working in collusion with trusted insiders (e.g. drivers or warehouse staff).
Theft from a vehicle – whereas hijacking involves the whole vehicle, this typology involves stealing selected goods from the vehicle (e.g. specific boxes), and is what we see in the LAX examples.
‘Slash and grab’ – when cargo is transported in soft skinned trucks, the vinyl or canvas covers can be slashed and any items to hand quickly stolen.
Other – undefined typologies, presumably including theft by employees or third parties as well as fraud (e.g. claims of shipments being damaged as cover for theft).

According to BSI, cargo theft primarily occurs in six geographical locations:

In-transit – whilst the vehicle is moving (e.g. slowed due to traffic congestion, stopped at traffic lights or an accident)
Rest areas – trucks carrying high value cargo without two drivers are at risk when the driver stops for a break or sleep
Warehouse – there are at least two risks here:
- Theft from warehouse by criminals (e.g. breaking & entering) with no insider involvement
- Inventory theft or fraud by trusted insiders (e.g. employees)
Unsecure roadside parking – where a loaded vehicle is parked either at the point of origin or destination
Freight facility – where multiple trucks / trains are unloaded in a single location
Other locations – these are not defined

How do the proceeds of cargo thefts end up in grey markets?

We sometimes see high value goods, such as stolen motor vehicles, being exported from the jurisdiction where the theft occurred (e.g. the USA) to an overseas jurisdiction where the product is in high demand and where criminals can obtain substantial profit margin on the sale of the stolen goods.

It might also be common to see sales of consumer products being sold online (either individually or in bulk) by either a business or individual seller or sold to authorised or unauthorised distributors [an ‘authorised distributor’ is defined as one which has a signed distribution agreement with the manufacturer or Intellectual Property Rights (IPR) owner and is conducting their business operations in the geographic area(s) stated in the agreement].

In the case of the LA activity, the stolen goods seem to be packages shipped from distributors which are stolen before delivery to the consumer (end user), rather than bulk shipments (e.g. multiple copies of the same product). These stolen goods can also be sold online, in person through social networks or street corners, or local flea markets.

What can be done to help mitigate this type of cargo theft?

There are three main strategies that can be employed to mitigate the types of risks seen in Los Angeles, as follows:

Physical Security (including use of tamper evident seals) – appropriate (i.e. risk-based) physical security should be part of any Supply Chain Security program. This may be the responsibility of the logistics provider (i.e. a third party) or the manufacturer. Most shipments are covered by insurance against theft or damage, but this may be subject to exclusions.
Market Surveillance – a robust market surveillance program is essential for the protection of your products, IPRs and ongoing brand integrity. This involves using Open Source Intelligence (OSINT) techniques to monitor physical and online markets (e.g. flea markets, online market places like eBay and Gumtree) as well as social media for sales of your products, monitoring pricing (pricing surveillance), conducting test purchases (to determine the origin of the product for diversion and grey market purposes), and identification of sellers to determine whether they are authorised or unauthorised.
- This data should be added to a Graph database to facilitate Social Network Analysis and other intelligence analysis and investigative methods which might help to identify the criminal value chain and map organised crime groups involved in this activity.
Collection and analysis of incident data – in my previous post on product fraud and security risk assessments, I discussed the importance of capturing current and historical incident data for analysis. The sorts of questions you need to ask of your data here includes whether there are any common themes or trends and whether any specific products are at higher risk than others (e.g. those which are more valuable or CRAVED by thieves).

Conclusion

Whilst cargo theft is a risk, there are controls and other measures which can be implemented to mitigate it. Proper planning is essential, as is the use of security risk analysis to identify where effort (and budget) should be allocated, and the use of intelligence methods to continuously monitor the market and those actors (individuals, legal entities) involved in it. Ideally, any incidents are either prevented, detected or disrupted before a loss is incurred, but in some cases formal investigation may be required.

Product security risk assessments for tangible goods

Posted on December 19, 2021 by Paul Curwell

Author: Paul Curwell

State of art – managing fraud and security risk in relation to products

It makes sense that out of the universe of products on the market globally some products are more attractive to thieves and criminals, including trusted insiders, than others. Whilst working through my holiday reading I came across some research undertaken in 1999 by Ronald Clarke, a leading criminologist.

I’ve been interested in what makes a product vulnerable to security and fraud risks for at least ten years. Take a moment to think about what we do with products: whether a passport or airplane part, we manufacture them before ultimately selling them to consumers, most of whom are free to use them and resell them at will on the secondary market. This means they need some protection against fraud and security threats, especially if your reputation or commercial revenue model is linked to the product’s ongoing integrity.

Whilst working in banking my team would undertake product fraud and security threat and risk assessments, at that stage primarily on the bank’s new fleet of Automatic Teller Machines (ATMs). ATMs are targeted in a number of ways, both physically and virtually, through attack vectors such as ram raids, Plofkraak attacks, and cyber hacking to ultimately access the cash contained inside. More recently, I provided expert review of threat and risk assessments for a suite of financial services and identification products (including digital identities) for another client.

To my knowledge, there is no formal threat and risk assessment methodology for products per se, but Clarke’s methodology seems a good starting point.

What satisifies a criminals cravings?

In his research, Clarke found that products commonly targeted by shop lifters in a retail exhibited six attributes which spell the acronym CRAVED, as follows:

Concealable – this is relative to the situation. Shoplifters might target small items they can easily conceal in clothing (eg watches) over a large TV, but sometimes it’s easier to walk out with something large. I previously did some work with a client involved in international air freight, and one of their risks was that trusted insiders could smuggle large items concealed in something else out of the airport through a legitimate freight shipment.
Removable – to target a product, you need to be able to pick it up and move it. Unlike services, products are generally transportable.
Available – there are two elements to this – products that are widely available, and those that are readily accessible (i.e. not kept in a locked cabinet with inventory or stock in store). Audit logs and access control measures, amongst others, should protect more valuable items.
Valuable – whether trusted insiders or organised fraud rings, criminals generally don’t steal things which are not of value to them. Value is also contextual – whilst a high demand product such as consumer electronics is seen as valuable to a large potential market, some products might be valuable to an individual for a specific purpose. We can reasonably expect the former might be targeted multiple times by one or more actors, whilst the latter category might be targeted only once.
Enjoyable – Clarke’s work looked at products most commonly associated with shoplifting, so there is an element of consumer desire (i.e wants & needs) here. But if our COVID crisis has taught us anything about supply chains, its that Maslow’s hierarchy of needs also plays a role (the repeated hoarding of toilet paper by consumers comes to mind).
Disposable – attractive products are those easily sold, or resold, either for cash or another form of value transfer. There is more demand, hence more of a market, for some products than others. Think of how easy it is to dispose of a second hand (or stolen) fridge over a passport.

Readers will note that CRAVED really applies to security related threats, such as theft, much more than fraud. I’m not aware of any formal product fraud risk assessment methodology.

How can we apply the CRAVED construct to manage product risk?

Clarke’s research was performed in 1999, so it is somewhat dated but the principles likely remain valid. Also, the research focused on retail and is not representative of other industries. Nevertheless, we can use the principles outlined by Clarke to inform the design of any product specific risk assessment methodology: CRAVED provides a starting point.

Based on my experience assessing product risk for fraud and security threats, I offer three tips to consider when designing and / or executing a product risk assessment to address fraud and security threats:

Tip 1: Analyse your historical incidents

Collecting detailed incident data is a foundational element of any fraud, security or risk function. Ideally, you want to capture as much detail as you can at the time of the incident, even if it may not seem relevant now. It may be much harder, or even impossible, to capture some data in the future.

TIP: If you are not doing this already, you should start. Ideally, try to collect as much historical data for say the past 12-24 months as you can, even if it is not complete, and put in place processes and tools to collect rich incident data going forward.

As you start to analyse your historical incident data, ask yourself the following questions:

Which product(s) are most commonly targeted? Assuming the Pareto Principle (’80:20 rule’) applies, a small number of your product models will be targeted more commonly than others. You need to identify these and assign a higher likelihood score during your risk assessment.
Are there any geographical aspects to these incidents? E.g. do they commonly occur in specific locations? This might indicate that some products are more likely to be stolen or attacked in a specific geographical area. The logical follow up question here is why…
Are there specific dates or times when most incidents occurred? In some forms of fraud, it is common to see spikes in fraud incidents in summer and a significant decline in winter. Additionally, some forms of crime are more likely to happen at night. Perhaps you might identify an unusual pattern, such as high rates of theft on a weekend when your business is closed, suggesting a potential insider threat.
How do these incidents occur? You need to get a good understanding of the criminal’s business process, particularly if there is a specific pattern or series of steps that are commonly undertaken which you might be able to disrupt using internal controls (mitigations). You can use a variety of analytical methods here including business process mapping, red teaming and analysis of competing hypothesis to achieve this.
Who is the perpetrator? Even if you can’t identify the perpetrator by name (which is unlikely), try to categorise perpetrators into groups such as opportunistic individuals, organised criminals, organised crime (eg mafia), trusted insiders etc. Over time, as you develop richer data sources and a deeper understanding of your data, you might be able to distinguish groups or sub-categories based on the groups specific behaviours (i.e. their Modus Operandi [MO] or Tactics, Techniques and Procedures [TTPs], such as a specific organised fraud ring.
Why do you think specific products are being targeted? You may need to do some critical thinking here, or alternately comparative case analysis methods would be helpful. You need to understand whether the products that are mainly being targeted (e.g. the 20% – assuming the 80:20 rule applies to your data) are being targeted for a reason. Ask yourself, do they share common attributes (such as the CRAVED attributes identified by Clarke)?

Tip 2: Identify any design attributes which could be modified to reduce the product’s attractiveness to criminals

Sometimes there are design attributes to a product, or even a service (e.g. a business process) that makes one manufacturer’s product more likely to be targeted than a competitor. Additionally, sometimes the design of a product makes it more likely to be targeted – an example could be not having branding or a serial number readily visible, which might allow criminals to ‘rebadge’ it as it is being sold. Repackaging is another area of risk here. Understanding these factors means you can work with product managers and design engineers to modify your product and make it less attractive to criminals, which means it is less likely to be targeted.

Ultimately, your goals here are revenue and brand protection. If you can design your product to be a ‘harder target’ (i.e. less attractive), you might save on downstream fraud and security costs. Alternately, some products are readily counterfeited, with sometimes lethal consequences for unsuspecting consumers. Aside from potentially tragic impacts to consumer’s lives, your organisation’s brand and reputation might be adversely impacted simply because your product design was easy to counterfeit and commercially attractive to counterfeiters.

In this case, the cost of the reputatation or brand damage (such as by consumer boycotts, lost sales) may far exceed the costs of product redesign or implementing additional security measures. Product managers need to know if anything specific makes their product overly attractive to criminals, and if so, do something about it in the design phase.

Tip 3: Understand where the product is most likely to be attacked or compromised

For example, if a product is more at risk during shipment, can better cargo security measures be implemented? If a product is at risk of counterfeiting, product authentication measures such as security packaging and traceability programs could be the solution.

It is very uncommon to encounter situations where managers have unlimited resources – a well-designed product risk assessment methodology can be used to identify those products requiring increased protection based on likelihood and consequence, and those requiring less protection. These insights can be used to efficiently allocate your limited risk management resources, as well as helping product managers understand why their product is at risk.

The USP/APEC ‘Supply Chain Security Toolkit for Medical Products’

Posted on August 29, 2021 by Paul Curwell

Author: Paul Curwell

Introduction

In a previous post, I looked at the anti-counterfeiting and supply chain traceability model proposed by AS6174 for the Aviation and Defence industries. This standard is one of many different standards available, some of which are generically applicable to any industry, and others which are designed to meet the needs of a particular target audience.

This article continues with the current Supply Chain Integrity and Security theme, this time looking at the model developed by the The United States Pharmacopeial Convention (USP) – Asia Pacific Economic Cooperation (APEC) Life Sciences Innovation Forum (LSIF) in 2016.

The United States Pharmacopeial Convention defines Supply Chain Integrity and Security as “a set of policies, procedures, and technologies used to provide visibility and traceability of products within the supply chain. This is done to minimize the end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted”.

On first glance, the output of the USP/APEC model is what is referred to as the ‘Supply Chain Security Toolkit for Medical Products’, designed for the pharmaceutical, medical devices, and life sciences industry. This toolbox addresses ten different domains, each of which has a range of sub-components, which align nicely into a Capability Maturity Model that at a high level could be applicable to a range of industries.

In this post, I unpack this USP/APEC toolbox in more detail and explain how the Toolkit could be applied to create an industry-agnostic Capability Maturity Model for Supply Chain Integrity and Security.

The USP/APEC ‘Supply Chain Security Toolkit for Medical Products’

This toolkit itself is a 14-page interactive PDF broken into ten domains, each of which reflects a different element of the supply chain. There are 64 supporting documents from a variety of authors, including the World Health Organisation and APEC, which dive into each element in differing levels of detail. This is available on the Korean National Institute of Food and Drug Safety’s website. The ten elements are as follows:

Good Manufacturing Practices	This section sets out 11 key considerations for supply chain integrity and security in any manufacturing process. Aside from processes like Outsourcing and Repackaging, which are recognised as vulnerable to a variety of supply chain threats from product tampering, to cargo theft, product substitution, product diversion, and grey market / parallel import activity, this section also introduces the concept of “show and shadow factories”. Used here, ‘shadow factories’ refer to businesses which actually perform the manufacturing process (or elements of it), without being declared as such. Aside from the Supply Chain Integrity and Security risks, these practices also expose organisations to Bribery & Corruption risks (such as the Foreign and Corrupt Practices Act and United Kingdom Bribery Act) and Modern Slavery and Human Trafficking risks (such as were workers in ‘shadow factories’ may be trafficked or working in slavery, slave-like, harmful or substandard conditions). See my related posts on modern slavery and associated due diligence practices here.
Good Distribution Practices	This section, along with the Good Manufacturing Practices, is comprehensive and well-constructed. Whereas the real insights the remaining sections are somewhat buried in the supporting documents, this section is cleanly laid out to reflect the steps required across 11 elements of the distribution value chain.
Good Import / Export Practices	Unfortunately this section remains under development so no further guidance or information is available on importing and exporting
Clinical and Retail Pharmacy Practices	This section is interesting because of its focus on the ‘end user’ [see my previous post for details on end user verification], covering the lifecycle from “purchase and receipt to storage, and until the products are dispensed and administered”. The supporting guidance includes another 66-page toolkit which is similar in terms of application to AS6174, as well as incorporating similar concepts around traceability of raw materials and storage as the Australian Code of Good Manufacturing Practice for Veterinary Chemical Products.
Product Security	The term ‘product security’ appears undefined in the Toolkit, yet seems to refer to the variety of measures used to protect products from “cargo theft, intentional adulteration, Product Diversion, Substandard Products [what I refer to as Product Substitution], and Product Tampering. The materials in this section provide advice on both “upstream” and “downstream” issues in the supply chain.
Detection Technology	This section focuses on giving parties in the supply chain the ability to determine the Authenticity and Conformance (including Quality) of any product, with a view to identifying what USP/APEC define as ‘Substandard, Spurious, Falsely Labelled, Falsified and Counterfeit’ (SSFFC) medical products through non-destructive (e.g authentication of packaging) and destructive testing (e.g. chemical analysis) methods. One observation from me is the different language used across industries – whilst this life sciences example uses SSFFC, readers of my previous post may recall that AS6174 used “suspected, fraudulent, and counterfeit” to refer to the same concepts.
Internet sales	The global, unregulated nature of online shopping is a long-standing concern for any Intellectual Property Rights (IPR) Holder, let alone life sciences. TheToolkit highlights a variety of risks to consumers arising from internet sales, including: “(a) not receiving the drug purchased; (b) drugs containing incorrect dosage, i.e. super-potent or sub-potent; (c) or containing no active ingredient at all”. A fourth category, that of containing harmful or toxic ingredients as substitutes (e.g. arsenic), could also be added given this practice is common with many counterfeit pharmaceuticals – see this article published in 2019 from The Guardian.
Track and Trace System	The life sciences industry has a range of industry-specific, regulated requirements around ‘track and trace systems’ such as those mandated by the United States Drug Supply Chain Security Act (DSCSA). Usefully, this Toolkit contains a Gap Assessment documenting selected best practices as well as cost-benefit information that may be of use in any business case.
Surveillance and Monitoring	This element is split into the typical Prevent, Detect and Respond domains common in any security or fraud risk management framework and is primarily focused at the government, as opposed to manufacturer, level. The government focuses likely explains why this model does not address the utility of an ‘intelligence capability’ as a foundation to Identify and Monitor threats before they become material to business. I will cover this in more detail in future posts.
Single Points of Contact	This aspect focuses on building a public-private network for information exchange between regulators, authorities, law enforcement agencies and international bodies. In addition to emphasising reporting, this domain also addresses the need for training and cooperation programs.

Photo by Alexandros Chatzidimos on Pexels.com

Using the Toolkit to build a Capability Maturity Model for Supply Chain Integrity & Security

As outlined above, this is a comprehensive, free toolkit for a highly regulated industry that goes into a substantial amount of detail as to the programs and initiatives that should comprise any Supply Chain Integrity and Security framework for the life sciences sector. The attraction of this Toolkit is that it could be easily converted into a Capability Maturity Model and applied across any industry with similar supply chain risks, such as food & beverages, consumer electronics, or agricultural chemicals.

Whilst subtle industry and jurisdiction-specific differences will exist, any reader charged with the task of reviewing or developing a Supply Chain Integrity and Security program could easily apply the contents of this Toolkit to this task. Additionally, Internal Auditors and functional leads (e.g. Heads of Product or Heads of Security) could benefit from using the Toolkit to benchmark their current programs.

Benchmarking & Capability Maturity Models

Any benchmarking activity should start with the construction of a Capability Maturity Model – effectively a deconstruction of all the major elements in any Supply Chain Integrity and Security framework (e.g. manufacturing, distribution, product security, etc), which identifies each of the sub-elements that comprise each of the major elements. Organisations which lack either a major or sub-element would ordinarily be considered less mature, receiving a lower ‘current state’ score, unless there is a justifiable business need for not performing a particular function.

I have been building and applying Capability Maturity Models since 2006 when I joined Booz Allen Hamilton, and I can personally attest to the tremendous value of Capability Maturity Models in helping functional leads understand what needs to feature on strategic roadmaps or workplans. Just as important as the design of the Capability Maturity Model is what is defined as the ‘target state’ – importantly, you don’t need to have the highest capability maturity score for every major or sub-element. In some cases, a low score may be justifiable.

The whole point of a Capability Maturity Model is to build a capability that meets your strategic and operational requirements, as opposed to having a great capability that is not required given the business’ operational footprint. Capabilities which exceed business requirements can be a waste of money and may be a target for cost reduction or outsourcing.

Magazine article – “Supply Chain Integrity: Detecting Product Diversion”

Posted on July 31, 2021 by Paul Curwell

Author: Paul Curwell

Background

In June 2021, I was privileged to have an article I wrote on Detecting Product Diversion in the quarterly edition of Michigan State University’s Brand Protection Professional (BPP) magazine. BPP is part of the outreach program for the Center for Anti-Counterfeiting and Product Protection at the University.

Read:

Curwell, P. (2021). Emerging Supply Chain Integrity Practices: What this means for detecting product diversion, Brand Protection Professional, June 2021, Centre for Anti-Counterfeiting and Product Protection, Michigan State University.

The Centre for Anti-Counterfeiting and Product Protection (A-CAPP) is a non-profit, interdisciplinary research focused centre which is recognised worldwide as a leader in anti-counterfeiting and brand protection. A-CAPP operates a range of research, outreach and education initiatives including a Professional Certificate in Anti-Counterfeiting and Brand Protection which provides foundational knowledge for professionals new to this area. Reasonably priced, I have taken a few of their short courses which are informative and delivered 100% online at your own pace.

So what is product diversion anyway?

Also known as “illicit diversion”, product diversion “refers to goods that are redirected from the manufacturer’s intended area of sale or destination to a different geography or distribution channel” (Trent and Moyer, 2013). Often this terminology can be used interchangeably with the term “grey market”, despite one term referring to a fraudulent act and the other where the proceeds of that fraudulent act are sold.

The impact of diversion is that legitimate product may be sold into grey markets, in breach of a manufacturer’s sales contracts for that geographical location. This causes margin erosion for manufacturers, erodes legitimate distributors of their market share and deprives them of sales revenue, and can damage the brand through invalid warranties and returns policies for consumers.

Key Takeaways:

Why Product Diversion is a problem for Healthcare Supply Chains?

How does Product Diversion happen in healthcare supply chains?

Real-World Case Studies – Pharmaceuticals, Medtech, and Consumer Healthcare

All manufacturers – big and small – are vulnerable to Product Diversion

So what? The Business Impact

Control gaps enable Product Diversion

Mitigation Strategies for Product Diversion in Healthcare Manufacturing

1. Use Serialization and Digital Tracking

2. Update Contracts

3. Audit and Monitor the Supply Chain

4. Train Your Staff

5. Use Incentives and Whistleblower Programs

6. Leverage External Expertise

Call to Action: Stop Assuming Product Diversion Is Someone Else’s Problem

Further Reading:

Global competition for science and technology is heating up

What is Diversion in the context of Technology Transfer?

Why should we care about the Diversion of critical technology?

Further Reading

What is product diversion?

How does product diversion occur?

Who perpetrates product diversion?

Where does product diversion arise in your supply chain?

Conclusion

Further Reading

What are conflicts of interest?

The challenge of detecting undeclared conflicts

Further reading

What happened?

A case of diversion or shrinkage? Motive is key

How can these types of product diversion events be detected generally?

What other preventative and detective controls might be relevant in this scenario?

Lessons learned – what to do about it?

What is Serious Organised Crime anyway?

Common activities of serious organised crime – is there a nexus with your business?

What we know about Serious Organised Crime in Australia today

What can be done about the risk of organised criminal infiltration?

Further Reading

What is going on?

What is cargo theft?

How does cargo theft impact brand integrity?

Cargo Theft Typologies

How do the proceeds of cargo thefts end up in grey markets?

What can be done to help mitigate this type of cargo theft?

Conclusion

Further Reading

State of art – managing fraud and security risk in relation to products

What satisifies a criminals cravings?

How can we apply the CRAVED construct to manage product risk?

Further reading:

The USP/APEC ‘Supply Chain Security Toolkit for Medical Products’

Using the Toolkit to build a Capability Maturity Model for Supply Chain Integrity & Security

Benchmarking & Capability Maturity Models

Further reading

Background

So what is product diversion anyway?

Further reading