In 2011, President Obama signed the Food Safety Modernization Act (FSMA) into law. It was the most sweeping reform of food safety laws in more than 70 years, with the aim of shifting the focus from responding to food contamination events to actively preventing them. A key component of FSMA is developing a Food Defense Plan, which helps companies mitigate risks and adopt procedures for handling threats appropriately.
While the general purpose of FSMA is clear, many food and beverage professionals are still unsure whether or not their Food Defense Plan is compliant. However, they know that developing a food defense strategy is not simply about checking off boxes for compliance. To be effective, a strategy must also keep the company’s products, people, assets, and brand fully protected.
Let’s begin by reviewing the risks food and beverage companies currently face, including the three main categories of food defense events.
What Is Food Defense and Why Is It Important?
Risks to the food supply can be intentional or unintentional. The FDA has rolled out several initiatives and drafted copious guidance on how organizations can deal with the intentional side of food risk. These Food Defense Initiatives help organizations devise Food Defense Plans, assessments, and training to prevent and prepare for tampering or intentional adulteration (IA) of food. Although the goal is to prevent and restrict IA, there is also guidance to assist facilities with responding to and recovering from these events.
Food defense events are divided into three main categories:
The motivation for industrial sabotage of a food product may not be threats to public safety or health. Unfortunately, however, that is often the result. The actions of a single employee can wreak havoc and damage significant amounts of product. However, the actual cost is often unclear until well after the organization and local, state, or federal agencies have completed tracing and investigation. Perhaps the most insidious aspect of industrial sabotage is that an internal employee chooses to exploit a process or vulnerability from within the organization, often with unclear motivations.
One example of industrial sabotage committed by a single employee is the case of Faye Slye, a former employee at the Gold’n Plump plant in Cold Spring, Minnesota. In 2017, Slye admitted bringing sand and dirt inside the facility from the parking lot. She stated she contaminated the chicken with sand the first evening and the second evening with dirt. Another employee saw the dirty chicken and did report what she saw to authorities after the first night, but the chicken was shipped and sold before the investigation revealed the full extent. Just two contamination incidents by a single employee resulted in a recall of over 27 tons of chicken. Incidents like this cost the organization in traceback and recall costs and can also damage the company’s reputation and the public’s trust in the integrity of their food products.
Economically Motivated Adulteration (EMA)
Economically motivated adulteration is a form of food fraud and is the practice of taking out, omitting or exchanging a valuable food ingredient for another ingredient. A classic example of EMA is if a company sells a product as 100% olive oil but has, in fact, substituted another vegetable oil for part of the product without indicating to customers that it is now a blend. Although the motivations are generally cost-saving—hence the name—the adulteration can and often does have serious health repercussions for consumers.
Olive oil is a common example of EMA because it, unfortunately, happens often, but another incident of EMA rocked parts of Europe when it came to light in late 2012 and early 2013. Testing revealed significant portions of the beef supply to be contaminated with both pork and horsemeat. However, further tests revealed the extent of the scandal. In some meat samples tested, there was little to no beef at all. Frozen lasagna and spaghetti Bolognese manufactured by French company Comigel contained up to 100% horsemeat. They supplied some of the largest and most popular grocery chains in the UK and other parts of Europe. Horsemeat is cheaper meat and is often prohibited from entering the human food supply in the EU because it can contain pharmaceuticals banned for human consumption. When investigations revealed the full extent of the problem, it caused a public outcry, a significant drop in trust, and fundamentally changed consumption patterns.
Threats of Terrorism
In the past several decades, terrorism has taken on a new identity. Since the September 11 attacks in 2001, terrorists have found new ways to threaten and harm the US population. A September 2017 Newsweek article stated that ISIS supporters called for the poisoning of food in grocery stores across the US and Europe. Many countries have joined the US in determining that these incidents represent a genuine threat to public safety and economic stability. The food and beverage industry must take a proactive role against threats and keep our nation and its food supply safe.
Fortunately, there are many ways to proactively take a stance to protect the food supply. An organization can begin by performing self-assessments to determine whether it is a hard or soft target. Criminals could conduct observations of food companies to make this assessment, too, and if your facility is believed to be a hard target, they will likely move on. On the other hand, soft targets make it easier for terrorists to plan and execute attacks.
To determine the best means for protecting food companies, we must first understand the people who could cause harm. Today’s terrorists have become increasingly creative. Now, extremists may even use trucks to inflict harm on the public (which is why it is unsafe to keep the keys in your vehicles’ ignitions while not in use). This group is not limited to external terrorism, of course. It can also include criminals, protestors, rogue or disgruntled insiders, subversives, or other individuals who would compromise their values or beliefs for a benefit.
Why Do You Need a Food Defense Plan?
Building a strategy to mitigate risks, keep the facility safe, and comply with FSMA is your first line of defense. Your strategy should encompass:
- Awareness: Be vigilant, alert, and informed. Your frontline workers are your greatest asset.
- Prevention: Have safeguards in place as well as means of detection to avert danger.
- Preparedness: Develop anticipatory plans to stay ready 24/7.
- Response: Your plan should also encompass countermeasures that you will use to respond.
- Recovery: Finally, cite how the facility will return to normalcy following an attack.
Of course, terrorism may not seem like a genuine threat to the food and beverage industry—until you consider some key facts. According to the CDC, contaminated food in the US is responsible for approximately 48 million illnesses, 128,000 hospitalizations, and 3,000 deaths. Contaminated food issues cost the nation more than $14 billion annually in medical care, lost productivity, chronic health problems, and deaths. While most of these incidents may indeed be unintentional, contaminated food nevertheless has an enormous impact on public health and safety, as well as economic repercussions. Food and beverage companies must adopt more stringent defense measures to limit these instances. Additionally, the Department of Homeland Security has indicated that violent extremists and terrorist groups consider food production and agriculture tempting targets. To protect the food supply and ultimately the population, food companies must develop a goal-based food defense.
Building a Goal-Based Food Defense Plan
A goal-based food defense plan is effective for two key reasons: it satisfies FSMA requirements, and it keeps people, products, assets, and brands protected. The goal of a Food Defense Plan should be to restore a facility to its pre-event state following tampering or another type of event. Yet, instead of returning to a pre-event state after an event, it proactively aims to prevent an event from happening in the first place.
A Food Defense Plan comprises the following steps:
- Identify critical business components
- Conduct a vulnerability assessment at every facility (not just one location)
- Assess threats and opportunities
- Develop protective measures and mitigation strategies
- Prioritize protective strategies
- Implement protective measures
- Plan and train all staff
The Food Defense Plan also encompasses a Food Response Plan, which includes these crucial activities:
- Assemble a Crisis Response Team
- Implement response plans
- Monitor business components
- Assess response capability
- Contain the impact
- Implement mitigation strategies (developed in the Food Defense Plan)
- Return to normalcy
Food Defense Plans share the same goal as food safety plans: to protect the food supply, assets, and brand. While food defense protects against intentional contamination, Food Safety (HACCP) Plans to safeguard against unintentional contamination. For food defense, taking a goal-based approach is most effective.
Goal-based assessments are less subjective than risk-based assessments. With risk-based assessments, the process focuses on identifying risks—which is inherently a subjective process—but not security processes or solutions. If strong security measures are already in place as a result of taking a goal-based approach, there will naturally be significantly fewer risks.
The process of performing a goal-based assessment includes understanding the purpose of the defense plan, establishing appropriate goals to achieve the objective, defining the goals, and finally, defining what an organization must demonstrate to ensure it is achieving the goals of the defense plan.
Because meeting goals is more objective than performing a risk-based assessment, it can produce quantifiable results. These results allow a company to develop benchmarks regarding whether or not it is meeting goals. In addition to providing this clear picture of the efficacy of your mitigation strategies, goal-based food defense plans are also beneficial because they comply with the Intentional Adulteration (IA) Rule of FSMA. This rule states that companies must be able to validate and demonstrate that their mitigation strategies are working.
Assessing Threats to Food Safety
Of course, terrorism is not the only threat for food and beverage companies to consider. There are also criminal, accidental, and natural threats that pose dangers to a facility and its people or products. Once you have identified the types of threats that could occur, you can then develop a sound defense strategy that factors in the likelihood of occurrence for each threat. Keep in mind that this likelihood should not be based on past experience but on the effectiveness of the barriers you have in place. In other words, failing to protect against a specific type of incident simply because it has never happened before is ineffective. Instead, you must ask, “Does our company want to wait until after something has happened to ensure our safety and security?” Most likely, the answer will be no—which is why food defense is based on prevention, not reaction.
Determining Appropriate Levels of Security
A common question in the food and beverage industry is: How much security is enough? While the answer varies from one facility to the next, it should always be dependent on what is being protected. A facility with ready-to-eat food products and bulk ingredients would clearly demand higher levels of security than an empty warehouse. In the coming section, we will cover five goals to help you determine which security measures are appropriate for your facility.
The 5 Goals of Food Defense
Every Food Defense Plan should look slightly different because each facility has its own unique set of risk factors. With that said, you can use the following fundamental goals to help you develop a strong foundation.
Goal 1: Facilitate the Movement of People
Having individuals who are not employees inside your facility creates vulnerabilities. To prevent outsiders from having the opportunity to harm your products, it is essential to enforce control over the areas people can access in your facility. Additionally, companies should have a record of everyone who enters and exits the building.
Start by controlling the movement of people in and around the facility. This monitoring should include employees, contractors, temporary workers, service personnel, and truck drivers. Then, control every access door, emergency exit, egress door, overhead door, window, vent, and other openings which could permit personnel access to deter unauthorized or undetected entry. For FSMA compliance, management should be able to demonstrate that the measures they have in place to facilitate the movement of people are indeed effective.
The goal of background and reference checks is to ensure that the backgrounds of persons who will be allowed unescorted access inside the plant have been properly vetted. Background checks may include verifying the following: information on the employment application, former addresses, former employment, criminal conviction information, and personal references. Be sure that your background checks are compliant with local laws and consider implementing annual background checks to ascertain whether employees have faced any criminal charges while employed by your company.
Goal 3: Site-Specific Vulnerability Assessment
Here, the goal is to ensure that the organization has identified and taken steps to mitigate facility vulnerabilities. To achieve this critical goal, you must have a site-specific vulnerability assessment conducted for each of your locations. Identify any areas requiring additional security measures or solutions and be especially mindful of the four key activity types:
- Bulk liquid receiving and holding
- Liquid storage and handling
- Secondary ingredient handling, including staging areas, preparation areas, or rework areas
- Mixing rooms, blending rooms, and homogenizing rooms.
The FDA emphasizes the safety of these areas because they are the most vulnerable to tampering. In particular, mixing, blending, and homogenizing rooms are at the most significant risk of tampering, which is why these and the other key activity areas should have strong, consistent, and enforced security measures. Restrict access to these “red zones,” and be sure that you can demonstrate the effectiveness of security measures to comply with FSMA.
You should have a third-party entity that can objectively identify potential threats from a fresh perspective to perform a vulnerability assessment. The facility and organization will also benefit from completing portions of the assessment outside of regular business hours, such as on the weekend and at night, when additional vulnerabilities could go unnoticed during the daytime.
Goal 4: Investigate and Mitigate Any Security Breaches
The fourth goal is to identify, report, and mitigate any security breach. Actual or suspected security breaches—such as alarms sounding, obvious break-ins, or strangers found in the building—should be immediately reported to management. Again, facility management should be able to demonstrate the effectiveness of these measures or mitigation strategies for compliance purposes.
Goal 5: Develop Plans, Policies, and Procedures
This final goal is to develop and train all personnel on plans, policies, and procedures. It is recommended that companies provide employee training such as the Global Food Defense Institute’s “See Something, Do Something Awareness” course. Specifically, the goal is to document the facility’s security and Food Defense Plans and develop and document policies, procedures, and training to support these plans. As it is often said with FSMA, “If it isn’t documented, it didn’t happen.”
The US Department of Agriculture, through the Food Safety and Inspection Service (FSIS), also provides extensive training material and tools, and templates for creating a robust Food Defense Plan and employee training. From the FSIS Food Defense Risk Mitigation Tool to online training courses, employers can browse resources and access the Food Defense Plan Builder software.
Once your organization has developed the plans, be sure to test your plans. Then, train your personnel on food defense, including protecting products, people, and assets from individual harm. Your teams, including frontline personnel, should also undergo training on individual security responsibilities, insider threats, workplace violence, and protecting themselves in the event of an active shooter situation.
The 4 Food Defenses
Another methodology for constructing a food defense response is to use the four As:
- Assess: Identify critical control points and weaknesses throughout the supply chain for each point at which a person could intentionally adulterate the food or ingredient. Organizations cannot limit assessment within the facility but must include suppliers, materials, and distributors.
- Access: Recall the incident at Gold’n Plump in 2017, where the employee had access to the product. Facilities must take extra care to monitor the areas of highest risk, especially those identified as being within the four Key Activity Types also mentioned above. Employers must restrict access to these critical areas and support monitoring with other tools, such as physical or video monitoring.
- Alerts: The ability to respond quickly to mitigate potential harm and loss is crucial. Implementing automation and facility-wide sensors and software can be valuable for sending timely notifications.
Audit: Both scheduled and random audits can help organizations determine if facilities maintain compliance. Auditing helps ensure that preventive measures are in place at all times, even when things are “fine.”
5 Ways to Improve Your Goal-Based Security and Food Defense Posture1) Build a food defense and security culture within your organization from top to bottom. This culture should also include your suppliers. Ask to review your suppliers’ site security plans and build plans together. Remember, FSMA applies to the entire supply chain. In order for your company to be compliant, your suppliers must also show demonstrable evidence that they too have food safety procedures in place to maintain compliance.
2) Immediately conduct a site-specific vulnerability assessment. While there is no prescribed formula for conducting the assessment, common sense can help your teams identify the unique vulnerabilities present at each facility.
3) Improve alert and warning systems. Make observations before deciding where to place CCTV systems. Don’t forget about your Key Activity Types. If your company has limited security resources and can only equip specific areas with cameras, choose the locations wisely and be mindful of which places are most vulnerable to tampering threats.
4) Improve information sharing between your local first responders (including police, fire, and EMS) and your members of management. The stronger your working relationship is with your local first responders, the better they will know your company, which will therefore allow them to respond most effectively in the event of an incident.
5) Train your teams on, “Don’t just say something; do something!” Your frontline workers are your greatest asset. Ensure they have the training to know what to do and how to respond to any occurrence that poses a threat to your company.
If an organization lacks a robust Food Defense Plan, there are fortunately many tools available online to help them construct a detailed strategy. It is crucial to determine the goals and specific needs of the organization within the regulatory guidelines, as each organization may approach food safety solutions differently. Finally, even organizations with established and detailed Food Safety Plans can become vulnerable over time as technology, and geopolitical environments change. Organizations must conduct regular reassessments and view the Food Safety Plan as a living document.
Sign Me Up
Join our list to get Industry Webinars Invites, E-Guides, Customer Success Stories, and More.