Principle

Crime can arise either internally within the manufacturing business or externally from those organisations with which it has a commercial interface. In order for the food business operator to understand the degree of food crime risk associated with the products they produce and the ingredients and materials they source, they need to be aware of the potential for criminal activity both within and outside of their organisation. Food business operations need to also consider the wider social and environmental factors that can lead to illicit activity in the food supply chain. Food crime extends beyond the legislation associated with food safety and food labelling to encompass all activities associated with food manufacture and supply.

Introduction

5.1 The United Kingdom (UK) Elliott Review of 2014, written following the 2013 European horsemeat incident, considered the integrity and assurance of food supply networks (see 2.4), stated that food integrity was not only concerned with the nature, substance and quality and safety of food, but also involved other aspects of food production such as the way food has been ‘sourced, procured, and distributed and being honest about those areas to consumers’.¹ The design of food integrity management systems (FIMSs) in food manufacturing is in its infancy as this version of the Guide is being written. The writing of a Codex Alimentarius Commission Standard that focuses specifically on food integrity has begun, but its issue will postdate this Guide.

The concept of food crime is not new. The National Food Crime Unit (NFCU) formed as a result of the recommendations of the Elliott Review uses the following definitions:

Food fraud: A dishonest act or omission relating to the production or supply of food that is intended for personal gain or to cause loss to another party; and

Food crime: Dishonesty relating to the production or supply of food that is either complex or likely to be seriously detrimental to consumers, businesses or the overall public interest.²

The NFCU state that food fraud becomes food crime when the scale and potential impact of the criminal activity is considered to be serious in terms of geographic impact (cross‐regional, national or international reach), there is significant risk to public safety or there is a substantial financial loss to consumers or businesses. For more information on the NFCU see the Food Standards Agency (FSA) website: https://www.food.gov.uk/enforcement/the‐national‐food‐crime‐unit.

5.2 The term ‘food fraud’ has been developed (by John Spink and others) to encompass a range of criminal activity, including:

• misbranding or misrepresentation on labelling, packaging and websites and misleading indications, e.g. by using words and pictures that do not reflect the actual production methods employed to produce the food, incorrect use of the words such as ‘traditional’ and ‘natural’, the intentional sale of eggs from caged reared birds substituted as free range and/or the use of oversized packaging that misrepresents the size of the food portion inside;
• counterfeiting, where the product and packaging is fully replicated to look like the original product and sold on as such;
• simulation, where illegitimate product is designed to look like, but not be an exact copy of, the legitimate product, which could be as a result of poor replication of labelling on an illegitimate product;
• overrun where it is illegitimately used; overrun is a product made in excess of production agreements, which may be a concern for a manufacturer when outsourcing production to another organisation, or where overrun is bought and the indication of minimum durability is altered without sanction by the original manufacturer;
• diverting, where product is sold through non‐prescribed distribution channels. An example of this would be where following overproduction of food products (overrun) these additional products are packed in their original retailer packaging then sold off within that packaging to an alternative customer, e.g. for sale in a street market or car boot sale when the product itself was destined for other markets;
• tampering with malicious intent for personal gain. The potential for this type of food crime has been understood and procedures put in place to mitigate for it for several decades, e.g. the use of tamper‐evident packaging or tamper‐evident seals being placed on transport containers and vehicles;
• substituting one ingredient for another less expensive alternative. This has been a frequent occurrence in history, especially if such activity can be undertaken whilst unnoticed by purchasers and ultimately the consumer. Examples include substituting sawdust in bread in the 1860s, putting antifreeze in wine in the 1980s, or in the recent decade melamine substitution in milk and gluten, white fish substitution for cod or haddock and horsemeat for beef. Intentional substitution of a food product can cause harm, e.g. the undisclosed substitution of peanut powder in almond powder, a risk for those with peanut allergy. However, substitution can be a lucrative activity as it may well go unnoticed if the agent is not harmful to the consumer. This is especially so where there is a lack of awareness in the food industry that the substituting agent in question might be used and thus no product testing is undertaken to determine its potential inclusion. Where the substituting material is neither harmful nor readily tested for, this can be seen by the unscrupulous as a ripe opportunity for financial gain. Substitution is a global issue and with the materials and ingredients they use no manufacturer is without risk in this regard. There is potential for inadvertent substitution as a result of human error or the implementation of lax manufacturing procedures such as the failure to sign off recipe sheets when items are included, the failure to undertake visual checks of ingredients before inclusion, poor labelling of visually similar ingredients in store, weak control of decanted ingredients and a failure to adequately label/identify the material when it is in alternative packaging, and the failure to undertake stock control activities in ingredient stores to determine if the incorrect ingredients have been used before products are released to distribution and so forth. Thus substitution may or may not be intentional, but it is illegal to sell a product that does not comply with the associated labelling information.
• adulterating by intentionally adding extraneous, improper or inferior ingredients to a food product. The term ‘economically motivated adulteration’ (EMA) is used to describe the process of adulteration with the specific intent of reducing the cost of production or misrepresenting a food to increase profits. The scope for intentional adulteration is vast within the food sector and each manufacturing organisation needs to undertake a focused risk assessment to determine both the ingredients that they purchase and the products that they manufacture that are at risk of adulteration. This risk assessment should also be undertaken for all outsourced activities (see Chapter 33). An appropriate source for up‐to‐date information on food adulteration in the UK is the Food Authenticity Network (see http://www.foodauthenticity.uk). The European Union (EU) food and feed alert portal (RASFF) is a useful source for emerging and re‐emerging instances of food adulteration identified in European member states (see https://ec.europa.eu/food/safety/rasff/portal_en) and the United States (US) Food Adulteration Incidents Registry (FAIR) compiles details of both EMA and food defense incidents (see https://foodprotection.umn.edu/fair); and
• simple theft from food premises or the wider supply chain.³

5.3 The foods most vulnerable⁴ to food crime include those that are high‐value ingredients, such as spices, olive oil, fish, honey, wine, coffee etc. where substituting by an alternative ingredient can provide significant financial gain. Foods associated with an ideological, ethnic or religious grouping are also vulnerable, especially if that food can be seen as a representation of that group itself, e.g. kosher or halal products. Intentional ideological food crime of this nature is often termed a food defence issue (see 5.4). Foods are also vulnerable where the supply chain crosses a number of borders or where activities by food criminals could go undetected. Examples of this include foods disseminated or distributed widely though multiple businesses with complex interfaces, foods produced, manufactured and stored in readily accessible or poorly supervised areas or where staff working in those areas have little awareness of the potential for food crime (see Chapter 7), and foods susceptible to tampering or interference where this can go undetected by the inspection, testing, monitoring and verification activities routinely undertaken in the food supply chain.

Food Defence

5.4 Food defence is a term used to describe the activities required to protect a food product or indeed a food supply chain from intentional or deliberate acts of contamination and includes ideological or malicious threat. The Global Food Safety Initiative (2013) describes food defence as ‘the process to ensure the security of food and drink and their supply chains from all forms of intentional malicious attack including ideologically motivated attack leading to contamination or supply failure’.⁵ Thus food defence strategies can be developed at the national, regional, supply chain and organisational level. The US Food and Drug Administration (FDA) has differentiated between national risk assessment models and supply chain or organisational food defense models⁶ (see Chapter 6).

Cybersecurity

5.5 Cybersecurity in its simplest sense is the measures taken to protect a computer system or individual appliance against an intentional malicious target attack and/or unauthorised access and unintentional or accidental access. These measures include developing policies and procedures, undertaking relevant risk assessment approaches, undertaking training and awareness sessions commensurate with an individual staff member’s responsibilities and developing soft or hard controls such as specific software, firewalls, technologies etc. that can protect the organisation’s cyber environment and their electronic assets. This protection includes not only the prevention of damage, but also the ability to restore computers and electronic communication systems. ISO/IEC 27032 (2012) Information technology – Security techniques – Guidelines for cybersecurity defines cybersecurity risks as including social engineering attacks, hacking, the proliferation of malicious software (‘malware’), spyware and other potentially unwanted software. The technical guidance suggests that measures should be adopted to address these risks, including controls for ‘preparing for attacks by, for example, malware, individual miscreants, or criminal organisations on the Internet; detecting and monitoring attacks; and responding to attacks’. Electronic assets include formulae, recipes and specifications for products, electronic controls for key equipment that support the maintenance of food safety systems, and other essential data.

Threat Analysis

5.6 PAS 96:2017⁷ differentiates between accidental contamination of food, which is addressed by hazard analysis critical control point (HACCP) plans (see Chapter 3), and threat assessment critical control point (TACCP), which considers deliberate or intentional acts that affect the integrity of the food and the food supply chain (see Chapter 6). Whilst a hazard is considered to be any agent with the potential to cause loss or harm which arises from a naturally occurring or accidental event or results from incompetence or ignorance of the people involved, a ‘threat’ is defined by PAS 96:2017 as ‘something that can cause loss or harm which arises from the ill‐intent of people’.

PAS 96:2017 identifies the steps that need to be taken to develop food protection and defense procedures and an associated emergency response and business continuity management system (BCMS) to ensure that the business can effectively manage and minimise the disruption caused by a potential incident (see Chapter 27 for more details on BCMS). BS 11200:2014 Crisis management: Guidance and good practice gives guidance to help plan, establish, operate, maintain, monitor, verify and review an organisation’s crisis management plan and its wider capability (see Chapter 27). Business continuity plans are an important element of the manufacturer’s formal management systems. They could be situated within the quality management system (QMS), food safety management system (FSMS) or food integrity management system (FIMS) or an integrated overall management system that covers all areas. In the event of suspected, or actual, illegal activity associated with a food item these plans will ensure the continuity of supply to customers should an incident occur that disrupts ‘normal’ manufacturing activity. The type of potential incident that could occur on the manufacturing site needs to be determined so that a threat analysis assessment can be undertaken using assessment tools such as TACCP similarly to how HACCP might be used as a management tool to undertake food safety hazard analysis.

Types of Food Criminals

5.7 In order to develop a robust, reactive FIMS that is appropriate to the business and the food products it supplies, an understanding of the types of food criminal that might be at work and their motivations is crucial. Food criminals⁸ have been divided into several categories here using the work of Manning et al. (2016).⁹ Recreational criminals undertake crime for its entertainment value. This type of food crime can be mitigated against by implementing appropriate security measures so that the crime becomes harder to perpetrate and then is of higher risk to the criminal in that manufacturing setting compared to other illicit activities they could undertake. Occasional criminals commit crimes infrequently or are opportunistic. This category of criminal can be stopped by implementing simple security procedures at the manufacturing site, e.g. addressing any security doors left open or unknown personnel being on site without being challenged etc., and developing an associated training plan for staff (see Chapter 7).

Occupational criminals commit crime at their place of employment. They may be acting alone, collaborating with others in the organisation or working as part of a wider supply chain network. There are two types of occupational criminal. The first is the type of perpetrator who infiltrates an otherwise legitimate business with the intention that they can then undertake their illicit activities for personal gain. Some individuals may engage in ‘wilful blindness’ about the activities occurring in their own business or other businesses that they engage with, often for their own financial gain. This type of food crime is a major risk to a legitimate manufacturing operation, especially if the individual or their collaborators are in positions within the organisation where their activities can be covered up and can go unnoticed. The second type of occupational criminal is the one that perceives a business culture that accepts illegal activity as part of everyday operations in order to meet the demands and pressures of the wider supply chain. The business culture that is promoted and championed by all levels of management within the manufacturing organisation must be seen at all times to completely condone the taking of shortcuts or trade‐offs that allow non‐compliant or non‐standard product to be despatched, and/or managers deliberately ignoring activities that may be taking place perpetrated by staff in the name of benefiting the organisation, but that in truth are ethically or morally inappropriate or even illegal.

Professional criminals are individuals whose total lifestyle is financed by criminal and illegal activity. They can interact with a manufacturing business with the sole objective of personal financial gain. The legal business may, or may not, be aware of the professional criminals’ illegal activities. With professional criminals, illegal trading in food and food ingredients may only be an element of their overall business activity.

Ideological criminals are those individuals or collaborators who commit criminal acts in order to make an ideological or political statement, to cause economic harm to a specific business, region or country with which they have a personal grievance or seek to create fear or panic in a target population. These individuals may be focused on sabotage, contamination with toxic materials, extortion and blackmail, bioterrorism or other forms of malicious activity.

PAS 96:2017 Guide to protecting and defending food and drink from deliberate attack has its own typology of food criminals and describes them as the extortionist, the extremist, the opportunist, the hacktivist and other cyber criminals (see 5.5), the irrational individual, the disgruntled individual, and the professional criminal. Thus in order to determine a particular threat it is important to consider the motivations of the perpetrator.

Food Integrity Management Systems

5.8 The category of food fraud or food crime and the type of food criminal involved will influence the good manufacturing practice (GMP) controls that need to be adopted to mitigate against the potential for their occurrence. Food crime mitigation through designing, implementing and verifying a FIMS may be considered by many as a new and emerging element of GMP. Whilst historically food crime mitigation has not been explicitly identified as an area of food control and GMP, there has been an implicit requirement to ensure that food is safe, legal and of the required quality. However, this chapter and Chapters 6 and 7, which are new to this edition of the Guide, have been written with specific emphasis on the practical measures that food business operators can undertake to minimise their risk of being victims of food crime. As already outlined in this chapter, the requirement to undertake risk assessment activities in order to inform an effective FSMS is equally the case with the development of a FIMS. As a result, food crime risk assessment models have been developed and continue to be redeveloped so that business operators and retailers can use them to address the potential for food crime and how it can be mitigated (see Chapter 6).

The food industry has developed and adopted many operational prerequisite programmes (PRP), i.e. procedures or protocols to minimise food safety risk and potential harm to the consumer (see 3.2). These PRPs, such as good hygienic practice (GHP) and GMP, together with food inspection techniques will also have a role within a FIMS. Indeed the way to manage food safety, legality and quality issues is often through an integrated approach where the FSMS, FIMS and QMS are formalised together with additional management systems to address personnel health and safety and environmental management in one documented system for the manufacturing organisation. This integrated approach ultimately leads to a streamlined documented system.

5.9 Product identification and traceability (see Chapter 14) and provenance and authenticity (see Chapter 15) can be difficult to maintain in complex global chains, especially where they include national or regional borders over which regulatory requirements and inspection regimes may vary. This makes such chains open to fraud. There is a greater food integrity risk associated with food chains with minimal supplier–customer relationships that are often lacking in transparency, with minimal traceability controls in place and where little or no assurance activity is practiced. Food manufacturers must as part of their food integrity risk assessment activities identify the individual food products and materials that they procure, supply and/or produce which fall into the category of foods vulnerable to food crime (see Chapter 6). Some organisations have developed a risk assessment approach to procurement in terms of assessing vulnerability in order to map their supply chain vulnerability and the degree of risk (see the Elliott Review in Appendix J¹⁰ for examples).

5.10 In order to develop an effective FIMS it is critical that the manufacturer understands and can communicate the organisation’s needs and requirements for establishing a food integrity policy and food integrity objectives that guide the overall FIMS. It is important for the manufacturer to assess the threats and associated risks appropriately that relate to food integrity management, to develop, implement, monitor, review and verify food integrity processes, controls and measures designed to treat and mitigate food integrity risk, and to implement a programme to drive continual improvement in terms of both known and emerging threats.

5.11 A FIMS, in line with FSMS and QMS, needs to include the following elements: a food integrity policy or an integrated organisational policy that addresses food integrity, defined responsibilities for the implementation and verification of the processes designed to treat and mitigate food integrity risk, a clear operating plan that addresses food integrity, a mechanism to ensure awareness of food integrity issues and a training programme that is designed to ensure that staff are competent and have the knowledge and skills required to implement their responsibilities consistently and effectively. There needs to be a formal management review and performance assessment protocol for the FIMS, which is adopted in line with requirements and is appropriate for the threats that are associated with the products and the manufacturing site. Adequate resources must be in place to ensure that the prescribed requirements of the FIMS can be effectively implemented. There must be clear, unambiguous documentation to support the activities required to implement the FIMS and demonstrate its efficacy.

5.12 The management team must develop a formal policy to ensure that the need for food integrity management is adequately addressed and suitable controls are developed and referred to within the FIMS. This policy should define the organisation’s intentions and commitment to supplying legal products and should be signed by the senior management individual with overall responsibility for the safety, legality and quality of the products manufactured. The organisation must demonstrate that it has communicated this policy to all personnel and that they understand its importance. Ongoing refresher and update training must be undertaken with staff, especially when the organisation is aware of supply chain information (intelligence) that may suggest the organisation or the products that they produce could be a potential target for food crime (see Chapter 17). Consideration should be given to cultural differences, and reading or language difficulties of staff when these objectives are communicated.

5.13 The organisation’s strategic policy on food integrity must interface with specific customer (including retailer) code of practice or supplier requirements with regard to food legality, procedures for whistleblowing or other relevant security procedures. For more details on security and countermeasures see Chapter 7.

5.14 The ability of the organisation to effectively manage food integrity should provide an input into the management review and internal audit and verification process (see Chapter 11). The management review and associated verification activities undertaken should determine the degree of management control within the FIMS and its effectiveness, and verify that the organisational objectives associated with food integrity are suitable, realistic and consistently being met. It is also an opportunity to identify any areas for improvement. An internal audit programme should include food integrity audits and associated verification activities. These need not be stand‐alone audits. Instead, the scope of the existing audit programme should be extended to include specific types of food integrity audits in the context of food safety, legality and quality.