Principle

Risk assessment and, more specifically, food safety risk assessment approaches such as hazard analysis critical control point (HACCP) have been used in food manufacturing for over 50 years. Food crime risk assessment (FCRA), however, is a much newer phenomenon and many food manufacturers are developing their own risk assessment approaches and associated food integrity management systems (FIMSs). The mechanisms for FCRA are outlined in this chapter along with how the use of risk management tools to determine organisational vulnerability can then inform appropriate countermeasures and security controls to protect food integrity.

Introduction

6.1 BS EN ISO 31000:2009 Risk management – Principles and guidelines is an international standard for risk management processes and the contents are of value for manufacturers in terms of all aspects of risk assessment. The standard BS EN ISO 31000:2009 provides within the standard principles a framework and a process for managing risk. Risk assessment is influenced by the quality of knowledge and information available on which to base any given risk assessment and also the degree of certainty (or uncertainty) on whether any given event, consequence or likelihood can be adequately determined. BS EN ISO 31000:2009 provides a hierarchy of how risk should be dealt with:

1. avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
2. accepting or increasing the risk in order to pursue an opportunity;
3. removing the risk source;
4. changing the likelihood;
5. changing the consequences;
6. sharing the risk with another party or parties (including contracts and risk financing); and
7. retaining the risk by informed decision.

An understanding of the types of food criminal and their motivations is crucial when undertaking a formal FCRA and then when developing a FIMS. The PAS 96:2017 Guide to protecting and defending food and drink from deliberate attack has its own typology of food criminals and other typologies have been developed too (see 5.7).

6.2 Food manufacturers, as part of their FCRA process, must firstly identify the individual food products that they procure, supply and/or produce which fall into the category of foods that are vulnerable to food crime (see 5.3). Vulnerabilities are the weak points or gaps in the formal management systems, or on the manufacturing site itself, that can be identified by perpetrators where their intentional action to mislead, misinform and/or undertake illegal activity can lead to a realisable threat (see 5.6). These vulnerabilities or weak areas within manufacturing operations or in the wider supply chain are often termed hotspots. Vulnerability risk assessment is the process that determines the weaknesses or exposed elements of a manufacturing organisation or supply chain where illicit activity can take place in order to determine how susceptible the system is to that potential threat and to mitigate such weaknesses where they are identified so appropriate action can be taken to reduce risk. Vulnerability will be reduced if there is a high level of deterrence and this will depend on the security measures and types of countermeasures that are in place (see Chapter 7). Vulnerability risk assessment tools can be applied at national, supply chain and individual business levels and these are now explored in this chapter.

Threat Assessment Critical Control Point

6.3 PAS 96: 2017¹ differentiates between accidental contamination of food, which is addressed by HACCP plans (see Chapter 3), and intentional contamination. A threat is defined by PAS 96:2017 Guide to protecting and defending food and drink from deliberate attack as ‘something that can cause loss or harm, which arises from the ill‐intent of people’. PAS 96:2017 identifies generic threats to food and drink including economically motivated adulteration, malicious contamination with toxic materials causing ill‐health and even death, sabotage of the supply chain, leading to food shortage, and misuse of food and drink materials for terrorist or criminal purposes. Threat analysis critical control point (TACCP), as outlined in PAS 96:2017, is a risk management methodology that aligns with HACCP but focuses on deliberate or intentional acts that affect the integrity of food products themselves and the wider food supply chain. PAS 96:2017 describes TACCP as a ‘systematic management of risk through the evaluation of threats, identification of vulnerabilities, and implementation of controls to materials and products, purchasing, processes, premises, distribution networks and business systems by a knowledgeable and trusted team with the authority to implement changes to procedures’. TACCP aims to:

• reduce the likelihood (chance) of a deliberate attack;
• reduce the consequences (impact) of an attack;
• protect organisational reputation;
• reassure customers, press and the public that proportionate steps are in place to protect food;
• satisfy international expectations and support the work of trading partners; and
• demonstrate that reasonable precautions are taken and due diligence is exercised in protecting food.

For the manufacturer and in comparison with HACCP, PAS 96:2017 states that TACCP should be a team approach that follows 15 specific steps:

1. Assess new information – the team should evaluate all emerging information (intelligence).
2. Identify and assess threats to the organisation – identify individuals and/or groups which may be a threat to the organisation and assess their motivation, capability and determination.
3. Identify and assess threats to the operation – identify individuals and/or groups which may be a threat to the specific operation (e.g. premises, factory, site).
4. Select product – that is representative of a given manufacturing process.
5. Identify and assess threats to the product – identify individuals and/or groups that may want to target the specific product.
6. Devise a flow chart of the product supply chain – consider all aspects, especially those that may be less transparent.
7. Identify key staff and vulnerable points – for each process step in the flow chart identify the vulnerable points where an attacker might target and the people who would have access to the product at that point.
8. Consider the impact of threats identified that are appropriate to the product and assess the impact the process may have in mitigating the threat.
9. Identify which supply points are most critical – either where the threat might have the most effect and/or where the threat might be best detected.
10. Determine if control procedures will detect the threat – assess the likelihood of routine control procedures detecting such a threat.
11. Prioritise based on likelihood versus impact – using a scoring system score the likelihood of the threat and the impact that the threat might have for all products. This will assist in prioritising the threats. The suggested TACCP scoring system is semi‐quantitative, i.e. associates a score (number) to a qualitative statement both for impact and likelihood. A risk matrix approach can then be used to highlight overall summative risk. There is an assumption in this approach that both the characteristics of impact (minor, some, significant, major and catastrophic) and likelihood of threat (unlikely to happen, may happen, some chance, high chance, very high chance) can be determined, i.e. are known and that there is consistency between individuals undertaking risk assessment in how they derive the qualitative term and the associated score. Impact and likelihood can be reduced by the adoption of appropriate countermeasures (see Chapter 7).
12. Identify who could carry the threat out in practice – if the priority is high consider the individuals who have unsupervised access to the product and process and their personal integrity.
13. Decide and implement necessary controls – identify, record confidentially, agree and implement proportionate preventative action (critical controls). Confidentiality is crucial so that weak spots are not readily identified to potential perpetrators (attackers).
14. Review and revise the TACCP plan.
15. Monitor by horizon scanning and identification of emerging risks (return to step 1) – develop an early warning system that can highlight new threats or a change to existing threats.

The term horizon scanning is increasingly being used to consider the supply chain and a given food operation’s food crime vulnerability and the countermeasures that need to be introduced to ensure effective control. Horizon scanning is systematic in nature and considers the existing information, evidence or intelligence available about products, processes and the wider supply chain as well as socio‐economic factors that could influence future trends and scenarios with regard to food crime. Effective horizon scanning considers evidence from this range of sources in order to effectively map potential threats and vulnerabilities and then identify the potential for their occurrence and the means for their control. Horizon scanning is not an on–off exercise. Horizon scanning needs to be a dynamic management approach that can react to changes in the supply chain, with products and ingredients, and within the manufacturing operation itself. It is important to have formalised mechanisms for updating horizon scanning assessments if the evidence base changes in the future and as a result the ranking for a given threat and associated risk changes.

Vulnerability Risk Assessments

6.4 There are a number of methods that have been developed to determine vulnerability as part of a horizon scanning process. These include emerging risk determination, global chain analysis and incident classification matrices.

Emerging risk determination is a systematic approach that uses a protocol, intelligence strategy and expert knowledge to detect emerging risk utilising a set of questions namely:^2,3

What is typical? Identify and characterise the current status within the food chain to form a baseline.

What is exceptional? Use available intelligence to monitor movements against the baseline and identify variance.

How do we prevent recurrence? Determine root causes of reoccurring issues so corrective action is targeted and effective.

What don’t we know? Analyse global food chains and identify vulnerabilities that could lead to future threats.

Global chain analysis (GCA) determines vulnerability and the risk of illicit behaviour at the stages in the food supply chain where food crime could occur.

Incident classification matrices take a risk assessment approach to determine whether a given food crime incident is classified as low, medium or high risk.⁴ The method uses a scoring system based on the criteria of severity (health effects, consumers affected, risk assessment, perceived risk by consumers and the media) and complexity (number of reports, number of products, number of agencies involved, traceability).

These three models operate at the supply chain level as opposed to the organisational level, but a number of risk assessment approaches use a matrix approach at the level of the manufacturing unit.

6.5 The United States (US) Food and Drug Administration (FDA) distinguished between national risk assessment models and supply chain or organisational food defence models.⁵ The model that was developed considers vulnerability specifically with regard to intentional ideological contamination. In the US, the CARVER + Shock method was adopted, where the acronym CARVER stands for:

• Criticality: a measure of the public health and economic impacts of an attack as a result of the batch size or network of distribution;
• Accessibility: the ability to gain physical access and egress where this can change over time and also as a result of the use of countermeasures;
• Recuperability: the ability of a food system to recover from an attack;
• Vulnerability: the ease of accomplishing the attack, which can change over time and as a result of the use of countermeasures;
• Effect: the amount of direct loss from an attack as measured by loss in production;
• Recognisability: the ease of identifying the target, with
• Shock, a combined measure of the health, psychological and collateral national economic impacts of a successful attack on the target system, being the final element.⁶

Risk is determined via a weighted score‐based approach. The FDA and the US Department of Agriculture (USDA) adapted the CARVER + Shock approach to develop facility or process level food defence vulnerability assessment using a vulnerability assessment software (VAS) tool to develop a focused food defence plan for the given operation. In so doing, the VAS tool combined existing FDA tools, resources and guidance to reduce the risk of intentional food contamination. In May 2016, the FSA introduced a further iteration, the Food Defense Plan Builder, a software programme designed to assist food manufacturers to develop personalised food defence plans. This software is available online and includes vulnerability assessment, and the development of a mitigation strategy and associated action plan. It should be noted that a food defence plan is only one aspect of wider controls to mitigate for food crime.

6.6 Decision tools such as vulnerability assessment critical control point (VACCP) and the TACCP approach have been developed based on hazard analysis critical control point (HACCP) principles. There are multiple explanations of how VACCP and TACCP are differentiated from each other in industry texts and standards, and at the time of this new edition of the Guide being written there is no clear focus as to a definitive approach. The aim of this chapter is not to develop a specific critique of this nature, but to explain that many private certification standards, such as the British Retail Consortium (BRC) Global Food Standard (Version 7), require a manufacturer to undertake a vulnerability risk assessment and consider all food raw materials or groups of raw materials at risk of adulteration and substitution (see 5.2 for definitions). This is a much narrower scope than the wider vulnerability risk assessment approaches outlined in this chapter. In this context the BRC Standard (Version 7) describes adulteration as the ‘addition of an undeclared material into a food item for economic gain’. The Standard outlines that the following factors need to be taken into account:

• The nature of the raw material, e.g. solid, liquid, powder, granular, pure or a mixed ingredient product. These factors will not only affect the potential for adulteration or substitution, but also how such activity could take place, e.g. minced meat ingredients for products such as burgers and ready meals will be at higher risk of substitution than carcase meat as substitution will be less visually obvious when, for example, substituting minced beef with minced pork.
• Ease of access to raw materials through the supply chain. The vulnerability of the manufacturing unit and the wider supply chain can be considered using the risk assessment methods described above.
• Historical evidence of substitution or adulteration. Some food ingredients have a much higher historical incidence of adulteration, e.g. milk powder, gluten, minced meat, fish and spices. Manufacturers may have limited access to the intelligence surrounding historic evidence of adulteration although some databases do exist regarding adulteration and substitution incidents (see 5.2). Supplier history, in terms of their performance over time, degree of non‐compliance with specifications and requirements, reliability in other areas such as legislative compliance with labour laws, accounting practices etc., will give an insight for the manufacturer into supplier behaviour and whether materials derived from that supplier are more likely to be illicit. However, just because a food ingredient does not have a recognised history of adulteration does not mean that the material is necessarily low risk and less vulnerable to illicit activity as the activity may have gone on and simply been undetected.
• Sophistication of routine testing to determine food integrity. The degree of sophistication of routine testing needs to be considered by the manufacturer. The manufacturer needs to know what the adulterant is likely to be and an analytical method must be available that will test for that adulterant in that given foodstuff at a sufficient limit of detection that gives validity and confidence to the results. In the fast‐evolving world of economically motivated adulteration (EMA) those criteria are often hard to fulfil. Any given testing regime will have a limit of detection and thus it is not possible in many instances to declare that a product is ‘free from’ a given material. Whilst techniques are being developed to test for certain materials known to be associated with EMA, this technology is in its infancy. When compared to their batch sizes and overall profitability, a small manufacturer may not have the financial ability to access costly analytical tests. From a legal perspective the manufacturer must demonstrate they have precautions in place that are reasonable to ensure that their food complies with labelling and product or process claims (see 1.10). This area is considered more fully in Chapters 15 and 16.
• Economic factors may make adulteration or substitution more attractive. There are multiple economic factors that can influence the degree of vulnerability of a given raw material. Supply chain pressure can arise from market dynamics such as the balance between supply and demand, as shown with the melamine incident (where demand for milk powder in China outstripped supply due to resource scarcity), market competition (e,g, where economies of scale force smaller and/or less competitive organisations to consider substitution or adulteration to remain competitive) and financial pressure from diminishing margins or stakeholder pressure to maintain dividends that leads to rationalisation in the minds of those within the organisation that illicit behaviour is somehow acceptable.

6.7 Vulnerability risk assessment and ranking or prioritisation of risks is not a static process. The vulnerability risk assessment needs to be reviewed formally if there is no non‐compliance on a minimum annual basis. Reactive review is also essential. Reactive review of the vulnerability risk assessment can arise from intelligence concerning a particular new, emerging or existing threat or a breakdown in security measures in the supply chain, identification of increased vulnerability after verification activities such as an audit that countermeasures and other controls are not effective or the need to purchase raw materials from an alternative source with no supplier history. All reviews should be recorded and any necessary action taken as a result.

6.8 All FCRA documents should form part of the controlled documents system defined by the manufacturing system. These documents should be reviewed at designated intervals to ensure their currency and also in the event of an incident.