Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. An audit is typically part of a broader compliance assurance program and can cover some or all of the company’s legal obligations, policies, programs, and objectives.
Companies come in a variety of sizes with a range of different needs, so auditing standards remain fairly flexible. There are, however, a number of audit program elements and best practices that can help ensure a comprehensive audit program:
- Goals. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. This process allows the organization to get at the causes and focus on important systemic issues. It pushes and guides toward continuous improvement. Goal-setting further addresses the responsibilities and obligations of the Board of Directors for audit and oversight and elicits support from stakeholders.
- Scope. The scope of the audit should be limited initially (e.g., compliance and risk) to what is manageable and to what can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. As the program is developed and matures (e.g., Management Systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices.
- Committed resources. Sufficient resources must be provided for staffing and training and then applied, as needed, to encourage a robust auditing program. Resources also should be applied to EHSMS design and continuous improvement. It is important to track the costs/benefits to compare the impacts and results of program improvements.
- Operational focus. All facilities need to be covered at the appropriate level, with emphasis based on potential EHS and business risks. The operational units/practices with the greatest risk should receive the greatest attention (e.g., the 80/20 Rule). Vendors/contractors and related operations that pose risks must be included as part of the program. For smaller, less complex and/or lower risk facilities, lower intensity focus can be justified. For example, relying more heavily on self-assessment and reporting of compliance and less on independent audits may provide better return on investment of assessment resources.
- Audit team. A significant portion of the audit program should be conducted by knowledgeable auditors (independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.
- Audit frequency. There are several levels of audit frequency, depending on the type of audit:
  - Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine EHSMS day-to-day operational responsibilities
  - Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
  - As needed: For issue follow-up
  - Infrequent: Comprehensive, independent – conducted every three to four years
- Differentiation methods. Differentiating identifies and distinguishes issues of greatest importance in terms of risk reduction and business performance improvement. The process for differentiating should be as clear and simple as possible; a system of priority rating and ranking is widely understood and agreed. The rating system can address severity levels, as well as probability levels, in addition to complexity/difficulty and length of time required for corrective actions.
- Legal protection. Attorney privilege for audit processes and reports is advisable where risk/liability are deemed significant, especially for third-party independent audits. To the extent possible, make the audit process and reports management tools that guide continuous improvement. Organizations should follow due diligence elements of the USEPA audit policy.
- Procedures. Describe and document the audit process for consistent, efficient, effective, and reliable application. The best way to do this is to involve both auditors and those being audited in the procedure design. Audit procedures should be tailored to the specific facility/operation being audited. Documented procedures should be used to train both auditors and those accountable for operations being audited. Procedures can be launched using a pilot facility approach to allow for initial testing and fine-tuning. Keep procedures current and continually improve them based on practical application. Audits include document and record review (corporate and facility), interviews, and observations.
- Protocols & tools. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. Use “widely accepted or standard practice” as go-by tools to aid in developing protocols (e.g., ASTM site assessment standards; ISO 14010 audit guidance; audit protocols based on EPA, OSHA, MSHA, Canadian regulatory requirements; GEMI self-assessment tools; proprietary audit protocol/tools). As protocols are updated, the ability to evaluate continuous improvement trends must be maintained (i.e., trend analysis).
- Information management & analysis. Procedures should be well-defined, clear, and consistent to enable the organization to analyze trends, identify systemic causes, and pinpoint recurring problem areas. Analysis should prompt communication of issues and differentiation among findings based on significance. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted.
- Verification & corrective action. Corrective actions require corporate review, top management-level attention, and management accountability for timely completion. A robust root cause analysis helps to ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should also look for other drums that might be labeled incorrectly and add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).
The FSMA HARPC regulation has been in the implementation phase for approximately a year. Many small and entrepreneurial businesses are in the process of starting or finalizing the development of a food safety plan to comply with FSMA requirements. This includes program development, operational awareness and employee training. Often, small companies find this development more challenging compared to mature companies for several reasons, including a lack of resources or simply not knowing where to start.
A management system is the framework that enables companies to achieve their operational and business objectives through a process of continuous improvement. In its simplest form, a management system implements the Plan, Do, Check, Act/Adjust cycle. Several choices are available for management systems (ISO is commonly applied), whether they are certified by third-party registrars and auditors, self-certified, or used as internal guidance and for potential certification readiness.
Business Benefits of a Well-Documented Management System
The connection between management systems and compliance is vital in avoiding recurring compliance issues and in reducing variation in compliance performance. In fact, reliable and effective regulatory compliance is commonly an outcome of consistent and reliable implementation of a management system.
Beyond that, there are a number of business reasons for implementing a well-documented management system (environmental, safety, quality, food safety, other) and associated support methods and tools:
- Establishes a common documented framework to achieve more consistent implementation of compliance policies and processes—addressing the eight core functions of compliance:
  - Permits and authorizations
  - Practices in place
  - Monitoring and inspection
- Provides clear methods and processes to identify and prioritize risks, set and monitor goals, communicate those risks to employees and management, and allocate the resources to mitigate them.
- Shifts from a command-and-control, centrally driven function to one that depends heavily on teamwork and implementation of a common system, taking into consideration the necessary local differences and building better know-how at the facility level.
- Establishes a common language for periodic calls and meetings among managers, facility managers, and executives, which yields better goal-setting, priority ranking, and allocation of resources to the areas with greatest risk or the greatest opportunity to add business value.
- Empowers facilities to take responsibility for processes and compliance performance without waiting to be told “what” and “how”.
- Enables better collaboration and communication across a distributed company with many locations.
- Enables the selection and implementation of a robust information system capable of tracking and reporting on common activities and performance metrics across the company.
- Employs a design and implementation process that builds company know-how, captures/retains institutional knowledge, and enables ongoing improvement without having to continually reinvent the wheel.
- Creates consistent processes and procedures that support personnel changes (e.g., transfers, promotions, retirements) and training of new personnel without causing disruption or gaps.
- Allows for more consistent oversight and governance, yielding higher predictability and reliability.
Join Kestrel’s food safety experts this July. We would enjoy the opportunity to meet up with you to discuss your food safety challenges. Here’s where you can find us:
International Association for Food Protection (IAFP) Annual Meeting
July 8-11, 2018
Salt Palace Convention Center – Salt Lake City, Utah
Get insights on current and emerging food safety issues, the latest science, innovative solutions to new and recurring problems, and the opportunity to network with thousands of food safety professionals. Plus…don’t miss Kestrel Senior Consultant Melody Ge as she presents, “Sanitation, Did We Do It Right?” on Monday, July 9.
Institute of Food Technologists Annual Meeting (IFT18)
July 15-18, 2018
McCormick Place – Chicago, Illinois
Join food professionals from around the globe and experience powerful presentations, panel discussions, and debates exploring important and timely topics in the science of food.
Webinar: The New SQF Fundamentals Program
July 24, 2018 at 12 p.m. ET
Learn more about SQF’s new Fundamentals Program for small to medium-sized businesses in this webinar. The program provides a step-by-step approach to improve food safety management and will help facilitate retailer acceptance of entrepreneurs and provide additional food safety security and acceptance along the supply chain. Kestrel Senior Consultant Melody Ge will be partnering with SQFI Compliance Manager Chris Sinclair to provide this training.
Kestrel is proud to provide our ongoing support for the manufacture, processing, and distribution of safe food. We look forward to seeing you this July!
Food safety is a critical component of a successful supplier/buyer trading partnership. SQFI has created an approach for small- to medium-size food producers who don’t have a robust food safety program in place that satisfies buyers’ and retailers’ concerns—the new Fundamentals Program for Food Manufacturing and the Fundamentals Program for Primary Producers.
Kestrel Management Senior Consultant Melody Ge will be joining SQFI Compliance Manager Chris Sinclair to walk you through this SQF Fundamentals Program’s step-by-step approach to improve food safety management in a FREE webinar.
The New SQF Fundamentals Program:
Partnering the Global Markets Programme and the SQF Code
Tuesday, July 24, 2018
12:00 p.m. ET
Join us to discuss the new Fundamentals Program and how it can apply to your operation. We will discuss the requirements and provide best practices on how to get started on your certification journey.
- Learn about the new SQF Fundamentals Program for small- and medium-sized businesses
- Understand the requirements of the SQF Fundamentals Program
- Understand who should use the SQF Fundamentals Program and the benefits of the program
- Hear some of the obstacles and best practices on how to get started
This is the third in a series of articles on food product recalls.
One form of protection from the economic and reputational damages of a food recall event can be to transfer risk through an insurance policy that is specifically designed to respond to a recall event.
Are You Covered?
A Business Owner’s Insurance Policy (“BOP”) provides most enterprises with two main forms of coverage: Commercial General Liability (CGL) and Business Property. Many food and beverage companies believe that basic CGL insurance coverage will provide protection in the event of a product recall. In reality, CGL policies typically contain an exclusion (Recall of Products, Work or Impaired Property) that precludes coverage for any claims associated with a product recall or withdrawal.
Because most CGL policies do not cover recall-related losses, separate Product Recall, Business Interruption, or similar types of insurance can provide protection to reduce the potential financial impacts of a recall event. Companies can purchase either first-party or third-party Product Recall policies, or both.
First-party policies provide coverage for the company’s own economic loss incurred due to a recall. These losses may include:
- Business interruption
- Lost profit
- Recall expenses
- Expenses to respond to adverse publicity and rebuild a brand’s image
- Consultant and adviser costs
Third-party coverage applies to economic loss incurred by third parties (e.g., distributors, wholesalers, customers) who may be impacted by a recall event. This could include broad coverage for numerous costs associated with the following:
- Removal of recalled product from stores
- Transportation and disposal of the product
- Notification to third parties of the recall
- Additional personnel/overtime
- Cleaning equipment
- Laboratory analysis
Business Interruption insurance is another coverage that may cover not only catastrophic losses, but also food recall events. If purchased, it is important to make sure that the Business Interruption coverage works hand-in-hand with Product Recall coverage.
What to Look for in a Policy
Product Recall insurance should be specifically tailored to meet the needs of the company. Here are some things that a company should ask when exploring Product Recall/Contamination insurance:
- Will the policy cover recalls where there is limited likelihood of bodily injury (e.g., class II or class III recall that is less severe)? What if a recall is requested (vs. ordered) by the FDA or USDA?
- Will the policy cover loss from an FDA administrative detention?
- What happens if the company experiences financial loss due to a recall and then the facts underlying the recall turn out to be incorrect? Are those losses still covered?
- Does the policy exclude coverage if the recall was due to a problem with a competitor’s product? What if the product breaches a warranty of fitness?
- Does the policy provide coverage for claims by third parties (e.g., customers)?
- Does the policy cover lost profits/revenue? What about logistics and repair costs (e.g., shipping and destruction, public relations, product replacement, and reputation/brand damage)? How is the loss calculated?
This is the second in a series of articles on food product recalls.
The risk for all food companies of being affected by a recall is substantial, and adequately responding to a recall claim is complex and expensive. Companies should always be prepared to prevent a recall from occurring.
Here are seven tips that can help your company prevent and/or manage a food recall:
- Establish a Food Safety Plan using a HACCP approach or preventive controls. Always make sure the plan is kept up to date with facility production or product formulation changes to ensure potential risks are controlled.
- Develop and maintain a written Recall Plan, as well as a Crisis Management Plan. These plans should be reviewed, tested, and updated at least annually. Lessons learned should be recorded and analyzed for possible improvements.
- Conduct mock traceability exercises over a certain time period. In case anything occurs from within the supply chain, you should be in control of your own ingredients and finished products.
- Establish a functioning approved supplier program.
- Utilize third-party audit certification to establish a Food Safety Management System (FSMS), and gain senior management commitment and resources for maintaining the FSMS onsite. This may be in the form of commitment to a Global Food Safety Initiative (GFSI) benchmarked standard (e.g., BRC, SQF, FSSC 22000, IFS).
- Implement thorough sanitation and hygiene processes.
- Maintain all related documentation and records.
This is the first in a series of articles on food product recalls.
Salmonella outbreak in eggs; E. coli outbreak in romaine lettuce. Both are getting a lot of attention right now. Unfortunately, no food company is immune to encountering situations like this that may lead to government warnings or a food product recall. Even plants with the best controls are at risk—human error, mechanical breakdowns, or sampling failures can happen at any time.
The number and magnitude of product recalls have increased significantly in recent years. According to the U.S. Department of Agriculture’s (USDA’s) Economic Research Service report entitled Trends in Food Recalls 2004-2013, the average number of food recalls between 2004 and 2008 was 304/year; the average number between 2009 and 2018 increased to 676/year.
Interestingly, the study does not cite riskier foods as the reason for this upward trend. Rather, the increase of food product recall events can be attributed to the following:
- An increasingly complex and global food supply chain system,
- Technology improvements in the detection of health risks, and
- Passage of two major food policy laws—FALCPA and FSMA—particularly related to the dramatic increase in undeclared allergen recalls.
Product Contamination Consequences
A full-scale recall involving food products can be detrimental to a food manufacturer or retailer. According to a survey conducted by the Grocery Manufacturers Association, 29% of companies that faced a recall within the prior five years estimated that the direct cost of the recall was between $10 million and $29 million—and that cost can be even greater when accounting for indirect costs.
There are three primary consequences of a major product contamination/recall event:
- Product recall expenses – product replacement costs, recall and redistribution expenses, product destruction costs, related crisis management consultation fees
- Business interruption – financial loss due to product unavailability, decontamination downtime, government action, brand damage, and loss of contracts
- Third-party liability – financial loss due to third-party property damage and bodily injury
In many cases, a recall event will result in decreased profits over the short run of 6-18 months. The long-term brand damage, however, can impact earnings over an even longer period. Given these trends and the potential associated impacts, every food business should be concerned with potential contamination risks.
The 20th Annual Food Safety Summit, held earlier in May, proved once again to be an engaging and informative meeting for all in attendance. During the four-day event, food safety professionals participated in interactive sessions focused on food safety in the supply chain.
Throughout the Summit, Kestrel’s food safety experts observed several common themes and challenges that the food industry is facing — challenges that your business may be encountering today. Here are some of our key takeaways:
This year’s Summit featured a supply chain focus. Every company in the food supply chain—those that produce, handle, or distribute food-grade products/ingredients—has an obligation to its customers to provide safe and quality food. The Summit began with six certification programs related to food safety across the supply chain, including Preventive Control for Human Food, Foreign Supplier Verification, Professional Food Safety Auditor Training, Seafood HACCP, HACCP Training, and Certified in Comprehensive Food Safety.
The focus on food safety throughout the supply chain was discussed in lessons learned from recent food safety case studies, as well as in four afternoon workshops focused on departmental cooperation, traceability, effectively managing food safety, and global regulatory systems. In addition, the new Community Cafes provided attendees the chance to meet with the subject matter experts, including experts from Kestrel, for more in-depth conversations about topics focused on the supply chain.
As is evident from the key topics covered at the Summit, the current trend is a much stronger focus on food safety within the global supply chain, particularly coordination of various global regulatory systems, requirements, and agencies. Steve Mandernach of the Association of Food and Drug Officials (AFDO), Dr. Robert Tauxe of the Centers for Disease Control (CDC), Paul Keicker of the U.S. Department of Agriculture (USDA), and Stephen Ostroff from the U.S. Food and Drug Administration (FDA) participated in sessions on how the agencies are working together on food safety initiatives and the impact on food safety. This included a conversation on whole genome sequencing of pathogens as a game changer for disease monitoring and response.
A major concern and ongoing challenge within the food safety community involves training regarding food safety responsibility across all levels of the organization. This not only includes large organizations with individuals who are directly responsible for food safety programs, but also smaller organizations where these responsibilities must be understood and followed by everyone at all levels. This corresponds to the need for food organizations to establish a much more comprehensive and effective food safety culture. The lack of this training, organizational responsibility, and overall culture is considered one of the primary causes of continued contaminated food outbreaks.
In addition to the discussion regarding the use and benefits of whole genome sequencing, enforcement of FSMA and the expanding rules of Intentional Adulteration and Food Fraud Prevention Programs continue to be top areas of regulatory concern. Inspections and investigations related to supporting Food Safety Plans under these requirements will continue to expand, as evidence of compliance is required by all food organizations under the law.
Food Safety Summit 2019
Plans are already being made for the 21st Anniversary of the Food Safety Summit, which will again be held at the Donald E. Stephens Convention Center in Rosemont, IL from Monday, May 6 through Thursday, May 9, 2019. Mark your calendar. Kestrel looks forward to being an active sponsor and participant again next year.
Since it was launched in May 2000 following a number of major food safety scares, the Global Food Safety Initiative (GFSI) has aimed to “provide continuous improvement in food safety management systems to ensure confidence in the delivery of safe food to consumers worldwide.”
GFSI is not a scheme in itself, nor does it carry out any accreditation or certification activities. Rather, a benchmarked scheme (e.g., BRC, SQF, IFS, FSSC 22000) is recognized by GFSI when it meets the minimum food safety requirements, as set out in the GFSI Guidance Document.
Strategy for Certification
Companies have the flexibility to choose which GFSI-recognized scheme they want to adopt, and can achieve certification through a successful third-party audit. Under GFSI’s concept of “once certified, accepted everywhere,” certification to any GFSI-recognized scheme is accepted by many international, national, and regional retailers and suppliers.
The following factors should be considered to ensure a successful GFSI strategy:
- Adequate knowledge of the GFSI standards (e.g., BRC, SQF, IFS, FSSC 22000) and how they work within food manufacturing and packaging companies
- Ability to use and implement document and records management and control
- Training to implement the chosen standard and ongoing training in the standard/key program areas, including Hazard Analysis and Critical Control Points (HACCP) and internal audit
- Meeting the building requirements of the GFSI standard
- An integrated pest management system that meets the requirements of the standard
- Dedicated role of a qualified plant sanitarian
- A strategy that includes management commitment and allocation of budgets and resources
- Proper management review meetings and records
- Compliant food safety and security
- A corrective and preventive action (CAPA) process that meets the requirements of the standard
- Approved supplier programs
- Control of non-conforming product through disposal
- Change management and acceptance by the organization
- Product specifications that meet the requirements of the standard
- Sanitation and chemical control programs
- Deviation and variance tracking, reporting, and response
- Product and raw material storage
- Food-level Good Manufacturing Practices (GMPs), operating prerequisites, and compliance
- Calibration of measurement devices
- Emergency response and contingency plans
The GFSI system provides a high degree of confidence that food safety management systems are adequately designed, implemented, and maintained. Certified companies tend to be more efficient and profitable and have more effective shared risk management tools for brand protection. Ultimately, certification results in improved consumer confidence, simpler buying, and safer food throughout the supply chain.