Auditing is a management tool that can be used to evaluate and monitor the internal performance and compliance of your company with regulations and standards. An audit can also be used to determine the overall effectiveness of an existing system within your company.
How do you incorporate compliance auditing best practices to help maximize compliance, efficiency, and value of your audit? Here are five critical factors for value-added audits.
1. Goal Aligned with Business Strategy
There are many reasons why companies conduct audits:
- Support commitment to compliance
- Avoid penalties
- Meet management system requirements
- Meet corporate or customer mandates
- Support acquisition or divestiture
- Assess organizational structure and competency
- Identify cost saving and pollution prevention opportunities
- Determine alignment with strategic direction
It is vital to define and understand the goal of your compliance audit program before beginning the audit process. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. Not establishing a clear, concise goal can lead to a waste of resources.
Audit goals and objectives should be nested within the company business goals, key performance objectives, and values. An example of a goal might be to effectively measure environmental compliance while maintaining a reasonable return on investment.
Once the goal is established, it is important to communicate it across all functions of the organization to get company-wide support. Performance measurements should also be communicated and widely understood.
2. Management Buy-in
The audit program must have upper management support to be successful. Management must exhibit top-down expectations for program excellence, view audits as a tool to drive continuous improvement, and work to embed audits within other improvement processes. Equally important, management must not use audit results to take punitive action against any person or department.
3. Documented Audit Program Systematically Applied
Describe and document the audit process for consistent, efficient, effective, and reliable application. Audit procedures should be tailored to the specific facility/operation being audited. A documented program will include the following:
- Scope. The scope discusses what areas/media/timeframe will be audited. The scope of the audit may be limited initially to what is manageable and can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. It may also be limited by identifying certain procedural or regulatory shifts and changes. As the program is developed and matures (e.g., management systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices. It is important at the scoping stage to address your timeline. Audits should be scoped to make sure you get them done but also to make sure you have audited all compliance areas in an identified timeframe.
- Criteria. Compliance with requirements will clearly be covered in an audit, but what about other opportunities for improvement (e.g., pollution prevention, energy savings, carbon reduction)? All facilities need to be covered at the appropriate level, with emphasis based on potential compliance and business risks. Assess the program strengths, redundancy, integration within the organization, and alignment with the program goal. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. As protocols are updated, the ability to evaluate continuous improvement trends must be maintained.
- Auditor training (i.e., competency, bias). A significant portion of the audit program should be conducted by knowledgeable auditors (e.g., independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.
Training should be done throughout the entire organization, across all levels:
+ Auditors are trained on both technical matters and program procedures.
+ Management is trained on the overall program design, purpose, business impacts of findings, responsibilities, corrections, and improvements.
+ Line operations are trained on compliance procedures and company policy/systems.
Consider having auditor training conducted by an outside source to teach people how to decide what to audit and how to follow a trail. It can also work well to train internal auditors by having them audit alongside an experienced third party.
- Audit conduct (i.e., positive approach). A positive approach and rationale for the audit must be embraced. Management establishes this tone and sets the expectation for cooperation among all employees. Communication before, during, and after the audit is vital in keeping things positive. It is important to stress the following:
+ Auditor interviews are evaluating systems, not personal behaviors.
+ The audit is an effective tool to improve performance.
+ Results will not be used punitively.
- Audit reporting. Information from auditing (e.g., findings, patterns, trends, comparisons) and the status of corrective actions often are reported on compliance dashboards for management review. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted. Documentation is essential, and reporting should always align with program goals and follow legal guidance. What gets reported, and how, varies based on the company’s objectives. For example:
+ Findings only vs. opportunities for improvement and best management practices?
+ Spreadsheet vs. long format report?
+ Scoring vs. prioritization of findings (beware of the unintended consequences of scores!)?
+ Recommendations for corrective actions included or left for separate discussion?
- Corrective and preventive action. Corrective actions require corporate review, top management-level attention, and management accountability for timely completion. A robust root cause analysis helps ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should be to also look for other drums that might be labeled incorrectly and to add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).
- Follow-up and frequency. Address repeat findings. Identify patterns and seek root cause analysis and sustainable corrections. Communications with management should be done routinely to discuss status, needs, performance, program improvements, and business impacts. Those accountable for performance need to be provided information as close to “real time” as possible. There are several levels of audit frequency, depending on the type of audit:
+ Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine day-to-day operational responsibilities
+ Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
+ As needed: For issue follow-up
+ Infrequent: Comprehensive, independent – conducted every three to four years
4. Robust Corrective Action Program
As mentioned above, corrective actions are a must. If there is no commitment to correction, there is no reason to audit. A robust root cause analysis is essential. This should be a formal, yet flexible, approach. There should be no band-aids. Mistake-proof corrections and include metrics where possible. In the drum example given above, a more robust corrective action program would look at the root cause: Why was the drum mislabeled? Did the person know to label it? If so, why didn’t they do it?
The correction itself is key to the success of the audit program. Establish the expected timeframe for correction (including addressing preventive action). Establish an escalation process for delayed corrections. Corrective actions should be reviewed regularly by upper management using the existing operations review process. There must also be a process for verification that the correction has been made; the next audit cycle may not be sufficient.
Note also that addressing opportunities for improvement, not just non-compliance findings, may increase the return on investment associated with conducting an audit.
5. Sharing of Findings and Best Practices
Audit results should be communicated to increase awareness and minimize repeat findings. Even if conducted under privilege, best practices and corrections can and should still be shared. Celebrate the positives and creative solutions. Stress the value of the audit program, always providing metrics and cost avoidance examples when possible. Inventory best practices and share/transfer them as part of audit program results. Use best-in-class facilities as models and “problem sites” for improvement planning and training.
An audit can provide much additional value and return on organization if it is planned and managed effectively. This includes doing the following:
- Align program goal with business strategy to secure top-down buy-in
- Expand criteria beyond compliance
- Gain goodwill through positive approach
- Document program and results
- Monitor for timely, effective corrective action
- Share opportunities for improvement
Don’t miss this FREE educational opportunity to network with industry peers, IFS representatives, consultants & IFS PACsecure auditors.
IFS Focus Day
Meet the IFS team to learn about IFS and how they support packaging suppliers through the implementation of the IFS PACsecure Standard requirements.
Learn about chemical migration in packaging, FSMA and how it relates to packaging, and how to perform effective and efficient risk assessments.
Hear firsthand from an IFS PACsecure-certified packaging supplier why he chose IFS and the benefits the company has enjoyed since achieving certification.
Who Should Attend?
This IFS Focus Day is for you if you are a:
- Packaging supplier considering a packaging safety certification, already certified with IFS, or in the process of implementing the IFS PACsecure Standard.
- Brand owner wanting to learn about how the IFS PACsecure Standard can reduce your packaging supplier audits, improve quality, and keep your products safe.
- Retailer looking for certifications that will ensure the safety and traceability of your products through the entire supply chain.
Space is limited, attendance is free! Don’t miss out!
(Lunch to be provided.)
The Food Safety Modernization Act (FSMA) is designed to change the culture of food safety in the U.S. from a reactionary to a preventive mindset. It’s come with challenges, but the law is helping evolve this thinking in the U.S. as more food and supplement brands are meeting FSMA requirements. In this recent podcast with Natural Products INSIDER, Kestrel Principal Bill Bremer reviews his upcoming SupplySide West presentation on the implementation of the FSMA, the foreign supplier verification program (FSVP) and international rules for the food and beverage sectors. The podcast discusses:
- The key aspect of FSMA that’s different from other FDA regulations, which makes compliance difficult for brands.
- Why following FSMA rules is a good ROI beyond legal compliance.
- The importance of untangling complex supply chains for food safety and FSMA compliance.
Bill Bremer will be speaking at the SupplySide West Workshop “FSMA and Import Requirements for Food and Supplement Brands” on Wednesday, Oct. 16, 2019 at 9:00 a.m. to noon at SupplySide West in Las Vegas. Visit supplysidewest.com for more information and to get registered.
The interpretation of FSMA compliance for Dietary Supplement (DS) distributors and manufacturers has varied since the law was signed in 2011. As much of the food industry, including FDA, has sought to understand compliance requirements of the various FSMA rules, the DS industry has had even more to assess and determine due to its unique requirements relative to food. This is further complicated by the maturity of specific requirements for the supplement category of products being tested by industry and regulators.
Dual Level of Regulation
Early under FSMA, many DS companies struggled—and many continue to do so—with their compliance to FDA requirements due to their direct regulatory obligations as food and DS companies. Historically, the DS industry enforcement requirements fall under FDA Section 111 GMPs, which require more stringent control of the full production process than what is required for food only. This presents DS with a dual level of regulation, with the DS-specific regulation established years prior to FSMA. In fact, this regulation was well in place at the signing of FSMA and the additional requirements, which include the 117 GMPs.
The more conservative approach to ensure compliance is to meet requirements under both the FSMA and FDA Food and Dietary statutes concurrently. Alternatively, companies may wait for more clarity on FSMA, as the final rules and compliance dates were pending due to the rulemaking time that was instituted during the rollout phase.
Challenges of Compliance
In meeting the Section 111 GMP requirements for the DS industry, there is significant complexity; however, if managed correctly, Section 111 does address many of the related FSMA requirements. Specific areas required by FSMA but not included in the DS requirements remain, including a complete Food Safety Plan, preventive controls, environmental monitoring, program management updates, and specific organizational roles of Preventive Controls Qualified Individual (PCQI), Qualified Auditor, and Qualified Sanitation Lead.
The challenge of compliance for the DS industry lies in these issues, but also in the variation of company types within the industry (i.e., distributors, manufacturers, suppliers, and the supply chain). For DS companies with many varying aspects, there can be significant variation in requirements due to the various supply chain components. This makes development more challenging based on the proper responsible party for the specifications and the final branded product for distribution. In addition, the situation of making dietary supplements and food in the same plant must be properly addressed. These all must comply with Section 111 requirements. If the Section 111 program ensures a well-qualified supplier program, this can be referenced as 117 compliance for FSMA. Unfortunately, many organizations have not formalized their written and documented programs, as required by Section 111, as well as under FSMA.
To complicate things more, the DS industry is still evolving with rapid expansion of companies, manufacturers, and distributors participating in broad and changing product types. Within the DS supply chain, the functions of product development, specification, manufacturing, operations, and the ultimate responsibility for the product and raw material stages are not easy to determine. This leaves the ultimately responsible party to be identified—often with overlapped and shared levels of responsibility, from raw material sourcing to final manufacture. Correspondingly, it is vital for DS companies to maintain strict control of suppliers, customers, and product identification at each step of the manufacturing process.
Direct Compliance vs. Third-Party Certification
FSMA maintains its position of direct compliance to the regulations vs. the use of third-party certification for industry-legal interpretation. However, the decision to pursue third-party certification must be evaluated within this rapidly changing industry. Acceptance of these certifications is growing along with FSMA compliance. In fact, many major retail chains require global certification under the Global Food Safety Initiative (GFSI) standards. In line with this, programs must be further defined and developed to meet the GFSI requirements associated with the benchmarked standards (i.e., BRC, IFS, FSSC22000, SQF).
The need for DS companies to be certified to the GFSI through one of the standards will only continue as the distribution channels for DS products grow. These standards are necessary to provide structured requirements and to ultimately simplify the compliance process based on even more research and learning.
Keys to Success
With this rapid evolution of unique DS products, compliance and certification efforts must consider and meet the test of time. This may take several years to establish. DS companies operating under FSMA must make appropriate decisions in the development of their programs to provide evidence that programs and processes have been appropriately implemented.
Key to this is developing and maintaining a documented system with written programs and validation to Section 111 and Section 117 GMPs under FDA to meet all necessary requirements. Sufficient records must be maintained as evidence that programs have been implemented, verified, updated, and maintained as current at all times. Any exceptions addressed by Section 111 or Section 117 compliance must be confirmed and documented within this system. As just one example, in some cases Section 117 cites specific requirements, such as the protection of outside storage containers. If they do not exist, a company must identify that this has been determined to be an exception.
In addition, it is very important DS companies determine their compliance assessment process for FSMA. These determinations must be made relevant to the existing and verified Section 111 programs and requirements under Section 117. Decisions within any program for FSMA compliance must be clear, verified, and implemented so they can be inspected or audited with proper evidence.
Conducting an internal compliance audit can be a very helpful and important step in confirming all requirements are met and all documented programs and practices are verified and up to date. Any identified risks will lead to program non-conformity, which must be closed to meet the regulatory requirements of Section 111, Section 117, and GFSI, if appropriate. A failure in one compliance situation has the potential to create multiple non-conformances across three areas and, therefore, must be appropriately and quickly addressed.
Mapping Your Requirements
Ultimately, a map of the compliance process for both regulations—and possibly GFSI certification requirements—must be made, along with a final register of documentation showing all requirements are being met. This requires time and resources from the identified qualified personnel, and the effort must also be supported by a well-founded Management Review process to ensure compliance in this rapidly evolving sector.
Kestrel is proud to provide our ongoing support for the manufacture, processing, and distribution of safe food. This fall, we look forward to joining our food industry friends and colleagues at a number of events to promote safe and quality food.
Food Safety Consortium
The Food Safety Consortium is a premier event for food safety education and networking. The Consortium offers three days of informational sessions on topics including FSMA final rules, FDA inspections under FSMA, food defense, food recalls, new technology, hiring and retaining sanitation workers, building your food safety team, allergen management, proper use of sanitation chemicals, Prop 64, environmental monitoring, GFSI, and more.
- DATE: October 1-3, 2019
- LOCATION: Schaumburg, Illinois
PROCESS EXPO with Special Food Safety Training
Kestrel will once again be joining FPSA at PROCESS EXPO, the nation’s largest trade show dedicated to bringing the latest technology and integrated solutions to all segments of the food and beverage processing and packaging industry.
- DATE: October 8-11, 2019
- LOCATION: Chicago, Illinois
SupplySide West with Featured Panel Discussion
SupplySide West is all about the science and strategy around the development of finished products that drive the global business economy. Learn about new trends from over 1,300 exhibitors and 140 hours of educational and conference programming. Don’t miss Kestrel’s Workshop: FSMA & Import Requirements for Food & Supplement Brands.
- DATE: October 15-19, 2019
- WORKSHOP DATE: October 16, 9 am – 12 pm
- LOCATION: Las Vegas, Nevada
We look forward to seeing you this fall. Contact us if you are interested in learning more about one of these events or setting up a time to meet!
BY: Stacey Pisani
Compliance risk assessment helps to identify and assess risks related to applicable regulatory requirements. Internal and external events or conditions affecting the entity’s ability to achieve objectives must be identified, distinguishing between risks and opportunities. These risks are analyzed, considering the following:
- Size of the risk – where, how big, how often/many?
- Severity of the outcome – to what extent can it impact safety, environmental, operational, financial, customer relations, regulatory compliance?
- Likelihood/probability of each risk – how likely is the occurrence of a negative outcome, considering the maturity of existing controls?
Based on this assessment, management can prioritize risks, select appropriate risk responses (avoiding, accepting, reducing, sharing), and develop a set of actions to align with the entity’s risk tolerance/appetite. An acceptable level of residual risk is considered after selected improvements and controls are applied. From there, policies and procedures can be established and implemented to help ensure the risk responses are effectively communicated so operating managers and individuals can carry out their responsibilities.
A deeper dive compliance program assessment may be performed for those risks that are identified as the company’s most significant.
Compliance Program Assessment
A compliance program assessment looks beyond “point-in-time” compliance to critically evaluate how the company manages compliance programs, processes, and activities, with compliance assurance as the ultimate goal. Capability, capacity, programs, and processes to comply are examined as part of this review. Conducting routine process and compliance audits is also a key component of a compliance assurance program.
Compliance program assessment should follow a disciplined and consistent process, resulting in an effective program that guides alignment of activities to an integrated management system for sustained compliance and continuous improvement. An essential part of the assessment, audits capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices.
Compliance program assessment enables a company to define and understand:
- Compliance requirements and where regulated activities occur throughout the organization
- Current company programs and processes used to manage those activities and the associated level of program/process maturity
- Deficiencies in compliance program management and opportunities for improvement
- How to feed review recommendations back into elements of the management system to create a roadmap for sustaining and continually improving compliance
There are six phases associated with a compliance program assessment:
Phase 1 – Regulations, Requirements, and Applicability Analysis: Phase 1 focuses on identifying, organizing, validating, and understanding all of the requirements (legal or other) with which the company must comply. It provides an applicability analysis of the requirements to company operations by functional area and evaluates the associated risks. This stage engages representatives across the company who are responsible for activities subject to the requirements.
Phase 2 – Activities Analysis: This phase involves developing an inventory/profile of all company activities that may trigger the requirements identified in Phase 1. It asks the question, “What activities does the company carry out that are covered by the requirements?”
Phase 3 – Desired Compliance Program Standard: Establishing the company’s expectations for compliance program processes and controls—the desired condition—is essential. This “to-be” standard integrates management system principles into compliance program management. Programs should examine relative risks and ensure that risk-based priorities are being set.
Phase 4 – Actual Compliance Program Condition: In contrast to the desired standard identified in Phase 3, Phase 4 is about describing the company’s current compliance program. It defines how the company performs the activities outlined in Phase 3 (along with who, when, and where)—the “as-is” condition. This is done in the same framework as the desired standard in order to compare them in the next phase.
Phase 5 – Gap Analysis: The gap analysis compares actual compliance program management against the desired standard. It evaluates compliance program management processes, controls, and maturity to determine if they are good as is, need improvement, or are missing. These gaps and opportunities provide the basis for the improvement actions developed in Phase 6.
Phase 6 – Improvement Actions: Phase 6 moves the process along to developing action plans and an approach for ongoing management review that will guide the compliance program development and improvement activities. Compliance program management review is established at the end of this last phase. If there is a management system in place, program review information and action plan tracking can be integrated into that management system.
As a whole, this process will help companies evaluate the degree to which:
- Compliance goals and objectives are set and communicated by management.
- Hazards and risks are identified, sized, and assessed, including an inventory of activities subject to the compliance requirements and the relative risks.
- Existing controls are adequate and effective, recognizing and addressing changed conditions.
- Plans are in place to address risks not adequately covered by existing controls.
- Plans and controls are resourced and implemented.
- Controls are documented and operationalized across functions and work units.
- Personnel know and understand the controls and expectations, and are engaged in their design and improvement.
- Controls are being monitored with appropriate metrics and compliance auditing and assurance.
- Information system is sufficient to support management system-required functions (e.g., document management and control, action tracking, notifications, training tracking, task calendaring, metrics reporting). Information dashboards can be used for reports to management.
- Deficiencies are being addressed by corrective/preventive action and are being tracked to completion.
- Processes, controls, and performance are being reviewed by management for ongoing improvement, including the maintenance and continual improvement of the integrated management system.
Are you registered for the PROCESS EXPO’s special food safety training courses? Find out why you should be!
Join Kestrel Principals Bill Bremer & Roberto Bellavia and our team of food safety experts on Tuesday, September 10 for a sneak peek into the special food safety training courses being offered as part of PROCESS EXPO 2019. You’ll get an overview of the courses, what you can expect to learn, and why each of these courses is so important to companies operating in the food industry.
Tuesday, September 10, 2019
1:00-2:00 pm CDT
Food Safety Training Courses
This FDA training is designed to help industry, particularly small- and medium-sized companies, to comply with the new preventive controls rules. The following supplemental food safety training courses will be featured at PROCESS EXPO from Monday, October 7 – Wednesday, October 9 and highlighted in the September 10 webinar.
Preventive Controls for Animal Food
This 2.5-day course is being made available in response to FDA’s final rule requiring covered animal food facilities to establish and implement an animal food safety system that includes an analysis of hazards and implementation of risk-based preventive controls. Completing this course meets FSMA requirements for a PCQI.
Foreign Supplier Verification Program (FSVP) Training
This 2.5-day course will provide participants with the knowledge to implement the requirements of the Foreign Supplier Verification Program (FSVP) for Importers of Food for Humans and Animals regulation of FDA’s FSMA. The FSVP course meets FSMA compliance, and FPSA certificates will be issued upon successful completion of the course.
HACCP is a systematic preventive approach to food safety that addresses biological, chemical, and physical hazards in production processes that can cause the finished product to be unsafe, and designs measures to reduce these risks to a safe level. This is a certified 2-day course based on Global Codex and GFSI requirements.
Produced by the Food Processing Suppliers Association (FPSA), PROCESS EXPO is the nation’s largest trade show dedicated to bringing the latest technology and integrated solutions to all segments of the food and beverage processing and packaging industry.
McCormick Place | Chicago, Illinois
A well-designed and well-executed compliance assurance program provides an essential tool for improving and verifying business performance and limiting compliance risks. Ultimately, however, a compliance program’s effectiveness comes down to whether it is merely a “paper program” or whether it is being integrated into the organization and used in practice on a daily basis.
The following can show evidence of a living, breathing program:
- Comprehensiveness of the program
- Dedicated staff and resources
- Employee knowledge and engagement
- Management commitment and employee perception
- Internal operational inspections, “walkabouts” by management
- Independent insider, plus third-party audits
- Program tailoring to greatest risks
- Consistency and timeliness of exception (noncompliance/nonconformance) disclosures
- Tracking of timely and adequate corrective/preventive action completion
- Progress and performance monitoring
To achieve a compliance assurance program on par with world-class organizations, there are a number of best practices that companies should employ:
Know the requirements. This means maintaining an inventory of regulatory compliance requirements for each compliance program, as well as of state/local/contractual binding agreements applying to operations. It is vital that the organization keep abreast of current/upcoming requirements (federal, state, local).
Plan and develop the processes to comply. Identify and assess compliance risks, and then set objectives and targets for performance improvement based on top priorities. From here, it becomes possible to then define program improvement initiatives, assign and document responsibilities for compliance (who must do what and when), develop procedures and tools, and then allocate resources to get it done.
Assure compliance in operations. The organization needs to establish routine checks and inspections within departments to evaluate conformance with sub-process procedures. Process audits should be designed and implemented to cut across operations and sub-processes in order to evaluate conformance with company policies and procedures. Regulatory compliance audits should further be conducted to address program requirements (e.g., environmental, safety, mine safety, security). Audit performance must be measured and reported, and the expectations set for operating managers to take responsibility for compliance.
Take action on issues and problems. Capture, log and categorize noncompliance issues, process nonconformances, and near misses. Implement a corrective/preventive action process based on the importance of issues. Be disciplined in timely completion, close-out, and documentation of all corrective/preventive actions.
Employ management of change (MOC) process. Robust MOC processes help ensure that changes affecting compliance (to the facility, operations, personnel, infrastructure, materials, etc.) are reviewed for their impacts on compliance. Compliance should be assured before the changes are made. Failure to do so is one of the most common root causes of noncompliance.
Ensure management involvement and leadership. Set the tone at the top. The Board of Directors and senior executives must set policy, culture, values, expectations, and goals. It is just as important that these individuals are the ones to communicate across the organization, to demonstrate their commitment and leadership, to define an appropriate incentive/disincentive system, and to provide ongoing organizational feedback.
Maintaining Ongoing Compliance
The compliance assurance program must be a living, breathing program. As risks change, the program must be refreshed, refined, and redeployed. A management system framework can help ensure operational sustainability. A management system drives the auditing process and helps companies say what they will do, do what they say and, importantly, verify it.
Together, there is a real value at the intersection of a compliance assurance program and management systems. Management systems define the internal controls that are in place to reduce risks, prevent losses, and sustain and improve performance over time through the Plan-Do-Check-Act (PDCA) cycle of continual improvement.
Testing and Monitoring
Testing, monitoring, and measuring are crucial elements of this cycle. Without them, it is difficult to understand what is working and what needs improvement. Robust testing and monitoring programs can serve as early warning systems for identifying potential compliance risks before they become enforcement issues.
Compliance should be tested and monitored throughout each level of the organization. A strong testing program will evaluate the results of the compliance risk assessment and assign compliance risks to the business units and processes where they are most likely to occur, creating clear lines of responsibility and accountability. Key risks and the related controls should be tested periodically using statistically valid sampling methodologies, and monitoring activities should be performed on an ongoing basis. Doing so produces trend data that provides the rationale needed for making changes to underlying business processes, as well as emerging risks.
Ongoing compliance excellence relies on top management, operations managers, EHS personnel, and individual employees throughout the organization working together to build and sustain an organizational culture that places compliance on par with business performance. Senior management must focus on the overall culture of the company in terms of taking the necessary steps to reduce risk and make prevention part of daily operations. While it may be impossible to eliminate all risk exposure, a solid risk framework, assessment methodology, and compliance assurance program can help to prioritize risks for active management, sustained compliance, and positive business impacts.
About 100 years ago, when nutrition labeling first began in a modest form, the purpose was to provide basic ingredient information about the product to protect the consumer. Fast forward to today and the goal of nutrition labels has grown beyond just protection. Now, those labels are intended to protect and to help guide consumers in their food choices. Labels are designed to provide facts for nutrients that impact common health concerns, such as weight control, diabetes and high blood pressure.
Nutrition Labeling and Education Act (NLEA)
The Nutrition Labeling and Education Act (NLEA) was signed into law in 1990. The Act requires most foods to contain nutrition labeling. In addition, it requires all nutrient content claims (i.e., high fiber, low fat, etc.) and health claims be consistent with Food and Drug Administration (FDA) regulations. Compliance with the nutrition labeling regulations is based on the date the product was labeled, as opposed to the date the product is offered for entry into interstate commerce.
NLEA requires information in the following four areas:
- Nutrition Facts Panel
- Ingredient List
- Allergen Statements
- Nutrition Content Claims
Uniform Compliance Dates
It is not uncommon for FDA to issue regulations that sometimes require changes in food labeling. To minimize the economic impacts of responding separately to each change, in 1996 the FDA introduced the concept of uniform compliance dates. The uniform compliance date establishes a final compliance deadline for all new food labeling requirements that are established within a specific time period. Most recently, the FDA established January 1, 2022, as the uniform compliance date for food labeling regulations that are published on or after January 1, 2019, and on or before December 31, 2020.
Note that the FDA sets compliance dates other than the uniform compliance date, when necessary, such as the final rules for Nutrition Facts labels for packaged foods, as described below.
Nutrition Facts Labels
All foods sold in packages are required to have a food label. On May 27, 2016, the FDA published final rules on the new Nutrition Facts panel for packaged foods to reflect updated scientific information, including the link between diet and chronic diseases (e.g., obesity and heart disease). As mentioned above, this label is intended to help guide consumers in making more informed food choices.
These labels come with their own deadlines that are separate from the uniform compliance dates that FDA has established:
- January 1, 2020 for manufacturers with > $10 million in annual sales
- January 1, 2021 for manufacturers with < $10 million in annual food sales
- July 1, 2021 for manufacturers of single-ingredient sugars, such as honey, maple syrup and certain cranberry products
Nutrition labeling can be complex and confusing, particularly for first-time food manufacturers. There are very specific requirements that must be addressed to remain compliant not only with FDA requirements, but also with many vendors who require verification of labeling compliance as a condition of doing business (e.g., Amazon, Wal-Mart, Costco).
The following label components must be developed and then continually reviewed to identify which labels need further modification and to ensure ongoing compliance:
- Nutrition Facts Panel is included on all packaging in a place where it can easily be seen by consumers. The panel includes the following:
  - Serving size and servings per container, per FDA guidelines
  - Calories per serving
  - Nutrient values of the following:
    - Total fat (saturated and trans fats)
    - Total carbohydrates (dietary fibers and sugars)
    - Vitamin A
    - Vitamin C
- Ingredient List must include all ingredients and sub-ingredients present in the product in the order of predominance by weight in the product.
- Allergen Statements present a high-risk area, as they alert the consumer to the presence of one or more of the top eight allergens:
  - Crustacean shellfish
  - Tree nuts
- Nutrition Content Claims include statements such as low fat, high fiber, low sodium, and can help a company positively market food products. However, these claims must be checked, as each has specific requirements established by the FDA.
In addition, any required instructions for making/preparing the product should be reviewed to ensure they are accurate and properly convey key steps in the process.
At the most basic level, non-compliance can result in products being pulled from store shelves. However, there are other implications to also consider:
- Improper labeling may impact a company’s ability to supply product to larger retailers with specific requirements.
- It can destroy the integrity of a company that makes false product claims or provides inaccurate nutritional information.
- It can result in legal action if inaccuracies present high risks (e.g., allergen statements, nutritional claims).
To ensure compliance, the food manufacturer must assume responsibility for the following, or work with an experienced food labeling consultant who can:
- Keep track of the most current regulatory requirements, as well as uniform compliance dates (and any other established compliance dates).
- Develop product labeling to ensure labels include the required information.
- Regularly review product labeling to identify any modifications to maintain compliance, particularly due to regulatory changes.
- Preserve the integrity of the company by ensuring consumers are provided with accurate information regarding all products.
Kestrel has worked with food manufacturers/producers in most food categories including baking, candy/confection, meats/proteins, specialty foods, grains flavors, and many others to help meet FDA and large product retailer food labeling requirements. Join Kestrel at the PROCESS EXPO, as we discuss this topic and others during our special food safety training courses this October in Chicago.
BY: Stacey Pisani
Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. While they do not necessarily need to be addressed all at once or from the start, considering the eight functions of compliance (as outlined below) when designing a compliance Information Management System (IMS) helps define the starting point and build a vision for the “end point” when planning IMS improvements. These compliance functions translate into modules—facility profiles, employee counts, training tracking, corrective action tracking, auditing tasks, compliance calendars, documents and records management, permit tracking, etc.—that are instrumental in establishing or improving a company’s capability to comply.
8 Functions of Compliance
- Inventory means taking stock of what exists. The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
  - Activities and operations (i.e., what is done: raw material handling, storage, production processes, fueling, transportation, maintenance, facilities and equipment, etc.)
  - Functional/operational roles and responsibilities (i.e., who does what, where, when)
  - Hazardous materials
  - Discharges (operational and stormwater-related)
  - Safety practices
  - Food safety practices
- Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, discharge permits, construction authorization. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
- Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
- Training supports the permits and plans that are in place. It is crucial to train employees to follow the requirements so they can effectively execute their responsibilities and protect themselves, company assets and communities. Training should cover operations, safety, security, environment, and food safety aimed at compliance with regulatory requirements and company standards and procedures.
- Practices in place involve doing what is required to follow the terms of the permits, related plans and regulations. These are the day-to-day actions (regulatory, best management practices, planned procedures, SOPs, and work instructions) that are essential for following the required processes.
- Monitoring & inspections provide compliance checks to ensure locations and operations are functioning within the required limits/parameters and the company is achieving operational effectiveness and performance expectations. This step may include some physical monitoring, sampling, and testing (e.g., emissions, wastewater). There are also certain regulatory compliance requirements for the frequency and types of inspections that must be conducted (e.g., forklift, tanks, secondary containment, outfalls). Beyond regulatory requirements, many companies have internal monitoring/inspection requirements for things like housekeeping, sanitation, and process efficiency.
- Records provide documentation of what has been done related to compliance: current inventories, plans, training, inspections, and monitoring required for a given compliance program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations, particularly since some, like OSHA, have retention cycles for as long as 30
- Reports are a product of the above compliance functions. Reports from ongoing implementation of compliance activities often are required to be filed with regulatory agencies on a regular basis (e.g., monthly, quarterly, semi-annually, annually), depending on the regulation. Reports also may be required when there is an incident, emergency, recall,
Reliable Compliance Performance
Documenting procedures on how to execute these eight functions, along with management oversight and continual review and improvement, are what eventually get integrated into an overarching management system (e.g., environmental, health & safety, food safety, security, quality). The compliance IMS helps create process standardization and, subsequently, consistent and reliable compliance performance.
In addition, completing and organizing/documenting these eight functions of compliance provides the following benefits:
- Helps improve the company’s capability to comply on an ongoing basis
- Establishes compliance practices for when an
- Creates a strong foundation for internal and 3rd-party compliance audits and for answering outside auditors’ questions (agencies, customers, certifying bodies)
- Helps companies know where to look for
- Reduces surprises and unnecessary spending on reactive compliance-related activities
- Informs management’s need to know
- Enhances confidence of others (e.g. regulators, shareholders/investors, insurers, customers), providing evidence of commitment, capability, reliability and consistency in the company’s compliance program