Food Fraud Vulnerability Assessment and Prefilter for FSMA, GFSI and SOX Requirements
By John Spink, Ph.D., and Doug Moyer, Ph.D.
Have you completed your food fraud vulnerability assessment (FFVA) for all types of fraud and all your incoming and outgoing products? For the Food Safety Modernization Act (FSMA), you must address all types of food fraud and identify and address “hazards that require a preventive control.” This article presents recent peer-reviewed research on methods to comply with FSMA, the Global Food Safety Initiative (GFSI) and other food safety requirements and initiatives.
Food Fraud Scope
Food fraud is illegal deception for economic gain using food, including economically motivated adulteration (EMA) defined by the U.S. Food and Drug Administration (FDA) to be a “substance” for “economic gain.” FSMA has been less clear on the terminology since the Preventive Controls-Qualified Individual training added new terms of “economically motivated hazard” and “economically motivated food safety hazard.” The general types of food fraud include adulterant substances, theft, tampering, simulation, diversion or gray market, and intellectual property rights counterfeiting.
Compliance History and Requirements
Although FDA’s current focus is on FSMA, there are several compliance requirements that address all types of global food fraud (Table 1). While strict liability and the Park Doctrine have been in effect, there is a new emphasis on criminal liability for the individuals, not just the company. The FDA Office of Criminal Investigation and the U.S. Department of Justice have publicly stated there will be a focus on criminal prosecution for the corporations as well as the individual.
FSMA Preventive Controls rule: As of September 2016, one significant compliance requirement is for vulnerability assessments that address all types of food fraud, specifically, all “agents” that could lead to a “hazard that requires a preventive control” from an act that is “economically motivated.” Sections of the final FSMA rule specifically mention “theft” and “stolen goods.” Additionally, FSMA does not supersede existing regulations such as the Federal Food, Drug, and Cosmetics Act of 1938 (FD&C Act) but instead augments those requirements. Such requirements that are still in effect are specifically noted in the “Adulterated Foods” and “Misbranded Foods” sections.
Compliance Requirement: Vulnerability assessment and comprehensive protection plan for all types of food fraud
Compliance Date: September 2016
FD&C Act: Since 1938, all types of food fraud have been illegal and unfit for commerce per the “Adulterated Foods” and “Misbranded Foods” sections. The original act refers to “fraud jokesters” and was implemented in part due to a highly publicized diethylene glycol (DEG) poisoning incident. Unfortunately, DEG poisoning is still a problem that was listed in the FDA EMA public meeting in 2009 and a concern for FSMA in 2011.
Compliance Requirement: All types of fraud, including misbranding
Compliance Date: 1938
GFSI Benchmarking Requirement Issue 7: GFSI Issue 7 is scheduled to publish in February 2017 and requires an FFVA for all types of food fraud and a food fraud prevention strategy. GFSI stated the intent and scope in the July 2014 “GFSI Position on Mitigating the Public Health Risk of Food Fraud.” The GFSI Board of Directors endorsed food fraud guidance and the FFVA created by the SSAFE organization.[5] Some GFSI food standards providers—such as the British Retail Consortium (BRC)—included food fraud prevention requirements as far back as July 2015.
Compliance Requirement: All types of food fraud that could lead to a health hazard
Compliance Date: One year after publication of Issue 7 (January 2018); BRC Global Standards compliance has been in effect since July 2015; new requirements for FSSC 22000 were released in December 2016 and will be required by late 2017
Sarbanes-Oxley Act (SOX or Sarbox): SOX financial and securities regulatory requirements have been implemented since 2002 and were expanded with the Dodd-Frank Act of 2010. Public companies (often private companies also) must manage, document and report enterprise-wide risks. There is clear criminal liability not only for the corporation but also for decision makers, including CEOs, CFOs, boards of directors and even board-level auditors. The Committee of the Sponsoring Organizations of the Treadway Commission (COSO) created a management system called enterprise risk management (ERM) that addresses financial risk such as that posed by food fraud events.
Compliance Requirement: Implement internal controls and an integrated framework that manages risk within a risk appetite; publicly report the risks
Compliance Date: 2002
Other significant requirements regarding food fraud prevention are being implemented or are in development by the European Commission, UK and China, as well as by the Codex Alimentarius Commission and the International Standards Organization (ISO). Although no public details are available, ISO 22000 Food Safety Management is reportedly expanding to include food fraud and food defense.
Food Fraud Requirements
The most detailed explanation of food fraud compliance requirements is provided by GFSI. The GFSI position paper on food fraud states:
Food fraud…is deception of consumers using food products, ingredients and packaging for economic gain and includes substitution, unapproved enhancements, misbranding, counterfeiting, stolen goods or others.
Specific GFSI requirements have been provided in advance of the final publication (Figure 1).
ERM and COSO Resources
Fortunately, the food industry does not need to reinvent the wheel to address food fraud. In conjunction with criminology theories that address crime prevention, there are financial and securities management resources already in place. For example, public food companies are already required to have an enterprise-wide system to identify, manage and report risks. One of the most widely adopted systems was created by COSO/ERM,[6,7] such that food safety systems adapt or translate into ERM systems and not the reverse. This means resource-allocation decision making surrounding food fraud prevention is integral to the corporation’s ERM system.
The most important topic for resource-allocation decision making is the concept formally defined by COSO as “risk appetite.” Essentially, this is the maximum risk the stakeholders are expecting from their investment in your company. Every decision across the corporation is assessed in relation to every other decision. Plotting food fraud on the corporate risk map is risk aggregation that allows for comparison with all other enterprise-wide concerns.
There is a hierarchy of systems that begins with the determination of the corporate risk appetite that is managed within an ERM. This is accomplished in two parts: an initial screening assessment [a prefilter, or the first step of “initial screening” in a food fraud initial screening (FFIS) tool] and when needed, a detailed or full assessment (e.g., FFVA per SSAFE guidance; Figure 2). These vulnerability assessments build from food fraud insight. The insight could be from known or suspicious incidents and internal reports. There are other specific tools or models available, including the U.S. Pharmacopeia adulterant-substance vulnerability assessment focused on food ingredients and others addressing all food fraud types such as cargo theft. Market monitoring and horizon scanning are proactive searches that feed into ongoing assessments, as ERM mandates an iterative process.
Food Fraud Initial Screening Tool
ERM risk assessments occur in two stages: a qualitative initial screening followed by a more detailed quantitative assessment.
The following describes a method for the qualitative initial screening, which is the FFIS. The FFIS provides a prefilter or preliminary review of the entire vulnerability. For some decision makers, detailed information may not be needed for an initial review.
From the FFIS article, the ERM Stage 1 qualitative assessment includes:
Step 1 — Define the Scope and Basic Terms: This includes defining “very high” through “very low” for likelihood and consequence. This includes selecting sample or typical ingredients (incoming goods, raw materials) and finished goods (outgoing products) as well as approximately five geographic regions and five product groups. To meet compliance requirements, the assessment must cover all products and all geographies (for example, suppliers and product groups are combined to cover the full spectrum). If any products or geographies are not covered, then the analysis is incomplete and out of compliance.
Step 2 — Incident Review: Gather summarized (or detailed) food fraud incident information (all types) to the level of precision, accuracy and certainty required by the resource-allocation decision maker.
Step 3 — Conduct the Food Fraud Initial Screening (Figure 3): Assess both health hazards and economic impact for the selected ingredients and finished goods.
Step 3A — Health Hazards (Figure 4): Assess health hazards. For compliance with FSMA’s Preventive Controls rule, this would be to identify “hazards that require a preventive control.” This assessment of health hazards provides insight on the overall economic impact. For example, situations with a higher health hazard would probably also lead to a higher economic impact.
Step 3B — Economic Impact (Figure 5): To apply the ERM system, the food fraud vulnerabilities must be presented in economic terms. This is also a compliance requirement for SOX.
Step 4 — Corporate Risk Rank (Figure 6): The fraud opportunities are posted on the corporate risk map and ranked. COSO formally defines this as “risk aggregation.” Here, red and orange cells are defined as unacceptable vulnerabilities because they exceed the corporation’s risk appetite. Yellow cells include vulnerabilities that are of concern but fall within “actively monitor” actions. The blue and green cells are below the risk appetite but still a concern.
The corporate risk map is a common and recognized chart for CFOs and risk managers. The most valuable feature is that a single chart enables all risks to be evaluated against all other risks. This document presents risks that are unacceptable and must be addressed—or at least publicly acknowledged in an annual report—or the risk manager could face criminal liability. For the CFO, this chart is the financial equivalent of your receiving a positive Salmonella test from a certified lab. In short, if you receive such a report, you know you must act on it or you could be fired—or worse.
All types of food fraud can result in enterprise-wide risks, so an ERM system must address all types of vulnerabilities. The model developed in this article addresses the first stage: the FFIS. Companies should utilize the FFIS as a starting point to meet the compliance requirements of FSMA, the FD&C Act, GFSI and SOX. The GFSI Board endorsed the SSAFE FFVA as a logical next step for a more detailed assessment.
For more information, please see the FFIS scholarly article or www.FoodFraud.msu.edu. Other capacity-building training resources include the International Union of Food Science and Technology scientific information bulletin and video on food fraud prevention, food fraud massive open online courses and executive-education short courses.
John Spink, Ph.D., is the director of the Food Fraud Initiative and an assistant professor at the College of Veterinary Medicine at Michigan State University.
Doug Moyer, Ph.D., is an assistant professor in the Program in Public Health at Michigan State University.
8. Spink, J, DC Moyer and C Speier-Pero. 2016. “Introducing the Food Fraud Initial Screening Model (FFIS).” Food Cont 69:306–314.