Elevating Food Safety Using Enterprise Risk Management Principles: A Primer
By Melanie Neumann, J.D., M.Sc., and Martin Wiedmann, Ph.D., D.V.M.
One of the daily challenges for food safety professionals is being viewed as a cost center (or, as the joke goes, the “profit prevention center”). If you are in a food safety role, you know that nothing could be farther from the truth. If we are viewed as “blocking” or “preventing,” it is because our role is much like an offensive line protecting its quarterback—we defend and protect our company’s customers, brands, and bottom line in nearly everything we do. Then why is it so challenging to obtain a meaningful budget to procure the right equipment to protect those key players? Is there another way to position ourselves and our requests for resources to enhance our food safety game?
The short answer is yes. It is an approach called enterprise risk management (ERM). Unbeknown to many, publicly traded companies are required to manage enterprise risks that may have a material impact on their balance sheet or long-term survivability. What higher risk does a food company have than food itself?
You may be asking whether your company should start integrating your food safety management program into your ERM strategy. We will address three questions to help you give ERM the consideration it deserves.
What Is Enterprise Risk Management?
There are several definitions for enterprise risk management, all of which reflect ERM as a vital risk management process.
As alluded to above, for virtually any food company, food safety should be considered one of the leading, if not the top, enterprise risks. But before we can chastise a company for not having food safety at the top of its playbook, we should acknowledge that this tool is relatively new to food companies.
ERM doesn’t have the same shared, industry-adopted, common definition attached to it as Hazard Analysis and Critical Control Points does. This is at least partially because food safety traditionally speaks in terms of managing hazards (e.g., Listeria monocytogenes), not risk (e.g., the risk of a recall due to Listeria). For food safety to get its legitimate place among all enterprise risks, it is important that a food safety team can discuss risk, and one effective way of doing so is to provide estimates of the likely financial impact of food safety incidents. For example, according to a survey administered by the Consumer Brands Association, the average food recall costs $10 million. Have you run a financial simulation to determine what the cost could be to your company on your highest-selling product if you can’t produce it or have to recall it because of a food safety issue? This exercise is particularly important to level the playing field in budget discussions, because the financial impacts of other enterprise risks can often be estimated more easily.
A leader in defining and shaping ERM is a group known as COSO—the Committee of Sponsoring Organizations of the Treadway Commission. In the wake of the financial scandals of 2001 and 2002, COSO created a management system, called ERM, that addresses material financial risk.
COSO describes ERM as:
• An ongoing process
• Applied in strategy setting and across the enterprise
• Designed to identify potential events that, if they occur, will affect the entity in a material way
• A process to manage risk within an organization’s risk appetite
• Providing reasonable assurance regarding the achievement of business objectives
COSO summarizes ERM as:
• A process to assist resource allocation-based decision making designed to identify potential events (risks) that may affect the enterprise; manage risks to fall within the identified risk appetite; and provide reasonable assurances that such risks are being managed and the organization’s objectives are being achieved (metrics) (words in parentheses and emphasis added by the authors).
While there are other working definitions and ERM frameworks, virtually all can be summarized in the following definition that reflects our proposed definition for the food industry: ERM is the discipline, culture, and control structure an organization has in place to continuously improve its risk management capabilities in a changing business and risk environment.
In addition to food safety, other enterprise-level risks are often found to “compete” with food safety for resources and priority. Cybersecurity is a good example of this. If your company is subject to a material data breach or hacked and held hostage by a ransomware attack, this could present a material balance sheet risk to your organization and potentially cripple or even bankrupt your company. Other enterprise-level risks often offer a similar competitive challenge when food safety is vying for finite funds in budget planning and boardroom requests. See “Other ERM Risks in Food Companies” for additional examples.
Why Do Companies Identify and Manage Food Safety Risks as Enterprise-Level Risks?
If you are publicly traded, you need to. If you are privately held, you will still benefit.
Publicly traded food companies may be more familiar with ERM as a consequence of the accounting scandals at Enron, Arthur Andersen, etc., resulting in billions of dollars in corporate and investor losses. More specifically, due to these scandals, the Sarbanes-Oxley Act of 2002 was born (often referred to as “SOX” or “Sarbox”). The act was expanded by the Dodd-Frank Act of 2010.
This regulation requires public companies to manage, document, and report material enterprise-wide risks to their financial health. It deals with financial governance and accountability, including the need for internal controls to reduce these risks, with a goal “to protect investors by improving the accuracy and reliability of corporate disclosures.”
Penalties for noncompliance with SOX are set forth in various SOX sections and can include fines, removal from listings on public stock exchanges, and invalidation of D&O (Directors and Officers) insurance policies. Per Section 906, CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance audit can face fines of $5 million and up to 20 years in jail.
For food companies, examples of specific enterprise risks include highly visible foodborne disease outbreaks linked to a company’s product, food fraud events, and large recalls that may include temporary or permanent facility shutdown. Yet you may still be asking: What food safety risk could rise to the level of an enterprise risk that could materially impact the financial health of a company, to the point it may risk its overall survivability? You may be surprised. See the Listeria case study in the next question.
Ultimately, SOX requires a set of good practices to identify and manage risk. It requires covered companies to identify and disclose material financial risk, to implement internal controls to reduce that risk in an integrated framework that manages risk within the company’s risk appetite, and to report the risks to its board and other impacted stakeholders.
Isn’t this what we do in food safety risk management every day? So, whether your company is public or private, you will benefit from tying food safety risk management with your overall corporate risk management approach to more formally and effectively manage enterprise risks.
How Is ERM Applied to Food Safety?
Very carefully—but do not be intimidated; it’s not rocket science.
As you can see, ERM is both an art and a science. But there is one aspect that is critical to understand. That is, the results of an ERM assessment are relative; each risk should be compared and ranked relative to all other identified enterprise risks.
While a food safety professional may believe that food safety should be at the top of an ERM list, there is the potential that food safety may not be recognized and classified as a top enterprise risk. There may be legitimate reasons for this—for example, if a company produces very low-risk food products, such as canned products or certain dry or low-water-activity products. However, in many cases, a challenge may be that the food safety team may not be able to effectively communicate why food safety is a major enterprise risk. This is at least partially because food safety traditionally manages hazards, not risks. Below is an example of this “hazard” versus “risk” concept with an illustration of how to present a hazard in terms of risk, particularly financial risk.
A Food Safety Enterprise Risk Case Study:
In addition to the general calculations offered regarding recall risk/cost quantification, consider another example of how you can quantify food safety risks in a way that your C-suite will better understand. Let’s say you have identified Listeria spp. in your environment for the first time. As part of your hazard analysis and risk assessment, you determine that the facility is aging, and the area where the environmental samples were taken shows signs of wear, crevices, and cracks that are ripe for microbial growth. You determine infrastructure improvements are needed to reduce the risk of a larger problem. It is likely that in your conversation with the CEO, you may request resources for infrastructure improvements to eliminate Listeria in this part of the facility. This is a classic example of trying to manage a hazard and positioning your request as a hazard, not in terms of risk. A better way to address the same issue with the CEO may be to estimate the risk of a recall, perhaps something like: “With our current aging infrastructure and based on our environmental monitoring program, we estimate that FDA would likely find Listeria in our environment if they were to perform a swab-a-thon; we estimated the chance of a swab-a-thon happening in a given year is 20 percent, the likelihood of a positive sample as 90 percent, and the likelihood of follow-up investigations by FDA leading to a recall as 25 percent; therefore, under our current system, there is an estimated 4.5 percent risk of a recall in a given year (0.2 × 0.9 × 0.25 = 0.045).
Per industry studies, the average cost of a recall is estimated to be $10 million; with a 4.5 percent chance our company could have a recall in a given year, this could be seen as representing an annualized financial risk of $450,000.” Using this as a starting point, one can then estimate the risk reduction that can be achieved by an infrastructure improvement (e.g., reducing this risk of a positive sample from 90 percent to 10 percent, and the likelihood of follow-up investigations by FDA leading to a recall from 25 percent to 10 percent).
Run the numbers; it’s the C-suite’s vocabulary for understanding food safety’s need for resources.
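The case study’s arithmetic, carried through as an added example (not the authors’ own tool): the recall probability is the product of the step probabilities in the event chain, the annualized risk is that probability times the average recall cost, and the difference between the current and improved scenarios is the annual dollar value of the infrastructure improvement. The improved scenario assumes the chance of an FDA swab-a-thon is unchanged at 20 percent, which the article does not state explicitly.

```python
# Added example: annualized financial risk of a recall, modelled as a chain of
# independent event probabilities exactly as in the article's Listeria case study.
from dataclasses import dataclass


@dataclass(frozen=True)
class RecallScenario:
    """Probabilities for each step of the event chain that ends in a recall."""
    name: str
    p_inspection: float   # chance of an FDA swab-a-thon in a given year
    p_positive: float     # chance a swab finds Listeria, given an inspection
    p_recall: float       # chance the follow-up investigation leads to a recall
    cost_per_recall: float = 10_000_000.0  # industry-average recall cost cited in the article

    def recall_probability(self) -> float:
        # The steps are treated as independent, so the annual recall
        # probability is simply the product of the step probabilities.
        return self.p_inspection * self.p_positive * self.p_recall

    def annualized_risk(self) -> float:
        # Expected annual loss in dollars: probability of a recall times its cost.
        return self.recall_probability() * self.cost_per_recall


def risk_reduction(current: "RecallScenario", improved: "RecallScenario") -> float:
    """Annual dollars of risk removed by the improvement; a ceiling on the
    annual spend the improvement can justify on recall risk alone."""
    return current.annualized_risk() - improved.annualized_risk()


# Current state from the article: 20% swab-a-thon, 90% positive, 25% recall.
CURRENT = RecallScenario("aging infrastructure", 0.20, 0.90, 0.25)
# Improved state from the article: positive 90% -> 10%, follow-up recall 25% -> 10%.
# The unchanged 20% inspection probability is an assumption of this example.
IMPROVED = RecallScenario("after infrastructure improvement", 0.20, 0.10, 0.10)

if __name__ == "__main__":
    for s in (CURRENT, IMPROVED):
        print(f"{s.name}: P(recall)={s.recall_probability():.1%}, "
              f"annualized risk=${s.annualized_risk():,.0f}")
    print(f"annual risk reduction: ${risk_reduction(CURRENT, IMPROVED):,.0f}")
```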
There are other examples of financial costs that impact food safety risk prioritization. A few more are listed below (not an exhaustive list):
• Production Downtime (to perform root-cause analysis and corrective actions)
• Product Replacement (producing new, safe product to replace the adulterated product)
• Product Disposition (the costs associated with destroying impacted product; with non-impacted product also being returned or destroyed by your customers)
• Loss of Corporate/Brand Reputation (consumers/customers lose faith, reduce, or cease purchasing impacted product, and worse, non-impacted product)
Leveraging ERM is an extremely effective strategy to ensure an all-hands-on-deck, cross-departmental approach to food safety. It is a tool that creates a “push” and “pull” effect, increasing visibility and importance of food safety from the top down and the bottom up, in turn increasing the likelihood of long-term success of ERM-based food safety management programs.
All this said, ERM is not the magic bullet. It is one tool among many in your food safety toolkit. It also runs a risk of being performed in a manner that stops short of its intended outcome. ERM is a risk management tool. If we stop at identifying and assessing risks without implementing effective controls to manage those risks, and to reduce them to acceptable levels, then ERM is not being optimized.
Enterprise risk management, performed right, is integral to strategy setting and the identification of risk and opportunities to manage it in a way that creates efficiencies and protects enterprise value.
Keep watch for our second and third articles!
A Final Question to Ponder
We leave you with a question to ponder as you finish this article and await the next two articles in this series (the second on the role that testing and advanced testing methods such as whole-genome sequencing play in an ERM approach to food safety, and the third discussing the use of simulations to identify and characterize enterprise-level food safety risks).
It is increasingly recognized that robust food safety programs require a strong food safety culture. If this is the case, can ERM become the tool to help effectuate and indicate behavioral changes needed to enhance food safety culture? As food safety programs become more integrated into ERM programs, will this require the food industry to reevaluate how we define and assess food safety culture? For example, does relative importance and integration of food safety in an ERM program indicate the maturity of a food safety culture? Let us know your thoughts at email@example.com, and a summary of these insights will be shared in subsequent articles in this series.
Melanie Neumann, J.D., M.Sc., is the principal of Neumann Risk Services, a Matrix Sciences Company, and Martin Wiedmann, Ph.D., D.V.M., is the Gellert Family Professor in Food Safety at Cornell University.