How to carry out your FDA Vulnerability Assessment…
In order to comply with the proposed Intentional Adulteration Rule, the food defense plan must include:
ACTIONABLE PROCESS STEPS
FOCUSED MITIGATION STRATEGIES
Our methodology provided in Assessing Threat Vulnerability for Food Defence aligns with the requirements of the Intentional Adulteration Rule. I’m going to work through each of the steps in this methodology for you, to help you carry out a vulnerability assessment and then put a food defense plan in place. In this post we’ll go through the requirements for completing the vulnerability assessment and then in the next post, we’ll explain the elements needed to produce the food defense plan.
Our methodology is aligned with the accepted steps of HACCP, so that they are familiar. The following diagram shows the three stages of this methodology (preparatory stage, assessment stage and continuation stage) and each step within each of the stages.
The stages can then be aligned with the FDA requirements for the vulnerability assessment and the food defense plan, as shown below…
The Vulnerability Assessment
In order to ensure that the correct information is fed into the assessment and the required knowledge and experience is available to carry out the assessment, preparation work is required. The steps of the preparation stage are:
- Obtain senior management commitment
- Define the scope of the study
- Select the team
- Construct the process flow diagram and describe the process
- Define the pre-requisites
Obtain senior management commitment
Without genuine management commitment the vulnerability assessment and subsequent food defense plan is at risk of becoming just a paper exercise. It is likely that additional resources will be required to adhere to the results of the food defense plan, whether that be in people and time resource, or due to the requirement for capex spend.
Define the scope of the study
The scope of the study sets out what is going to be included in the assessment and what it not going to be considered.
Food safety threats in the raw materials due to food fraud in the supply chain, for economic gain would not be in the scope, as this must be dealt with within the HARPC plan.
The scope should include threats of intentional adulteration due to:
- acts where attackers intend to cause large-scale public harm
- acts carried out by disgruntled employees, consumers, or competitors
- acts carried out due economically motivated adulteration (non-food safety only)
Select the team
Using a team approach to carry out the vulnerability assessment will mean that the right range of knowledge and experience is involved. The team should include members who may not typically be on a HACCP or food safety team, such as Human Resources (HR) and Security.
Construct the process flow diagram and describe the process
The process flow diagram can be that same as that used for the food safety plan, there is no need to re-invent the wheel. Just ensure that all steps within the businesses control are covered in the process steps, including an off-site storage or distribution of raw materials and finished product.
Define the pre-requisites
Pre-requisites or Good Manufacturing Practices as defined by the FDA may differ from those detailed in a food safety plan. Additional pre-requisite programs such as People Management (to cover HR activities) or Site Security may be required.
Once the preparatory work has been completed, the team are ready to start conducting the assessment. The assessment stages include:
- Establishing & defining the threats
- Assessing the impact
- Assessing the vulnerability
- Calculating the risk score & establishing significance
Establishing & defining the threats
Working through each process step the team should walk the process and detail the threats that are pertinent to each step.
They should ask questions at each step, such as:
- How complex is the raw material supply chain and how many steps does it include?
- Are agents or brokers used?
- Are raw materials and finished product delivered in a sealed vehicle?
- Is access to the site or area restricted?
- Have there been any instances of malicious contamination?
- Are there any lone workers in the area?
- Is CCTV in use?
When detailing the threat, make sure that it includes how the consumer or business will be affected, how the threat could occur and the motivation of the attacker to carry out the threat. This makes it much easier to carry out the risk assessment at the next steps.
Assessing the impact
When assessing the impact, think about the impact that the threat will have both to the consumer and the business. If threats have been pinpointed which are in line with the FDAs requirements, if the threat were to become real would this cause harm to the public, therefore a high risk score would be assigned for impact to the consumer. If public health was impacted due to this threat, think about what impact that would have on the business. Do you think you would recover from it? Once this has been determined assign a score for impact to the business.
Add the impact score to the consumer and the impact score to the business together, to give an overall impact score.
In the methodology we provide a scoring system for impact which you can use and show you how this can be used and documented.
Assessing the vulnerability
Once the impact score has been established, the score for vulnerability should be assessed.
Vulnerability scoring is made up of two parts (like impact was made up of impact to the consumer and impact to the business). Vulnerability is determined by assessing the motivation of the attacker to carry out the threat and the opportunity for the attacker to make the threat real.
Work out the risk rating of the attacker and assign a score. Then assess the opportunity for the attacker to carry out the threat. Is the raw material or the product open at this time? Could the attacker gain access to it? Once this is determine assign a score.
Add the motivation and the vulnerability score together, to give an overall vulnerability score.
Again, in the book we provide the scoring system for vulnerability; we’ve done all the hard work for you, so you don’t have to come up with your own.
Calculating the risk score & establishing significance
Now we have a score for impact and a score for vulnerability.
Next step is to calculate the overall risk score using the impact and the vulnerability scores, in order to establish if they are significant threats. (Significant threats will need actions in the form of protection measures assigning.)
To calculate the overall risk score we multiply the impact and the vulnerability together.
There is an important reason for multiplying these figures: By multiplying the figures we can mitigate any high impact scores if we have a low vulnerability score.
This is because it doesn’t matter how much impact a threat would have, if you have no vulnerability to it. If you have all the controls in place to protect the product, then it is less likely for the threat to become real.