In this article we’re going to cover what’s new in the incidents section of issue 8 and what we need to do about it. There are two changes:

  1. Cyber security has now been added to the incidents section.
  2. The management of recalls and withdrawals.

Cyber crime

Let’s look at cyber crime first. There is an addition to Clause 3.11.1 which states that our incident procedure now needs to include contingency plans for the failure of digital cyber-security. Where products which have been released from the site may be affected by an incident, consideration shall be given to the need to withdraw or recall products.

So, this means that cyber security now needs to be included in your contingency plans. You need to check your incident procedure to make sure that it covers cyber security, and also add it into your contingency plans.


To meet the clause you need to have contingency plans for your emergency situations, one of which is cyber security. This part of the requirements is often forgotten, or not robust enough. We’ve written about this before, so if you would like to know more about emergency situations and how to apply contingency, you can read our previous article.

What you need to do…

For cyber security specifically, let’s look at the sort of things you need to think about. First, think about what you need to implement to protect yourself and prevent a cyber attack; you’ll need your IT department to help you here. Then, if the worst happens and you are hacked, you need to think about how you are going to manage this.

  • Is the data backed up?
  • If it is, how will it be deployed?
  • If the systems are down, how will you carry on production?
  • Do you have manual alternatives that you can use?

Once you have your plan in place, test it and keep testing it routinely, to make sure it works and it’s kept up to date.

Want to hear a story?

You may think that cyber attacks don’t happen and they won’t affect your site, but I’ll tell you a real life story that will scare you!

A site I know was attacked. When the staff came into work one day and started up the computers to log in, they found all of the folders were empty. A message had been left for them in the folders, to say that they needed to pay a ransom to get the files back. This included all of the site’s quality management system documents. It was all gone.

Luckily the site had some of the management system printed out, so they could re-type the procedures and records.  But they had other documents that were only held digitally. Can you imagine what that felt like?  The realisation that all the documentation is gone and there’s nothing you can do about it?

They had a back up though, so they contacted IT and asked them to restore the files. Their IT department said that the back up happened every 24 hours, so they thought they would be ok.  The really unfortunate thing was that the back up only stored one back up.  So, every 24 hours it was overwritten.  And the back up had already overwritten the files.  Therefore, it had backed up the empty files so it was all gone completely.

The site team had to start again from scratch. Can you imagine writing your quality management system from scratch? I really, really felt for them.  Normally you would only check that there is a back up in place.  Why would you think to ask how many back ups are kept, or if they just overwrite each time?  Unless you’re an IT person, I’m not sure you’d know to ask that question.  But you know now, so go and find out from IT!

Withdrawal and recall

There is also an addition to Clause 3.11.2, which means that we:

  1. now need to have a plan to record the timings of key activities when a withdrawal or recall occurs, and
  2. need to carry out root cause analysis on withdrawals and recalls, to prevent them from happening again.

Timings of key activities

So, this means that we now need to record what’s happening and when.  This is a bit like writing a diary during the event.  When a withdrawal or recall happens there can be a lot going on and it’s easy to forget what has been done and when.  Writing a timeline of everything that happens helps you to manage the situation, confirm when things have been done and it will also help you when you come to carry out root cause analysis later.

Your procedure now needs to state that you’ll do this and your records should include a section for this to be documented. Remember, you also need to train your team to make sure they know they need to do this and exactly how you want it recording.


Root cause analysis

This is a theme of issue 8. BRC are really pushing us to make sure that we apply the right preventive actions by using root cause analysis. You need to check your incident procedure to make sure that it states that root cause analysis will be conducted following a withdrawal or recall.

You also need to make sure that you have a root cause analysis procedure that states when you’ll carry it out (and this should state following a withdrawal or recall) and how you’re going to carry out the root cause analysis. We’ve written some articles on this subject.

Because those that carry out root cause analysis now need to be trained to do so, you need to make sure when you’ve written your root cause analysis procedure, that you train anyone who will conduct it. Our new Best Practice Internal Auditing course includes root cause analysis training and we also teach you our Smart Analysis Method – so you’ll know how to conduct root cause analysis step-by-step.

As we also explain the requirements for senior management commitment in this course, we even teach you how to carry out a culture plan. It’s the best internal auditing course out there for sure and we have loads of learning formats for you to choose from, including distance learning, eLearning and also in-house courses for your team.


If you’ve got any stories or learnings you can share about emergency situations and contingency plans, please do share them with everyone, by adding your comments in the reply box below.  Remember you don’t need to give your real name, so nobody needs to know who you are! Your email address will only be seen by me and I won’t share it 😊


One of our lovely readers told me about Outlook Journals – where you can add emails to a journal and it’ll plot it on a timeline for you!  I’ve looked into it and it looks pretty neat!

When you have Outlook open, in the bottom left panel where you see the mail, calendar, contacts and tasks icons, the far right one you’ll see is three dots …

If you press that a pop up will appear – select folders.  You’ll see journals on the left.  I think you just set up journal folders like you would email folders and when an email comes in regarding the recall you file it in that journal.  It’ll then appear on a timeline view here when you select that journal on the left.  Clever!

Have your say…

5 thoughts on “Incidents management in Issue 8 – the changes”

  1. Morning Kassy
    The information you input it is sooooo good and very helpful!
    Thank you for sharing this:-)

  2. Thank you Kassy. Your cyber attack is indeed very scary. I will sure keep that in mind & will share this story with my teams, especially our IT team.

    Here’s one incident that occurred to us during an emergency situation that led to an even worse situation.
    During the crisis, hundreds of us logged on to our network at the same time to gather the information & it crashed.
    IT took hours to resolve the problem while the regulators were impatiently waiting …
    & You can just imagine how the rest of the story went from there.

    1. One thing I would like to add to this is the change to 3.11.4.

      In addition to notifying your certification body in the event of a recall, you must also notify them in the event of a regulatory non-conformance. An example of this would be an enforcement notice from your local authority.

      I have seen a lot of sites receiving non-conformances because the incident management procedure does not include notification within 3 days of a regulatory non-conformance.

      Don’t get caught out!
