In this article we’re going to cover the changes to issue 6, on the site security section, which is now site security and product defence. These changes are in line with the update to the GFSI benchmarking scheme, where product defence now needs to be covered.
The clauses in this part of the standard have either been replaced, amended or there are new ones added, so let’s go through them.
Addition to clause 4.4.1
Your site must have a product defence procedure which includes:
- Horizon scanning
- a threat assessment
- a product defence plan
- a review process.
The threat assessment must assess:
- Threats of malicious contamination and damage
- threats from internal staff and external people
- if security arrangements are sufficient
- threats from different areas on site.
Where significant threats are identified in the threat assessment, a product defence plan must be developed which puts security measures in place to mitigate these threats.
All staff must be trained on site security measures.
The threat assessment must be reviewed when:
- Horizon scanning identifies a threat
- at least annually.
There is also an addition to the training section of the standard, for product defence, which is…
Addition to clause 6.1.2
All relevant staff must be trained on the product defence procedure.
There’s a great deal that’s changed here, so let’s look at what it all means. First of all, the section has been updated from just site security, to site security and product defence, so let’s understand product defence a little bit more.
Definition of product defence
Although BRC haven’t provided a definition in Issue 6 of the packaging standard, the food standard does define it – this is what they define product defence as:
“Procedures adopted to ensure the safety of raw materials and products from malicious contamination or theft.”
Product defence and product authenticity
There is also a new section in Issue 6 for product authenticity, claims and chain of custody, which is all about fraud. The vulnerability assessment for fraud and the threat assessment for product defence are two different (although similar) things, so we need to also be clear on what product fraud is.
Definition of product fraud
In the packaging standard, BRC haven’t provided a definition of what they mean by product fraud or authenticity, but in the food standard BRC define it as:
“Fraudulent and intentional substitution, dilution or addition to a product or raw material, or misrepresentation of the product or material, for the purpose of financial gain, by increasing the apparent value of the product or reducing the cost of its production.”
What drives the assessment?
So, the BRC see the driver for product fraud, to be financial gain. Whereas they see the driver product defence is to cause harm. Whether that be harm to the consumer, your customer or harm to your business.
So what do you need to do?
The BRC have stated that you now need a threat assessment. The threat assessment needs to identify all the threats that could put your product at risk while it’s your responsibility.
What are the start and end points?
Your vulnerability assessment for product fraud will look at risks to your raw materials and traded products before it arrives with you. Whereas the threat assessment for product defence will look at the risks to your product when arrives on site, while it’s on site and also in the delivery step to your customer, if that’s your responsibility, i.e. if it’s your vehicles that deliver the products. If it’s a third party that delivers them, then it’s their responsibility to do this.
What do you have currently?
Currently, you should have your security risk assessment that was in place for Issue 5, so this is the first thing you need to look at. It’s more than likely that this won’t suffice anymore, and it will probably be easier, to start again. If, however, you’ve already got product defence covered in your security risk assessment, to comply with other standards, such as customer COP’s for example, just make sure it complies with the elements that we’re going to talk through.
A threat assessment is a form of risk assessment. So, the first thing that you’ll need is a risk assessment methodology for threats. If you create your own methodology, there are a number of things you need to take into consideration.
- You need to define what impact the threat will have. Typically, in risk assessment you would think about the severity on the consumer and your customer. But, with threats, the consumer or your customer might not be the only target, as some threats (such as sabotage) are aimed at hurting the business. So, it’s a good idea to consider not just the impact on the consumer and customer, but also the impact on your business too.
- Because you can’t always control a threat, i.e. you cannot stop it from happening, you also have to consider the likelihood of someone detecting that it has occurred. This would be where security measures such as seals or tamper evidence packaging would come in. So, it’s a good idea to include detection, or likelihood in your methodology.
- Make sure your risk assessment method provides a result as to whether the threat that you are assessing, is significant or not. As significant threats would need to go forward (like you do in HACCP) to determine if they need special consideration.
Once you’ve got your methodology organised, you’ll need to create a team. Make sure those responsible for product defence, on site and also in the downstream supply chain are on the team, such as technical, HR, operations and logistics. Your team will also need training in the threat assessment procedure and the protective measures, once you agree them.
You need to make sure there are inputs into the threat assessment, either from industry information or from your team. The threat assessment will need input from your information sources. You will need:
- Information sources from HR regarding the employee moral or contractual changes
- information from security on applicable incidents
- information from the logistics department on internal incidents or external industry incidents
- information from quality or technical where applicable complaints or incidents have occurred
- plus, you’ll need external information sources, so you know what’s going on in the industry and any threats that may have an impact on you.
Where new information comes to light which may impact on the threat assessment, someone needs to highlight this to the rest of the team. Agree a process of who is going to receive the external information, how it’s going to be reviewed and who the information should be reported to – if it needs action.
Identify the threats and apply security measures
As a team, map out the process that the materials go through, from the point at which they arrive to the point at which they are delivered to the customer (if it’s your vehicles that deliver your product), or wherever your responsibility ends. At that point, you can then look at what threats are applicable at each stage, using the information sources from your team or from external industry sources. Once you’ve got your list of threats at each point in the process, you can assess them using your threat assessment methodology.
Outputs of the assessment
The threat assessment needs an output; where a threat is deemed to be significant, as a team you’ll need to decide what security measures you’re going to put in place. Note here, that we have said security measures, not control measures. This is because you cannot always control a threat, as you may not always be able to stop it from happening – so you can’t always protect the product. What you can do, is put security measures in place to protect the customer, such as tamper evident packaging or seals on vehicles – so that where a threat has occurred, it can be detected and managed.
Where monitoring is required, this will also need writing into relevant procedures and records.
In order to comply with 4.2.3 external storage and intake points need to be locked. The BRC have clarified that this must apply to packaging as well as raw materials, work in progress materials and finished product.
Ensure that at a minimum, an annual review is scheduled. But make sure that reviews are conducted and recorded as such, whenever new information comes to light that needs consideration.
Finally, make sure that all on-site personnel are trained in the site’s security procedures and an awareness of product defence as a whole.
We have developed a free product defence awareness course, for you to use to train all of your staff on site. It’s very light-hearted and fun, but gets across the really important points about why product defence is important. It only takes a few minutes to complete and you can set up all of your staff on site, so they can do the quick video and take the test – so you’ll be one step closer to being Issue 6 compliant! Our sign up form is below, if you’d like this training for your site.