This article is written to meet the following sections of the Standards:

BRCGS Food Safety Issue 8: 5.4 Product authenticity, claims and chain of custody
BRCGS Packaging Issue 6: 3.8 Product authenticity, claims and chain of custody
BRCGS Agents & Brokers Issue 3: 4.8 Product authenticity
Storage & Distribution Issue 4: 3.5.3 Product fraud risk management and 10.3.3 Product fraud risk management
FSSC22000 Version Food fraud mitigation
IFS Food Version 7: 4.20 Food fraud
SQF Edition 9: 2.7.2 Food Fraud

Need help with your fraud mitigation plan?

Our product defence eDocs bring the elements of vulnerability assessment, threat assessment, fraud mitigation plan and the security plan together.


What is food fraud?

BRCGS Food Safety defines fraud as:

“Fraudulent and intentional substitution, dilution or addition to a product or raw material, or misrepresentation of the product or material, for the purpose of financial gain, by increasing the apparent value of the product or reducing the cost of its production.”

BRCGS Storage & Distribution defines fraud as:

“Fraudulent and intentional substitution of a product or misrepresentation of the product for financial gain, by increasing the apparent value of the product.”

SQF use the Michigan State University definition:

“The deliberate and intentional substitution, addition, tampering, or misrepresentation of food, food ingredients, feed, or food packaging and/or labelling, product information; or false or misleading statements made about a product for economic gain.”

IFS define fraud as:

“The intentional substitution, mislabelling, adulteration or counterfeiting of food, raw materials or packaging materials placed upon the market for economic gain.”

FSSC22000 use the GFSI definition:

“The deliberate and intentional substitution, addition, tampering or misrepresentation of food, food ingredients, food packaging, labelling, product information or false or misleading statements made about a product for economic gain that could impact consumer health.”

All of the above are fairly similar, although the FSSC (GFSI) definition is interesting, as it talks about consumer health specifically. Fraud doesn’t always mean the food is unsafe; it may just mean it’s not of the specified quality.

The key points to pick out from these definitions are that fraud is:

  1. carried out on purpose
  2. driven by financial gain

How does food fraud apply to packaging?

If you’re a packaging site you’re probably wondering how you’re meant to do a vulnerability assessment for packaging. If you keep in mind the key points from the definitions above; that fraud is carried out on purpose for financial gain, you should be able to start thinking about how that would apply to your product. And then, if you follow the advice provided here, on how to identify your threats – you should be able to work out what threats would apply to your product.

If you produce printed and branded packaging, your packaging may be at risk from theft. Fraudsters may try to steal this packaging, to pack their substandard product into and sell it as the real thing. This is where your vulnerability assessment and your threat assessment may need to come together, as your protection measures for this would require security measures.

If you don’t produce branded packaging, the packaging doesn’t make any claims and there aren’t any known or plausible threats for your packaging – then you may not be able to identify any threats. That’s fine, just make sure you document this and how you came to that conclusion with your justification.

How does food fraud apply to storage and distribution?

If you’re a storage and distribution site, you’re probably thinking ‘we don’t even make product, so how’s this going to apply to us?’ And to some extent you’re right – especially if you don’t trade products and you only store and transport your customers’ products.

This really means that the only vulnerability for fraud is due to theft: if product under your control was stolen and sold on the black market. This means your threat assessment is crucial here and your security measures are what will protect you.

What’s the difference between fraud and product defence?

Here is an excerpt from our book Assessing Threat Vulnerability for Food Defence to help explain…

“The term ‘food defence’ can be interpreted in differing ways and this has created some confusion in the industry. This publication aims to clarify and re-establish how the term ‘food defence’ should be used and to define the elements that make up a food defence assessment.

It is logical to view and use the term ‘food defence’ as an overarching term to describe and encompass all the activities carried out to protect food from threats. Other methodologies use the term food defence to merely focus on sabotage and use the term ‘food fraud’ to cover supply chain threats. However, it is the authors’ view, that this leads to similar issues being managed in different systems or silos and hence a lack of joined-up thinking.

A food defence plan is made up of 3 distinct elements:

  • Food fraud
  • Food terrorism
  • Food sabotage

Food defence

To protect food products, raw materials and processes from threats.

Food fraud

Food fraud is a collective term used to describe the deliberate adulteration or misrepresentation of food, food ingredients or raw materials for financial gain.

Food terrorism

“An act or threat of deliberate contamination of food for human consumption with biological, chemical and physical agents or radio nuclear materials for the purpose of causing injury or death to civilian populations and/or disrupting social, economic or political stability” (World Health Organization. Terrorist Threats to Food: Guidance for Establishing and Strengthening Prevention and Response Systems, Food Safety Issues, Revision May 2008).”

Reference: Assessing Threat Vulnerability for Food Defence, Edition 2 by Kassy Marsh & Adele Adams

Food sabotage

The deliberate destruction, damage or disruption of food products or processes with the intention of causing reputational damage or financial loss.

Food defence diagram

This diagram illustrates the different elements of a food defence plan.

What is VACCP?

VACCP stands for vulnerability and critical control point.

We don’t use this term, as it makes absolutely no sense whatsoever! Critical control points are kept just for HACCP. Which means the only part of VACCP that is important is the V – for vulnerability.

Also, don’t get it mixed up with TACCP.

What’s the difference between food fraud and food crime?

There is no legal definition for food fraud or food crime, but below is Chris Elliott’s interpretation.

Food fraud is an act carried out by fraudsters for financial gain, where the food or food packaging is subject to substitution, dilution or misrepresentation (where it’s labelled as something that it’s not, like a brand name). Food fraud is normally a random act, which is borne out of a particular situation and possibly not meant to be deceptive. For example, a manufacturer may have a lack of raw materials to fulfil an order and so, they may substitute an ingredient to get the order out.

Food fraud becomes food crime, when it is no longer just a random act but is organised by a criminal group, with the intention of being deceptive or to injure.

What are the main types of food fraud or food crime?

Substitution: where part or all of the food is replaced with a lower value substitute. Such as replacing beef with horse, or olive oil with other oils. A recent example is when ground nut shells were added to spices.

Addition: adding a component to increase the value of the overall product. One of the most well-known issues of this kind is when milk in China had melamine added, as melamine when tested looks like protein, meaning a higher protein content milk has a higher value. Another example would be the Sudan dye issues when the colour was added to spices to improve their colour, meaning they had a higher value.

False claims: this is where products are labelled with fraudulent claims that increase their value, such as organic, welfare friendly, fair trade and provenance claims such as country of origin.

What’s the difference between product fraud and product integrity?

One of the retailers in the UK who tend to lead the way when it comes to driving standards took a different approach to the horsemeat scandal. Although they weren’t implicated at all, they didn’t rest on their laurels. They looked at what went wrong, took learnings from it and thought about what could go wrong in the future. This led them to thinking about product integrity.

Product integrity takes the idea of authenticity one step further. It can be defined as “A product that has been produced honestly, following strong moral principles.”

When explaining the difference between fraud and integrity, you need to think about threats first:

A threat is something that is carried out intentionally by someone to cause loss or harm. So, a fraud threat is one where it’s carried out intentionally, to cause loss for financial gain. This can result in the product not conforming with the claims made on pack.

Compare this to integrity, which is:

Caused by an error – which is something that’s done by mistake and is unintentional. An integrity error is where you make a mistake during the production of the product, which means the product doesn’t conform to the claims made on pack.

So, although fraud is linked to integrity, it requires a totally different mindset and that’s why it’s tackled as a completely different topic.

If you’d like to learn more about product integrity, read our ebook Assessing Error Vulnerability for Food Integrity.

Horizon scanning

Horizon scanning is a process of constantly looking out for new information. The idea being, that you then use the information to improve your systems and pre-empt any issues that might be coming your way. A good horizon scanning system will be managed using a well thought out process, which includes information sources and agreed responsibilities for receiving, reviewing and highlighting information for further action.

Information sources

Having information sources that are set up and continuously sending new information to you is key. You don’t have to pay for expensive memberships or systems to do this. Just simple alerts from local authorities and industry bodies are fine.

Twitter is also an amazing source of information, if you pick the right sources. Our favourite is Prof Chris Elliott OBE (who wrote the foreword for our book Assessing Threat Vulnerability for Food Defence).


The aim of the vulnerability assessment

The aim of the vulnerability assessment is to:

  • Identify the pertinent threats of fraud.
  • Risk assess them, to establish which are significant.
  • Apply protection measures to mitigate the threats.


The scope of your vulnerability assessment should explain what is included, and what’s not included. For example, the BRCGS Food Safety Standard only states that you need to include food raw materials in your assessment. Which means, (if you want to) you can state in your scope that you’ll only be looking at vulnerabilities to fraud of your ingredients.

Is there a set way of grouping the raw materials?

No. You can group them whichever way suits you. Just make sure that all raw materials are covered and that the threats associated with specific raw materials in a group are covered.

How to work out what threats to include in your vulnerability assessment

It’s really easy to get overwhelmed if you start thinking about all the things that could possibly go wrong. It’s important to keep your assessment really focused and only include the really pertinent threats, otherwise your assessment could go on forever and you’ll tie yourself up in knots.

When identifying what threats need to be included there are three main areas to consider:

  1. Known and plausible threats.
  2. Threats generated from claims on pack.
  3. Threats from the supply-chain.


1. Known and plausible threats

This is where it’s really easy to get carried away and think of so many things that could go wrong, that you’ll get overwhelmed. Don’t fall into the trap of thinking that you have to put down lots of threats, to get through your audit either. One or two pertinent threats is much better than pages and pages of threats that don’t add any value.

To keep your list of threats focused, work your way through the list of materials or groups of materials and list any threats that have occurred before. These are known threats.

Then work your way through the list again and list all of the plausible threats for each group. Plausible means it’s not happened before, but it’s highly likely that it could.

Be careful here, to not start listing things that are unlikely to occur. It’s important to keep your list of threats focused. You can always (and you should) add more later, as new information is received, and new threats are highlighted to you.

2. Threats generated from claims on pack

Work your way through the list of the products that you produce, listing all the claims that are made on pack, which are generated by a material. This will give you a list of all the claims that are vulnerable to fraud.

3. Supply-chain threats

Learnings from the horsemeat scandal taught us that we have to take the supply-chain into account when looking for vulnerabilities. The longer and more complex the supply-chain the greater the vulnerability.

There were 2 key learnings:

  1. Each time a product changes hands, this increases the risk and therefore makes the product more vulnerable.
  2. There is a key step in the supply-chain where the material is transformed from one that we can visually identify, to a product that can no longer be identified by looking at it.

The horsemeat supply-chain was long and complicated. So complicated – that it became nearly impossible to trace exactly where the product came from and each step in its supply-chain. This complex chain of custody gave fraudsters the opportunity to switch beef for horse, without anyone knowing.

The term ‘chain of custody’ is another term for supply-chain – but it essentially means the change of ownership and responsibility for the product, as it passes through each step (link) of the chain.

You don’t need to do supply-chain mapping for each material, or group of materials. The key is to identify the ‘at-risk’ materials. Which you should have done, when you worked out:

  • Your known and plausible threats.
  • Threats generated from claims on pack.

These are your ‘at-risk’ materials, so these are the ones you need to look at – to determine if there’s a risk to them in your supply-chain.

Supply-chain mapping

If you’re a supplier of a product that’s then used for further processing, you’ll most likely have been asked for supply-chain mapping. There is no right or wrong way of doing supply-chain mapping so it can be either very simple or very complex, depending on the chain of custody. When carrying out supply-chain mapping you need to keep an open mind and document it, in a way which suits the supply-chain. It’s unlikely that you’ll be able to use a standard template to document it every time.

Done properly, it can be an extremely time-consuming task. Therefore, it’s important to be pragmatic and really keep in mind what you’re trying to achieve. The following will help you to do that.

Only ‘at risk’ materials need mapping

Not every material needs to have supply-chain mapping, so only carry mapping out on those that really need it. Assess each material to establish which are ‘at-risk.’ An at-risk raw material is one which has a known threat associated with it, or one where there’s a claim on pack that could be compromised if you were sent the wrong material.

If it can be assured at the back door, supply-chain mapping isn’t necessary

The purpose of supply-chain mapping is to establish what the threats are to the material from the supply-chain. If you can check the material when it’s delivered to you and confirm that it is what it says it is – then supply-chain mapping isn’t necessary.

For example, if you were making Bramley apple pies, the Bramley apples may be at risk, due to the claim of ‘Bramley.’ If the apples are delivered whole and you can check that they are in fact ‘Bramleys’ when they arrive – there’s no need to carry out supply-chain mapping because you can verify that claim at the back door. If the apples arrive pre-prepared (peeled and sliced) you probably wouldn’t be able to tell they’re Bramleys, so supply-chain mapping would be needed.

When is enough, enough?

Knowing how far back in the supply-chain the mapping needs to go – is key. The threat that you’re trying to verify will give you the answer.

For example, let’s take free-range egg mayonnaise. You would need to map back to where the ‘free-range’ egg can be verified. You don’t need to map all the ingredients in the mayonnaise as they don’t add any value to the claim. The egg would need mapping back to the point where the claim can be verified, which would be the farm.

It takes time, so be clear with your expectations

Supply-chain mapping is still new, so nobody has yet gotten used to what is needed or expected. Be clear about what you want to achieve and put together a form that asks all the right questions. When you send this to your supplier, accompany it with some instructions explaining what your aim is, why you need it, what you need them to do and by when.

Review the finished map

Depending on how complicated the supply-chain is, you’re most likely going to have to go backwards and forwards with your supplier to get all the information you need. But once it’s done, it then needs reviewing, so look for weaknesses in the supply-chain.

For example, if you’re mapping down to farm level – is it clear how many farms your product is coming from? Do these farms supply other materials that don’t hold the claim (e.g., does the farm supply ‘free-range’ and ‘non free-range’ eggs?).

  • Are all the farms approved to supply to you?
  • Can you verify which farm your material has come from when it arrives on site, to ensure it’s one of the approved ones?
  • Are there too many farms to manage?
  • Can the number of farms be reduced to reduce the risk?

Assess each map and make a list of threats – these are the threats you then need to put into your vulnerability assessment.

Vulnerability assessment

Once you’ve got your (hopefully short) list of threats, you then need to assess your vulnerability to them. For this you’ll need a method.

We provide a proven method in our book Assessing Threat Vulnerability for Food Defence.

Whatever method you choose, just make sure you document how you’re going to do it and then do it that way – consistently.

The method needs to identify which of your threats is significant enough to require protection measures.

Protection measures

If you’ve been really focused with your identification of threats and have used a good method to determine which of them are significant – you should really only have a few protection measures to apply.

It’s common at this stage, to assign protection measures that are already in place. Such as supplier management procedures – but please think hard about this. Think about what it would feel like if the worst was to happen and this threat really did come true. Imagine it has all come out and is in the media. Imagine you’ve got your customer sitting across the board room table looking at you and your senior management team, expecting an explanation as to how you let this happen. Would the protection measure you’ve identified really give you the justification, that you did everything you could to protect their product?

HACCP, supplier management and fraud

The BRCGS Standards ask for a risk assessment for fraud, and also for one in the HACCP section and in the supplier management section. This doesn’t mean you need to repeat the risk assessment for HACCP and for your supplier raw material risk assessment, as well as doing it for fraud. Repeating information like this will only lead to unnecessary admin and the risk of inconsistencies in the information. Just reference your vulnerability assessment in your HACCP and your supplier management systems instead. But do make sure that, where any protection measures are identified that would need applying by your suppliers (e.g., through contracted transport), you check that your suppliers are doing this as part of the approval process.

Looking back…

It’s important to remember where we’ve come from in the food industry and how we got here, so let’s look at what started the requirement for vulnerability assessments.

The horsemeat scandal

In 2013 the horsemeat scandal changed the food industry, when a Tesco beef burger was found to contain 29% horse meat.

It’s thought that the Tesco supplier had agreed supply of Irish beef, through a European company. Allegedly, the company sourced the beef from Poland, and sent it to Ireland.

Both parties believed the other was at fault. Nobody really knows, because the beef didn’t go directly from Poland to Ireland, but it actually went through lots of other places in between. This meant that the ‘swap’ was untraceable.

At the same time Findus contracted a French company to supply them with beef. This company then subcontracted to another, which was then subcontracted again, and so on. The last subcontractor was a man in Cyprus who never actually saw the meat, but acted as an agent using a mobile phone.

29 people in numerous EU member states were arrested, but no one really knows how long it had been going on.

The driver (or the pressure that caused it) is thought to be the economic downturn in Europe, which meant people who owned horses no longer could afford them. This provided an opportunity for organised criminals who realised that they could purchase horses for just a few Euros each. In addition, many horses went missing.

The Elliott Report

Following the horsemeat scandal, Chris Elliott was contracted by the Government to lead the investigation.

Chris proposed 8 pillars in the Elliott Report: 8 areas for improvement to protect the UK from future food crime. They are:

  1. Consumer first
  2. Zero tolerance
  3. Intelligence gathering
  4. Laboratory tests
  5. Audit
  6. Government support
  7. Leadership
  8. Crisis management

The following details a summary of his findings as explained at a conference in 2016.

1. Consumer first

UK consumers have lost trust in the UK supply chain. A survey showed that 3 months after the horse meat scandal, consumer trust was at its lowest ever – lower than following the BSE or CJD link, even though horse meat didn’t cause any harm. The first pillar of the Elliott Report is that food safety and food crime have to be the priority over everything else.

2. Zero tolerance

A zero tolerance policy has to be adopted. Chris compared this to crime in the USA, when New York used to be the most dangerous city in the US. When the new Mayor took over, she introduced a zero tolerance policy. By doing this she managed to change the mindset of what was acceptable and within 5 years the crime rate was reduced so that it was no longer number 1. Chris said, “Any cheating be it small or trivial must no longer be acceptable.”

3. Intelligence gathering

Information is key. When Chris was carrying out the research for the report, the FSA had a hotline to receive this type of information. In 2012 the FSA received 85 tip-offs. Compare this to the Netherlands where their information gathering system received 120,000 tip-offs in 2012. We need this type of system in the UK, where the information is then collated and analysed to produce between 5 and 10 investigations.

4. Laboratory tests

In the UK we used to have a good public analysis system, which was originally set up due to instances of food fraud. Due to cutbacks in local authorities, the number of laboratories is much reduced, meaning there’s much less surveillance. Chris wants the labs that are left, to come together and work more collaboratively, in order for them to survive.

5. Audit

During Chris’ research the number of audits on manufacturers was the number one complaint. But none of these audits were looking for food fraud. Chris recommended that audits should be moved from announced, to unannounced.

6. Government support

At the time of writing the Elliott Report, there was no one government department that was responsible for food fraud. Therefore, Chris recommended that the government bring their departments together to talk about the UK supply-chain, as no one department can do it on their own.

7. Leadership

The government need to provide leadership in this area, so Chris recommended that a Food Crime Unit be set up. Today, we now have a Food Crime Unit. Andy Morling has been appointed Head of Food Crime and has 25 years’ experience in organised crime, as he used to work for the National Crime Agency.

8. Crisis management

When the horse meat scandal struck, because no one person or department was responsible, no one knew who should deal with it. This is why it took 3 months before the police were even involved and hence why there have been zero prosecutions in this country. Therefore, to be able to tackle the future issues more effectively they must have a plan in place. They must know who’s in charge and what needs to be done.
