This article is written to meet the following sections of the Standards:

BRCGS Food Safety Issue 85.4.2 Vulnerability assessment
5.4.4 Status verification of raw materials
5.4.1 Provision of knowledge and information
BRCGS Packaging Issue 63.8.2 Vulnerability assessment
3.8.1 Obtaining information
BRCGS Agents & Brokers Issue 34.8.2 Vulnerability assessments
4.8.1 Provision of knowledge and information
BRCGS Storage & Distribution Issue Fraud vulnerability assessment Vulnerability assessment Information
FSSC 22000 Version Identify food defence threats Identify food fraud threats
IFS Food Version 74.20.2* Fraud assessment scope
4.20.3* Monitoring of food fraud
6.2* Food defence scope
6.3 Monitoring of food defence
SQF Edition i) and ii) Methods, responsibilities and criteria Food fraud mitigation plan

The requirements

Identifying threats

The product defence plan must identify threats and vulnerabilities from:

  • Historical evidence.
  • Claims which may make fraud more economically attractive.
  • Supply issues which may make fraud more economically attractive.
  • Theft.
  • Malicious contamination due to sabotage or terrorism.

Assessing vulnerability

The product defence plan must assess the identified threats to establish vulnerability, considering:

  • Materials which are purchased from countries that have less regulation or governance and therefore may be more vulnerable to fraud.
  • Formats which make it easier to hide fraud, such as powdered materials.
  • Complexities and weaknesses in the supply-chain which may provide opportunities for fraud.
  • The ability to identify threats on delivery.


Materials which hold a claim tend to demand a higher value. The assessment must define which are at risk such as claims regarding:

  • Certification.
  • Recycled content.
  • Organic.
  • Provenance.
  • Breed and variety.
  • Protected food name status.
  • Production techniques.
  • Identity preserved.
  • Trademarks.
  • Nutritional health claims.
  • Compositional.
  • Allergenic.

Horizon scanning

A systematic process of horizon scanning must be in place, to identify emerging threats in the upstream supply-chain. Where a new or increased threat is identified, this must be fed into the assessment.


The supply-chain is made up of three pieces:

  • Upstream
  • Internal
  • Downstream

The assessment needs to be completed for upstream, internal, and downstream vulnerabilities.

Scope of custody

Just like you must have a scope for HACCP, a scope for your product defence plan is essential as well. This must detail:

  • The type of threats considered – fraud, sabotage, and terrorism.
  • The extent of your business’ accountabilities and responsibilities.
  • Where physical and financial custody is transferred to your business and then on to the next custodian.


Physical custody is where you have possession of the materials.

Financial custody is where you own the materials.

Upstream scope

The scope of the upstream assessment looks at your suppliers and your suppliers, suppliers. It also considers the parts which you’re accountable for. The upstream aspect is typically known as VACCP or your vulnerability assessment – but we explained in Understanding product defence VACCP doesn’t make any sense and you can’t have a vulnerability assessment without considering threats.


The members of the team which are essential for identifying vulnerable threats upstream are the procurement and the technical roles, as they have the necessary knowledge and experience.


The upstream assessment must look at threats from fraud, sabotage, and terrorism. It must identify vulnerabilities from:

  • Known and plausible threats.
  • Materials which generate a claim.
  • The supply-chain.

Supply-chain mapping

The purpose of supply-chain mapping is to identify vulnerabilities in the supply-chain, back to the point of assurance. The point of assurance is where the authenticity of the material can be assured.

Conducting supply-chain mapping is a complicated and time-consuming process, therefore it’s important to only carry it out where necessary – on threats that you’ve identified as vulnerable.

Become a ninja at identifying vulnerabilities upstream

This article is an overview of the subject of identifying vulnerabilities upstream. If you’re looking to gain in-depth knowledge on this subject, we’d recommend you purchase our eLearning course.

Product defence

Identifying vulnerabilities upstream

Upon completion of this course, you’ll be able to identify vulnerabilities in the upstream supply-chain, ready for assessment. Please note, it’s recommended that you complete the mini training ‘Understanding product defence’ before starting this course.

The course explains the two types of custody, so that you can define in your scope of custody what the business is responsible and accountable for.

Buy the identifying vulnerabilities upstream mini training now

Have your say…

2 thoughts on “Identifying vulnerabilities upstream

    1. Hi Louise
      I’m afraid I don’t know of one. Have you set up a Google alert – they’re pretty good…

Share your thoughts…

Your email address will not be published.