As the food industry faces BRCv7, here is my reflection on the new requirements for vulnerability assessments.
I have been privileged recently to meet over 50 technical managers across our customer base, as we held a series of QADEX user forums, to discuss the plans for our new vulnerability assessment module.
It was clear that all food businesses are at various stages of grappling with the new requirements: some are well advanced, with a substantial number of vulnerability assessments completed, and some are still figuring out how best to proceed. But overall, everyone was tentative, for a host of reasons that are beyond the scope of this article.
As I reflected on these conversations I reached a worrying conclusion: that many of the concerns were about avoiding audit non-conformances. As an advocate of both BRC and GFSI standards, for the improvement that they bring to food supply chains, we need to be careful that we don’t lose sight of the reasons why vulnerability assessments have been introduced.
Like it or not we have to do vulnerability assessments!
Whether your motivation is to comply with BRCv7, to meet retailer codes of practice, or for brand protection, the new vulnerability assessments are a fact of life.
The risks are real
It seems as though we hear about another food and drink fraud on a weekly basis: the recent arrests across Europe relating to horse meat, cumin issues, wine fraud… the list goes on and on. Fraud in the food chain has always existed, and will always exist. As long as there are economic opportunities, there will also be criminals taking advantage of them.
Food fraud makes for great media copy
Food-related stories sell papers; they touch every reader and will always get noticed. The ability of any newspaper to select food products at random and send them to a lab to challenge product label claims, or to identify minute levels of cross-contamination somewhere along the chain, presents an almost insurmountable challenge for the industry.
Added to that volatile mixture are two further ingredients: disgruntled employees who become whistleblowers, and the powerhouse of social media, which can take one Facebook or Twitter post and spread it virally in just a few seconds. We have clearly entered a whole new era of brand protection challenges.
Should you be thinking beyond compliance?
You have to do a vulnerability assessment as part of your BRCv7 compliance. But should you also use this opportunity to dig deep into your supply chain, to think like a criminal, to identify where real risks exist, and to work more closely with your purchasing colleagues to mitigate these risks?
Or should you instead write a procedure which complies with the standard, complete vulnerability assessments with everything documented, and present this to the auditor during your audit, to ensure that you do not get a non-conformance? What do you think?
The extra ounce of prevention could well save your business a pound of cure.