Before food can be imported into the U.S., it is subject to FDA inspection. These inspections are intended to ensure food imports are safe, sanitary, and properly labeled. While important in maintaining food safety, this process can be long and onerous. The Voluntary Qualified Importer Program (VQIP) was created by FDA to expedite this process.

What Is VQIP?

In essence, VQIP acts as the “TSA line” for food into the U.S. The voluntary program allows foreign suppliers to get expedited entry for their food products into the U.S., provided importers meet all eligibility criteria, including offering food from a facility certified under FDA’s accredited third-party program (see below).

Why Is VQIP Important?

There are a number of reasons a U.S. importer might choose to participate in VQIP, including the following:

• Enables expedited entry into the U.S. for all foods included in an approved application.
• Limits examination and/or sampling to “for cause” situations in which there is a potential threat to public health; any sampling or examination is done at destination or another location chosen by the importer and laboratory analysis of any samples is expedited.
• Provides assurance that a foreign supplier complies to FSMA rules, avoiding the need to further assess the supplier.
• Incentivizes importers to adopt a robust system of supply chain management.
• Moves any perishable or short shelf-life product through the border quickly.

For foreign suppliers, there are also several benefits:

• Reduces the extra work of proving status as it relates to compliance to FSMA rules.
• Opens doors to new clients by making it easier for a U.S. importer to choose certified products versus a non-certified competitor.

Beyond that, VQIP further benefits public health by allowing FDA to focus its resources on food entries that pose a higher risk to public health.

What Are the Eligibility Requirements?

A company must be a food importer to participate in VQIP (i.e., a person/entity that brings food or causes food to be brought from a foreign country into the U.S.). In addition, the following criteria must be met on the importer and the foreign supplier sides:

• Have 3+ years history of importing food to the U.S.
• Have a Dun & Bradstreet Data Universal Number System (DUNS) number (used as a unique identifier number)
• Use paperless filers/brokers who have received acceptable results during their last FDA Filer Evaluation
• Do not have any food you import subject to detention under an Import Alert or Class 1 recall
• Do not have any ongoing FDA administrative or judicial action, or other history of non-compliance with food safety regulations by the importer, other entities in the supply chain, or food
• Are in compliance with supplier verification and other importer responsibilities under the applicable FSVP or HACCP (i.e., juice, seafood) regulations
• Have not been the subject of any CBP penalties, forfeitures, or sanctions related to the safety or security of any FDA-regulated product imported or offered for import
• Have current facility certification, including farms, issued under FDA’s Accredited Third-Party Certification regulations for each foreign supplier of food in VQIP (see below)
• Develop and implement a Quality Assurance Program (QAP) (see below)

What Is Foreign Supplier Facility Certification?

VQIP is regulated by the FSMA rule on Accredited Third-Party Certification. This is a voluntary, fee-based program for the recognition of third-party auditors to conduct food safety audits and issue certifications of foreign sites and the foods they produce. An accredited third-party can perform audits against the Food, Drug and Cosmetics (FD&C) Act and other FDA applicable regulations, and issue a certificate attesting compliance.

Foreign suppliers must have a facility certification, which would be issued following a regulatory audit conducted by an accredited third-party certification body. This audit attests that the foreign supplier complies with applicable food safety requirements of the FD&C Act and FDA regulations. Note that certifications are not required for Foreign Supplier Verification Program (FSVP) and Preventive Controls rules.

What Is Included in the QAP?

According to the FDA, the VQIP QAP includes all the written policies and procedures the facility will use to ensure adequate control over the safety and security of foods being imported. The QAP should include the following information:

• Corporate quality policy statement relating to food safety and security throughout the supply chain
• Organizational structure, as well as functional responsibilities for those implementing the VQIP QAP
• Food safety policies and procedures to be implemented to ensure food safety from source to entry into the U.S.
• Food defense policies and procedures to ensure compliance with FDA’s intentional adulteration regulation
• Qualification requirements for employees responsible for implementing the VQIP QAP (e.g., knowledge of regulations, understanding of the QAP)
• Procedures for implementing your VQIP QAP
• Procedures for establishing and maintaining records regarding the structure, processes, procedures and implementation of the QAP
• Definitions
• References

How Do I Become Part of VQIP?

Importers must apply between January 1 and May 31 annually to be considered for VQIP. The VQIP fiscal year/benefit period is between October 1 and September 30, following application approval. Participants must submit an application every year; however, you may use data from the previous year’s application.

FDA will conduct a VQIP inspection to verify that you meet all eligibility criteria and have fully implemented food safety and food safety defense systems, as established in your QAP. FDA may also:

• Conduct an FSVP inspection
• Request a copy of food labels for those foods included in the application
• Ask you to submit supporting documentation (e.g., hazard analysis, lab results, food labels)

Additional information on VQIP and the application process can be found on the FDA website.

This is the third in Kestrel’s series of articles about Technology-Enabled Business Solutions.

A decade ago, when “handheld computers” (i.e., smartphones) first became popular, storing appointments and contact information on a portable electronic device was the prime functionality of the smartphone. Convenient? Yes. Robust? Not quite yet.

Mobile technology has clearly come a long way since then. Your smartphone and other mobile devices/tablets are every bit as powerful as any computer you have in the office—perhaps even more so when it comes to collecting real-time data and creating operational efficiencies.

Forms, Checklists, and More

Think about this for a minute…how many forms and checklists do you use in your operations? Maybe it is a daily forklift checklist, near-miss form, behavioral-based safety observation, daily housekeeping checklist, food safety sanitation inspection, hazardous waste inspection checklist, near-miss form, and so on.

What if—instead of taking a clipboard into the plant or field—employees were able to simply pull out a phone, complete the checklist online, and hit submit? What if they were able to do it from anywhere and without any login information? What if management could access the data immediately to run reports and get real-time analytics?

Case Study: There’s an App for That

That is precisely what a large chemical distribution company needed. In the most basic terms, they asked Kestrel to create a mobile form for forklift inspections that would provide:

• Simple electronic access to the forms employees already use daily
• Ability for employees in the field to submit data without logging into the system for ease of use
• Data in CSV format that could be sent immediately via email to management for review/analysis
• Dashboard reporting to show a real-time view of checklist status, outstanding issues, overdue items, and other metrics

By integrating various Office 365 technologies, Kestrel created an app using the company’s familiar forklift inspection form, which can be customized per location. The mobile version allows employees in the field to capture forklift inspection data electronically. The forms are accessible at multiple levels and can be assigned down to an individual location. Importantly, there is no need to log in to submit data, ensuring ease of access and use for all employees. Shortcuts to forms can also easily be added to mobile devices, computers, or other websites for ease of access.

As employees complete the checklists, data is collected and uploaded into the company’s Office 365 compliance information management system (IMS) in real-time. Not only does this eliminate the problems associated with manual data entry and manipulation, it provides real-time access to valuable data. Kestrel has created dashboards that house key metrics on inspections completed and issues identified that are updated immediately and automatically whenever a new checklist is completed. Beyond that, using the simple forklift checklist, we can now automatically create an entire series of events that had traditionally been done manually (e.g., maintenance requests, part orders, inspection requests).

Mobile Technology, Operational Efficiencies

For employees, mobile technology makes completing checklists of almost any type easier and faster in the field. For management, mobile technology takes things a step further by creating operational efficiencies:

• Provides central management of inspection schedule, forms, and other requirements.
• Increases productivity through reductions in prep-time and redundant/manual data entry.
• Improves data access/availability for reporting and planning purposes.
• Allows data to be submitted directly and immediately into SharePoint so it can be reviewed, analyzed, etc. in real time.
• Creates workflow and process automation, including automated notifications to allow for real-time improvements.
• Allows follow-up actions to be assigned and sent to those who need them.
• Integrates with the overall compliance IMS for a comprehensive view of compliance status.

Stay tuned for coming articles in our series, which will continue to dig deeper into functionality, highlight some case studies of Office 365 in action, and tap the insights of Kestrel’s Office 365 developer.

It’s not uncommon to think more is better when it comes to software. It’s also not uncommon for companies to gravitate toward specialty software, whether related to certification support, QEHS compliance, cGMP, food safety, incident management, audits, permit tracking, or any number of other areas.

However, as robust as companies want their information management system to be, a simple and adaptable solution is often a better approach. As the NAEM survey we summarized in our first article in this series stated, some EHS&S software experts are migrating clients away from commercial systems to basic tools such as Microsoft Office 365 and SharePoint, which can be easier to understand, easier to use and navigate, and easier to adapt to ongoing business needs.

Flexibility in the Familiar

Many companies look at software as a silver bullet—a fix for everything. But applying technology to operations isn’t about just finding and buying a software tool. It is about:

• Understanding the business need;
• Customizing and integrating the appropriate tool into existing operations; and
• Deploying it so it is effectively applied.

Information management systems and compliance efficiency tools built on an Office 365 platform offer an adaptable/scalable solution that can meet business and overall compliance needs, while offering the familiarity that encourages employee buy-in.

Robust Functionality

But really, what can Office 365 and SharePoint do? Perhaps surprisingly to many, Office 365 is highly adaptable and, with the right resources, can offer the solutions a company needs to address a plethora of operational and compliance requirements, including the following:

Compliance Management  Many companies—especially those that are not large enough for a dedicated team of full-time staff—struggle with how to effectively resource their regulatory compliance needs. Kestrel’s experience over many years suggests that reliable and effective regulatory compliance is commonly an outcome of consistent and reliable information management system implementation. Office 365 can allow you to more efficiently manage compliance tasks, corrective and preventive actions (CAPAs), and other project activities to ensure you are meeting your compliance requirements. Compliance management components may include:

• Compliance tracking/calendar
• Audit assessment & inspection
• Mobile forms & checklists
• Audit tracking
• Permit management/tracking

Training/Learning Management Having a system that records employee training is critical to compliance, especially to ensure policies, procedures, and work instructions are followed. Office 365 allows for the centralized implementation, management, tracking, scheduling, assignment, and analysis of organizational training efforts. From simply logging and tracking training to creating training plans and generating quizzes, training management ensures that the workforce is knowledgeable and appropriately trained.

Complaint & Issues Management From a quality perspective, it is important to effectively track and manage customer complaints/issues and corresponding follow-up actions, including any resulting nonconformances. Doing so electronically can help you identify and respond to complaints more quickly. With an aligned system, you can also connect nonconformance reports (NCRs) to other systems for CAPA management.

Incident Management Most organizations plan for and continually strive to prevent incidents. Effective incident management provides the opportunity to learn about and improve overall performance. Web-based tools can be particularly helpful in documenting, tracking, and reporting on all incidents and near-misses, including injuries, illnesses, spills, releases, and recalls. What’s better is that this can happen in real-time (thanks to mobile functionality) to ensure compliance with reporting requirements and internal incident management processes.

Document Management Document management is a key tool that will help companies in their efforts to go paperless. However, document management is not only for managing files. A quality document management system can also establish document structure, streamline content creation, create version control, and organize your workflows. Office 365 document management systems are scalable to the organization and designed to store, secure, and ultimately help you make sense of the documents your business uses.

Achieving the Big Picture

By having so many features and applications on a single platform, it is easy to tie them all together into an aligned system and to create multiple functions/uses for the data being collected from so many sources. With an aligned system, achieving the big-picture, desired state (rather than the short-term fix) becomes entirely possible.

This approach offers the following benefits:

• Scalability. Office 365 is scalable to ensure it meets organizational/ business needs, as well as regulatory requirements. Your system can contain the parts and pieces your company needs to operate efficiently and in compliance with regulations, standards, and customer requirements.
• Alignment. The system can be expanded to integrate, connect, and support multiple standards (e.g., ISO, FSSC, SQF, IFS, Responsible Distribution) and/or regulatory requirements. Integration of multiple management systems into a single platform makes management more effective and efficient than when systems operate independently.
• Accessibility. The central, web-based system is accessible from any location. Mobile access and forms allow you to capture data via phones, tablets, or PCs—anytime, anywhere—even in remote locations, where a data connection has not yet been established, or in facilities that do not have consistent wireless connection. Data are automatically synchronized when a connection is made and stored in the Cloud to improve data access/availability, generate real-time analytics, and create workflow and process automation.
• Measurement. Data can be collected and compiled for review and analysis, as well as more sophisticated predictive analytics. Dashboards and reporting capabilities provide insights into system health, operational results, and business performance for senior management. A standardized approach for reporting further creates accountability and ongoing performance monitoring and measurement.
• Easy Adoption. Building off a common Microsoft platform allows for easier adoption due to its familiarity. It also limits the number of solutions, software, and systems needed by a company, as well as the extra fees associated with additional software, such as license, user, and change fees.

The ultimate responsibility for food safety lies with food service providers and their ability to develop and maintain effective food safety management systems. Currently, there is a shift in the emphasis of hazard analysis and preventive controls related to both Process Safety Management (PSM) and Hazard Analysis and Critical Control Points (HACCP). This is of particular concern for the food industry, where many regulations include both EHS and food safety requirements.

Many food operations fall under both PSM and HACCP requirements. In general, PSM is bulk chemical-centric for food operations, while HACCP is food safety risk-centric for maintaining food purity. (Common chemicals subject to both include anhydrous ammonia for cooling and chlorine for sanitation of product and processes. In addition, many large food processing types include process aids at levels under PSM.)

Changing regulations and the increased emphasis on hazard analysis require the food industry to develop well-documented and managed programs that address both PSM and HACCP using common approaches:

• Better use of organizational resources
• Standard programs
• Training efficiency and effectiveness
• Shared knowledge and approaches
• More effective and aligned hazard analysis management

About PSM

PSM is a key risk management practice that must be implemented for qualifying plants. PSM is covered in the recent Executive Order focused on modernization of high-risk sites and, as a result, is under greater scrutiny with regulator focus and recent events. While PSM is a highly visible requirement, it is currently not widely inspected and reviewed—though that may be changing. PSM generally entails a more event-driven inspection by interested parties other than the company. As a growing area of focus and concern, PSM will require plants to reassess and, potentially, update systems and operations to meet requirements.

About HACCP

HACCP, on the other hand, is widely implemented for food processing and is expanding with high visibility. HACCP is the historic requirement providing the accepted food safety plan for some food industries. HACCP is rapidly being advanced with FSMA and GFSI-level requirements, but requirements have not been fully established based on FSMA rulemaking. The complexity of programs is rapidly increasing, while the level of food industry sectors is expanding to include all food contact, packaging, GRAS, and distribution and transportation companies.

Hazard Analysis Methods

The hazard analysis methods under PSM and HACCP are similar but different:

• Process Hazard Analysis (PHA) is associated with high-risk chemicals or materials, and is required for compliance with PSM. A PHA is designed to protect people and the environment from specific hazards. PHA methods vary based on an organization’s determination of the best method for their situation. These methods are directed to the overall process and operating condition by the process step. PHA focuses largely on equipment, instrumentation, utilities, human actions, and external factors that might impact the process. It involves an organized, systematic analysis of potential hazards to improve safety and reduce the potential consequences of those hazards.
• Hazard Analysis and Preventive Control (HAPC) is associated with food safety risk under Hazard Analysis and Risk-based Preventive Controls (HARPC) and is an aspect of HACCP. HAPC is a growing regulatory compliance requirement related to food safety plans (FDA and USDA) that focuses on process, equipment, contamination, procedures, and control points. HAPC involves an organized and systematic analysis of potential risks to food and food materials to improve the purity of food during processing/handling by reducing contamination.

PHA and HAPC are required for facilities, as determined by the regulations, and include the following common requirements:

• Develop preventive control plan
• Perform hazard analysis for foreseeable hazards (written)
• Conduct “what-if” scenarios, rating, and ranking
• Identify and implement preventive controls, as well as intentional hazards and controls

Under both PSM and HACCP, all plans and records may be subject to inspections. Failures to act may be interpreted as willful non-conformance or probable cause for expanded inspection.

Additional Requirements

Companies subject to PSM and HACCP need to consider other related regulatory requirements, as well. This relationship in itself is key under GFSI.

• Records
  • Maintain evidence
  • Conduct development programs and hazard analysis adequately
  • Establish programs to ensure preventive controls
  • Conduct training
  • Validate and verify programs, completed forms
  • Record all key information relevant periods
• Inspections
  • PSM-level inspections can be part of incident follow-up or planned OSHA or NEP inspections; there is state registering of PSM inspections.
  • HACCP will be part of mandatory FDA inspections, by any qualified agency to FSMA, and required under GFSI; customers may also require HACCP as part of their supplier programs.
• Cleanup and Catch-up
  • Monitor effectiveness
  • Establish corrective actions
  • Verify programs and preventive controls
  • Monitor and support SOPs/GMPs
  • Diligently follow and record Management of Change (MOC)

In addition, hazardous materials and communication are key for both EHS and FDA, as well as areas like air quality, water quality, sanitation, and blood borne pathogen/bodily fluids.

The Right Resources

A higher level of compliance requires plans to be reassessed and, subsequently, the resources to reassess them. For many, once programs are developed, they are put into “maintain” mode. Historical knowledge isn’t captured or is lost to turnover.

Beyond that, PSM and HACCP both require that “qualified individuals” develop and manage these systems. Qualified individuals include a designated lead with certain experience and qualifications, as outlined in the requirements. Availability of resources is almost always an issue, as maintaining systems with just one person is very difficult, especially given organizational change.

Keeping qualified resources at the proper certification is difficult. New employees are now typically required to provide both oversight and operational capability. The mix of education, work experience, and certification are all important. The growing approach is to maintain teams with alternates to supplement the leads and to provide coverage for all situations, including daily/weekly schedules. This is an area that must be continually monitored and subjected to corrective action.

Alignment Strategy

The following tips will help to effectively align PSM and HACCP programs and strategies, and provide for efficient compliance with both regulatory programs:

• Establish plans to assess existing programs
• Apply continuous improvement (Plan-Do-Check-Act)
• Take inventory of qualified resources
• Align qualified personnel to PSM and HACCP teams
• Use a sub-team approach to ensure the necessary level of participation and backup
• Maintain multi-year strategy, planning, and training
• Establish a cleanup and catch-up approach for hazard analysis activities to move forward
• Use continuous improvement to maintain validated and verified programs

The Global Food Safety Initiative (GFSI) relies on a number of benchmarked schemes to establish food safety requirements; all are designed to ensure the quality and safety of a company’s products. In order to become certified to one of these GFSI-recognized schemes, a company must undergo a third-party audit by a certified auditor. Kestrel’s experience conducting these audits has revealed that companies who successfully achieve certification demonstrate a number of common attributes—regardless of their chosen scheme:

1. Corrective and preventive actions are up-to-date and current.
2. Continuous improvement/root cause analysis process is in place to make ongoing improvements and to ensure final resolutions to all out-of-control issues or non-conformances to the Food Safety Program.
3. Premises, facility, and building programs are established and operating, including controls, signage, direction, job training, and physical evidence of a fully implemented Food Safety Program.
4. Preventive maintenance system links scheduled maintenance to Hazard Analysis & Critical Control Points (HACCP) critical equipment monitoring requirements.
5. Approved materials and process specifications are managed and controlled.
6. Product identification and traceability processes are in place, including complete records detailing all activities for the production of food product.
7. Document management and control program is updated, validated, and maintained. Developing program management systems helps ensure compliance with document management and control.
8. Food safety program updates and management are completed through annual and multi-year planning for maintaining the Food Safety Program, including management of change, management review, approvals, and internal audit.
9. Records and verification management systems provide access to supporting data, as determined by FDA/FSMA and company programs.
10. Data management of food safety records outlines processes for assuring prompt or immediate access to critical records, as needed, for audit, compliance, or regulatory purposes.

This is the first in KTL’s series of articles about Technology-Enabled Business Solutions.

It goes without saying that change is hard. Even positive change for the better is not without challenges. Change when it comes to Information Technology (IT)/software systems can be flat out painful because of the significant investments of time, money, and resources required. That is why many companies choose to avoid making a change until absolutely necessary.   

How do you know when that time has come? How do you know when you are investing more in your compliance Information Management System (IMS) than you are getting out of it? What are those hot buttons that drive companies to seek a system change? And when seeking a new compliance IMS, what do you look for to ensure it will meet your business needs? 

Why Companies Seek New Systems

According to a March 2019 survey conducted by the National Association for EHS&S Managers (NAEM) entitled Why Companies Replace Their EHS&S Software Systems, the following is the rank order of key reasons why companies seek a new IMS:

• Current system doesn’t perform as advertised.
• New business objective(s) aren’t supported by the current system.
• Current system costs too much to maintain.
• Current system doesn’t integrate well with other business IT systems.
• Platform being used has changed.

Criteria for New Systems

These reasons tie directly to what companies in the NAEM survey say are the most important criteria when shopping for a new software system:

Let’s review a few of these top criteria and why they are so important in any decisions made about implementing a new compliance IMS. We will dig deeper into these reasons throughout our series of articles on compliance information management solutions. 

Integration
As indicated by the NAEM survey, it can be a real challenge to integrate technology, whether it is with hardware, other compliance/certification software, ERP software, global systems, legacy systems, human resources systems, financial/inventory systems, etc. When it comes to having multiple systems, it’s not that you necessarily need one system to manage every business function. However, you do need your systems to talk. Lack of integration can contribute to duplication of effort, data inaccuracy, and business inefficiencies across multiple departmental functions.

Real-Time Metrics Tracking/Mobile Accessibility
With today’s technology, we are accustomed to instant gratification. There should be no reason why your IMS cannot provide that when it comes to real-time metrics tracking. Mobile accessibility allows for data to be collected on-the-go rather than re-entering information from the field back in the office. Data can be collected and compiled in real-time for review and analysis, as well as more sophisticated predictive analytics. Dashboards and reporting capabilities provide insights into system health, operational results, and business performance for senior management. A standardized approach for reporting further creates accountability and ongoing performance monitoring and measurement.

User Friendliness
What does it mean to be user friendly? Is that focused on the end user entering data in the field? Does it pertain to management who is reading reports and metrics? Are we talking about the system administrator? A truly user-friendly system will be something that meets the needs of all parties. If employees are frustrated by lack of understanding, if the system isn’t intuitive enough, if it is hard to put data in or get metrics out, the system will hold little value. In fact, according to NAEM, if a system isn’t user-friendly, employees may end up using workarounds that create more inefficiencies and inaccuracies. 

Customization, Updates & Maintenance Costs
Perhaps the functionality was oversold, perhaps the system cannot handle your data in the ways you anticipated, perhaps the solution you need requires additional customization that you did not anticipate. Whatever the case, not getting what you paid for is an exercise in frustration and a waste of resources. Business priorities and objectives change. If your system cannot adapt to these changes, users will fail to engage, and it will become obsolete. At the same time, if you continually seek customization, it can come at a price—not just for the customization but for the expertise required to maintain a customized solution. Customization can quickly become a money pit that you cannot climb out of. The key is to find an IMS that is simple and adaptable to respond to business changes. 

Simple Solution

It’s not uncommon to think more is better when it comes to software. However, as robust as most companies want their compliance IMS to be, a simple and adaptable solution is often the best approach. According to the NAEM survey, some software experts are helping to migrate clients away from commercial systems to basic tools such as Microsoft Office 365 and SharePoint, which can be easier to understand, easier to use and navigate, and easier to adapt to ongoing business needs.  

The next article in our series will explore the idea of going back to basics and leveraging familiar tools like Office 365 to meet compliance IMS and overall business needs. 

A management system is the organizing framework that enables companies to achieve and sustain their operational and business objectives through a process of continuous improvement. A management system is designed to identify and manage risks—safety, environmental, quality, business continuity, food safety (and many others)—through an organized set of policies, procedures, practices, and resources that guide the enterprise and its activities to maximize business value.

The management system addresses:

• What is done and why
• How it is done and by whom
• How well it is being done
• How it is maintained and reviewed
• How it can be improved

Creating an Effective and Valuable Management System

Each company’s management system reflects its unique culture, vision, and values. To be effective and valuable, the management system must be tailored and focused on how it can enhance the business performance of the organization. It must also be:

• Useful to people in the operations
• Intuitive—organized the way operations people think
• Flexible—making use of methods and tools as they are developed and documented
• Valuable from the outset—addressing the most critical risks and processes
• Linked to the business of the business (not “pasted on”), with ownership at the operational level
• A means to better align operational quality, safety, and environment with the business

Attributes of an effective management system are senior management expectations and guidance coupled with employee engagement. Importantly, a management system involves a continual cycle of planning, implementing, reviewing, and improving the way in which safety, quality, and environmental obligations and objectives are met. In its simplest form, this involves implementing the Plan, Do, Check, Act/Adjust (P-D-C-A) cycle for continuous improvement.

Auditing for Ongoing Compliance

The connection between management systems and compliance is vital in avoiding recurring compliance issues and in reducing variation in compliance performance. In fact, reliable and effective regulatory compliance is commonly an outcome of consistent and reliable implementation of a management system.

Conducting periodic audits is a practical way to test a management system’s implementation maturity and effectiveness. One of the many advantages of audits is that they help identify gaps so that corrective/preventive actions can be put into place and then sustained and improved through the management system.

Audits also help companies with continuous improvement initiatives; properly developed audit programs help measure results over time. To achieve best value, audits should emphasize finding patterns that can yield opportunities for learning and continual improvement, rather than “gotchas” for exceptions that are discovered.

Management System Standards

Several options are available for structuring management systems, whether they are certified by third-party registrars and auditors, self-certified, or used as internal guidance and for potential certification readiness.

The International Organization for Standardization (ISO) standards are some of the most commonly applied. The ISO standards for quality (ISO 9001), environment (ISO 14001), health & safety (OHSAS 18001), business continuity (ISO 22301), and food safety (FSSC 22000) have consistent elements, allowing organizations to more easily align their various management systems. Aligned management systems help companies to achieve improved and more reliable quality, environmental, and health & safety performance, while adding measurable business value.

Certification

Companies can become certified to each of the standards discussed above. Certification has a number of benefits, including the following:

• Meet customer or supply chain requirements
• Use outside drivers to maintain management system process discipline (e.g., periodic risk assessment, document management, compliance evaluation, internal audits, management review)
• Take advantage of third-party assessment and recommendations
• Improve standing with regulatory agencies (e.g., USEPA, OSHA, FDA, and state programs)
• Demonstrate the application of industry best practice in the event of incidents/accidents requiring defense of practices

However, if there is no market or other business driver, certification can lead to unnecessary additional cost and effort regarding management system development. Certification in itself does not mean improved performance—management system structure, operation, and management commitment determine that.

Business Value

There are a number of reasons to implement a management system. A properly designed and implemented management system brings value to organizations in a number of ways:

• Risk management
  • Identify risks
  • Set priorities for improvement, measurement, and reporting
  • Provide great opportunity to identify, share, and learn best practices, while recognizing operational differences
• Protection of people
  • Send people home the way they arrived at work
  • Protect the public and the environment
• Compliance assurance
  • Improve and sustain regulatory compliance
• Business value
  • Continually improve quality, environmental, and safety performance across the organization (employee, public, equipment, infrastructure)
  • Reduce incident costs and accrued liabilities
  • Protect assets
• Reliability
  • Assure processes, methods, and practices are in place, documented, and consistently applied
  • Reduce variability in processes and performance
• Employee engagement
  • Help employees to find and use current versions of all procedures and documents
  • Provide a ready reference for field management to structure location-specific procedures
  • Enable the effective transfer of standards, methods, and know-how in employee training, new job assignments, and promotions

A recent episode of The Daily, a podcast from The New York Times, discussed the safety culture of the Boeing manufacturing plant in Charleston, South Carolina—the plant that builds the 737 MAX 8, the aircraft involved in two fatal crashes worldwide in the last six months.

Concerns About Culture

The Boeing 737 MAX 8 was grounded by the FAA on March 11, 2019 amid concerns that recently introduced flight control software contributed to both crashes. The subsequent scrutiny on the company brought attention to the safety culture of the Charleston plant.

Interviews in the podcast suggest common characteristics of a negative safety culture were present at Boeing. For example, there was reportedly significant pressure to meet production deadlines, including financial incentives for meeting hourly production goals. Some managers allegedly took defective parts and installed them on aircraft to meet these deadlines. One such incident described on the podcast episode included an attempt to rub off the red paint that is applied to defective parts to prevent installation. Related to defective parts, managers were reportedly pressured to reduce the number of parts damaged by employees during manufacturing. A former quality manager interviewed in the episode alleges that this pressure led to damaged parts being installed rather than reported to management or quality control.

Safety culture is often defined informally as “the way we do things around here” when it comes to safety practices. Essentially, safety culture is the product of the shared values, beliefs, norms, and organizational practices in a company about working safely. An organization’s safety culture is ultimately reflected in the way safety is managed in the workplace. The culture breaks down when the disregard for safety becomes “management practice.”

Characteristics of a Strong Safety Culture

A strong safety culture has several characteristics in common. Kestrel’s research into the topic of safety culture has identified two traits that are particularly important to an effective safety culture: leadership and employee engagement. Best-in-class safety cultures have robust systems in place to ensure that each of these traits, among others, is mature, well-functioning, and fully ingrained into the standard practices of the organization.

Organizations with strong safety cultures typically exhibit many of the following attributes:

• Communication. Communication is most effective when it comprises a combination of top-down and bottom-up interaction. Senior management sets the strategic goals and vision for the company’s safety program. It is vital that all levels of management (senior, middle, supervisory) communicate the strategy clearly to the workers who carry out the company’s mission. It is equally important that workers provide feedback on a practical level about what’s working and what’s not.
• Commitment. When it comes to safety, actions truly speak louder than words. A lack of commitment, as demonstrated by action (or lack thereof), comes across loud and clear to staff. For example, requiring staff to work excessive hours or use defective parts to meet productivity goals sends a clear message that productivity is more important than safety.
• Caring. Caring is about doing whatever is necessary to ensure employees return home safely every night. It involves showing concern for the personal safety of individuals, not just making a commitment to the overall idea of safety.
• Cooperation. Safety works best if management and workers are on the same team. Cooperation means working together to develop a strong safety program (e.g., management involving line workers in creating safety policies and procedures). It means management seeks feedback from workers about safety issues—and uses that feedback to make improvements. And it means there is no blame when incidents occur.
• Coaching. Coaching each other—peer to peer, supervisor to employee, even employee to management—is an important way to keep everyone on track. Coaching involves non-judgmentally providing feedback for improvements and, correspondingly, accepting and incorporating that feedback as constructive criticism.
• Procedures. There should be documented, clear procedures for every task. This not only prevents disagreement about what is required, it also shows commitment when things are put in writing. Procedures should be designed jointly by management and workers for practicality and to encourage improved cooperation, communication, and buy-in.
• Training. Training is a more formal, documented process for ensuring that employees follow safety processes and procedures. Formal training should happen frequently enough for employees to feel prepared to safely do their jobs.
• Tools. All equipment and tools should be in good repair, free of debris, and functioning as designed. Inadequate tools directly impact safety/protection and indirectly impact perception of management commitment. Boeing’s alleged practices send a clear message that safety is not as important as productivity.
• Personnel. There must be enough workers to do each task safely. The company should not sacrifice individual safety because of being understaffed (i.e., requiring shortcuts/overtime to meet production goals).
• Trust. Trust in the safety program, in senior management, and in each other is built when each of these characteristics is present and treated as a company-wide priority.

Benefits of a Best-in-Class Safety Culture

Strong safety performance is a cornerstone of any business. When these characteristics come together to create a best-in-class safety culture, everyone wins:

• Fewer accidents, losses, and disruptions
• Improved employee morale
• Increased productivity
• Lower workers compensation and insurance claims
• Improved compliance with OSHA regulations
• Improved reputation to attract new customers and employees and retain existing ones
• Better brand and shareholder value

When business is disrupted, the costs can be substantial. Unfortunately, every organization is at risk from potential operational disruptions—natural disasters, fire, sabotage, information technology (IT) viruses, data loss, acts of violence. Recent world events have further challenged organizations to prepare to manage previously unthinkable situations that may threaten the future of the business.

Securing Company Assets

This goes beyond the mere Emergency Response Plan or disaster recovery activities that have been previously implemented. Organizations must now engage in a more comprehensive process to secure their companies’ assets (e.g., people, technology, products, and services). Today’s threats require implementation of an ongoing, interactive process that assures the continuation of the organization’s core business activities and data center(s) before, during, and, most importantly, after a major crisis event.

Creating a Resilient Organization

Business continuity planning helps ensure that companies have the resources and information needed to maintain service, reliability, and resiliency under adverse conditions. While companies can’t plan for everything, they can take steps to understand and effectively manage events that might compromise their products/services, supply chain, quality, security, and future as an organization.

A Business Continuity Plan ensures that all involved parties understand who makes decisions, how the decisions are implemented, and what the roles and responsibilities of participants are when an incident occurs. Through business continuity planning, companies are able to:

• IDENTIFY the human, property, and operational impacts of potential business threats
• EVALUATE the potential severity of associated risks
• ESTIMATE the likelihood of business threats occurring
• CREATE timelines for restoration and strategies that proactively mitigate the most pressing business threats, take advantage of opportunities that lie ahead, and provide for a more resilient and sustainable future

Systematic Approach

A sound Business Continuity Program relies on a systematic approach to identify and critically evaluate risks/opportunities, as outlined below. This approach broadens the scope of issues beyond mere emergency response and allows companies to budget for and secure the necessary resources to support critical business activities before, during, and after a major crisis event. Ultimately, following this process helps companies to stay in business through a time of crisis.

Sustaining Business for the Long Term

Sustainability is about staying in business for the long term, and today, business continuity is key to sustaining business over time. That is because a well-developed and implemented Business Continuity Plan:

• Keeps employees and the community safe when an incident occurs
• Protects the organization’s important assets (e.g., people, technology, products, services)
• Reduces disruption to critical functions in order to limit financial impacts due to loss of product/service
• Reduces adverse publicity, loss of credibility, and loss of customers
• Reduces legal liability and regulatory exposure
• Reduces the risk of losing critical business data (e.g., historical, operational, customer, regulatory compliance)
• Provides for an orderly and timely recovery by allowing critical decisions to be made in a non-crisis mode
• Helps companies mitigate risks and focus on the future

*****
Guiding Standards

ISO 22301: Societal Security – Business Continuity Management Systems is specifically designed to help organizations protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise. Like other ISO standards, ISO 22301 applies the Plan-Do-Check-Act/Adjust model to developing, implementing, and continually improving a Business Continuity Management System. Following this internationally recognized standard allows organizations to leverage their existing management systems and ensure consistency with any other ISO management system standards that may already be in place (e.g., ISO 14001 – environment, ISO 9001 – quality, ISO 45001 – safety, ISO 22000 – food safety).

The American Society for Industrial Security (ASIS) Business Continuity Management System Standard, National Fire Protection Association (NFPA) 1600: Standard on Disaster/Emergency Management and Business Continuity Programs, and Office of the Comptroller of the Currency (OCC) federal banking requirements for business continuity provide further industry-specific guidance on business continuity management.

Today’s business managers face greater complexities than ever when it comes to making business decisions. For every business decision, there are a number of factors that impact the associated risks. Fortunately, the use of statistics, predictive analytics, and data mining has become increasingly useful in taking the “gut feel” out of making important and often complex business decisions.

Data-Driven Decisions

Most people are familiar with common descriptive statistical techniques, like measures of central tendency (e.g., mean, median, mode) or variability (e.g., interquartile range, standard deviation). More advanced data mining and predictive analytical techniques are increasingly being used to explore and investigate past performance to gain insight for future business decision making.

Data mining draws on large amounts of data to identify patterns, which are often classified as opportunities or risks. Predictive analytics encompasses a variety of statistical techniques that are used to analyze historical data to predict the most probable future events. A few examples of these include the following:

• Discriminant Analysis – a machine learning model where a computer program “learns” a pre-existing data set that includes attributes and outcomes for each individual, and then predicts probable outcomes for individuals in the new data set based on attributes.
• Linear Regression – creates an equation so that one variable can be predicted based on the known values of other variables.
• Logistic Regression – a machine learning model where a computer program “learns” a pre-existing data set that includes attributes and a binary (“yes/no”) outcome for each individual, then predicts “yes/no” outcome for each individual in a new data set, along with a probability associated with the decision.
• Decision trees – machine learning model where a computer program “learns” a pre-existing data set that includes attributes and outcomes (not necessarily binary) for each individual, then predicts outcomes for each individual in a new data set, along with confidence in the decision; also identifies the attributes that are most helpful for making predictions (i.e., those that are best able to discriminate between outcomes).
• Neural networks – similar to decision tree, but more effective if finding the connections between attributes is a concern.

Together, this information can help decision makers to predict the outcome(s) of a decision before it is made—and make smarter decisions based on data instead of gut feelings. The following case studies demonstrate the value that statistics provide when it comes to making important business decisions.

Case Study: Wildfire Risk Index

For a large transportation organization, wildfires have historically presented a unique challenge. The company has worked diligently over the past several years to control its fire risk through research and a number of assessments. To help further minimize the wildfire risk, the company turned to past data and is working with Kestrel to develop a comprehensive Wildfire Risk Index to:

1. Quantify the operational risks of wildfires (i.e., identify environmental conditions, determine areas of concern)
2. Make informed business decisions to help minimize identified risks

Creating the Index requires a significant amount of data from both internal and external resources, including traffic, weather, geography, internal fire incidents, and others. This information is used in several components contained within two main models that create the Wildfire Risk Index. These model components are relatively simple when used on their own. The complexity arises when combining the various models and their components into a single Wildfire Risk Index that reasonably reflects relative risks, while considering all variables.

The ultimate output of the Wildfire Risk Index is a single number that quantifies the relative risk of wildfire by location and by month. This information will help the company to:

1. Identify the areas of greatest risk.
2. Focus resources on those areas.
3. Make more informed decisions regarding operations—like when to plan hot work and when and where to perform vegetation control—to help prevent future incidents.

Case Study: Incident Data

For a large petroleum refining organization, safety and environmental incidents present a significant risk to operations. In order to reduce incident frequency, the company has implemented a robust safety management system, which includes frequent audits and inspections. Despite the company’s best efforts, however, incidents have continued to occur.

To further improve safety and environmental performance, Kestrel is working with the company to conduct detailed reviews of previous incidents using Kestrel’s proprietary Human Performance Reliability (HPR) approach. This approach identifies and classifies the human factors contributing to incidents, as well as the controls associated with those human factors (engineered, administrative, and/or PPE). Once the reviews are finished, the results are statistically analyzed to generate a prioritized list of human factors to be addressed. Kestrel’s Human Factors Integration Tool (HFIT™) software then generates a list of existing controls associated with the top human factors, as well as a list of missing controls that could be created and implemented.

The ultimate output of the incident review process is to help the company identify the human factors contributing to incidents, create or improve associated controls, manage operational risks, and protect the health and safety of workers and the surrounding environment.

Versatility

These examples demonstrate how predictive analytics can be used to support decision making. The versatility of predictive analytics, combined with the variety of statistical techniques available, can be applied to help companies analyze a wide variety of problems and gain insight for future business decision making.