
Technology & the 8 Functions of Compliance
Virtually every regulatory program—environmental, health & safety, security, food safety—has compliance requirements that call for companies to fulfill a number of common compliance activities. While they do not necessarily need to be addressed all at once or from the start, considering the eight functions of compliance (as outlined below) when designing a compliance Information Management System (IMS) helps define the starting point and build a vision for the “end point” when planning IMS improvements. These compliance functions translate into modules—facility profiles, employee counts, training tracking, corrective action tracking, auditing tasks, compliance calendars, documents and records management, permit tracking, etc.—that are instrumental in establishing or improving a company’s capability to comply.
8 Functions of Compliance
- Inventory means taking stock of what exists. The outcome of a compliance inventory is an operational and EHS profile of the company’s operations and sites. In essence, the inventory is the top filter that determines the applicability of regulatory requirements and guides compliance plans, programs, and activities. For compliance purposes, the inventory is quite extensive, including (but not limited to) the following:
  - Activities and operations (i.e., what is done – raw material handling, storage, production processes, fueling, transportation, maintenance, facilities and equipment, etc.)
  - Functional/operational roles and responsibilities (i.e., who does what, where, when)
  - Emissions
  - Wastes
  - Hazardous materials
  - Discharges (operational and stormwater-related)
  - Safety practices
  - Food safety practices
- Authorizations, permits & certifications provide a “license to construct, install, or operate.” Most companies are subject to authorizations/permits at the federal, state, and local levels. Common examples include air permits, operating permits, Title V permits, safe work permits, tank certifications, discharge permits, and construction authorizations. In addition, there may be required fire and building codes and operator certifications. Once the required authorizations, permits, and/or certifications are in place, some regulatory requirements lead companies to the preparation and updating of plans as associated steps.
- Plans are required by a number of regulations. These plans typically outline compliance tasks, responsibilities, reporting requirements, schedule, and best management practices to comply with the related permits. Common compliance-related plans may include SPCC, SWPPP, SWMP, contingency, food safety management, and security plans.
- Training supports the permits and plans that are in place. It is crucial to train employees to follow the requirements so they can effectively execute their responsibilities and protect themselves, company assets and communities. Training should cover operations, safety, security, environment, and food safety aimed at compliance with regulatory requirements and company standards and procedures.
- Practices in place involve doing what is required to follow the terms of the permits, related plans and regulations. These are the day-to-day actions (regulatory, best management practices, planned procedures, SOPs, and work instructions) that are essential for following the required processes.
- Monitoring & inspections provide compliance checks to ensure locations and operations are functioning within the required limits/parameters and the company is achieving operational effectiveness and performance expectations. This step may include some physical monitoring, sampling, and testing (e.g., emissions, wastewater). There are also certain regulatory compliance requirements for the frequency and types of inspections that must be conducted (e.g., forklift, tanks, secondary containment, outfalls). Beyond regulatory requirements, many companies have internal monitoring/inspection requirements for things like housekeeping, sanitation, and process efficiency.
- Records provide documentation of what has been done related to compliance—current inventories, plans, training, inspections, and monitoring required for a given compliance program. Each program typically has recordkeeping, records maintenance, and retention requirements specified by type. Having a good records management system is essential for maintaining the vast number of documents required by regulations, particularly since some, like OSHA, have retention cycles for as long as 30 years.
- Reports are a product of the above compliance functions. Reports from ongoing implementation of compliance activities often are required to be filed with regulatory agencies on a regular basis (e.g., monthly, quarterly, semi-annually, annually), depending on the regulation. Reports also may be required when there is an incident, emergency, recall, or spill.
Reliable Compliance Performance
Documenting procedures on how to execute these eight functions, along with management oversight and continual review and improvement, are what eventually get integrated into an overarching management system (e.g., environmental, health & safety, food safety, security, quality). The compliance IMS helps create process standardization and, subsequently, consistent and reliable compliance performance.
In addition, completing and organizing/documenting these eight functions of compliance provides the following benefits:
- Helps improve the company’s capability to comply on an ongoing basis
- Establishes compliance practices for when an incident occurs
- Creates a strong foundation for internal and 3rd-party compliance audits and for answering outside auditors’ questions (agencies, customers, certifying bodies)
- Helps companies know where to look for continuous improvement
- Reduces surprises and unnecessary spending on reactive compliance-related activities
- Informs management’s need to know
- Enhances confidence of others (e.g., regulators, shareholders/investors, insurers, customers), providing evidence of commitment, capability, reliability, and consistency in the company’s compliance program

Food Defense Strategies to Prevent Intentional Adulteration
In May 2016, FDA issued its final rule on Mitigation Strategies to Protect Food Against Intentional Adulteration (IA). This rule requires covered facilities to prepare and implement food defense plans. The first compliance date—for businesses with sales of $10 million or more per year and more than 500 full-time equivalent employees—is July 26, 2019. (Note that small businesses have until 2020 and very small businesses have until 2021.)
Just as important, FDA has announced it will begin routine inspections to verify compliance with the IA rule in March 2020. Given those dates, compliance with this rule should be a top priority for the approximately 3,400 impacted firms that operate 9,800 food facilities.
Requirements: Food Defense Plan
Let’s start by defining food defense and why it is so important. According to FDA, “Food defense is the effort to protect food from acts of intentional adulteration.” Intentional adulteration is any act where there is an intent to cause wide-scale public health harm, including acts of terrorism. As such, the rule is designed to primarily cover larger facilities with products that reach many people.
At its most basic level, the IA rule requires every covered facility to prepare and implement a food defense plan. The food defense plan incorporates four major elements:
- The vulnerability assessment identifies those areas in the process that pose the greatest IA risks. Each step in the facility’s process should be evaluated for the following:
  - Potential severity and scale of the impact on the public
  - Physical access to the product
  - Ability to successfully alter/contaminate the product
- Facilities must develop and implement mitigation/preventive strategies at each step in the process to address vulnerabilities and minimize the risks of IA.
- A system must be put in place to ensure implementation of mitigation strategies and to effectively manage the following:
  - Monitoring mitigation strategies, including frequency
  - Corrective action response
  - Verification activities
- Appropriate recordkeeping must be maintained for food defense monitoring, corrective actions, and verification, and key personnel must receive appropriate training.
Mock Exercise
Kestrel’s previous article on the Four A’s of Food Defense outlines a proactive approach to food defense that will help meet a key requirement by ensuring the organization is working to avoid the risks associated with food adulteration and contamination.
In addition, when conducting an assessment of food defense, IA, and generally accepted industry vulnerability, threats, and controls, Kestrel suggests completing a mock exercise scenario. This allows companies to:
- Assess their food defense and IA programs under FSMA;
- Test to confirm their program’s integrity, as documented and implemented; and
- Conduct vulnerability scenarios to verify, validate, and make improvements.
The following areas should be addressed in the assessment, strategies, and plan information:
- Facility
- Materials
- Packaging
- Processing
- Key activities
- Storage
- Transportation and distribution
- Management and personnel
A key aspect is also review of and improvements to training programs for all employees based on responsibility, recordkeeping process, management objectives, and program monitoring.
This activity provides the information needed to develop and implement an effective and compliant food defense and IA program under FSMA. Additionally, it can provide verification of the site’s programs, corrective actions to be implemented, and the necessary records of compliance.
Piece of the Puzzle
Food defense is a big piece of the FSMA puzzle. According to Kestrel Food Safety Principal Bill Bremer, “We have included food defense in virtually all of our program development activities this year for GFSI (all schemes) and now FSMA.” Kestrel has worked with over 400 food sites in passing audits and inspections that have included general or focused food defense and IA management programs in food categories including baking, candy/confection, meat, flavor/ingredients, grain, flour, packaging/contact materials, beverages, beans, chemicals, dietary supplements, commissary/catering, and more.
Doing so directly aligns with FDA’s requirements for companies to assess risk and implement preventive controls on a broad basis. Thinking about risk-based strategies—whether in the supply chain or internal systems or whether you are a grower or an importer—is key for any food company planning for the future. Preventive strategies are the essence of FSMA and HACCP. Proactively creating or updating a food defense and safety plan is the first step to ensure compliance.
Join Kestrel at the PROCESS EXPO, as we discuss this topic and others during our special food safety training courses this October in Chicago.

Case Study: Integrated Compliance IMS
This is the next article in Kestrel’s series about Technology-Enabled Business Solutions.
What do you do when your company has multiple grandfathered-in systems that don’t talk to each other? How about when not all locations have access to the same systems…and you have over 150 locations and are still growing? What about when employees are spending excess time collecting and combining information manually instead of electronically? What if you can’t correlate data and generate reports because of multiple systems?
Cut Your Losses, Prioritize Your Needs
These things happen—probably more frequently than one might think. For one of Kestrel’s clients, a large chemical distribution company, all these things were happening simultaneously, and the cost to upgrade existing systems to respond to these needs was getting out of hand. How do you manage that? Do you just cut your losses and find a new compliance IMS solution? Do you address one issue at a time, or does that introduce the risk that everything won’t work together? Again.
Transitioning from one system to another—whether in part or completely—isn’t simple. It takes planning and forethought to create a scalable solution that can be adapted to the company’s overall needs. Proactively managing any sort of technology transition—including prioritizing needs and scheduling how quickly modules are developed and rolled out—is key.
From the beginning, Kestrel’s EHS and IT consultants worked to fully understand the company’s operations, existing systems and workflows, and desired outcomes of the overall system before recommending an approach. Without these upfront conversations, this company could have ended up back in the same situation with a different system. Instead, they are on their way to developing a robust and scalable compliance IMS that can be adapted to the company’s overall needs and will eventually replace their off-the-shelf software.
Starting with the Data
Our client’s initial request was for dashboard reporting that would:
- Provide a visual of the Excel reports the company was pulling from multiple independent systems, and
- Create efficiencies in the data collection and reporting approach.
During initial conversations about the company’s compliance, information management, and overall business needs, it became clear to Kestrel that the existing facility database forms the foundation for the overall system. All content stems from this database. To create the efficiencies and dashboards the company wanted, building the facility database needed to happen first.
Facility information was originally tracked on individual Excel spreadsheets that were later combined to create a quarterly report. This very manual practice presented risks of user error in data entry, data manipulation, analysis, and reporting. Kestrel developed a facility database in SharePoint to serve as a centralized list, with detailed information on each location. Multiple other databases were then created that filter content into each facility page to create a simplified view of all items associated with each facility. Those other databases currently include:
- Employee counts
- Facility audits
- Sustainability reports
- List of storage tanks, with other assets to be added in the future
- Facility images
- Managed requirements
Let’s look at the employee database as one example of data that flows into the facility database. The employee database is used to track the number of employees in each location and each department. Information is filtered into the facility database, updating the employee count section. This employee database is also used to track access/permissions to the company site, look up individuals within other forms, and assign training based on job title.
The facility database now acts as the centralized core to the entire system. Information available here can be used to drive other actions and lists within the site, such as compliance tasks, corrective and preventive actions (CAPAs), inspections, near-misses, incidents, permitting requirements, etc.
Bringing in Forms
Where does all the data in those databases come from? That is where mobile forms and checklists enter the picture. Integrating various Office 365 technologies, Kestrel is creating several mobile forms, such as the near-miss app, to allow employees in the field to capture data electronically. The forms are accessible at multiple levels and can be assigned down to an individual location. Importantly, there is no need to log in to submit data, ensuring ease of access and use for all employees.
As employees complete the forms, data is collected and uploaded into the company’s related database(s) in real-time. All forms and databases are integrated. Not only does this eliminate the problems associated with manual data entry and manipulation, it provides real-time access to valuable data.
Compliance Dashboard
Kestrel has also created a login-driven compliance dashboard that houses key metrics, compliance tasks, and an at-a-glance compliance calendar. The dashboard can be customized for various applications based on the company’s needs as they continue to use the system—employees, management, departments, divisions, facilities, etc.
Currently, various compliance tasks (and associated reminders) are assigned to individuals throughout the 150+ locations. The dashboard filters assigned tasks to the individual logged in, so each employee can view his/her compliance-related tasks. At the same time, management can view outstanding issues that fall under their area(s) of responsibility, and the calendar provides a quick overview of compliance deadlines throughout the year.
The dashboard provides additional visibility for compliance tasks and alerts management to issues that need attention/resolution across the organization. It can also incorporate data analytics to help identify patterns and trends, inform business decisions, and guide resources.
Building for the Future
Now that the company has a solid foundation, work can commence to bring the independent systems into a single platform. Kestrel’s EHS team continues to identify additional compliance management needs, including checklists and mobile forms, internal audits, permit tracking, training tracking, safety meetings, mobile inspection/audit functionality, document control, incident reporting, and more. As these needs are identified, they can be built into the larger compliance IMS to create one integrated system going forward.
As Kestrel’s lead SharePoint Specialist Jaime Doty stated in a recent Q&A, “If you know where you want to end in an ideal world, it becomes a lot easier to find the starting point. It also makes creating a scalable system much more likely, because you are designing the system with the end in mind.”
This has ensured development of a system that:
- Is built from the perspective of the people who will be using it—in the field, in the plant, in the office, in the board room
- Integrates various databases and forms into a single, familiar platform
- Allows information to be shared and tracked in multiple ways
- Gives the ability to manage sites/facilities/plants/departments for compliance purposes
- Simplifies the data entry process by providing user-friendly functionality
- Provides for continual adaptation to meet future data management and reporting needs
That is exactly the forward-thinking perspective Kestrel takes on all projects—thinking beyond individual efficiency tools, considering the desired state, and determining how technology can make that happen. By coordinating technology and compliance expertise, Kestrel offers unique capabilities and perspective. Our EHS and food safety professionals understand the regulatory obligations, business needs, and needs of the users. This drives design and development of the right compliance IMS and efficiency tools—one that works within the company’s implementation timeline and budget—to reduce compliance risk, create operational efficiencies, and generate business improvement and value.

Why Pursue an EHS Management System?
The discipline required to design and implement a compliant environmental, health & safety (EHS) management system can help organizations improve in many areas over and above the defined tasks.
- Identify and categorize the organization’s EHS risks. Once this information is known, management will be able to prioritize and then pick and choose how to reduce risks and liabilities to acceptable levels. These risks will be better controlled through strict management accounting. Employees will become more attuned to thinking outside the box to help management improve the overall operation.
- Develop work instructions and/or procedures to guide an employee’s actions and ensure that each EHS task is completed in a disciplined manner approved by management. This will reduce the risk to an organization of an employee accidentally making an environmental, health and/or safety mistake that causes the employee or others to be injured or worse; creates public awareness of the problem; or causes governmental inspections, fines, and loss of business.
- Provide management assurance that the company does, in fact, know and understand the legal and EHS requirements that the business must meet on a daily basis. These legal requirements will drive improvement in having up-to-date procedures and work instructions for employees to follow every day.
- Develop meaningful EHS goals and objectives. These objectives drive improvement in environmental and personal health & safety performance. They may also reduce internal costs by reducing trips to the hospital, payments for workers compensation, and employees on disability. Each business will have different goals that should change each year to ensure continuous improvement over time.
- Develop a strong training program. Well-written procedures and work instructions help define the actions required of employees to meet EPA and OSHA requirements and company directives. A well-trained workforce is a motivated and happy workforce. Turnover is reduced, accidents and incidents are reduced, and production efficiencies increase. Employees are very aware when an organization takes time to assure each job requested is completed in the safest and most environmentally sound manner possible.
- Develop appropriate monitoring and measurement of key characteristics and requirements. These key performance indicators are based on regulations and laws intended to guide the organization’s actions in a direction of continuous improvement and compliance.
- Allow employees to audit and verify that the EHS management systems are functioning as designed and implemented. By continuously auditing each OSHA program and environmental function, the organization will discover issues of concern and non-conformances prior to an employee being injured or worse, having an environmental spill or incident, or incurring a governmental agency finding. This allows the company to choose a timeframe that will best help improve the situation without undue influence by outsiders.
- Design a fully functioning corrective/preventive action program to monitor issues of concern and/or non-conformance and the actions used to rectify each situation identified. As employees watch management fix problems, they will learn that management is concerned about continuous improvement and the employees will go back to making improvement suggestions. These suggestions will further drive improvement in areas outside the original EHS management systems.
- Look at the business model and the EHS management systems in a holistic fashion. By using this self-reflection and identifying improvement opportunities, management can direct responsibilities for improvement actions across many departments within the company. Each of these improvement opportunities will again help the bottom line and reduce the possibility of an EHS liability now or in the future.
- Know that you have done everything possible to maintain the business in a manner to meet all OSHA and EPA rules and regulations, as well as association requirements. The organization will have done everything possible to assure that the environment and the health & safety of employees are protected every day the doors are open for business. To a business owner, that knowledge is priceless.

Q&A: Voluntary Qualified Importer Program (VQIP)
Before food can be imported into the U.S., it is subject to FDA inspection. These inspections are intended to ensure food imports are safe, sanitary, and properly labeled. While important in maintaining food safety, this process can be long and onerous. The Voluntary Qualified Importer Program (VQIP) was created by FDA to expedite this process.
What Is VQIP?
In essence, VQIP acts as the “TSA line” for food into the U.S. The voluntary program allows foreign suppliers to get expedited entry for their food products into the U.S., provided importers meet all eligibility criteria, including offering food from a facility certified under FDA’s accredited third-party program (see below).
Why Is VQIP Important?
There are a number of reasons a U.S. importer might choose to participate in VQIP, including the following:
- Enables expedited entry into the U.S. for all foods included in an approved application.
- Limits examination and/or sampling to “for cause” situations in which there is a potential threat to public health; any sampling or examination is done at destination or another location chosen by the importer and laboratory analysis of any samples is expedited.
- Provides assurance that a foreign supplier complies with FSMA rules, avoiding the need to further assess the supplier.
- Incentivizes importers to adopt a robust system of supply chain management.
- Moves any perishable or short shelf-life product through the border quickly.
For foreign suppliers, there are also several benefits:
- Reduces the extra work of proving status as it relates to compliance with FSMA rules.
- Opens doors to new clients by making it easier for a U.S. importer to choose certified products versus a non-certified competitor.
Beyond that, VQIP further benefits public health by allowing FDA to focus its resources on food entries that pose a higher risk to public health.
What Are the Eligibility Requirements?
A company must be a food importer to participate in VQIP (i.e., a person/entity that brings food or causes food to be brought from a foreign country into the U.S.). In addition, the following criteria must be met on the importer and the foreign supplier sides:
- Have 3+ years history of importing food to the U.S.
- Have a Dun & Bradstreet Data Universal Number System (DUNS) number (used as a unique identifier number)
- Use paperless filers/brokers who have received acceptable results during their last FDA Filer Evaluation
- Do not have any food you import subject to detention under an Import Alert or Class 1 recall
- Do not have any ongoing FDA administrative or judicial action, or other history of non-compliance with food safety regulations by the importer, other entities in the supply chain, or food
- Are in compliance with supplier verification and other importer responsibilities under the applicable FSVP or HACCP (i.e., juice, seafood) regulations
- Have not been the subject of any CBP penalties, forfeitures, or sanctions related to the safety or security of any FDA-regulated product imported or offered for import
- Have current facility certification, including farms, issued under FDA’s Accredited Third-Party Certification regulations for each foreign supplier of food in VQIP (see below)
- Develop and implement a Quality Assurance Program (QAP) (see below)
What Is Foreign Supplier Facility Certification?
VQIP is regulated by the FSMA rule on Accredited Third-Party Certification. This is a voluntary, fee-based program for the recognition of third-party auditors to conduct food safety audits and issue certifications of foreign sites and the foods they produce. An accredited third-party can perform audits against the Food, Drug and Cosmetics (FD&C) Act and other FDA applicable regulations, and issue a certificate attesting compliance.
Foreign suppliers must have a facility certification, which would be issued following a regulatory audit conducted by an accredited third-party certification body. This audit attests that the foreign supplier complies with applicable food safety requirements of the FD&C Act and FDA regulations. Note that certifications are not required for Foreign Supplier Verification Program (FSVP) and Preventive Controls rules.
What Is Included in the QAP?
According to the FDA, the VQIP QAP includes all the written policies and procedures the facility will use to ensure adequate control over the safety and security of foods being imported. The QAP should include the following information:
- Corporate quality policy statement relating to food safety and security throughout the supply chain
- Organizational structure, as well as functional responsibilities for those implementing the VQIP QAP
- Food safety policies and procedures to be implemented to ensure food safety from source to entry into the U.S.
- Food defense policies and procedures to ensure compliance with FDA’s intentional adulteration regulation
- Qualification requirements for employees responsible for implementing the VQIP QAP (e.g., knowledge of regulations, understanding of the QAP)
- Procedures for implementing your VQIP QAP
- Procedures for establishing and maintaining records regarding the structure, processes, procedures and implementation of the QAP
- Definitions
- References
How Do I Become Part of VQIP?
Importers must apply between January 1 and May 31 annually to be considered for VQIP. The VQIP fiscal year/benefit period is between October 1 and September 30, following application approval. Participants must submit an application every year; however, you may use data from the previous year’s application.
FDA will conduct a VQIP inspection to verify that you meet all eligibility criteria and have fully implemented food safety and food safety defense systems, as established in your QAP. FDA may also:
- Conduct an FSVP inspection
- Request a copy of food labels for those foods included in the application
- Ask you to submit supporting documentation (e.g., hazard analysis, lab results, food labels)
Additional information on VQIP and the application process can be found on the FDA website.

Making the Most of Mobile Technology
This is the third in Kestrel’s series of articles about Technology-Enabled Business Solutions.
A decade ago, when “handheld computers” (i.e., smartphones) first became popular, storing appointments and contact information on a portable electronic device was the prime functionality of the smartphone. Convenient? Yes. Robust? Not quite yet.
Mobile technology has clearly come a long way since then. Your smartphone and other mobile devices/tablets are every bit as powerful as any computer you have in the office—perhaps even more so when it comes to collecting real-time data and creating operational efficiencies.
Forms, Checklists, and More
Think about this for a minute…how many forms and checklists do you use in your operations? Maybe it is a daily forklift checklist, near-miss form, behavioral-based safety observation, daily housekeeping checklist, food safety sanitation inspection, hazardous waste inspection checklist, and so on.
What if—instead of taking a clipboard into the plant or field—employees were able to simply pull out a phone, complete the checklist online, and hit submit? What if they were able to do it from anywhere and without any login information? What if management could access the data immediately to run reports and get real-time analytics?
Case Study: There’s an App for That
That is precisely what a large chemical distribution company needed. In the most basic terms, they asked Kestrel to create a mobile form for forklift inspections that would provide:
- Simple electronic access to the forms employees already use daily
- Ability for employees in the field to submit data without logging into the system for ease of use
- Data in CSV format that could be sent immediately via email to management for review/analysis
- Dashboard reporting to show a real-time view of checklist status, outstanding issues, overdue items, and other metrics
By integrating various Office 365 technologies, Kestrel created an app using the company’s familiar forklift inspection form, which can be customized per location. The mobile version allows employees in the field to capture forklift inspection data electronically. The forms are accessible at multiple levels and can be assigned down to an individual location. Importantly, there is no need to log in to submit data, ensuring ease of access and use for all employees. Shortcuts to forms can also easily be added to mobile devices, computers, or other websites for ease of access.
As employees complete the checklists, data is collected and uploaded into the company’s Office 365 compliance information management system (IMS) in real-time. Not only does this eliminate the problems associated with manual data entry and manipulation, it provides real-time access to valuable data. Kestrel has created dashboards that house key metrics on inspections completed and issues identified that are updated immediately and automatically whenever a new checklist is completed. Beyond that, using the simple forklift checklist, we can now automatically create an entire series of events that had traditionally been done manually (e.g., maintenance requests, part orders, inspection requests).
Mobile Technology, Operational Efficiencies
For employees, mobile technology makes completing checklists of almost any type easier and faster in the field. For management, mobile technology takes things a step further by creating operational efficiencies:
- Provides central management of inspection schedule, forms, and other requirements.
- Increases productivity through reductions in prep-time and redundant/manual data entry.
- Improves data access/availability for reporting and planning purposes.
- Allows data to be submitted directly and immediately into SharePoint so it can be reviewed, analyzed, etc. in real time.
- Creates workflow and process automation, including automated notifications to allow for real-time improvements.
- Allows follow-up actions to be assigned and sent to those who need them.
- Integrates with the overall compliance IMS for a comprehensive view of compliance status.
Stay tuned for coming articles in our series, which will continue to dig deeper into functionality, highlight some case studies of Office 365 in action, and tap the insights of Kestrel’s Office 365 developer.

Leveraging Existing IT Systems to Create Compliance Efficiency
It’s not uncommon to think more is better when it comes to software. It’s also not uncommon for companies to gravitate toward specialty software, whether related to certification support, QEHS compliance, cGMP, food safety, incident management, audits, permit tracking, or any number of other areas.
However, as robust as companies want their information management system to be, a simple and adaptable solution is often a better approach. As the NAEM survey we summarized in our first article in this series stated, some EHS&S software experts are migrating clients away from commercial systems to basic tools such as Microsoft Office 365 and SharePoint, which can be easier to understand, easier to use and navigate, and easier to adapt to ongoing business needs.
Flexibility in the Familiar
Many companies look at software as a silver bullet—a fix for everything. But applying technology to operations isn’t about just finding and buying a software tool. It is about:
- Understanding the business need;
- Customizing and integrating the appropriate tool into existing operations; and
- Deploying it so it is effectively applied.
Information management systems and compliance efficiency tools built on an Office 365 platform offer an adaptable/scalable solution that can meet business and overall compliance needs, while offering the familiarity that encourages employee buy-in.
Robust Functionality
But really, what can Office 365 and SharePoint do? Perhaps surprisingly to many, Office 365 is highly adaptable and, with the right resources, can offer the solutions a company needs to address a plethora of operational and compliance requirements, including the following:
Compliance Management. Many companies—especially those that are not large enough for a dedicated team of full-time staff—struggle with how to effectively resource their regulatory compliance needs. Kestrel’s experience over many years suggests that reliable and effective regulatory compliance is commonly an outcome of consistent and reliable information management system implementation. Office 365 can allow you to more efficiently manage compliance tasks, corrective and preventive actions (CAPAs), and other project activities to ensure you are meeting your compliance requirements. Compliance management components may include:
- Compliance tracking/calendar
- Audit assessment & inspection
- Mobile forms & checklists
- Audit tracking
- Permit management/tracking
Training/Learning Management. Having a system that records employee training is critical to compliance, especially to ensure policies, procedures, and work instructions are followed. Office 365 allows for the centralized implementation, management, tracking, scheduling, assignment, and analysis of organizational training efforts. From simply logging and tracking training to creating training plans and generating quizzes, training management ensures that the workforce is knowledgeable and appropriately trained.
Complaint & Issues Management. From a quality perspective, it is important to effectively track and manage customer complaints/issues and corresponding follow-up actions, including any resulting nonconformances. Doing so electronically can help you identify and respond to complaints more quickly. With an aligned system, you can also connect nonconformance reports (NCRs) to other systems for CAPA management.
Incident Management. Most organizations plan for and continually strive to prevent incidents. Effective incident management provides the opportunity to learn about and improve overall performance. Web-based tools can be particularly helpful in documenting, tracking, and reporting on all incidents and near-misses, including injuries, illnesses, spills, releases, and recalls. What’s better is that this can happen in real-time (thanks to mobile functionality) to ensure compliance with reporting requirements and internal incident management processes.
Document Management. Document management is a key tool that will help companies in their efforts to go paperless. However, document management is not only for managing files. A quality document management system can also establish document structure, streamline content creation, create version control, and organize your workflows. Office 365 document management systems are scalable to the organization and designed to store, secure, and ultimately help you make sense of the documents your business uses.
Achieving the Big Picture
By having so many features and applications on a single platform, it is easy to tie them all together into an aligned system and to create multiple functions/uses for the data being collected from so many sources. With an aligned system, achieving the big-picture, desired state (rather than the short-term fix) becomes entirely possible.
This approach offers the following benefits:
- Scalability. Office 365 is scalable to ensure it meets organizational/business needs, as well as regulatory requirements. Your system can contain the parts and pieces your company needs to operate efficiently and in compliance with regulations, standards, and customer requirements.
- Alignment. The system can be expanded to integrate, connect, and support multiple standards (e.g., ISO, FSSC, SQF, IFS, Responsible Distribution) and/or regulatory requirements. Integration of multiple management systems into a single platform makes management more effective and efficient than when systems operate independently.
- Accessibility. The central, web-based system is accessible from any location. Mobile access and forms allow you to capture data via phones, tablets, or PCs—anytime, anywhere—even in remote locations, where a data connection has not yet been established, or in facilities that do not have consistent wireless connection. Data are automatically synchronized when a connection is made and stored in the Cloud to improve data access/availability, generate real-time analytics, and create workflow and process automation.
- Measurement. Data can be collected and compiled for review and analysis, as well as more sophisticated predictive analytics. Dashboards and reporting capabilities provide insights into system health, operational results, and business performance for senior management. A standardized approach for reporting further creates accountability and ongoing performance monitoring and measurement.
- Easy Adoption. Building off a common Microsoft platform allows for easier adoption due to its familiarity. It also limits the number of solutions, software, and systems needed by a company, as well as the extra fees associated with additional software, such as license, user, and change fees.

Aligned Hazard Analysis Programs: Food HACCP & PSM
The ultimate responsibility for food safety lies with food service providers and their ability to develop and maintain effective food safety management systems. Currently, there is a shift in the emphasis of hazard analysis and preventive controls related to both Process Safety Management (PSM) and Hazard Analysis and Critical Control Points (HACCP). This is of particular concern for the food industry, where many regulations include both EHS and food safety requirements.
Many food operations fall under both PSM and HACCP requirements. In general, PSM is bulk chemical-centric for food operations, while HACCP is food safety risk-centric for maintaining food purity. (Common chemicals subject to both include anhydrous ammonia for cooling and chlorine for sanitation of product and processes. In addition, many large food processing types include process aids at levels under PSM.)
Changing regulations and the increased emphasis on hazard analysis require the food industry to develop well-documented and managed programs that address both PSM and HACCP using common approaches:
- Better use of organizational resources
- Standard programs
- Training efficiency and effectiveness
- Shared knowledge and approaches
- More effective and aligned hazard analysis management
About PSM
PSM is a key risk management practice that must be implemented for qualifying plants. PSM is covered in the recent Executive Order focused on modernization of high-risk sites and, as a result, is under greater scrutiny with regulator focus and recent events. While PSM is a highly visible requirement, it is currently not widely inspected and reviewed—though that may be changing. PSM generally entails a more event-driven inspection by interested parties other than the company. As a growing area of focus and concern, PSM will require plants to reassess and, potentially, update systems and operations to meet requirements.
About HACCP
HACCP, on the other hand, is widely implemented for food processing and is expanding with high visibility. HACCP is the historic requirement providing the accepted food safety plan for some food industries. HACCP is rapidly being advanced with FSMA and GFSI-level requirements, but requirements have not been fully established based on FSMA rulemaking. The complexity of programs is rapidly increasing, while the level of food industry sectors is expanding to include all food contact, packaging, GRAS, and distribution and transportation companies.
Hazard Analysis Methods
The hazard analysis methods under PSM and HACCP are similar but different:
- Process Hazard Analysis (PHA) is associated with high-risk chemicals or materials, and is required for compliance with PSM. A PHA is designed to protect people and the environment from specific hazards. PHA methods vary based on an organization’s determination of the best method for their situation. These methods are directed to the overall process and operating condition by the process step. PHA focuses largely on equipment, instrumentation, utilities, human actions, and external factors that might impact the process. It involves an organized, systematic analysis of potential hazards to improve safety and reduce the potential consequences of those hazards.
- Hazard Analysis and Preventive Control (HAPC) is associated with food safety risk under Hazard Analysis and Risk-based Preventive Controls (HARPC) and is an aspect of HACCP. HAPC is a growing regulatory compliance requirement related to food safety plans (FDA and USDA) that focuses on process, equipment, contamination, procedures, and control points. HAPC involves an organized and systematic analysis of potential risks to food and food materials to improve the purity of food during processing/handling by reducing contamination.
PHA and HAPC are required for facilities, as determined by the regulations, and include the following common requirements:
- Develop preventive control plan
- Perform hazard analysis for foreseeable hazards (written)
- Conduct “what-if” scenarios, rating, and ranking
- Identify and implement preventive controls, as well as intentional hazards and controls
Under both PSM and HACCP, all plans and records may be subject to inspections. Failures to act may be interpreted as willful non-conformance or probable cause for expanded inspection.
Additional Requirements
Companies subject to PSM and HACCP need to consider other related regulatory requirements, as well. This relationship in itself is key under GFSI.
- Records
  - Maintain evidence
  - Conduct development programs and hazard analysis adequately
  - Establish programs to ensure preventive controls
  - Conduct training
  - Validate and verify programs, completed forms
  - Record all key information for relevant periods
- Inspections
  - PSM-level inspections can be part of incident follow-up or planned OSHA or NEP inspections; there is state registering of PSM inspections.
  - HACCP will be part of mandatory FDA inspections, by any qualified agency to FSMA, and required under GFSI; customers may also require HACCP as part of their supplier programs.
- Cleanup and Catch-up
  - Monitor effectiveness
  - Establish corrective actions
  - Verify programs and preventive controls
  - Monitor and support SOPs/GMPs
  - Diligently follow and record Management of Change (MOC)
In addition, hazardous materials and communication are key for both EHS and FDA, as well as areas like air quality, water quality, sanitation, and blood borne pathogen/bodily fluids.
The Right Resources
A higher level of compliance requires plans to be reassessed and, subsequently, the resources to reassess them. For many, once programs are developed, they are put into “maintain” mode. Historical knowledge isn’t captured or is lost to turnover.
Beyond that, PSM and HACCP both require that “qualified individuals” develop and manage these systems. Qualified individuals include a designated lead with certain experience and qualifications, as outlined in the requirements. Availability of resources is almost always an issue, as maintaining systems with just one person is very difficult, especially given organizational change.
Keeping qualified resources at the proper certification is difficult. New employees are now typically required to provide both oversight and operational capability. Education, work experience, and certification are all important. The growing approach is to maintain teams with alternates to supplement the leads and to provide coverage for all situations, including daily/weekly schedules. This is an area that must be continually monitored and subjected to corrective action.
Alignment Strategy
The following tips will help to effectively align PSM and HACCP programs and strategies, and provide for efficient compliance with both regulatory programs:
- Establish plans to assess existing programs
- Apply continuous improvement (Plan-Do-Check-Act)
- Take inventory of qualified resources
- Align qualified personnel to PSM and HACCP teams
- Use a sub-team approach to ensure the necessary level of participation and backup
- Maintain multi-year strategy, planning, and training
- Establish a cleanup and catch-up approach for hazard analysis activities to move forward
- Use continuous improvement to maintain validated and verified programs

Top 10 Elements of a Certified GFSI Program
The Global Food Safety Initiative (GFSI) relies on a number of benchmarked schemes to establish food safety requirements; all are designed to ensure the quality and safety of a company’s products. In order to become certified to one of these GFSI-recognized schemes, a company must undergo a third-party audit by a certified auditor. Kestrel’s experience conducting these audits has revealed that companies who successfully achieve certification demonstrate a number of common attributes—regardless of their chosen scheme:
- Corrective and preventive actions are up-to-date and current.
- Continuous improvement/root cause analysis process is in place to make ongoing improvements and to ensure final resolutions to all out-of-control issues or non-conformances to the Food Safety Program.
- Premises, facility, and building programs are established and operating, including controls, signage, direction, job training, and physical evidence of a fully implemented Food Safety Program.
- Preventive maintenance system links scheduled maintenance to Hazard Analysis & Critical Control Points (HACCP) critical equipment monitoring requirements.
- Approved materials and process specifications are managed and controlled.
- Product identification and traceability processes are in place, including complete records detailing all activities for the production of food product.
- Document management and control program is updated, validated, and maintained. Developing program management systems helps ensure compliance with document management and control.
- Food safety program updates and management are completed through annual and multi-year planning for maintaining the Food Safety Program, including management of change, management review, approvals, and internal audit.
- Records and verification management systems provide access to supporting data, as determined by FDA/FSMA and company programs.
- Data management of food safety records outlines processes for assuring prompt or immediate access to critical records, as needed, for audit, compliance, or regulatory purposes.

Compliance IMS: Are You Getting What You Need?
This is the first in KTL’s series of articles about Technology-Enabled Business Solutions.
It goes without saying that change is hard. Even positive change is not without challenges. Change when it comes to Information Technology (IT)/software systems can be flat-out painful because of the significant investments of time, money, and resources required. That is why many companies choose to avoid making a change until absolutely necessary.
How do you know when that time has come? How do you know when you are investing more in your compliance Information Management System (IMS) than you are getting out of it? What are those hot buttons that drive companies to seek a system change? And when seeking a new compliance IMS, what do you look for to ensure it will meet your business needs?
Why Companies Seek New Systems
According to a March 2019 survey conducted by the National Association for EHS&S Managers (NAEM) entitled Why Companies Replace Their EHS&S Software Systems, the following is the rank order of key reasons why companies seek a new IMS:
- Current system doesn’t perform as advertised.
- New business objective(s) aren’t supported by the current system.
- Current system costs too much to maintain.
- Current system doesn’t integrate well with other business IT systems.
- Platform being used has changed.
Criteria for New Systems
These reasons tie directly to what companies in the NAEM survey say are the most important criteria when shopping for a new software system:

Let’s review a few of these top criteria and why they are so important in any decisions made about implementing a new compliance IMS. We will dig deeper into these reasons throughout our series of articles on compliance information management solutions.
Integration
As indicated by the NAEM survey, it can be a real challenge to integrate technology, whether it is with hardware, other compliance/certification software, ERP software, global systems, legacy systems, human resources systems, financial/inventory systems, etc. When it comes to having multiple systems, it’s not that you necessarily need one system to manage every business function. However, you do need your systems to talk. Lack of integration can contribute to duplication of effort, data inaccuracy, and business inefficiencies across multiple departmental functions.
Real-Time Metrics Tracking/Mobile Accessibility
With today’s technology, we are accustomed to instant gratification. There should be no reason why your IMS cannot provide that when it comes to real-time metrics tracking. Mobile accessibility allows for data to be collected on-the-go rather than re-entering information from the field back in the office. Data can be collected and compiled in real-time for review and analysis, as well as more sophisticated predictive analytics. Dashboards and reporting capabilities provide insights into system health, operational results, and business performance for senior management. A standardized approach for reporting further creates accountability and ongoing performance monitoring and measurement.
User Friendliness
What does it mean to be user friendly? Is that focused on the end user entering data in the field? Does it pertain to management who is reading reports and metrics? Are we talking about the system administrator? A truly user-friendly system will be something that meets the needs of all parties. If employees are frustrated by lack of understanding, if the system isn’t intuitive enough, if it is hard to put data in or get metrics out, the system will hold little value. In fact, according to NAEM, if a system isn’t user-friendly, employees may end up using workarounds that create more inefficiencies and inaccuracies.
Customization, Updates & Maintenance Costs
Perhaps the functionality was oversold, perhaps the system cannot handle your data in the ways you anticipated, perhaps the solution you need requires additional customization that you did not anticipate. Whatever the case, not getting what you paid for is an exercise in frustration and a waste of resources. Business priorities and objectives change. If your system cannot adapt to these changes, users will fail to engage, and it will become obsolete. At the same time, if you continually seek customization, it can come at a price—not just for the customization but for the expertise required to maintain a customized solution. Customization can quickly become a money pit that you cannot climb out of. The key is to find an IMS that is simple and adaptable to respond to business changes.
Simple Solution
It’s not uncommon to think more is better when it comes to software. However, as robust as most companies want their compliance IMS to be, a simple and adaptable solution is often the best approach. According to the NAEM survey, some software experts are helping to migrate clients away from commercial systems to basic tools such as Microsoft Office 365 and SharePoint, which can be easier to understand, easier to use and navigate, and easier to adapt to ongoing business needs.
The next article in our series will explore the idea of going back to basics and leveraging familiar tools like Office 365 to meet compliance IMS and overall business needs.