Maturity assessments are designed to tell an organization where it stands in a defined area and, correspondingly, what it needs to do in the future to improve its systems and processes to meet the organization’s needs and expectations. Maturity assessments expose the strengths and weaknesses within an organization (or a program), and provide a roadmap for ongoing improvements.

Holistic Assessments

A thorough program maturity assessment involves building on a standard gap analysis to conduct a holistic evaluation of the existing program, including data review, interviews with key staff, and functional/field observations and validation.

Based on Kestrel’s experience, evaluating program maturity is best done by measuring the program’s structure and design, as well as the program’s implementation consistency across the organization. For the most part, a program’s design remains relatively unchanging, unless internal modifications are made to the system. Because of this static nature, a “snapshot” provides a reasonable assessment of the design maturity. While the design helps to inform operational effectiveness, the implementation/operational maturity model assesses how completely and consistently the program is functioning throughout the organization (i.e., how the program is designed to work vs. how it is working in practice).

Design Maturity

A design maturity model helps to evaluate strategies and policies, practices and procedures, organization and people, information for decision making, and systems and data according to the following levels of maturity:

• Level 1: Initial (crisis management) – Lack of alignment within the organization; undefined policies, goals, and objectives; poorly defined roles; lack of effective training; erratic program or project performance; lack of standardization in tools.
• Level 2: Repeatable (reactive management) – Limited alignment within the organization; lagging policies and plans; seldom known business impacts of actions; inconsistent company operations across functions; culture not focused on process; ineffective risk management; few useful program or project management and controls tools.
• Level 3: Defined (project management) – Moderate alignment across the organization; consistent plans and policies; formal change management system; somewhat defined and documented processes; moderate role clarity; proactive management for individual projects; standardized status reporting; data integrity may still be questionable.
• Level 4: Managed (program management) – Alignment across organization; consistent plans and policies; goals and objectives are known at all levels; process-oriented culture; formal processes with adequate documentation; strategies and forecasts inform processes; well-understood roles; metrics and controls applied to most processes; audits used for process improvements; good data integrity; programs, processes, and performance reviewed regularly.
• Level 5: Optimized (managing excellence) – Alignment from top to bottom of organization; business forecasts and plans guide activity; company culture is evident across the organization; risk management is structured and proactive; process-centered structure; focus on continuous improvement, training, coaching, mentoring; audits for continual improvement; emphasis on “best-in-class” methods.

A gap analysis can help compare the actual program components against best practice standards, as defined by the organization. At this point, assessment questions and criteria should be specifically tuned to assess the degree to which:

• Hazards and risks are identified, sized, and assessed
• Existing controls are adequate and effective
• Plans are in place to address risks not adequately covered by existing controls
• Plans and controls are resourced and implemented
• Controls are documented and operationalized across applicable functions and work units
• Personnel know and understand the controls and expectations and are engaged in their design and improvement
• Controls are being monitored with appropriate metrics and compliance assurance
• Deficiencies are being addressed by corrective/preventive action
• Processes, controls, and performance are being reviewed by management for continual improvement
• Changed conditions are continually recognized and new risks identified and addressed

Implementation/Operational Maturity

The logical next step in the maturity assessment involves shifting focus from the program’s design to a maturity model that measures how well the program is operationalized, as well as the consistency of implementation across the entire organization. This is a measurement of how effectively the design (program static component) has enabled the desired, consistent practice (program dynamic component) within and across the company.

Under this model, the stage of maturity (i.e., initial, implementation in process, fully functional) is assessed in the following areas:

• Adequacy and effectiveness: demonstration of established processes and procedures with clarity of roles and responsibilities for managing key functions, addressing significant risks, and achieving performance requirements across operations
• Consistency: demonstration that established processes and procedures are fully applied and used across all applicable parts of the organization to achieve performance requirements
• Sustainability: demonstration of an established and ongoing method of review of performance indicators, processes, procedures, and practices in-place for the purpose of identifying and implementing measures to achieve continuing improvement of performance

This approach relies heavily on operational validation and seeking objective evidence of implementation maturity by performing functional and field observations and interviews across a representative sample of operations, including contractors.

Cultural Component

Performance within an organization is the combined result of culture, operational systems/controls, and human performance. Culture involves leadership, shared beliefs, expectations, attitudes, and policy about the desired behavior within a specific company. To some degree, culture alone can drive performance. However, without operational systems and controls, the effects of culture are limited and ultimately will not be sustained. Similarly, operational systems/controls (e.g., management processes, systems, and procedures) can improve performance, but these effects also are limited without the reinforcement of a strong culture. A robust culture with employee engagement, an effective management system, and appropriate and consistent human performance are equally critical.

A culture assessment incorporates an assessment of culture and program implementation status by performing interviews and surveys up, down, and across a representative sample of the company’s operations. Observations of company operations (field/facility/functional) should be done to verify and validate.

A culture assessment should evaluate key attributes of successful programs, including:

1. Leadership
2. Vision & Values
3. Goals, Policies & Initiatives
4. Organization & Structure
5. Employee Engagement, Behaviors & Communications
6. Resource Allocation & Performance Management
7. Systems, Standards & Processes
8. Metrics & Reporting
9. Continually Learning Organization
10. Audits & Assurance

Assessment and Evaluation

Data from document review, interviews, surveys, and field observations are then aggregated, analyzed, and evaluated. Identifying program gaps and issues enables a comparison of what must be improved or developed/added to what already exists. This information is often organized into the following categories:

• Policy and strategy refinements
• Process and procedure improvements
• Organizational and resource requirements
• Information for decision making
• Systems and data requirements
• Culture enhancement and development

From this information, it becomes possible to identify recommendations for program improvements. These recommendations should be integrated into a strategic action plan that outlines the long-term program vision, proposed activities, project sequencing, and milestones. The highest priority actions should be identified and planned to establish a foundation for continual improvement, and allow for a more proactive means of managing risks and program performance.

Audits provide an essential tool for improving and verifying compliance performance. As discussed in Part 1, there are a number of audit program elements and best practices that can help ensure a comprehensive audit program. Here are 12 more tips to put to use:

1. Action item closure. Address repeat findings. Identify patterns and seek root cause analysis and sustainable corrections.
2. Training. Training should be done throughout the entire organization, across all levels:
   • Auditors are trained on both technical matters and program procedures.
   • Management is trained on the overall program design, purpose, business impacts of findings, responsibilities, corrections, and improvements.
   • Line operations are trained on compliance procedures and company policy/systems.
3. Communications. Communications with management should be done routinely to discuss status, needs, performance, program improvements, and business impacts. Communications should be done in business language—with business impacts defined in terms of risks, costs, savings, avoided costs/capital expenditures, benefits. Those accountable for performance need to be provided information as close to “real time” as possible, and the Board of Directors should be informed routinely.
4. Leadership philosophy. Senior management should exhibit top-down expectations for program excellence. EHSMS quality excellence goes hand-in-hand with operational and service quality excellence. Learning and continual improvement should be emphasized.
5. Roles & responsibilities. Clear roles, responsibilities, and accountabilities need to be established. This includes top management understanding and embracing their roles/responsibilities. Owners of findings/fixes also must be clearly identified.
6. Funding for corrective actions. Funding should be allocated to projects based on significance of risk exposure (i.e., systemic/preventive actions receive high priority). The process should incentivize proactive planning and expeditious resolution of significant problem areas and penalize recurrence or back-sliding on performance and lack of timely fixes.
7. Performance measurement system. Audit goals and objectives should be nested with the company business goals, key performance objectives, and values. A balanced scorecard can display leading and lagging indicators. Metrics should be quantitative, indicative (not all-inclusive), and tied to their ability to influence. Performance measurements should be communicated and widely understood. Information from auditing (e.g., findings, patterns, trends, comparisons) and the status of corrective actions often are reported on compliance dashboards for management review.
8. Degree of business integration. There should be a strong link between programs, procedures, and methods used in a quality management program—EHS activities should operate in patterns similar to core operations rather than as ancillary add-on duties. In addition, EHS should be involved in business planning and MOC. An EHSMS should be well-developed and designed for full business integration, and the audit program should feed critical information into the EHSMS.
9. Accountability. Accountability and compensation must be clearly linked at a meaningful level. Use various award/recognition programs to offer incentives to line operations personnel for excellent EHS performance. Make disincentives and disciplinary consequences clear to discourage non-compliant activities.
10. Deployment plan & schedule. Best practice combines the use of pilot facility audits, baseline audits (to design programs), tiered audits, and a continuous improvement model. Facility profiles are developed for all top priority facilities, including operational and EHS characteristics and regulatory and other requirements.
11. Relation of audit program to EHSMS design & improvement objectives. The audit program should be fully interrelated with the EHSMS and feed critical information on systemic needs into the EHSMS design and review process. It addresses the “Evaluation of Compliance” element under EHSMS international standards (e.g., ISO 14001 and OHSAS 18001). Audit baseline helps identify common causes, systemic issues, and needed programs. The EHSMS addresses root causes and defines/improves preventive systems and helps integrate EHS with core operations. Audits further evaluate and confirm performance of EHSMS and guide continuous improvement.
12. Relation to best practices. Inventory best practices and share/transfer them as part of audit program results. Use best-in-class facilities as models and “problem sites” for improvement planning and training.  The figure below illustrates an audit program that goes beyond the traditional “find it, fix it, find it, fix it” repetitive cycle to one that yields real understanding of root causes and patterns. In this model, if the issues can be categorized and are of wide scale, the design of solutions can lead to company-wide corrective and preventive measures. This same method can be used to capture and transfer best practices across the organization. They are sustained through the continual review and improvement cycle of an EHSMS and are verified by future audits.

Read the part 1 audit program best practices. 

Audits provide an essential tool for improving and verifying compliance performance. Audits may be used to capture regulatory compliance status, management system conformance, adequacy of internal controls, potential risks, and best practices. An audit is typically part of a broader compliance assurance program and can cover some or all of the company’s legal obligations, policies, programs, and objectives.

Companies come in a variety of sizes with a range of different needs, so auditing standards remain fairly flexible. There are, however, a number of audit program elements and best practices that can help ensure a comprehensive audit program:

1. Goals. Establishing goals enables recognition of broader issues and can lead to long-term preventive programs. This process allows the organization to get at the causes and focus on important systemic issues. It pushes and guides toward continuous improvement. Goal-setting further addresses the responsibilities and obligations of the Board of Directors for audit and oversight and elicits support from stakeholders.
2. Scope. The scope of the audit should be limited initially (e.g., compliance and risk) to what is manageable and to what can be done very well, thereby producing performance improvement and a wider understanding and acceptance of objectives. As the program is developed and matures (e.g., Management Systems, company policy, operational integration), it can be expanded and, eventually, shift over time toward systems in place, prevention, efficiency, and best practices.
3. Committed resources. Sufficient resources must be provided for staffing and training and then applied, as needed, to encourage a robust auditing program. Resources also should be applied to EHSMS design and continuous improvement. It is important to track the costs/benefits to compare the impacts and results of program improvements.
4. Operational focus. All facilities need to be covered at the appropriate level, with emphasis based on potential EHS and business risks. The operational units/practices with the greatest risk should receive the greatest attention (e.g., the 80/20 Rule). Vendors/contractors and related operations that pose risks must be included as part of the program. For smaller, less complex and/or lower risk facilities, lower intensity focus can be justified. For example, relying more heavily on self-assessment and reporting of compliance and less on independent audits may provide better return on investment of assessment resources.
5. Audit team. A significant portion of the audit program should be conducted by knowledgeable auditors (independent insiders, third parties, or a combination thereof) with clear independence from the operations being audited and from the direct chain of command. For organizational learning and to leverage compliance standards across facilities, it is good practice to vary at least one audit team member for each audit. Companies often enlist personnel from different facilities and with different expertise to audit other facilities. Periodic third-party audits further bring outside perspective and reduce tendencies toward “home-blindness”.
6. Audit frequency. There are several levels of audit frequency, depending on the type of audit:
   • Frequent: Operational (e.g., inspections, housekeeping, maintenance) – done as part of routine EHSMS day-to-day operational responsibilities
   • Periodic: Compliance, systems, actions/projects – conducted annually/semi-annually
   • As needed: For issue follow-up
   • Infrequent: Comprehensive, independent – conducted every three to four years

7. Differentiation methods. Differentiating identifies and distinguishes issues of greatest importance in terms of risk reduction and business performance improvement. The process for differentiating should be as clear and simple as possible; a system of priority rating and ranking is widely understood and agreed. The rating system can address severity levels, as well as probability levels, in addition to complexity/difficulty and length of time required for corrective actions.
8. Legal protection. Attorney privilege for audit processes and reports is advisable where risk/liability are deemed significant, especially for third-party independent audits. To the extent possible, make the audit process and reports become management tools that guide continuous improvement. Organizations should follow due diligence elements of the USEPA audit policy.
9. Procedures. Describe and document the audit process for consistent, efficient, effective, and reliable application. The best way to do this is to involve both auditors and those being audited in the procedure design. Audit procedures should be tailored to the specific facility/operation being audited. Documented procedures should be used to train both auditors and those accountable for operations being audited. Procedures can be launched using a pilot facility approach to allow for initial testing and fine-tuning. Keep procedures current and continually improve them based on practical application. Audits include document and record review (corporate and facility), interviews, and observations.
10. Protocols & tools. Develop specific and targeted protocols that are tailored to operational characteristics and based on applicable regulations and requirements for the facility. Use “widely accepted or standard practice” as go-by tools to aid in developing protocols (e.g., ASTM site assessment standards; ISO 14010 audit guidance; audit protocols based on EPA, OSHA, MSHA, Canadian regulatory requirements; GEMI self-assessment tools; proprietary audit protocol/tools). As protocols are updated, the ability to evaluate continuous improvement trends must be maintained (i.e., trend analysis).
11. Information management & analysis. Procedures should be well-defined, clear, and consistent to enable the organization to analyze trends, identify systemic causes, and pinpoint recurring problem areas. Analysis should prompt communication of issues and differentiation among findings based on significance. Audit reports should be issued in a predictable and timely manner. It is desirable to orient the audit program toward organizational learning and continual improvement, rather than a “gotcha” philosophy. “Open book” approaches help learning by letting facility managers know in advance what the audit protocols are and how the audits will be conducted.
12. Verification & corrective action. Corrective actions require corporate review, top management-level attention and management accountability for timely completion. A robust root cause analysis helps to ensure not just correction/containment of the existing issue, but also preventive action to assure controls are in place to prevent the event from recurring. For example, if a drum is labeled incorrectly, the corrective action is to relabel that drum. A robust plan should also look for other drums than might be labeled incorrectly and to add and communicate an effective preventive action (e.g., training or posting signs showing a correctly labeled drum).

Read the part 2 audit program best practices. 

A management system is the framework that enables companies to achieve their operational and business objectives through a process of continuous improvement. In its simplest form, a management system implements the Plan, Do, Check, Act/Adjust cycle. Several choices are available for management systems (ISO is commonly applied), whether they are certified by third-party registrars and auditors, self-certified, or used as internal guidance and for potential certification readiness.

Business Benefits of a Well-Documented Management System

The connection between management systems and compliance is vital in avoiding recurring compliance issues and in reducing variation in compliance performance. In fact, reliable and effective regulatory compliance is commonly an outcome of consistent and reliable implementation of a management system.

Beyond that, there are a number of business reasons for implementing a well-documented management system (environmental, safety, quality, food safety, other) and associated support methods and tools:

1. Establishes a common documented framework to achieve more consistent implementation of compliance policies and processes—addressing the eight core functions of compliance:
   • Inventories
   • Permits and authorizations
   • Plans
   • Training
   • Practices in place
   • Monitoring and inspection
   • Records
   • Reporting

2. Provides clear methods and processes to identify and prioritize risks, set and monitor goals, communicate those risks to employees and management, and allocate the resources to mitigate them.
3. Shifts from a command-and-control, centrally driven function to one that depends heavily on teamwork and implementation of a common system, taking into consideration the necessary local differences and building better know-how at the facility level.
4. Establishes a common language for periodic calls and meetings among managers, facility managers, and executives, which yields better goal-setting, priority ranking, and allocation of resources to the areas with greatest risk or the greatest opportunity to add business value.
5. Empowers facilities to take responsibility for processes and compliance performance without waiting to be told “what” and “how”.
6. Enables better collaboration and communication across a distributed company with many locations.
7. Enables the selection and implementation of a robust information system capable of tracking and reporting on common activities and performance metrics across the company.
8. Employs a design and implementation process that builds company know-how, captures/retains institutional knowledge, and enables ongoing improvement without having to continually reinvent the wheel.
9. Creates consistent processes and procedures that support personnel changes (e.g., transfers, promotions, retirements) and training of new personnel without causing disruption or gaps.
10. Allows for more consistent oversight and governance, yielding higher predictability and reliability.

This is the third in a series of articles on food product recalls.

One form of protection from the economic and reputational damages of a food recall event can be to transfer risk through an insurance policy that is specifically designed to respond to a recall event.

Are You Covered?

Business Owner’s Insurance Policy “BOP” provides most enterprises with two main forms of coverage: Commercial General Liability (CGL) and Business Property. Many food and beverage companies believe that basic CGL insurance coverage will provide protection in the event of a product recall. In reality, CGL policies typically contain an exclusion (Recall of Products, Work or Impaired Property) that precludes coverage for any claims associated with a product recall or withdrawal.

Because most CGL policies do not cover recall-related losses, separate Product Recall, Business Interruption, or similar types of insurance can provide protection to reduce the potential financial impacts of a recall event. Companies can purchase either first-party or third-party Product Recall policies, or both.

First-party policies provide coverage for the company’s own economic loss incurred due to a recall. These losses may include:

• Business interruption
• Lost profit
• Recall expenses
• Expenses to respond to adverse publicity and rebuild a brand’s image
• Consultant and adviser costs

Third-party coverage applies to economic loss incurred by third parties (e.g., distributors, wholesalers, customers) who may be impacted by a recall event. This could include broad coverage for numerous costs associated with the following:

• Removal of recalled product from stores
• Transportation and disposal of the product
• Notification to third parties of the recall
• Additional personnel/overtime
• Cleaning equipment
• Laboratory analysis

Business Interruption insurance is another coverage that may cover not only catastrophic losses, but also food recall events. If purchased, it is important to make sure that the Business Interruption coverage works hand-in-hand with Product Recall coverage.

What to Look for in a Policy

Product Recall insurance should be specifically tailored to meet the needs of the company. Here are some things that a company should ask when exploring Product Recall/Contamination insurance:

• Will the policy cover recalls where there is limited likelihood of bodily injury (e.g., class II or class III recall that is less severe)? What if a recall is requested (vs. ordered) by the FDA or USDA?
• Will the policy cover loss from an FDA administrative detention?
• What happens if the company experiences financial loss due to a recall and then the facts underlying the recall turn out to be incorrect? Are those losses still covered?
• Does the policy exclude coverage if the recall was due to a problem with a competitor’s product? What if the product breaches a warranty of fitness?
• Does the policy provide coverage for claims by third parties (e.g., customers)?
• Does the policy cover lost profits/revenue? What about logistics and repair costs (e.g., shipping and destruction, public relations, product replacement, and reputation/brand damage)? How is the loss calculated?

*****
Read:

• Part 1
• Part 2

This is the second in a series of articles on food product recalls.

The risk for all food companies of being affected by a recall is substantial—and to adequately respond to a recall claim is complex and expensive. Companies should always be prepared to prevent a recall from occurring.

Here are seven tips that can help your company prevent and/or manage a food recall:

1. Establish Food Safety Plan using HACCP approach or preventive controls. Always make sure the plan is kept up to date with facility production or product formulation changes to ensure potential risks are controlled.
2. Develop and maintain a written Recall Plan, as well as a Crisis Management Plan. These plans should be reviewed, tested, and updated at least annually. Lessons learned should be recorded and analyzed for possible improvements.
3. Conduct mock traceability exercises over a certain time period. In case anything occurs from within the supply chain, you should be in control of your own ingredients and finished products.
4. Establish a functioning approved supplier program.
5. Utilize third-party audit certification to establish a Food Safety Management System (FSMS), and gain senior management commitment and resources for maintaining the FSMS onsite. This may be in the form of commitment to a Global Food Safety Initiative (GFSI) benchmarked standard (e.g., BRC, SQF, FSSC 22000, IFS).
6. Implement thorough sanitation and hygiene processes.
7. Maintain all related documentation and records.

Read:

• Part 1
• Part 3

This is the first in a series of articles on food product recalls.

Salmonella outbreak in eggs; E. coli breakout in romaine lettuce. Both are getting a lot of attention right now. Unfortunately, no food company is immune to encountering situations like this that may lead to government warnings or a food product recall. Even plants with the best controls are at risk—human error, mechanical breakdowns, or sampling failures can happen at any time.

Growing Epidemic

The number and magnitude of product recalls has increased significantly in recent years. According to U.S. Department of Agriculture’s (USDA’s) Economic Research Service report entitled Trends in Food Recalls 2004-2013, the average number of food recalls between 2004 and 2008 was 304/year; the average number between 2009 and 2018 increased to 676/year.

Interestingly, the study does not cite riskier foods as the reason for this upward trend. Rather, the increase of food product recall events can be attributed to the following:

• An increasingly complex and global food supply chain system,
• Technology improvements in the detection of health risks, and
• Passage of two major food policy laws—FALCPA and FSMA—particularly related to the dramatic increase in undeclared allergen recalls.

Product Contamination Consequences

A full-scale recall involving food products can be detrimental to a food manufacturer or retailer. According to a survey conducted by the Grocery Manufacturers Association, 29% of companies that faced a recall within the prior five years estimated that the direct cost of the recall was between $10 million and $29 million—and that cost can be even greater when accounting for indirect costs.

There are three primary consequences of a major product contamination/recall event:

• Product recall expenses – product replacement costs, recall and redistribution expenses, product destruction costs, related crisis management consultation fees
• Business interruption – financial loss due to product unavailability, decontamination downtime, government action, brand damage, and loss of contracts
• Third-party liability – financial loss due to third-party property damage and bodily injury

In many cases, a recall event will result in decreased profits over the short run of 6-18 months. The long-term brand damage, however, can impact earnings over an even longer period. Given these trends and the potential associated impacts, every food business should be concerned with potential contamination risks.

Read:

• Part 2
• Part 3

The 20^th Annual Food Safety Summit, held earlier in May, proved once again to be an engaging and informative meeting for all in attendance. During the four-day event, food safety professionals participated in interactive sessions focused on food safety in the supply chain.

Throughout the Summit, Kestrel’s food safety experts observed several common themes and challenges that the food industry is facing — challenges that your business may be encountering today. Here are some of our key takeaways:

Key Topics

This year’s Summit featured a supply chain focus. Every company in the food supply chain—those that produce, handle, or distribute food-grade products/ingredients—has an obligation to its customers to provide safe and quality food. The Summit began with six certification programs related to food safety across the supply chain, including Preventive Control for Human Food, Foreign Supplier Verification, Professional Food Safety Auditor Training, Seafood HACCP, HACCP Training, and Certified in Comprehensive Food Safety.

The focus on food safety throughout the supply chain was discussed in lessons learned from recent food safety case studies, as well as in four afternoon workshops focused on departmental cooperation, traceability, effectively managing food safety, and global regulatory systems. In addition, the new Community Cafes provided attendees the chance to meet with the subject matter experts, including experts from Kestrel, for more in-depth conversations about topics focused on the supply chain.

Industry Trends

As is evident from the key topics covered at the Summit, the current trend is a much stronger focus on food safety within the global supply-chain, particularly coordination of various global regulatory systems, requirements, and agencies. Steve Mandernach of the Association of Food and Drug Officials (AFDO), Dr. Robert Tauxe of the Centers for Disease Control (CDC), Paul Keicker of the U.S. Department of Agriculture (USDA), and Stephen Ostroff from the U.S. Food and Drug Administration (FDA) participated in sessions on how the agencies are working together on food safety initiatives and the impact food safety. This included a conversation on whole genome sequencing of pathogens as a game changer for disease monitoring and response.

Ongoing Challenges

A major concern and ongoing challenge within the food safety community involves training regarding food safety responsibility across all levels of the organization. This not only includes large organizations with individuals who are directly responsible for food safety programs, but also smaller organizations where these responsibilities must be understood and followed by everyone at all levels. This corresponds to the need for food organizations to establish a much more comprehensive and effective food safety culture. The lack of this training, organizational responsibility, and overall culture is considered one of the primary causes of continued contaminated food outbreaks.

Regulatory Updates

In addition to the discussion regarding the use and benefits of whole genome sequencing, enforcement of FSMA and the expanding rules of Intentional Adulteration and Food Fraud Prevention Programs continue to be top areas of regulatory concern. Inspections and investigations related to supporting Food Safety Plans under these requirements will continue to expand, as evidence of compliance is required by all food organizations under the law.

Food Safety Summit 2019

Plans are already being made for the 21st Anniversary of the Food Safety Summit, which will again be held at the Donald E. Stephens Convention Center in Rosemont, IL from Monday, May 6 through Thursday, May 9, 2019. Mark your calendar. Kestrel looks forward to being an active sponsor and participant again next year.

Since it was launched in May 2000 following a number of major food safety scares, the Global Food Safety Initiative (GFSI) has aimed to “provide continuous improvement in food safety management systems to ensure confidence in the delivery of safe food to consumers worldwide.”

Recognized Schemes

GFSI is not a scheme in itself, nor does it carry out any accreditation or certification activities. Rather, a benchmarked scheme (e.g., BRC, SQF, IFS, FSSC 22000) is recognized by GFSI when it meets the minimum food safety requirements, as set out in the GFSI Guidance Document.

Strategy for Certification

Companies have the flexibility to choose which GFSI-recognized scheme they want to adopt, and can achieve certification through a successful third-party audit. Under GFSI’s concept of “once certified, accepted everywhere,” certification to any GFSI-recognized scheme is accepted by many international, national, and regional retailers and suppliers.

The following factors should be considered to ensure a successful GFSI strategy:

1. Adequate knowledge of the GFSI standards (e.g., BRC, SQF, IFS, FSSC 22000) and how they work within food manufacturing and packaging companies
2. Ability to use and implement document and records management and control
3. Training to implement the chosen standard and ongoing training in the standard/key program areas, including Hazard Analysis and Critical Control Points (HACCP) and internal audit
4. Meeting the building requirements of the GFSI standard
5. An integrated pest management system that meets the requirements of the standard
6. Dedicated role of a qualified plant sanitarian
7. A strategy that includes management commitment and allocation of budgets and resources
8. Proper management review meetings and records
9. Compliant food safety and security
10. A corrective and preventive action (CAPA) process that meets the requirements of the standard
11. Approved supplier programs
12. Control of non-conforming product through disposal
13. Change management and acceptance by the organization
14. Product specifications that meet the requirements of the standard
15. Sanitation and chemical control programs
16. Deviation and variance tracking, reporting, and response
17. Product and raw material storage
18. Food-level Good Manufacturing Practices (GMPs), operating prerequisites, and compliance
19. Calibration of measurement devices
20. Emergency response and contingency plans

The GFSI system provides a high degree of confidence that food safety management systems are adequately designed, implemented, and maintained. Certified companies tend to be more efficient and profitable and have more effective shared risk management tools for brand protection. Ultimately, certification results in improved consumer confidence, simpler buying, and safer food throughout the supply chain.

The Food Safety Modernization Act (FSMA) Foreign Supplier Verification Program (FSVP) imperatives require companies to assess their foreign supply chain of food production and implement new programs to meet and achieve compliance. These programs must be implemented and ready for inspection under FDA FSMA enforcement by the compliance date. For many companies, that date was May 30, 2017.

FSVP Requirements

Effective May 30, 2017, impacted companies are expected to follow the FSMA FSVP legal requirements or face a disruption in supply, business impacts, possible fines, and penalties. In short, this requires that companies ensure that receipt of foreign food includes the necessary information to be adequately inspected and verified.

Key areas to demonstrate FSVP compliance include the following:

• Determine the receipt information under FSVP to verify approval of each shipment of each product by lot identity.
• Confirm the existing information that may already be required for each shipment, including COA by product lot and FDA registration number (with expiration date).
• Document the actual site of manufacture of the foreign-supplied product, including the location, contact information, operator, and Qualified Individual overseeing the Food Safety Plan.
• Require declarations with each shipment stating that the supplier is in good standing with FDA and their foreign government’s food safety regulations. Provide a list of all programs under FSMA (Food Safety Plan and Section 17 cGMPs) with each shipment under an authorized signature.
• Include any additional information that is required under the FSVP that adequately confirms compliance to the company’s program, product requirements, and FSMA.
• Establish and maintain receipt records on all information that can be accessed and inspected at the request of inspection authorities for at least two years.

Compliance Challenges

At first glance, the FSVP requirements seem basic—foreign supplied food product is approved by meeting the FDA requirements and the requirements of U.S. companies receiving these products. It looks to be the same as existing supplier qualifications for U.S.-supplied food product.

However, the FSVP rule provides much information on “what” is required of companies but not “how” or how to validate and verify these programs. Many FSMA training programs, including the FDA-funded FSPCA, really do not provide a level of guidance for companies to develop and meet the anticipated inspection process, which could include shipments stopped at a foreign port or at the U.S. port of entry. Concurrently, established importers have programs to communicate import shipments based on the requirements prior to FSMA and the FSVP, but many have expressed confusion in determining the changes now required.

Leading up to the May 30th compliance date, many companies of all sizes and scale began to seek ways to best establish their programs to meet the full regulatory requirement. Much of the focus has been on establishing practices that informally address what is really required under the FSVP while making a casual determination of compliance. Other companies have developed programs consistent with the procedural requirements of the FSVP rule, as published.

Some companies have taken the requirements to an extreme by determining new supplier requisite information for each shipment to prove compliance. This has resulted in generating a significant amount of information for each shipment by each product. This level of information is not what FSMA intended. Much of the required information for FSVP is already in the established supplier qualification program and must be maintained but is not required in its entirety with each shipment. In fact, there are issues with the approach of requiring all information with each foreign supply shipment, including:

• Sheer volume of information
• Time required to assemble the information
• Inability of inspectors to assess all the information for compliance

All of this leads to the confusing situation that exists in the market today concerning the FSMA FSVP, where compliant practices have not been developed and newly established requirements have not been tested by enforcement. As a result, reports indicate that many foreign suppliers of varying company size, scale and sophistication are not openly willing to respond without clear, simple instructions from their U.S customers.

Establishing Reasonable Plans

Ultimately, many of the FSVP practice requirements will be developed and refined through the regulatory inspection actions of the rule. That being said, the industry cannot wait. Companies need to have reasonable plans established for all current shipments being made under the FSVP.

Companies should focus on the more fundamental aspects of the FSVP—those requirements that must be verified, recorded, and evident in the documents supporting all foreign shipments of food product under the rule. This information does not need to include the entire policy manual but select summary information.

An important consideration involves understanding how this law is expected to be inspected. Knowing this provides a basis to develop and implement an effective program. The premise is that the foreign shipments may not be stopped for inspection at the border level, but that inspections will more commonly occur at the receiving party location of the product shipment at delivery to their U.S. locations. Regulators will expect to inspect verified, recorded, and legal receipt of the foreign-supplied food product.

Areas to focus on to ensure compliance with the FSVP requirements includes the following:

Receipt of RSVP Products. Focus on verification of the necessary information for receipt of FSVP products based on the law and the company’s defined program. This does not mean all program information but information that adequately meets the level required for compliance.

Shipment Information for Receiving Records. Establish lists of shipment information for all shipments, which includes all products being received under FSVP, as summary forms with current and validated information. Summary information that can be effectively inspected as part of and aligned with the shipping paperwork will provide the necessary information as part of an FSVP receiving record.

Compliance Actions. Establish procedures and work instructions to ensure that compliant practices are approved, verified, and meet the minimum requirements. This will include modifying some existing documents and forms that are specifically required under the FSVP. This level of approved summary information must reflect the documented policies and procedures developed in the company’s FSMA Food Safety Plan and FSVP.

Internal Programs. Maintain internal programs, with oversight verification conducted diligently. All required information must be accounted for and records must be completed and maintained with a high level of accuracy and integrity. Verification must include oversight and multi-level signed approval.