National security has always been an important issue in our country. It continues to become even more important in 2011 as we’re nearly a decade removed from the tragedy of Sept. 11, 2001, and the anthrax attacks that followed. A shift in our mindset forced U.S. citizens into a new heightened awareness of our country’s security and what it means to be safe.
Today, we stand barefoot and belt-less at the airport because of it. Yet, the possible threats to our national security dangers are not just found in airplanes and delivered mail. There is one area rarely considered that will soon see more scrutiny: the food we eat.
In recent years, there has been an evolving concept regarding food safety versus food defense. There have always been concern and regulations for food safety, but now the concept of “food defense” has been introduced. For the first time, the term actually appears in legislation recently passed by Congress and signed into law by the President. Food defense is defined as measures to protect food from deliberate tampering from criminal or terrorist sources.
Existing food guidelines from the FDA and the USDA are intended to keep our food safe and edible. But what are we doing to keep production facilities secure? Those who would do America harm will strategically target whatever they can to spread terror the fastest and most horrific ways possible. America’s food production companies could be a target.
Food industry executives should be prepared to see more government involvement and regulation when it comes to food defense. Scientific and performance standards will be developed to connect the food industry with national security processes. The good news for security experts is that it will make their jobs even more valuable, if they have food and kindred products experience. The bad news is that many food industry executives have a lot on their plates and aren’t familiar with the issues surrounding food defense.
The recently passed Food Safety Modernization Act will bring many changes to food production, packing and distribution facilities. The majority of food facilities will now be required to analyze hazards, produce preventive controls and create a food safety plan before introducing any food into intrastate commerce. Each facility will be held to higher performance standards and a new inspection schedule based on risk. Records of food and those handling it will be under scrutiny, and food tracing programs will be implemented.
Each organization’s food defense plan will have multiple security requirements covering every aspect of the facility, including processing, materials handling, personnel, storage, shipping/receiving, site security, utilities connections and the use of cyber-security.
Here are just a few of the issues food companies should consider and prepare for in the coming years:
- Food can be deemed mis-branded if it was manufactured, processed, packed or held in a facility that is not registered.
- A Food Defense Plan will be required before introducing any shipment of food into interstate commerce.
- Food will be deemed adulterated if it has been manufactured, processed, packed, transported or held under conditions that do not meet performance standards.
- Food will be deemed adulterated if it has been processed, packed, transported, or held under conditions that do not meet safety standards for raw agricultural commodities.
- New tracing programs aim to identify each person who grows, produces, manufactures, processes, packs, transports, holds or sells food.
- Violations of any food tracing system requirements will be prohibited.
- Requirements include refusal of admission of articles that have not complied with food tracing system standards.
- Food can be deemed mis-branded if it is part of a shipment offered for import into the U.S. and such shipment is in violation of provisions requiring a certification of compliance.
What can food companies do, now and in the future?
Preventive controls are one the strongest ways for a company to improve security. Food companies should be taking the time now to re-examine security, sanitation procedures and practices, hygiene training, process controls and manufacturing practices, as well as verification practices and procedures for suppliers and incoming ingredients. That could include onsite auditing of suppliers and testing of incoming ingredients.
New laws will require procedures to be in place for monitoring those preventative controls and a description of the corrective procedures, verification activities, record keeping, recall procedures and tracing methods in case of emergency. Companies could be subject to more random testing. The fines for any civil penalties range from $20,000 to $7.5 million.
A company’s brand awareness and public relations image will be affected in an emergency if it does not adhere to federal recommendations and regulations. Companies should consider converting these guidelines into a firm policy.
McCormick & Company, Inc. is a good example, as they began using goal-based security instead of a risk-based approach. McCormick’s security team found that risk-based security for identifying and quantifying risk is a process that can be somewhat subjective. If it is not properly facilitated, risk-based security may not cover all risks in a security program or could leave management with challenges in prioritizing which risks to address first.
Approaching security with specific goals in mind allows experts to be more objective and achieve quantifiable results. Once basic security measures are in place, additional risks are more easily identified.
Using the goal-based security concept, McCormick’s team was able to better understand the security issues involved, define what results must be demonstrated to ensure goals are met and establish appropriate strategies to address security issues.
General benchmark goals for a food processing operation include:
- Control the operation. Establish a secure perimeter.
- Background checks. Look into the background and character of those who work in the facility.
- Understand vulnerabilities. Identify and control all potential vulnerabilities.
- Ongoing vigilance. Investigate, report and mitigate security breaches.
- Proactivity. Establish plans, policies, procedures and training.
The McCormick team distilled each goal and identified specific measures to achieve them. For example, with goal one, every access door, emergency exit, egress door, overhead door, window, vent or other opening was controlled to deter unauthorized/undetected entry. A facility can easily demonstrate whether that solution is in place.
Another example is goal five — to document the security/food defense plans of the facility and to develop and document policies, procedures and training to support these plans. In order to achieve that goal, McCormick conducted a security audit, vulnerability analysis and risk analysis for the facility to assess what measures were in place and what measures still required implementation. The team also created a timetable for adding those measures.
Keep in mind, food security does not stop with plans and perimeters. A company’s employees (goal two) can be one of the greatest risks, or, conversely, its greatest security assets.
Security and food defense awareness training should be conducted and documented for all employees at least annually. That training should include education on protecting the facility, individual responsibility with regard to access card use, and what actions should be taken if they observe danger.
Whether you use a goal-based or risk-based methodology to establish your security program, it is essential to include some quality assurance measures much like companies dedicate resources to quality assurance in the production of food products. In fact, in a majority of our consultations, we find that very few organizations have the means to know whether a security program is functioning effectively, and most have several common areas for improvement. Some of the common weaknesses observed in food manufacturing facilities include:
- The “No-Incident” Gauge: Because an organization has had little in the way of security incidents, it is easy to conclude that a security program is effective. However, it may just be that no adversary has ever attempted to commit a crime or terrorist act against the organization. When was the last time you simulated a security breach to see how staff or security reacted?
- Flawed Assumptions: Many companies find flaws in their security systems because of flawed assumptions from the beginning about security. For example, company executives often assume that panic alarms are working and that terminated employees no longer have building access. Our assessments of companies’ security systems often find that is not true. Companies spend tens and sometimes hundreds of thousands of dollars on security systems, and there are often flaws in the way these systems are performing. When was the last time your company conducted a check of basic security systems?
To borrow from one of Steven Covey’s habits of highly effective people, one strategy to achieve an effective security program is to “begin with the end in mind.” Whether you use goal or risk-based security, management will want to be actively tracking program performance to ensure security and staff will properly respond to a potential or actual security breach. Through the utilization of performance metrics, management can have true measurements of security’s effectiveness.
For example, by simulating a security breach, management can assess whether security or staff responded positively and grade the results of the drill as a pass or fail. Management may set a target that they wish to have 80 percent pass rate on all security drills. Organizations can set goals as high as they wish depending on the sophistication of its program.
Other performance metrics companies may consider adopting might include:
Performance Metric | Ideal Result |
Percent up-time for installed security systems | 100% |
Inspection of active identification badges to ensure no separated employees still have active cards | 0 active cards for separated employees or contractors |
Percent of employees who have received security awareness training | 100% |
Analysis of reported security incidents to identify victim assisted crimes | Percent continuously declining on an annual basis |
Percent of the time the facility is secure by reviewing door alarm activity (forced, propped) | 100% |
Understanding benchmarks can help companies get started. It is advisable that food companies consider bringing in unbiased security management expertise, particularly those with food industry knowledge not tied to a technology manufacturer or integrator. These experts have the skills and experience to assess an organization’s security needs and conduct security drills/exercises, penetration testing and security system engineering. They can also establish performance metrics to provide management with the confidence that their security programs are performing adequately.
Food executives and facility managers must expect heightened regulations in the coming years. Compliance is going to get more challenging, not more lenient. If food companies expect their security program to be effective, executives must know how to establish performance metrics.
Preparing for unknowns is a priority in all phases of business. Food defense is certainly no exception. Don’t wait until crime happens. Changes to our lifestyles over the past decade should illuminate the importance of food defense in your organization.