Alongside a food safety management system based on the principles of HACCP (Hazard Analysis and Critical Control Points), it is recommended that all food businesses establish a food defence system to ensure that their food is safe to eat and is not affected by food fraud.
Be aware that the steps outlined in this article are general, and may not be suitable for use by all food businesses (especially those that are large or at a high-risk of experiencing food fraud).
The first stage of a food defence study is to identify the types of attacker that pose a threat to an organisation and its systems, especially electronic systems. The team should also identify those who may be a threat to specific operations, such as specific premises.
Once this has been completed, these attackers must be assessed to establish their motivation, capability, and level of determination to carry out an attack.
Once the threats have been identified and assessed, they need to be separated into product-related threats and non-product-related threats. For each of the product-related threats, a product must be selected that is representative of a particular process that could be affected. This can be the same product for multiple threats.
Once the product threats have been established, those individuals and/or groups that may target each one must be identified. This is similar to the identification process carried out in stage 1a, but with a focus on individual attackers and their impact on products.
Once completed, the team should have an exhaustive list of product threats and details of those who may carry each one out.
When identifying potential attackers, the following four groups should be considered:
At this point, a process flow chart must be created for each product that shows its journey through the ‘farm to fork’ process, including stages that the food-related business is not directly involved in. This should be carried out using expertise from both inside and outside of the business, and attention should be paid to the less transparent parts of the process.
A food-related business should also gather information from its suppliers when creating a flow chart, including information on the assurance and audit processes of those suppliers.
This stage requires the food defence team to use the process flow chart to establish the vulnerable points that an attacker may be able to successfully target. To be able to do so successfully, the team must ‘think like a criminal’ and should be aware of the main threats that affect supply chains.
Attention should be paid to extraordinary circumstances, such as a supplier running out of raw materials, because this may reveal additional vulnerabilities that are not immediately apparent.
They should also identify the people that have access to the food product throughout its production, especially so at each of these vulnerable points.
At this point, the food defence team must identify the threats that could impact food production at each stage of processing and assess the impact that the process may have in mitigating these threats. For example, a toxic contaminant that is added may be destroyed or removed by processes such as cooking and/or cleaning.
Now that the threats and vulnerable points have been identified, the critical points must be established. These are the points in the food production process at which the threat will have the greatest effect and the points at which the same threat may be detected.
A food-related business must have an existing food safety management system in place that ensures that the food produced is safe and free from unintentional contamination. This system will require certain control measures and testing procedures to be put in place to detect contamination.
It may be the case that existing procedures are effective for detecting intentional contamination and other food-related threats. For example, routine laboratory tests could detect the presence of added water or unusual fats and oils in a food product. At this stage, a food defence team must assess whether existing procedures will detect each threat and, if so, how reliably they will do so.
After completing the previous stages, a business should have a clear idea of who could affect it and how they may do so. It should also have a list of all potential threats that it could face, including product-related and non-product-related threats.
At this point, each of these threats must be arranged to determine their priority, which is done by assigning each threat a likelihood and impact score. This allows a business to focus its efforts on targeting those threats that are more likely to occur or will have the greatest impact.
For those risks that are determined to have a significant or a high priority, the food defence team must identify who has unsupervised access to the relevant products or processes. Each of these people with access must be assessed to determine their trustworthiness and whether this trust can be justified. It must also be established whether this access is required for the individual in question to carry out their role.
At this point, the threat analysis is complete. This means that the food defence team must identify, agree upon, implement and maintain the proportionate preventative actions required to eliminate or reduce the risk of a food-related attack occurring. These measures may include implementing additional site security measures and scrutinising external suppliers using assurance and audit systems.
The form that these measures can take will vary significantly between businesses, so external expertise may be required at this point.
Once the control measures have been decided on, an action plan should be created that details what these control measures are and why they are in place. This is so that information can be communicated easily to employees and suppliers.
Alongside control measures, a business must create and implement an incident management plan. This plan should contain information on what to do in the event of an attack occurring. Specifically, it should detail how to:
It is important that this plan is rehearsed regularly, before an attack takes place, so that every person involved knows what their role is and that they are able to act quickly and effectively in the event of an incident.
Once the control measures have been implemented, the food defence team must decide on the review arrangements for the system. Reviews should happen annually and when prompted by a trigger. These triggers include:
Horizon scanning is an ongoing process in which the food defence team maintains a routine watch of official and industry publications that can give a business early warning of new threats, or changes to existing ones, that could impact them. Food businesses should also monitor and follow the guidance of other organisations such as the Food Standards Agency, Food Standards Scotland and the World Health Organization.
For more information on food safety management or food defence systems, and how to create effective systems for your business, consider taking one of our training courses shown below: