The Food Safety Modernization Act (FSMA) “Mitigation Strategies to Protect Food Against Intentional Adulteration” rule, commonly known as the IA Rule, specifies in its published final rule that covered food facilities are required to perform a vulnerability assessment prior to developing a Food Defense Plan.
There is a reason why the FSMA calls for an assessment rather than the more typically performed audit. Frankly, I have struggled with food industry approaches to audits used to best “measure” preparedness of food safety and food defense responsibilities, policies, and procedures, along with identification and assignment of risk/threat mitigations, as prescribed by FDA regulations.
How can the industry best determine if a food facility obtains an accurate picture of its real exposure to adverse internal and external risks and threats? How can a food business, religiously following its food protection plans and operational implementation of these plans, have full confidence that it has accomplished, in operational practice, what it is supposed to do to best protect its valued assets? How committed is management to knowing and understanding its business risk? Does it insist that assessments performed within its own site use the best means to accurately determine the probability, severity, and criticality of hazards and risks, along with their mitigation strategies, that expose its people, product, or the food facility to situations that could cause serious injury or death in humans or animals?
In my 47 years of wrestling with the merits of various risk/threat management approaches, I find fault in our overreliance upon internal and external audits to measure our confidence level as the fundamentally accepted way to verify that our food protection risk and threat detection systems are “always on” and working effectively.
Food Audits and Food Assessments
We need to first understand the difference between an audit and an assessment from a proven historical event perspective. We now rely upon industry food safety and food defense (and economically motivated adulteration, or EMA) standards organization audit formats. Those used are based upon requirements found in the Global Food Safety Initiative (GFSI) or often specified in supplier requirements. These formats are not designed to probe, nor do they probe, long-standing gaps and system flaws that are deeply rooted, often unnoticeable but often critical, in the identification of risks and threats in any given operational environment. Generally, even well-performed audits are more likely to miss what a true assessment for system weaknesses can uncover.
An audit, according to Merriam-Webster, is “a careful check or review of something.” I believe an audit consists of an evaluation of an organization’s systems, processes, and controls, performed against the set standard or documented process, often a generic, one-size-fits-all approach. A food defense and EMA audit is designed to verify whatever standard is in place and is often set up using a checklist approach to ensure product, personnel, and facility security. An audit may also provide a gap analysis of the operating effectiveness of the internal controls in meeting a system or control requirement.
Audits are designed to provide an independent evaluation of system processes and controls using personnel with expert knowledge about the system or process. But they are conducted with pre-scripted audit tools that limit the ability to identify other hidden system hazards, risks, and threats. By design, audits may identify system and control gaps, but they provide only limited feedback from the auditor as to how to best mitigate such gaps. Worse, full reliance on audit results may allow unintentional and nondetectable food safety breakdowns to occur.
An assessment, as defined by Merriam-Webster, is an “action or an instance of making a judgment about something.” For example, a food defense vulnerability assessment is a fundamental, risk-based review and gap analysis of a site's or a system's control strengths that could cause failure in achieving the underlying criteria used to set a system standard or process control. This process involves the identification and classification of both the known and unknown product security vulnerabilities that may impact the site or its system functions.