Vulnerability assessments are a key provision of the FSMA final rule, Mitigation Strategies to Protect Food Against Intentional Adulteration. With this requirement comes the “identification of vulnerabilities and actionable process steps” that must be taken to mitigate potential threats. During the IAFP annual meeting Lance Reeve, senior risk management consultant for food safety and defense at Nationwide Agribusiness Insurance Co., reviewed the important and sometimes-overlooked areas that companies should be looking at when conducting vulnerability assessments.
Inside the Plant
To start, vulnerability assessments should be conducted at different times of the day, and the process should involve a team approach, said Reeve. Food defense cannot effectively be managed by a single person within a facility: It needs to involve all departments, from human resources to IT to production to warehousing, and extend to outside suppliers and vendors. How is the flow of employees and visitors around the facility managed? Do staff members wear color-coded badges? Some companies have a color-coding plan to prevent contamination, but it is also a useful tool to ensure that unauthorized employees, outside contractors and visitors aren’t in restricted areas. For example, the maintenance shop may contain deadly food contaminants—do you really want general employees to be able to get into this area? Consider using electronic technology such as biometric access control to limit access based on employee/security credentials.
Working with the human resources department is a critical part of protecting a facility. Does your company have the capability to conduct thorough background checks on all employees? In addition, with all the different types of contractors and vendors who enter your facility it’s important to find out whether your contracting companies are doing the same level of background checks as your organization when they hire employees. And finally, examine how the culture within the organization. Do employees challenge the presence of visitors who shouldn’t be on the premises?
Outside the Facility
In many cases, companies will look at the inside of their facility for potential hazards and vulnerabilities, but what about the perimeter? How are you controlling the people who are coming onto company property? While this may seem obvious, Reeve recommended physical objects to establish authority: Fences (establish physical border), signs (establish where control begins), and CCTV cameras (establishes security). And when looking at the outside of the building itself, how secure is the roof? What access does a potential attacker have into the facility via the roof? How often are security checks conducted here (if at all)?
Throughout any given day, a company can receive several cargo shipments from a variety of different suppliers. Are you familiar with the food safety programs of your suppliers? They play a critical role in food defense strategies. And when your company receives shipments, Reeve advised that companies go beyond looking at the seals on trucks and examine the transportation system itself. Is cargo removed in a secure area? Is an authorized employee supervising the process or is it left in the hands of the third-party driver?
And finally, a critical part of your mitigation strategy should be to challenge the system. Once you think you may have found all the vulnerabilities, conduct penetration testing.