Tag Archives: Focus Article

Nicole Keresztes James

Five Tips to Prepare for Your Next Audit

By Nicole Keresztes James

For food manufacturers, passing a third-party food safety and quality audit supports both business growth and the ability to obtain new customers. Many retailers have made certification to a GFSI-benchmarked standard a minimum requirement of their suppliers. Working towards compliance with a third-party audit, let alone a GFSI-benchmarked certification, is a journey that requires significant preparation. Understanding the typical mistakes companies make on this journey, and taking action to avoid them can go a long way in properly preparing for and successfully passing the audit. Here are five essential tips to help businesses prepare for a food safety audit.

1. Start Early

Procrastination is one of the most common causes of an audit failure. Starting the preparation process too late can cause significant challenges. The first step in preparing for an audit should be to set a timeline well in advance, identifying key checkpoints and milestones to ensure activities meet compliance.

If you have the option, choose an audit standard that fits with the facility and meets the end goal. Some questions to ask in your selection process include:

  • Is the certification to a GFSI-benchmarked standard required?
  • Is a completed third-party food safety and quality audit sufficient?
  • Is a customer-specific audit needed?

Once you’ve decided on the audit standard, select a third-party certification body or audit firm to deliver an audit to the standard’s requirements. Ensuring that the certification body or audit firm you choose is qualified to conduct the audit (e.g., accredited or approved by the standard) is crucial.

Next, secure a copy of the selected standard. With GFSI-aligned programs (including GFSI and non-GFSI benchmarked standards), standard expectations are available freely and directly from the certification program owners. In the case of proprietary third-party audit and customer standards, the chosen certification body or audit firm can assist with providing the necessary expectations.

2. Get Up to Speed

It is extremely important to thoroughly review and familiarize yourself with the standard or expectations manual, especially if the standard or manual is new to the facility. If the audit is a reassessment, ensure you have the most recent version of the standard or manual and thoroughly read it, as updates may have been made since the last audit.

One mistake we sometimes see is failing to designate an internal core team for the audit. Doing so can help ensure the timeline is followed and critical tasks are assigned accordingly. If you are doing a reassessment, ensure that all internal organizational changes have been documented and that organization charts and rosters have been updated.

For reassessments, it’s also important to revisit any nonconformances from previous audits and the reports of any other assessments or internal audits completed. Doing so ahead of time can confirm that corrective actions have been fully implemented and preventive actions put in place, minimizing the recurrence of nonconformances.

3. Complete a Self-Assessment

Conduct an internal audit using the audit standard or expectations manual to identify compliance gaps. Address any deficiencies through corrective actions, focusing on areas such as sanitation and cleanliness, facility condition, pest management programs and maintenance protocols. Looking at each of these areas, identify and address opportunities for improvement. Issues in these areas are very often cited as nonconformances during audits.

Before the audit, meet with your third-party service providers to ensure programs are up to date and that there is awareness of any issues. Even when programs, such as pest control, are outsourced to third-party organizations, the facility remains responsible for overseeing such programs.

4. Prepare Documentation and Ensure Implementation

Documentation is critical for audit success. Conduct a comprehensive review of your food safety systems (e.g., HACCP and FSMA PC) to ensure that they are current and valid. Review the efficiency of your process implementation and verify that the documentation and processes are aligned.

Training is a must-have for audit compliance; therefore, confirm that internal training has occurred and been documented. This includes training not just for the team escorting the auditor during the audit but for all employees, as during the visit employees in functions key to the audit’s scope may be called on by the auditor to answer questions. Remember, well-trained employees are confident in conducting and describing their processes and how they connect to food safety and quality. They must also follow the procedures as stated in the documented programs and policies.

5. Collaborate and Ask for Help

Failures occur when assumptions are made. Many audits are unsuccessful because facility management and employees assume they understand and have implemented the necessary requirements.

When in doubt, ask for help. As stated above, preparing for any audit is a significant undertaking. Expert resources can help with that preparation and assist with avoiding gaps and the rework that occurs when expectations are not clearly understood. Check with the certification body or audit firm that has scheduled the audit—many will offer separate consulting and training services to help with audit preparation.

It is important to note that one facility is just one point in the overall supply chain and that stakeholders include both suppliers and customers of the facility. These suppliers and customers can play a role in the success of an audit. Ensure that communication with all involved parties is part of the preparation.

Keep the Momentum Going

Once you complete an audit, celebrate and congratulate the team. At the same time, remember that the work doesn’t end once the audit is complete. Even after completing the corrective actions, you should start preparing for the next audit by keeping documents and records updated. Adequate food safety and quality assurance are only possible when activities connected to these concepts are carried out every day. Keeping compliance top-of-mind daily has the additional significant benefit of always being audit-ready.

As the adage says, “Fail to plan, plan to fail.” This certainly rings true with audit readiness. However, it is key to remember that an audit is merely a data point on the spectrum of a robust food safety and quality system that is constantly evolving and improving. This comprehensive system does not come about just because there is an audit to plan for. It is a product of daily work to ensure that procedures and policies are being followed and a cross-functional team that is striving to make a facility’s food safety culture stronger and ever more capable of preventing food safety and quality incidents.

Liz Figueredo

Preparing for the USDA Strengthening Organic Enforcement Rule’s Implementation

By Liz Figueredo

Businesses in the organic food supply chain have just weeks to prepare for the upcoming implementation of the United States Department of Agriculture (USDA)’s Strengthening Organic Enforcement (SOE) Rule. This updated regulation, which goes into effect on March 19, 2024, aims to fortify the integrity of USDA organic products. From manufacturers to retailers, businesses across the supply chain must adjust their procedures and practices to comply with the updated rule.

The SOE Rule calls for the implementation of more rigorous certification practices for various types of businesses, including key links in the organic supply chain such as importers, exporters, brokers, traders and storage facilities. Because these organizations have not historically been required to be certified, it’s likely there will be an increase in last-minute organic certification applications. To accommodate the incorporation of these new entities, USDA-accredited certifying agents are now offering expanded services, including on-site inspections with enhanced authority to prevent fraud and non-compliance.

Changes Throughout the Supply Chain

Business activities that encompass any form of aggregating, culling, packaging, repackaging, storing or related processes of USDA organic products are now required to obtain certified organic status. In addition to a broader spectrum of handlers throughout the supply chain requiring certification, low-risk businesses in the exempt category must still adhere to stringent contamination prevention protocols and maintain meticulous records. This underscores the integral role of record-keeping and anti-fraud systems throughout the supply chain. To find out if your business should seek organic certification, try NSF’s interactive online decision tree tool.

Next Steps to Compliance

The USDA estimates that 1,000 domestic businesses will need to achieve organic certification prior to the Rule going into effect. Businesses must work with an independent, third-party certification body that is accredited by the USDA, such as Quality Assurance International (QAI), an NSF company, to secure certification. Once certified, labels—including non-retail and bulk labels—must be updated to demonstrate compliance.

The organic certification process involves completing an application, submitting documentation, an on-site inspection and technical review. To achieve certification, the applying business must resolve any noncompliances in a timely manner. After successfully completing the inspection and technical review process, the business will receive an official, numbered certificate and can then use the organic mark on its product labels. The certificate will also be added to the Organic Integrity Database and will be downloadable by the public. Each certificate includes a Scope and Product Summary Addendum.

The SOE Rule also calls for a mandatory electronic National Organic Program (NOP) Import Certificate for any organic product entering the US, regardless of the country of origin.

A crucial component of compliance with the Rule is creating or updating an Organic Systems Plan (OSP). An OSP acts as both an economic management tool and a contract between certifiers and certified operations and comprises a description of practices, list of substances, monitoring practices, recordkeeping systems, contamination prevention plans and specific information pertaining to an operation. This document safeguards organizations through supply chain traceability and organic fraud prevention procedures and is required for organic certification.

In addition to the requirements for businesses under the SOE Rule, USDA–accredited certifiers will provide enhanced oversight through possible unannounced inspections, inspector training, trace-back and mass balance audits, and new rules specifically for grower groups.

QAI and NSF offer a free SOE Rule toolkit to support organizations across the supply chain. The toolkit includes an interactive decision tree, FAQs, readiness checklist and links to educational webinars.

Jennifer Allen

Consumers: A New Food Labeling Authority

By Jennifer Allen

Pop quiz. Who regulates food? You’re probably going through an alphabet soup of agencies in your head right now, and you wouldn’t be wrong. FDA, USDA, FTC, state and local agencies, all play a role in regulating the food we eat. But how many of you thought of the consumer? In recent years, consumers have increasingly become a de facto regulatory agency by harnessing the power of the courts. Statements on your labels that may pass muster with FDA and other agencies are falling afoul of consumer expectations, and consumers are seeking, and sometimes obtaining, redress in the courts. Although there have been some more promising rulings lately suggesting that some courts at least are beginning to rein in these types of claims, food manufacturers should nevertheless be vigilant.

Take, for example, the case of Mantikas v. Kellogg Company. There, a group of consumers sued the manufacturer of Cheez-It crackers. The crackers were available in a version that contained the language “Whole Grain” in large font in the middle of the principal display panel, with smaller language stating “Made with 8G of whole grain per serving” in the corner. But the ingredients panel showed that enriched white flour was the primary ingredient. The Second Circuit Court of Appeals held that the consumers had stated a claim under their states’ consumer protection laws. Even though the product did in fact contain 8 grams of whole grains, and even though the consumer could look to the ingredient panel to learn that the primary ingredient was white flour, the court explained that the purpose of the back and side panels is to offer more detailed information than that on the front panel, not to correct a misconception caused by a misleading representation on the front panel. The “whole grain” representation was clearly intended to mislead the consumer into believing that the product was made predominantly or entirely with whole grains when that was not in fact true. The fact that the consumer could figure that out by reading the ingredients panel was not enough to satisfy the court.

Consumers are also on the attack against terms like “real,” “natural,” “good for you,” “pure,” and “wholesome,” terms that are not explicitly regulated by FDA. What each of these terms has in common is that they are vague and hard to prove or disprove. What does “real” even mean? Under one definition, all food is real unless it’s the plastic food in a child’s toy box. Cyanide is natural, and may even be pure, but we wouldn’t want to eat it. And almost everything we eat could be good for us in the sense that it helps stave off starvation. You see where I’m going with this. These terms are wildly open to interpretation, and the chances of you and your consumer interpreting them the same way are slim. Better to stick to narrower terms that you can substantiate. For example, you might say that your popsicles are flavored with the juice of real fruit, though, like Cheez-Its, beware of making that claim if the majority of the flavor is not from real fruit juice.

And consumer suits go way beyond the content of the product. Take, for example, the case of Broomfield v. Craft Brew Alliance, Inc. In that case, a group of consumers sued over labeling that deceived them into believing that Craft Brew’s beer was made in Hawaii. While the defendant did manufacture beer in Hawaii, the beer it sold on the mainland was made on the mainland. The court sided with the consumers. While pictures of surf boards and the phrase “Liquid Aloha” weren’t enough to make the case, Craft Brew went far beyond that, with a map of Hawaii depicting the location of its brewery, a Hawaiian address, and an invitation to visit the brewery when in Hawaii.

So what’s a manufacturer to do? When coming up with that enticing label, first, think like a consumer. What might that consumer believe or, at least, what might they be able to convince a court that they believed? Second, conduct a risk/benefit analysis. Is that “all natural” label expected to generate enough extra sales to justify the risk of a consumer lawsuit? Finally, ask your attorney to check on the existing legal landscape. Has another manufacturer run into legal problems using the very same language you want to use? If so, did the court suggest ways in which the manufacturer could have cured the problem? If in doubt, use specific, verifiable statements over vague pronouncements of “healthiness.” And above all, don’t play games with the consumer. If you’re trying to make your product look healthier than it is, there are plenty of plaintiffs’ lawyers ready and waiting to challenge you in court.

Bob Lijana

Checklists: Useful Tools or Traps?

By Bob Lijana

Everyone knows a “checklist” when they see it: a systematized tool that lists things, components, steps or criteria whose presence or quantitative amount are essential to the performance of a specific task. The order of items in a checklist may or may not be critical in terms of the sequence of tasks which need to occur.

Checklists serve the wonderful purpose of identifying the important and critical steps needed to manufacture fresh food, fly a plane, perform a surgery or run a nuclear plant. They serve the purpose of helping to make sure that no important step is forgotten, and all critical steps are performed in the right order. Having a high “checklist intelligence” means that checklists are used proactively and dynamically, and that they drive continuous improvement in practices and procedures. And this occurs regardless of personal or organizational biases.

Let’s review some of the published literature on checklists.

A popular book on checklists is “The Checklist Manifesto” (Picador, 2009) by surgeon Atul Gawande. As noted in the book, checklists are very useful when there is a lot to get right, that is, when there is a high degree of complexity for certain actions. For example, commercial airplanes have “become too much airplane for one person to fly.” Hence, the industry uses a number of checklists, especially pre-flight, to address possible risks before the airplane takes to the air. Food manufacturing is similar, especially given its impact on public health.

A distinct advantage of checklists is that they can be built by the “wisdom of a group” of experienced people, and therefore do not rely solely on a single individual’s memory or experience base. A distinct disadvantage is that checklists can drive a tyranny of the urgent, i.e., simply checking a box to be done with it.

Western Michigan University (2017) has an Evaluation Checklist Project with a number of excellent resources showing how to develop checklists for evaluating programs and projects. These include a “checklist for formatting checklists” and scholarly presentations on the logic behind checklists. Their suggestions can easily be re-applied to the food industry.

There are many published articles which address bias in decision making. For example, Ely et al. (2011)[1] studied the use of checklists to reduce diagnostic errors in hospitals, clinics and emergency rooms. Of note, the authors delve into cognitive processes to identify the inherent biases and reliance on intuition that often drive decision-making. They remind checklist developers to take into account “Type 1” thinking processes which are fast, reflexive and intuitive (and usually subconscious) and “Type 2” processes which are analytic, slow and deliberate (and usually take very focused attention).

Application of Checklists in the Food Industry

Checklists are widely used in the food industry. The USDA (2014) has a label submission checklist that helps companies avoid common labeling mistakes, and clarifies what is needed. The agency also has a guideline checklist for the cooking of meat and poultry products.

In 2020, FDA published an Employee Health and Food Safety Checklist in response to the COVID-19 pandemic. In 2001, the agency developed the Allergy Inspection Guide, a checklist for inspection of food companies which manufacture products potentially susceptible to contamination by allergenic ingredients, and now has a draft guidance/checklist for evaluating the public health importance of allergens.

In the food manufacturing setting, companies often conduct their FSMA-related GMP audits by having employees walk around the plant using a checklist of equipment, documents and practices to look for. Companies making prepared foods have checklists that operators must follow to ensure that proper cooking and cooling procedures have been followed (these are also called SOPs, or Standard Operating Procedures, which are, in essence, checklists). Similarly, sanitation teams follow strict SOPs/checklists to ensure the right sanitizers are used in the right concentrations and for the right durations. Line changeovers often use checklists to prevent allergen cross-contamination. The same is true for pre-production equipment assembly. And product development/chef teams use checklists to ensure that the right ingredients are used, with proper consideration given to allergens, glutens, GMOs and organic product needs.

Finally, some of the most widely used checklists in the food industry are standards, including those developed by the Global Food Safety Initiative (GFSI), Safe Quality Foods (SQF) and the British Retail Consortium Global Standard (BRCGS).

Checklists as an Indicator of Food Safety Audit Maturity

Companies going through the GFSI certification process (e.g., SQF) often follow a three-phase audit maturation process that highlights how checklists can help or hinder food safety. In the first phase, the company is new to the process and therefore may not have systems in place to handle all of the requirements inherent to the standard. Thus, the company may “shotgun” their approach based on where they think they have gaps (by their own evaluation and/or with the help of third-party consultants). In this phase, the SQF Code may not be looked at in its totality nor in its intent, and certain requirements may be looked at as more important than others (with the insidious side effect of some requirements being missed).

In the second phase of the growth curve, the company recognizes that the food safety requirements are laid out in a very organized and helpful manner: the SQF Code. They realize that if they can match each requirement in the code with practices and procedures, then they can essentially use the code as a checklist. Many companies in this phase build their programs and their audit readiness exactly in the order of the code, and solely to meet the specific requirements detailed in each section of the Code. This ensures that when the SQF auditor comes in, the company will have addressed each and every requirement. This approach serves those companies well who are still in the learning phase of building a strong food safety plan and food safety culture, and generally helps most companies “pass” their food safety audit.

All is well until there is a food safety incident, trade withdrawal or public recall, which can happen in spite of a company checking every box on the SQF “checklist.” A major negative event, or even the recognition that such an event could happen, can therefore rightly push a company into the third phase of using the SQF Code.

In the third phase, a company uses and views checklists as valuable tools (and likely still structures its audit readiness in the same order as the SQF Code). However, the company has critically realized that it needs to go beyond checklists to drive the right food safety culture in the organization. Additional practices, procedures, documentation and systems are put in place to drive the right culture. These in turn make sure that the checklists get checked. Said another way, the right culture drives the right entries on the checklists. Not the other way around.

A Checklist for Checklists

Let’s consider creating a checklist for checklists. Each of the following provides perspective on the value, and the warnings, of using checklists to drive and improve an organization’s food safety culture and therefore its “checklist intelligence.”

Checklists Can Speak the Truth. If the results from a completed checklist are pointing out significant issues, then at the basic level the checklist is working. This is not a time to alter the checklist, which can happen in low-maturity organizations as a way to hide an issue, or an excuse to fill out the checklist incompletely. Rather, complete results should be heralded as validation that the checklist is performing as it should.

Learn From Failures. Something going wrong despite the use of a checklist is a good clue that the wrong things are being checked or that something is missing. This should be discussed broadly and cross-functionally and drive a root-cause analysis, which can markedly point out what got missed, which in turn allows for continual improvement of the checklist.

There Is No “One-Off.” All experienced auditors have heard “this is the first time that this has happened.” Or “there are many unusual things going on at the same time, and this caused the issue; it won’t happen again.” There is no one-off! A root cause analysis should be performed. Checklists must be able to help the organization identify and diagnose root causes.

Check the Checker. Is the person filling out the checklist being driven by the checklist to look for the right food safety behaviors, or is the person merely checking the boxes since that’s the job? Perhaps more insidious, employees might follow a checklist quite diligently—observing just those tasks which are on the list—yet miss faulty or risky behaviors. This may not be the fault of the checklist, but it is certainly the fault of the organization and its training. Relying solely on a checklist can still allow egregious and unwanted behaviors. If the employees are trained only to follow the checklist and make sure it gets filled out, significant untoward behaviors get missed. In this regard, checklists become shackles.

Check the Documents. Critical to some checklists are documents which are meant to substantiate that a particular task on the checklist was taken care of. The utility of these documents is only as good as the value of having them on the checklist to begin with. Time must be taken to identify which procedures or cooking logs, for example, need to be checked as part of a checklist. This is independent of having these documented as part of the organization’s food safety plan.

Honor the System. Checklists are just that: lists. They are not roadmaps, graphs or linkages to knowledge bases. They are static, rather than dynamic systems that drive action and resolution of issues. In general, checklists can be ill-equipped to capture systemic behaviors and the culture of an organization. This is especially true if the checklists are from a third-party and/or have not been adapted to specific organizations and facilities. Hence, checklists should be used for what they can bring—no more, no less.

The Law of Unintended Consequences. An oft-quoted phrase is “you get what you measure.” And this is certainly in play for checklists. If the item on the checklist is wrong, or is directing the wrong behavior, measuring it regularly could serve the unwanted purpose of instilling that behavior as “correct.”

Defeating the Checklist

By now you realize that checklists in the food industry can serve as a crutch or as a divining-rod for continuous improvement of food safety practices and procedures. Following are some indicators that a checklist is not working or is not as effective as it should be.

Too burdensome. A very common checklist used in food manufacturing is the “GMP audit checklist.” This is typically a long list of behaviors and practices which the organization believes it should be engaging in to meet the GMP regulations and produce safe food. Most organizations commit to conducting such audit checklists as part of their promises to the auditing organization. The list gets longer and gets spread across more functions, and all of this work becomes quite burdensome. When it is time for the GFSI audit, missing or incomplete checklists may get pencil-whipped, leading the auditor to believe that the company has been using the checklists regularly.

Pencil-Whipping. As much as putting false entries on a form is unethical, and usually illegal, it can still occur under the right stressors or employee attitudes. Simply checking the boxes on a checklist does no one any favors and can provide a false sense of security.

Complacency. Organizations that rely on the data from checklists could develop a false sense of security and become complacent about corrective actions. Although not necessarily unethical or illegal, someone checking a box as “complete” just because it always has been in the past is misleading (if not outright wrong) if the checker really did not check. Understanding this risk can help define the items in the checklist, including those things needed to ensure that the checklist checker is focused and paying attention.

Inaccurate documents. Practices and procedures change over time, and often the documents that go along with them do not get updated on the production floor. Continual vigilance is needed to ensure that the most up to date documents are aligned with current practices and the details on the checklist. In fact, one of the items on a checklist might be checking the issue dates of key documents being used by operators.

Stress. Pressure to “get back to work” can be one of the quickest means to defeat a checklist. This could be due to senior management’s communications, a team’s own leadership or individuals believing they need to hurry up so that they can resume their “real job.”

The End-Game: A Game of Checkers

To win at the game of checkers (or draughts), there are a number of strategies which experts often espouse, most of which apply to checklists in the food industry.

Control the center: Focus on the stuff that counts, not the stuff on the edges.

Play offense, not defense: Attack the issues that strive to undermine the food safety program.

The goal is to get to the end of the board: The checklist must be completed in its entirety.

Be willing to sacrifice: If an item on the checklist is not working, take it off.

Advance as a group: Don’t just leave checklists to one group (e.g., QA); build and use them based on input from experts from all functions.

Realizing the value of checklists requires the right culture, rules and execution as well as recognition that checklists are tools to maximize risk identification and risk management. Building your organization’s “checklist intelligence” will help in the development of the checklists, the effectiveness of those checking the checklists and in increasing the assurance of those checking the checkers.

The game never ends, which means that with the right strategy you can win all the time.

References:

[1] Ely, John, Graber, Mark, and Croskerry, Pat (2011): Checklists to Reduce Diagnostic Errors, Academic Medicine, 86:307.

 

Olivia Pitts

Tips for Building a Robust Internal Audit Program

By Olivia Pitts

Developing an internal audit program does not have to be a daunting task. With a small amount of work upfront, a program can be developed and implemented in a matter of weeks. In this article we discuss the key elements of a successful program and provide guidance to ensure that audits add value to the daily operations across the facility.

Have a Plan in Mind

The first step in any successful audit program is to identify the overall structure and format. Audit programs can be set up in a variety of ways ranging from an annual full system audit to monthly departmental audits. The format and structure should be unique to each individual organization. Determine what works best for the organization and stick with it.

Developing a concise schedule will help to ensure expectations are clear. This schedule should be communicated with team members via appropriate channels. Identifying a point person to routinely follow up on the progress of the audits will ensure the program is being managed as expected. Considerations should be made for potential scheduling challenges. Build in additional time for those areas that are known to encounter delays.

Staying consistent with the maintenance and review of the program will ensure all audit activities are conducted within the expected timeframe. This can be accomplished by establishing a routine review of the program. Monthly review meetings can be established to review the audit schedule, results of audits and pending action items. During this time necessary adjustments can be made as needed and communication plans can be established. This helps to drive engagement across the organization around the entire audit program.

Accurate maintenance of audit records is a crucial step in maintaining a successful program. Ensure all records are properly filed and protected by establishing a designated filing system. Developing an organized file structure aids in keeping files in one place and reduces frustrations around locating documentation in the future. Be sure to include records for both internal and external audits as they are a required input to management review and may be needed for future assessments.

Build a Strong Audit Team  

Having a good pool of auditors to pull from is critical. The number of auditors needed will vary based upon the size of the business and complexity of the processes. When considering the format of your team consider the backgrounds of the team members selected. There should be a good mix of experienced and new auditors to provide balance among the group. When assigning auditors to specific areas consider technical knowledge for those complex processes that may require a deeper understanding. Pairing auditors together is a great way for auditors to learn from each other as they work through the review of the data.

Auditing is often a required responsibility for QA/RA. Recruiting internal auditors from departments outside of QA/RA is beneficial, as they bring a different perspective and may ask questions that seem obvious to QA/RA professionals. All of the standards require auditors to be trained and/or competent in the auditing process. Training can be done externally or internally, and companies must show proof of training.

Selecting auditors from varying backgrounds is a great way to incorporate diversity within the team. Each auditor brings their unique experience to the group, which builds a richer audit. Varying viewpoints help to push the team to dig deeper to identify issues that may otherwise go unnoticed. Encourage the audit team to work together to build audit checklists that are specific to the area being audited. Conducting a review of the process and supporting documentation prior to the audit will enable the team to gain an understanding of the area under review. Encourage auditors to not become locked into the checklist but rather think of it as a guide. If audit trails within the scope of the audit arise during the audit, by all means explore them if time allows. This approach helps to empower the audit team by providing a sense of autonomy over their work.

When building the audit team, management should be mindful of the workload. For the program to be successful you want to ensure that audit team members are not overloaded. Often audits will be delayed due to competing responsibilities of auditors. To mitigate this issue, develop the audit schedule so there is a balance across the assigned audits. Ensure that each auditor has plenty of time to conduct the audits within the specified timeframe. Overall, the audit team should feel supported and appreciated for their efforts and not be overwhelmed and burdened with the task. A poorly balanced workload only leads to a lack of interest and disengagement among the audit team.

Provide Opportunities for Education

Providing an understanding of quality management systems and the standard being audited is imperative to the success of any audit program. There are two groups that require education: the auditors and those who participate in the audits. The auditors need an in-depth understanding of the standard and the requirements against which they are auditing, while the employees need awareness of how the management system is structured and their role in supporting it.

These educational goals can be accomplished both formally and informally across the organization. Auditors will need a more formalized, structured training program that focuses on the details of the standard and auditing principles, while employee training can be incorporated into departmental meetings or shared through one-point lessons. Building education programs into existing activities is a great way of incorporating the audit program into the organizational culture. This helps to educate as well as share information with those in the organization who may otherwise not have awareness. This could be conducted via training sessions around processes and their linkage to the standard to which the organization is certified. Providing an understanding of the connections between the departments helps build collaboration between working groups. Employees gain exposure to what others in adjacent departments are doing and obtain a sense of understanding of challenges that may be faced by those groups. This in turn results in a collaborative team approach to the management of the overall system.

Involving employees from all parts of the business helps to drive the message that the system cannot operate in one department alone. Through education, employees will be able to understand their role in the system. This will lead to more engagement in the internal audit program. Employees will become excited to aid in audit activities and improvement initiatives because they will see positive results. They will gain understanding of the impact of their actions and how it impacts the overall system. This value-added approach will result in a favorable outcome for both the organization and the individual employees.

Promote Continuous Improvement

The support of top management is a very important element in the success of any audit program. Establishing a culture of continuous improvement will motivate the team and build engagement across the organization. This can be accomplished by frequently sharing status updates around the management system activities. A simple 15-minute update during sitewide meetings goes a long way. It demonstrates a commitment to the program and growth of the organization and its people.

Develop a format of communicating the details around the management system and any upcoming activities. This can be done by having a specific time each month when updates are provided. Putting this on the calendar will ensure that information is effectively communicated. Details should include both the negative and positive outcomes of internal and external audits. Include specifics around the audit findings and actions taken to address concerns. This will communicate to employees that the organization is serious about growing and is focused on improvement.

Sharing information helps to engage employees by bringing them into the improvement efforts rather than just being bystanders. These seemingly small actions can help drive excitement for the overall program and build a culture of quality. Lastly, be sure to celebrate the wins and ensure that team members are appreciated for their efforts. Building a successful internal audit program is a lot of work. Celebrating and acknowledging the efforts of the team is imperative.

Accomplish the Mission  

There are many ways to build a successful internal audit program. Taking the time and effort to think through the process of identifying the format, structure and team members is critical. By reviewing these items upfront, roadblocks can be identified early on. There will always be unforeseen challenges, yet having a plan is key to developing a successful program. With a strong commitment from top management and a mindset of continuous improvement, an organization can establish a robust internal audit program that exceeds expectations.

Steve Ardagh
FST Soapbox

What’s in Your Glove?

By Steve Ardagh

In the food processing and food service industry, glove wearing is meant to protect, not infect. That’s the theory, but not necessarily the reality.

Over 100 billion protective gloves—over 90% of the national supply—are imported into the U.S. each year from factories scattered throughout Asia. A good proportion of the gloves are destined for a substantial proportion of the 700,000 workers in meat and poultry processing and fresh produce sectors, as well as a proportion of the 14 million workers in the food service sector.

The FDA recently specifically classified gloves as Zone 1 Food Contact Surfaces, meaning in direct contact with ready-to-eat (RTE) ingredients or finished food products, and at the highest risk for product contamination.

The Food Safety Gap

However, there is a vital and contradictory gap in the oversight of quality assurance within FDA regulations. Here’s how the gap occurs. The FDA Compliance (21 CFR 177) for a glove to be called food-compliant involves a one-time single glove test conducted by overseas factories with an FDA-approved lab. The test is focused solely on chemical migration from the glove to food, and unless the manufacturer changes material ingredients, the test has no expiry date. “Food Compliant” gloves are not tested for bioburden, cleanliness or performance.

Complementary regulations also listed under FDA Title 21 Part 110 – Good Manufacturing Practice (GMP 21 CFR 110.10) require gloves to be “intact, clean, and sanitary” and “impermeable.” Upon arrival in the U.S. however, there is no requirement from the FDA for gloves to arrive “intact, clean, and sanitary” and “impermeable.” Gloves with FDA (21 CFR 177) compliance are imported “without the benefit of inspection.”

Why Does This Matter?

If you went down a food processing line and told every glove wearer that there was a 46% chance that the gloves they were wearing contained human fecal indicators, or potentially contained more than 250 unique and viable pathogens, what do you imagine the reaction would be? What would consumers think knowing the food on their dinner table might have been handled by potentially contaminated gloves?

The findings of a five-year study commissioned by Eagle Protect and undertaken by the B. Michaels Group revealed widespread risk of contamination in the disposable glove industry. The findings were presented at the 2019, 2021 and 2022 International Association for Food Protection (IAFP) annual meetings. Results found human fecal indicators on 46% of new and unused off-the-shelf gloves along with other foodborne pathogens and microbes including E. coli, Bacillus cereus, Bacillus anthracis, Listeria monocytogenes, Clostridiales difficile, Staphylococcus, Salmonella, Pseudomonas aeruginosa, Streptococcus pneumoniae, and various fungi including Aspergillus.

Michaels, a leading microbiologist, ran the study, which involved independently testing 2,800 new and unused U.S. glove imports representing 26 different brands (approximately 25% of the ~100 SE Asian glove factories). Over 250 different viable microbial species were found on both the interior and exterior surfaces of the tested gloves.

Based on both observed conditions and events at SE Asian glove factories, as well as characteristics of microorganisms identified on or in disposable gloves, it was ascertained that microbes originate from contaminated water sources (rivers, drainage ditches and ponds). Once introduced into glove manufacturing facilities, contaminated rinse water circulates in and out of leaching or wash tanks, often not heated sufficiently, that are responsible for removing soluble chemical residues from glove surfaces.

In addition, gloves made of poor-quality materials can rip and tear, with particles finding their way into food products. Glove toxins can also contribute to a range of potential health issues including carcinogenicity, endocrine disruption, fertility impairment, metabolic disorders and skin diseases including dermatitis. For companies, there are issues with potential recalls, liability, worker compensation and consumer health.

How Can This Be?

In addition to dirty, polluted, contaminated water sources at factories, poor filtration, poor raw materials, unhygienic packing, poor hygiene practices by factory staff, lack of oversight and care by factory owners and, most important, lack of procurement standards on the part of U.S. corporate, business and institutional glove purchasers allow this to go on.

What Is the Solution?

There is little pressure on foreign glove manufacturers to self-regulate and improve their practices, unless businesses refuse to purchase from companies that cannot demonstrate acceptable standards. Therefore, the onus is on corporate and business purchasers of gloves. They need to be better educated about glove safety, including the risks of billions of potentially contaminated gloves on the hands of their workers in factories and plants, the potential risks to end consumers, and the value of adopting clear standards for procurement that supersede the overwhelming criterion of “how cheap can we get them?”

Ask 1: Do manufacturers use Safe Ingredients? Are the raw materials tested to ensure consistency of manufacturing and to ensure the gloves are free of potentially toxic chemicals that might impact user and consumer health or contaminate food?

Ask 2: What is the Performance of the glove? Strength and durability tests and Acceptable Quality Level (AQL) further ensure consistent glove performance. AQL (maximum pinhole defects per 100 gloves) levels are required for medical and sterile gloves. There are no stated requirements by the FDA for Food Compliant Gloves. However, the standard should be at 2.5 (examination grade) or lower for food safety.

Ask 3: Are the gloves Clean? Bioburden on both the inside (skin contact) and outside (food and patient contact) can be tested to identify fungal and microbial contaminants that could pose a threat to the glove wearer, and the product handled.

Ask 4: Are the gloves Skin Tolerant? Poor quality gloves are often the cause of skin irritation. FDA Food Compliance does not ask for cleanliness, physical standards or toxicity tests. Gloves can be tested for a wide variety of chemicals and toxic exposure that could result in dermal or systemic toxicity, ensuring against skin irritation and occupational skin diseases of the wearer.

Ask 5: Is the factory making your gloves independently certified and does it use child or forced labor? Does your supplier or distributor have credentials such as being a registered B-Corp or accreditation by WRAP (Worldwide Responsible Accredited Production) organization, SEDEX (Supplier Ethical Data Exchange) or similar independent labor and quality verifications?

Ask 6: Is the product traceable? Does your glove box come with a QR code in which manufacturing activity is captured, secured and shared across the supply chain?

Consortium of Agreement to be Better Informed

The sight of blue gloves on a production line is universal. So too is the assumption that these gloves are safe by being “intact, clean, and sanitary.” Yet, we have learned that this is not always true. The only realistic action that can improve glove safety is for corporations to adopt standards, for glove wearers to demand quality gloves and for consumers to start asking “What’s in your gloves?”

Although regulators can set the tone that encourages industry to do the right thing, ensuring glove safety really does come down to suppliers and buyers uniting in a full-throated demand that there be a reduction in the risk of glove contamination in the U.S.

There needs to be a consortium of agreement from purchasers of protective gloves to shift from the lowest common denominator (cost) to a higher standard. The top 15 food producing companies in the U.S. have a combined market capitalization of $1.4 trillion, so there is room to take some extra safety steps to implement a Supplier Code of Conduct using a system to conduct assessments and lab tests and to monitor outcomes.

Better and more informed decisions can be made by procurement departments. Food processing and food service companies all have safety and sustainability criteria; glove safety should be among the standards to adhere to.

We should be able to feel more at ease knowing that the gloves our food processing and service personnel put on are of the highest standards. This should be a paramount concern, not just to experts, but also the public who remain mostly unaware of the risks and dangers in glove manufacturing. Therefore, it is incumbent on all the industries involved in the making, selling and purchasing of gloves to adopt and advocate for a robust system for the manufacturing, tracking and quality assurance of gloves.

Jennifer McEntire
Women in Food Safety

Building a Satisfying Career in Food Safety

By Food Safety Tech Staff

With so many potential paths available to food safety and quality assurance professionals, how do you narrow your career path goals, and when is it time to move on to a new opportunity? These were two of the themes of last month’s Women in Food Safety gathering. Featured speaker, Jennifer McEntire, Ph.D., founder of Food Safety Strategy and former Chief Food Safety & Regulatory Officer at the International Fresh Produce Association (IFPA), discussed her 25-year career path and why she chose to step out on her own as an independent food safety consultant.

The keys to a long and satisfying career are to keep an open mind and explore opportunities, said McEntire. Having trained as a food microbiologist, her career was heavily influenced by an early internship at the National Food Processors Association (later to become the Grocery Manufacturers Association) in Washington, DC. She later worked with IFPA and regulatory consultancies including the Acheson Group and Leavitt Group. Her experiences in DC instilled in her an appreciation for regulations and an interest in what she referred to as “being in front of the debate in forming legislation.”

“I love reading regulations, I love DC and I enjoy learning how decisions are made, the debate of a bill and finally how it gets passed,” said McEntire. “So I have always worked in the regulatory area.” However, as she moved up the ladder, she realized that she was spending more time in meetings than rolling up her sleeves and working and decided to go out on her own as a consultant. “I am naturally risk averse,” said McEntire. “So, I made this transition very cautiously.”

Questions to Ask

The questions that have guided her career decisions, which she encourages other professionals to ask themselves, are: “What am I good at? What do I like to do?”

Although she has a very strong background in regulations and compliance, when launching her own company she wanted to take the opportunity to broaden that scope and work with companies in building better food safety management systems. “I didn’t want to focus just on audit compliance as these clients are often just compliance focused. Instead, I wanted to work with companies that wanted to be better, build and improve their operations,” said McEntire. Key questions she encourages companies to ask (that she asks clients) are, “Where do we go from here? What does success look like?”

Owning and managing her own company gave her the opportunity to build her skill set outside of food safety regulation. “Owning my own business isn’t easy, but at each stage I learn something new. For example, how to build a website and how to manage my company email accounts,” said McEntire. “Although there are many new things, I enjoy being responsible for my own schedule. I don’t have to ask anyone for permission and I actually don’t miss working for an employer anymore.”

Tips for Success

McEntire shared several tips that contributed to her success, including:

  • Surround yourself with the right people
  • Stay informed and keep up-to-date
  • Take advantage of the opportunities that arise

“Throughout your career, it’s important to let your opinion be heard,” she said. As you move into leadership positions, “I ask everyone what they think, then gather all information and make sure I understand it. If you have to make the decision, make a decision that you are confident in based on the information available. You may get challenged, but be strong, defend it and don’t hesitate in making the final decision.”

 

Emily Newton, Revolutionized Magazine

Sanitary Design: Finding the Right Conveyor Belt System

By Emily Newton

Sanitary or hygienic design supports food safety by ensuring that the equipment you bring into your facilities does not pose a risk to the food you produce and that it can be properly maintained and sanitized. When it comes to purchasing a new conveyor belt system, there are several considerations, as well as standards and regulations, that can and should guide your decision.

Current Standards and Regulations

The food safety standards that apply to conveyor belts may differ depending on where your company operates. Here’s a closer look at some geographic specifics as well as standards recognized worldwide.

The United States. In the U.S., the FDA does not directly certify conveyor belts. Instead, the agency focuses on Current Good Manufacturing Practices (CGMPs). These are overarching regulations covering virtually all aspects of a food processing facility. In addition to equipment, CGMPs extend to sanitation, plant design, production, process controls and more. The FDA also has additional CGMPs for infant formula, acidified foods, low-acid canned foods, bottled water and dietary supplements.

The FDA maintains a list of approved food contact substances (FCS) and materials deemed safe and not technically affecting consumables. A food-grade conveyor belt’s materials must be on the FDA’s list to comply with U.S. regulations.

Europe. The European Committee for Standardization (CEN) combines 34 European countries’ standardization bodies. Its scope includes food but spans far beyond it to cover consumer appliances, health care, construction, chemicals and much more. Different CEN standards apply based on how and where the conveyor belt will be used. For example, CEN/TC 153/WG 9 is for equipment used to process cereals, while CEN/TC 153/WG 2 relates to meat processing infrastructure.

Less broadly, the 1935/2004 regulation applies to conveyor belts used in the European Union (EU). It concerns all articles or materials that touch food. The regulation also mentions 80/590/EEC, which established a symbol designating safe materials. Moreover, it emphasizes that food producers must maintain traceability and verify the sources of any food-grade materials.

International Third-Party Certification Systems. In addition to abiding by country or regional standards, food processing professionals may wish to pursue internationally recognized certifications. One example is Food Safety System Certification 22000 (FSSC 22000). It covers food safety and quality management for manufacturing, packaging and storage. Another is the BRCGS Global Food Safety Standard, adopted by many of the top food manufacturers as well as retailers and restaurants.

These third-party certifications are optional. However, they can strengthen a company’s worldwide reputation and increase consumer confidence.

There are no third-party certifications specifically for conveyor belts used in the food industry. However, the Conveyor Equipment Manufacturers Association (CEMA) website offers research and technical information that can help guide purchasing decisions as you investigate products and suppliers.

3-A Sanitary Standards (3-A SSI). The 3-A Sanitary Standards (3-A SSI) cover design methods and principles to support proper sanitation by making equipment easier to clean. Standard 3A 39-01 covers pneumatic conveyors for dry materials, while 3A 41-03 is for mechanical conveyors that move dry items. These are voluntary standards developed for food processing plants and facilities associated with the dairy industry.

Conveyor belts that comply with the 3-A standards are made with nontoxic, food-safe materials. They must also tolerate repeated and ongoing exposure to cleaning products. The 3-A standards also include details about construction of the conveyor belt to prevent areas where food could get caught. This includes making systems with smooth surfaces and no sharp corners.

Moreover, 3-A standards require designers to consider methods of cleaning. For example, must the cleaning occur in the production area, or can the conveyor system be moved to another area for cleaning and sanitation?

Considerations When Choosing a Conveyor System

A food processing plant’s environment presents several key considerations when selecting conveyor belts. For example, many belts include nonflammable materials so they can be used near high-heat areas. Moisture in the air can also affect the belt. Too much wetness could cause some materials to stretch or break, while too little moisture can cause other materials to crack or shrink.

Companies must think about the processing that occurs as food moves along the conveyor. Does it require cutting, washing or exposure to oil? Consider each stage the products go through, from raw to complete. Each step could introduce new considerations for your food-grade conveyor belt. Take potatoes, for example. Processing often involves immersion in a boiling oil bath and seasoning, and each processing step causes potential temperature changes and chemical exposures.

Following are additional considerations when investigating a new system:

Food Characteristics. Aspects of the food itself could affect how well a conveyor belt works or how long it will last. Sugar and salt are two examples of non-synthetic preservatives that double as ingredients. Their abrasive textures can cause premature wear on conveyor belts not designed to handle them. Look for options with special polymers that encourage the food with sticky textures to come off cleanly and not cling to the belt. Consider overall weight of the foods on the belt at a given time as well.

Cleaning Methods and Products. Manual cleaning methods are time- and labor-intensive, but they’re cost-effective for small operations. Plus, they work well for removing bacteria and/or biofilms from hard-to-reach places. Automated options usually rely on motorized brushes and sprayers that move along a belt’s surface. Dry ice blasting and dry steam cleaning also help to remove dried or stuck-on materials.

Consult the manufacturer’s cleaning instructions to identify chemical agents that will work best for the belt’s materials as well as those that you should avoid. Using inappropriate cleaning products could cause the belt material to break down, creating food safety and contamination risks. One best practice is to choose a washdown-rated food-grade conveyor belt that can tolerate many different cleaning methods as well as high temperatures.

Many modern conveyor systems also have quick-release parts that make cleaning easier and reduce the amount of time that the equipment is out of commission.

Optional Accessories. Many conveyor belts can be customized as needed before or after purchase. These optional accessories may include cleaning-in-place (CIP) modules or automated container-filling systems. Some companies now offer plug-and-play CIP modules that can be attached to any conveyor belt without expensive retrofitting.

The Desired Length. A conveyor belt’s length is an important consideration, but companies need not worry if they realize they need to add length. Food-grade fasteners allow you to extend the belt to meet your facilities’ needs. Splice presses can be even more efficient, especially with air-cooled designs that offer splice times of under 10 minutes, providing maximum flexibility for manufacturers.

Maintenance and Warranty Considerations

When investigating options, sales representatives can help you choose the correct model and optional features for your needs. Once you’ve identified a few suitable options, ask about maintenance and warranty options. Even short periods of downtime can be extremely disruptive in the food industry, so you need to understand how to contact customer support and how quickly they can respond to requests for service.

Warranties can vary in length and in the specific components they cover, and they can affect the final cost. Read the fine print to make sure you understand circumstances, such as changes in the manufacturing process or environment, that may void the coverage as well.

Purchasing a new conveyor belt system requires planning and a thorough investigative process. Consider these points as you research options and reach out to peers in the industry to get their input on trusted products and manufacturers.

Rick Biros
Biros' Blog

The Rising FSQA Phoenix

By Rick Biros

Last month, the Food Safety Tech team wrapped up a very successful Food Safety Consortium Conference. While I could name drop many of the who’s who of food safety who presented this year, Erik Mettler, Assistant Commissioner for Partnerships and Policy in the FDA’s Office of Regulatory Affairs, gave a great keynote address in tandem with Sandra Eskin, Deputy Undersecretary for Food Safety at USDA FSIS. Erik stayed for the full conference and participated in two additional panel discussions, one on Succession Planning and the second on Recalls. Sandy stayed for two days and made herself accessible to the delegates.

As the conference director I’m also the emcee. I introduce the speakers and panelists, but I also have the opportunity to be a participant and observe the interplay between delegates. What I observed at the Consortium was great networking, conversations and mentoring but what really stood out was a real energy among the delegates, something I haven’t seen at any food safety conference in the last few years. I believe that energy is an indicator that FSQA (food safety and quality assurance) is coming back from the devastation and impact of the Covid-19 pandemic.

For example, on the topic of FSQA auditing and inspections, Covid significantly reduced the amount and type of internal and supplier audits as well as FDA inspections. Many auditors who were independent contractors just quit. They moved on because there was no work. This left a huge void in trained and experienced auditors.

Our session on Succession Planning for Inspectors and Auditors included panelists from government, academia, industry and industry associations. They discussed the increase in inspections and audits coming in 2024 and thus, the real need to fill the void in inspectors and auditors left from the pandemic, as well as the need to train and nurture those folks.

Another theme at the Consortium was the continued evolution of Food Safety Culture. Delegates were looking for ways to take Food Safety Culture to the next level and apply metrics to it. We did a post conference survey, and the feedback we received supports this. Here are some of the direct responses:

Q: What were your top takeaways from the Food Safety Consortium?

  • Transparency from regulators and ways to foster growth and culture.
  • Food Safety Culture is in the forefront, as evidenced by the numerous panels. I attended nearly every one pertaining to this subject. It is a difficult subject because it is subjective and difficult to measure and quantify.
  • Food Safety Culture is ever evolving and becoming a more important factor every year. We need a new system but are unwilling to scrap or majorly overhaul the current one … FSMA was supposed to drastically reduce foodborne illness incidents. It doesn’t seem to be working, and we are nearing the time for FSMA 2.0. While it doesn’t appear that we are getting better at reducing the number of incidents, we are getting better at detecting them.

Q: What topics should we plan for next year’s Food Safety Consortium?

  • Updates from the FDA and USDA on current projects
  • How to demonstrate Food Safety Culture. How to build a program and maintain momentum was discussed this year. But how do we show results to auditors? We need guidance and expertise on proving a solid FSC to auditors.

My takeaway from this year’s Food Safety Consortium is that the FSQA community is on the cusp of a resurgence in activity, training and investments—like a Phoenix rising from the ashes of Covid. But even before the pandemic, there was an overall sense of FSMA and GFSI fatigue. I am seeing a collective increase in FSQA activity that has not been present in many years, and that’s a good thing!

In 2024, we will see accelerated digital transformation. Data analytics will play a greater role in FSQA strategies. Getting an entire industry and supply chain ready for FSMA 204 in two years will be a huge undertaking. Also, Food Safety Culture will evolve to provide metrics and data for accountability.

Food Safety Tech continues to publish original weekly articles on these emerging trends. We are introducing a new FSQA Auditor Training program in Q1, and next year’s Food Safety Consortium conference will be held October 20-22, 2024, in Washington, DC, continuing the conversations, debates and discussions.

You can be part of this new wave of FSQA energy by contributing an article to Food Safety Tech or submitting an abstract for the 2024 Food Safety Consortium conference.

This new wave of energy has inspired me. It’s been a while since I last wrote this column, way too long. And FSMA 2.0, that will be the subject of a future column. Also, I’ll share my thoughts on the new food safety agency, our new podcast partners from Don’t Eat Poop and many other topics. Until next time…

All the best!

Rick Biros, Founder, Publisher, Conference Director

Ransomware: Lessons Learned from One Food Company’s Experience

By Food Safety Tech Staff

In fall 2021, G&J Pepsi-Cola Bottlers Inc. came face-to-face with a potential ransomware attack and was able to avert it. We spoke with G&J’s enterprise infrastructure director, Eric McKinney, and cybersecurity engineer, Rory Crabbe, to learn more about how they detected and responded to the attack, the steps they have taken to strengthen their cybersecurity, and what advice they have for other food companies in the wake of the near catastrophe.

What happened to G&J back in 2021, and when did you realize something was wrong?

McKinney: Around Labor Day of 2021, we received a really weird call. The callers were acting as if they were friends looking out for our best interest, and they alerted us to the fact that there may be compromises to our system. They showed us a spreadsheet of usernames in our Active Directory to verify that they were in our systems, and they said we could pay them to prevent an attack. We did not engage with them further—and we think they may have been part of it—but we believed that something was happening.

We went through all of our servers—we don’t have a large footprint, because we are a cloud-first organization—but we did detect some software that should not have been installed on a couple of our servers. We removed that immediately, but we were unable to find the beacons that they leave behind that act as triggers to start encrypting your files.

We made the decision that if anything happened, we were not going to negotiate, we were not going to try to get our systems back, we were going to shut everything down and roll back. I put myself on call and sure enough I got a call two days later at 3:00 a.m. from one of our people. He was logging in remotely to a server and he said, “Something don’t look right.” I go to his screen and I immediately see the locked files and realize this is really happening.

The thing that saved us ultimately is we use native platform backups. We use Microsoft Azure. So we immediately shut everything down and started rolling back our systems as far back as we could go. Those backup files were not compromised because we don’t leverage backups that tie to a file system within a server. The only way you can touch them is if you have our Cloud credentials, which are all multi-factored.

How did this affect operations?

McKinney: The net impact was our critical systems were down for about seven to eight hours, and we were recovering PCs for almost a week—there were 100 to 150 PCs that were impacted as it continued to move laterally through our organization, and we had to get them all flushed out. We had to roll the system back two weeks, so we lost two weeks of data. That impacted the accounting team the most.

We did experience an event—it was not an almost event. But we never lost a single case of sales and we never paid a single dollar. We took everyone’s computers and blew them away, handed them right back to them and said you’re starting fresh. Fortunately, this only affected employees’ files. They could still get their emails and the things that were in OneDrive.

The things that really worked in our favor were our Cloud-first strategy and getting away from a legacy client architecture. We were still able to communicate. We could send emails, we could set up Teams and we had all the tools to coordinate and get out of this and recover as quickly as we did. The second thing was having those native platform-based backups.

How did this change your digital and cybersecurity strategies?

McKinney: We were doing weekly backups, now we back up every day. And these are full system backups, which means that if you hit restore, the whole system lights back up, not just the data but also your operating system that it runs on.

Crabbe: We also reached out to a lot of companies, including Arctic Wolf, who we ultimately began working with to help us figure out what we didn’t know. We worked with them to go through our environment and come up with ideas on how to improve. We are a big Microsoft shop, and we started utilizing a lot of the native tools that we already had such as Defender for Endpoint and the security portal. This addressed a lot of the low-hanging fruit, such as automatic updates and not allowing outside vendors to contact us without going through a vetting process.

Arctic Wolf went through our system and sent us a list of recommendations, and a lot of what we did involved utilizing the native tools that we already had, shoring up our defenses, making sure the backups work and creating a disaster recovery plan.

McKinney: We quickly went from being a business of convenience, where we said, “let’s allow USB drives,” to changing all of our technical policies by turning on all of our attack surface reduction rules. We blocked all logins from outside the U.S. and brought in new team members dedicated to cybersecurity.

I have some self-confidence issues due to this attack because your failures are put on display, and there is a feeling that if you were doing a better job this would have been prevented. But we were a very small team and we were responsible for cybersecurity, ERP (enterprise resource planning) initiatives, development initiatives, support and infrastructure initiatives and data initiatives. When you’re wearing all of these hats things do get missed, and in the end it ended up being one application update. One application patch was exposed, which set all of this off. In terms of where we’ve gotten better, we signed up with an MSP (managed service provider) to monitor our environment 24 hours a day, seven days a week. In addition, these companies assist your team by keeping them up to date with the latest techniques and providing proactive communication on things that we should be doing to secure and protect our environment.

We’ve taken a lot of steps over the past two years and we still have a long way to go. We will never stop or become complacent.

There is a concern among some people that the Cloud is less secure, and it’s better to control your own servers. Is that a misconception?

Crabbe: When it’s on premise it is your responsibility. If something happens to your infrastructure, you’ve got to be on call and wake up to deal with that. So not only is the Cloud a reduction in personnel work; it’s also peace of mind. Microsoft has its own team of engineers, and they have physical security in place as well. The Azure building is protected by armed guards to protect the data from physical hackers. It’s a lot easier to apply security policies to something that’s in the Cloud because Microsoft can give you options for all kinds of things that you didn’t even know you needed. This makes it easier to visualize where you are and where you need to go.

McKinney: These are also publicly traded companies that have to follow all of the controls that come with being publicly traded. They’re going to do a better job than the one or two individuals that you have at your company who cannot work 24/7 365 days a year.

I appreciate you guys talking openly about this, because one of the issues that comes up in food defense and cybersecurity is people aren’t necessarily sharing information that could help others recognize vulnerabilities. Is it difficult to share this information?

McKinney: We didn’t want to talk about it for a long time. It’s hard to put your failures—or at least what is perceived as a failure—out there. But when you look around, you realize this can happen to anyone. It happened to MGM with all their resources. And one issue that isn’t discussed very often is, behind the business implications is an incredibly stressed out IT team that really is traumatized by an event like this.

In talking with others who have been through this, it’s often the most stressful thing that’s ever happened in their lives. It certainly is the most stressed out I’ve ever been. You’re thinking, I just cost my company millions of dollars. I shut down my business. We may not be able to get product to our people. So many things flash through your mind, and you really don’t want to talk about it or advertise it. Luckily for us, we had the right systems but most importantly we had really great executive support and great team members to help us recover.

When it comes to access management, companies have to balance convenience for their employees with the need for stringent security. Were employees understanding of the changes you had to make, and how did you communicate these changes in processes?

Crabbe: There was a lot of frustration with people saying this worked before, why can’t we do it now? One of the benefits of being a family-owned company is that we are a fairly small group, so we were able to deal with it on almost a case-by-case basis. We have an internal system that people can submit their issues or requests through, and we review them. For example, if somebody needs to move a device to a USB stick to take to an external vendor, we can look at that and say what alternatives do we have? Can we use OneDrive or another native tool to share that information? Does it have to be a USB stick? Or, if someone is going on vacation in Mexico, they can submit a ticket and we can allow them remote access from a specific country for a specific amount of time so they can log in. We can tell them yes or no on a case-by-case basis and explain why we made the decision.

McKinney: This event also made us ask questions like, do we even need USB sticks? There are so many other tools we can use. A lot of the changes involved looking at more modern ways to collaborate. And a lot of that revolves around retraining and catching your workforce up with the new tools that we have available.

Based on your experience, what advice would you offer other companies?

McKinney: The IT spend in the food and beverage industry is typically small compared to industries like insurance or banking or health care. You need to capture all the signals from all your systems—emails being sent, open, received, etc.—and you must monitor those. Then you need the right algorithms and the right people to make sense of that data. If you are not able to maintain a large enough in-house team, investigate an MSP. They can ingest all the signals, funnel them and turn all that data into actionable items. Also, store your backups off site and limit access. Don’t store them with your production data.

Crabbe: Shore up your defenses using your native tools and create a disaster recovery plan. Those would be my two biggest recommendations for any company going forward. Dig deep and utilize what you’ve got. There’s probably a lot more available to you than you realize you have, and don’t be afraid to reach out to third-party vendors for help.