Keeping your eyes open

The food sector continues to undergo enormous disruptive change. It is grappling simultaneously with major issues, including changes in consumer buying habits, virtual food shopping, sustainability, food waste, clean labelling, the war on plastic and even ‘nutrigenomics’ – the interaction between nutrition and our genes. In this turbulent environment, it is no wonder food businesses may have their eye off the ball when it comes to risk management and adopt an ‘it won’t happen to us’ approach. In short, it needs to become more proactive and more resilient.

Traditionally, one risk that food businesses have worked hard to prevent is the spread of food-borne illnesses as a result of its processes. But, while it has a history of protecting against specific, established threats, such as Salmonella spp, it does not have such a good record in anticipating, identifying and managing rapidly emerging bacterial or viral pandemics, such as the outbreak of bird flu in 2009.

Global sourcing within UK companies may offer increased consumer choice, but with this comes less control, reduced supply-chain transparency and a consequent increased exposure and risk.

Information security is another area in which the food world could become more resilient. The focus and energy directed at preventing health-related operational risks can distract food businesses from protecting and securing vital information, making them more vulnerable targets.

Few people now dispute the scale of information security (IS) threats. According to the UK Government’s Cyber Security Breaches Survey 2018, 43 percent of businesses had suffered an IS breach or cyber attack in the previous 12 months. Many such incidents affected the food and beverage industry worldwide. To cite just one example, in June 2017 the Petya global cyber attack shut down the operations of an Australian factory, resulting in an estimated cost of over $200m in lost revenue and remediation costs.

The most common IS vulnerabilities are internal security loopholes, loss of customer data, and theft of proprietary information, such as confidential financial, commercial or product data. The direct costs from business interruption, compensation claims, regulators’ fines and ransom demands could be substantive. And the indirect cost of damaged reputation, loss of trust and lost business could be even larger – which explains why the problem remains under-reported.

Supply chain threats

In a global economy, there is increased potential for supply chain incidents, both from man-made threats such as cyber attacks, strikes and political instability, and from natural causes such as earthquakes and floods. According to the Horizon Scan Report 2017, published by the Business Continuity Institute (BCI) and BSI, 34 per cent of organisations report supply-chain losses of at least €1m a year, while nine percent report at least €1m of losses from a single incident.

Achieving supply-chain transparency remains one of the biggest challenges to our sector. For example, the challenge to achieve a clear line of sight through an entire chain and in making informed decisions based upon information that is current, reliable and accurate, has been highlighted in the past by the discovery of slave or bonded labour being used, particularly within outsourced or parallel supply chains of some food businesses.

In the UK, the Modern Slavery Act of 2015 places a duty upon all businesses to disclose steps they are taking to tackle forced labour and human trafficking. Food businesses, then, have a legal obligation, as well as powerful moral and commercial drivers, to manage risk effectively in this area.

Building resilience

When something goes wrong, companies tend to add another layer of protective measures to their existing procedures. But overlaying process upon process in this way is ultimately self-defeating, bringing increased cost and complexity, more technical challenges, and greater scope for human error, while the root cause of the problem remains buried.

Worst of all, ‘process excess’ makes organisations too risk averse and too static, undermining their ability to adapt and innovate. What is really needed to counter threats is a proactive, strategic, methodical approach to organisational resilience. It starts with a company’s value system and a principled approach to doing business. This means operating in ways that meet fundamental corporate responsibilities and governance in the areas of food safety, human rights, labour, environment and anti-corruption.

Business standards certainly help. They include the BSI HACCP & GMP Programme, FSSC 22000 v4.1 and the latest iteration of the BRC Global Standard for Food Safety – Issue 8, which for the first time highlights new and emerging risks such as cyber security. ISO 27001 (information security), ISO 22301 (business continuity) and ISO 37001 (anti-bribery) are examples of less sector-specific, but equally respected, horizontal international management standards. These are often mandated by major businesses as a means to de-risk their supply chains, enhance core capabilities, including:

• Collaboration across disciplines such as information security, human resources management, procurement and business continuity
• Horizon scanning, so that emerging risks can be identified early and the business can prepare to manage them
• Agility to adapt to changes following disruptive events to ensure long-term sustainability.

Enterprise class supply chain management tools include BSI’s Supply Chain Risk Exposure Evaluation Network (SCREEN), a web-based global intelligence system that is used to identify and quantify the risk of supply chain incidents in over 200 countries; and BSI’s Trafficking & Supply Chain Slavery Patterns Index, which assists food businesses in assessing the specific risks posed by slavery and trafficking.

Risk and reward

To sum up, a resilient food business is operationally self-aware, constantly evaluating and identifying areas of weakness, implementing improvements and efficiencies, and maintaining key risk management measures. A resilient food business operator treats data as an asset, protecting it with robust information security management systems. A resilient food business seeks to understand what is happening across its entire supply chain, gathering information so it can access intelligence in areas such as food safety, ethical, environmental and security risks.