What is a vulnerability assessment?
In the food industry, the term vulnerability assessment refers to a risk-assessment-style evaluation of a food’s vulnerability to food fraud. Food fraud is deception, using food, for economic gain (Food Fraud Initiative, Michigan State University 2016). Some organisations, particularly in the United States of America, use the phrase vulnerability assessment when referring to malicious attacks on food, such as those conducted for extortion, ideological reasons or terrorism. However those types of risks are issues of food defense rather than food fraud and those risks are not considered here. To learn more about the terminology around food fraud, food defense and food security click here.
A vulnerability assessment is a documented assessment that identifies vulnerabilities to food fraud and explains how those vulnerabilities were identified.
Why ‘vulnerability’ and not ‘risk’?
A vulnerability assessment is slightly different to a risk assessment; risk is something that has occurred before and will occur again, it can be quantified using existing data. A vulnerability is a weakness that can be exploited by someone or something who wishes to profit or intends harm. A vulnerability can lead to a risk. Because food fraud is difficult to estimate and quantify, we use the word vulnerability rather than risk. In addition, using the word ‘vulnerability’ helps to minimise confusion in the food industry where risk assessments for food safety are commonly performed and well understood.
Why do a vulnerability assessment?
- To protect consumers: Food that is vulnerable to food fraud presents significant risks to consumers. Food that is adulterated or diluted causes direct risks to consumers from microbial contaminants, chemical contaminants, allergens or unhygienic handling of the food during any adulteration or substitution. There are also indirect risks from adulterants that cause chronic disease, or are carcinogenic and from fraudulent foods that are lacking in nutrients that would be present in an authentic product.
- To protect your brand: Any problem with your food products can cause loss of consumer trust which can be catastrophic for your brand.
- To meet regulatory requirements: adulteration, substitution or dilution of an ingredient indicates a flaw in the traceability of your product, which means non-compliance with the requirements of food safety regulations.
- To prevent financial losses: product withdrawals, recalls, prosecutions and civil lawsuits commonly arise from fraudulent adulteration. These can be financially crippling. How much does a recall cost?
- To meet the requirements of FSMA and GFSI food safety standards, including BRC, FSSC 22000 and SQF. What are these acronymns?
As a food safety professional you have probably already asked yourself about the vulnerabilities of the ingredients and products you work with. You may already have implemented some food fraud prevention and mitigation measures. A vulnerability assessment is simply a record of what you have considered and how you have estimated the vulnerabilities of your raw materials or finished products..
The aim of a vulnerability assessment is to
- Understand the likelihood of food fraud affecting a food product
- Understand the impacts of food fraud on consumers and the food brand
- Provide a framework to prioritise strategies to prevent food fraud occurring and mitigate the risks if fraud does occur.
How to conduct a vulnerability assessment
A vulnerability assessment is much like a conventional risk assessment, which is based on the likelihood of a risk occurring versus the consequences. In a vulnerability assessment for food fraud, the likelihood of food fraud occurring and the consequences if the food fraud was to occur are plotted onto a risk matrix to obtain the overall vulnerability. The vulnerability assessment can be performed on raw materials, ingredients, intermediate products or finished consumer goods. It is recommended for all types of businesses in the food industry, including those operating to GFSI Food Safety Standards, including British Retail Consortium (BRC) Food Safety Standard Issue 7 (clause 5.4.2), FSSC 22000 Version 4.1 (clause 2.1.4) and SQF Version 8 (clause 2.7)
ESTIMATE THE LIKELIHOOD
In order to understand the likelihood of food fraud affecting your ingredients or products, you will need to investigate the susceptibility of the material to food fraud. Start by understanding the general susceptibility for the material as a whole. Is it commonly affected by food fraud? Are there any emerging issues that may increase the risk of food fraud for this material in future? Once you have an understanding of the general susceptibility of food fraud for this food you should dig deeper by considering aspects of the supply chain of the material that you actually purchase, as well as your company’s purchasing policies and the format of the material. For detailed instructions on investigating susceptibility and links to on-line resources read our detailed guide.
As you investigate susceptibility for a material, document your findings – these form an important part of a vulnerability assessment report. Use your findings to estimate the likelihood that the material will be affected by food fraud; very unlikely, unlikely, fairly likely, likely, very likely/certain.
Need more help with this? Try our online training, which includes downloadable templates and everything you need to prepare for audits.
ESTIMATE the SEVERITY of CONSEQUENCES
Next, consider the impact on the food product, its consumers and brand if food fraud was to occur. Again, it’s important to document your considerations and your conclusions about the impact of food fraud on your consumers, brand and business.
PLOT RESULTS on a RISK MATRIX
Plot your results on a risk matrix like the one below. If the product or material falls into a red square, it should be considered very vulnerable and actions must be taken to prevent, detect and mitigate food fraud for the material.
A completed vulnerability assessment should include:
- the name of the material: food product or ingredient
- the date of the assessment,
- the date that the assessment should be reviewed (usually one year from the assessment date),
- the name of the person(s) who performed the assessment,
- page numbers and other document control features,
- scope information that reflects the requirements of your food safety management system standard
- the estimate of the likelihood that food fraud will affect the material
- the estimate of the consequences of food fraud on the material
- a risk matrix with results marked in the relevant box
- a conclusion about the overall vulnerability of the material
- information showing how the estimates of likelihood and consequences were reached.
Need templates? Check out our online training. It includes detailed, easy-to-use downloadable templates that meet the requirements of SQF Edition 8, BRC Issue 7, FSSC 22000 ver 4.1 and other major food safety standards.
What comes next?
Now you have a vulnerability assessment, what comes next?