Hi Kmboardman, welcome to the forum! I'm sorry you had such a poor experience implementing the requirements of your certification, it can be frustrating especially when you're trying to make sure you don't mess up any FSIS requirements while implementing, I definitely get that. This response ended up obnoxiously long, so I'll break it out into categories and here's a TL;DR.
- Yes, it is expensive, and it's going to be whether it's consulting fees or company time, that's what it costs.
- Yes, it does take sometimes years to get certified, and it shouldn't be easy to "tack on" if you're already under a government requirement. If it was, it would just be a piece of paper with no actual changes made.
- No, it doesn't make sense for all small companies. Any company can just implement areas of the code that make sense for them even without actually getting "certified", which still means food safety and reduced risk of recall without the added cost of certification. However, if it means you get to sell to a major grocery chain, then there's an obvious ROI for actual certification. Anyone can embrace the principals whether or not you want the full certification and associated costs.
- Ambiguity is the case with GFSI and FDA, which isn't what you get with FSIS who tells you exactly what they want through policy or your on-site inspection personnel. That's the way they work and it means increased liability for you along with added flexibility.
- Embrace the ambiguity to make it work for your facility, separate your documentation to make auditing easy and training effective.
- Find good consultants by identifying ones with industry experience doing what you want in your industry, clarifying that the relationship isn't about regulation research but about content generation, and by providing enough detail that what they make is for you, not generalized. Avoid consultants if you already understand the requirement and want someone to actually generate the program, bring that in-house or reach out to someone in your industry and ask if you can see how they did it.
Cost and benefit
I don't think the implementation costs you incurred are that abnormal. So while it seems like a lot, and it is, it comes down to whether that's the value of the certification for your company. This pays itself off it if allows you to sell to a major grocery chain who requires it, or if you avoided a $100,000 recall, but the former is easier to prove an ROI on than the latter. It may not make sense for very small companies who won't see these benefits because the volumes are so low recalls are unlikely, and the customer base is small or indifferent to the certification.
I know a few companies (mostly low-risk products that don't sell direct to consumer) that ultimately abandoned certification after not seeing a cost-benefit. They instead took the parts of the policies they liked that had an impact on product quality, and let others go that felt like overkill in their facilities (e.g. some of the calibration requirements you mentioned, or verification flows that can feel circular at small companies). This is why SQF is awesome for making the code free and available, anyone can embrace the principals that resonate with them without going through a paywall.
With regard to your comment "why do I need a $150/hr consultant to do this". This isn't a hard rule, but consultants generally need to charge at least 3x what they're worth as a salaried employee to cover their expenses, so you're essentially paying for what would be an employee worth 100k salary+benefits or probably somewhere in the neighborhood of 60-70k base salary.
Still seems expensive, but that's what SQF practicioners at large companies make, and their only job is to maintain these certifications. So whether it makes sense to bring someone on to maintain this stuff or if it's cheaper to continue outsourcing depends on the level of maintenance your program will need ongoing, but ultimately this is why SQF asks for a practitioner in the code itself, they recognize that the scheme requires labor and put in the requirement so that there's no question that it's going to cost at least as much as another person on staff.
The world is full of bad ones, and good ones that didn't give you what you needed. IMEX, good consultants will have industry experience doing exactly what you need, so look for those and not people who worked 5 years, got some kind of education-based certification (e.g. certified food scientist or Certified SQF practicioner), and ran off to be their own boss. Also, really decide whether you are using consultants to consult or generate content. Members of the latter will push for details and generally do a better job if they aren't just copy-pasting generic templates for you in exchange for a fee, you should be able to recognize these because nothing will feel like it "fits" your facility well, and they won't ask for things like your existing paperwork to match the content you're currently using.
Consultants who "consult" are typically only good for basic information that you can find yourself if you have simple research skills. Keep in mind that the majority of the work these people do is helping folks who have zero knowledge of the tasks. These are folks like many "label consultants" who will review labels to tell you things like "you forgot to include an allergen statement" or that your net weight has the wrong units. Tons of people pay for this service rather than do the research, and so they have a market for it. However these types of consultants often don't have the skillset or genuine interest in helping you evaluate whether your product qualifies for a "made in USA" claim, except to send you the regulatory text or specify where it could appear on the package. Again, replaceable by someone with strong google-fu, but very helpful to that small bakery who is selling to stores for the first time and is a 3-man operation, no time to research label requirements when you're baking and running the business.
This is the reason why most consultant's aren't much help for companies pursuing complex certifications. They're trying to keep their costs to you low, so they don't get into details and just look up the information that you need to be compliant, not actually learn about and integrate it into your business, which takes much more time that a dedicated employee would inherently have, and the majority of small companies making the call really just need some basics covered they don't have the time or experience to investigate themselves.
But if you've found a good consultant who is knowledgeable and willing to help you generate content that will be effective at your company, they're only going to be as good as the information you've provided them. You mentioned you're under FSIS so you may have experience with the old label approval process? Even though FSIS used to review every label for every product, recalls for missing allergens still happened all the time. The reason? Missing allergen declarations would have been caught by the reviewer if they were given accurate ingredient statements, but they could only review labels based on what companies provided. So if they missed an allergen or didn't declare sub-ingredients in the approval application, reviewers had no clue that anything was missing. They aren't setup to ask for all of your ingredient labels as part of the approval, since that would be a huge timesink and they aren't there to act as a full time employee for your company. Consultants operate the same way, if you state "I need to comply with X requirements and this is my process", any nuance of missing information will be missing from what they provide, and they will refuse to provide specifics because they don't work there and can't know if you've shared everything.
The forums work in much the same way, but with more industry experience shown. This is demonstrated by the first comment after any question usually starting with "can you provide more information?". Since this forum generally assumes that you've already done your google-fu and you're parsing out some specific detail unique to your situation.
Speed to certification
As far as speed to cerification, you mentioned it seems crazy that it takes 1-2 years. 2 years would be pretty long, and really just demonstrates that these are companies adding it to existing duties rather than prioritizing it with personnel and capital. But in general there are a ton of multi-department moving pieces to implement. I would agree that someone knowledgeable of the code, how it is audited, and on-site at your company could crank out the "program" in a few months with their time dedicated to the task (not just added to an existing position), but actually implementing it effectively and getting people on board? That's what takes forever. You had a leg-up with FSIS with regard to a lot of existing programs and facility maintenance, but getting your maintenance guys on board with tracking plastic, repairs, etc., operators handling chemicals differently, getting suppliers "approved", or adding a label revision control program takes a long time to get going in an effective way.
An opposing point here is that these certifications shouldn't be easy, that's what makes them worth it. You may have past experience with getting an AIB sanitation audit or some other audit in place, which is basically a phone call, day audit, some corrections, and done. Those audit's aren't effective and it showed. GFSI schemes are intended to be rigorous and different from a government or other audit. In short, they shouldn't be easy to implement if you're already under FSIS, otherwise that just means that they're useless and a piece of paper attached to zero policy or process changes.
Embracing your certification
Certifications are more frustrating if you don't embrace them as a culture, which is what I read from many of your comments. You stated (and I agree) that you had your stuff together due to FSIS inspection and the rest feels like overkill.
Depending on your volume and product/process risk, it can be! Nothing wrong with admitting the reality on how often an undamaged pair of calipers is actually going to go out of spec. Or how terrible establishments doing nothing right can keep on operating for years without issue or oversight. Take one look at warning letter history to see plants covered in rodent feces operating as per usual, they're definitely not maintaining a register of brittle plastics....
They way I tell my employees that SQF is part of our company culture is that it's a collection of "good ideas". Even though the risk is minimal for our process or we have no clue how something could lead to recall, every part of the code is a "good idea" that we should try to embrace, even if it isn't super critical or likely. Food defense is often a soft target, since any sort of personal safety carries a sarcastic "doesn't matter if we do that, someone could just do something during X supply chain step...". Just because the work could be undone, doesn't mean protecting the product under your control is a "bad idea", and that embracing SQF you've agreed to do whatever the code suggests because it can only help, not hurt, food safety, even if it isn't 100% effective.
It's a good discussion to have about GMP's as well, when employees question hairnets in the presence of hairy arms, I come back to the "good idea" principal. It doesn't hurt, so why would we throw it out?
Making it better ongoing or for other new companies
I have some (free! :) ) recommendations for you to hopefully make this easier/cheaper ongoing, since that was your request in your original post. Keep in mind that based on the information you provided, I'm making the following assumptions:
1. You're a 1 man QA department or at least with no technical or regulatory compliance staff reporting to you.
2. Your company is very small (<2mil/year or under 20 employees)
3. You're producing an amenable product that may or may not sell direct to consumer
4. This is your first time implementing this type of audit scheme
And of course, it’s still going to be frustratingly vague J
First, if you can't do it yourself with your other duties, it sounds like it's time to bring someone new into your QA department to help manage this. A document controller is a good first step who can provide verification on production docs, organize them, and free you up from paperwork management time. Supplier maintenance is a huge timesink that this person can help you with, and can be a multi-purpose employee other departments can rely on as well. The position can be relatively inexpensive, but a hard one to fill since good document control is a special skillset, and not just anyone who can use word is good at managing revision control and organized databases. Find someone who can generate content and organize it in a universal way, not just someone who can follow a flowchart.
Second, instead of consultants, try reaching out to others in your industry who already have certification in place and ask how they met the requirements you're struggling with. Identify a non-competitor (e.g. similar product but different market, like if you process heat&serve TV dinners reach out to a jerky producer or some other amenable snack food that might have a similar process flow or shelf life/risk) and get in touch with their QA manager. Most companies under GFSI are committed to food safety in general, and may be willing to let you check out how they organize their FSM (registers, etc.) even if they can't share the proprietary details. It's really easy to remove confidential information and send templates around. I learned what I know from my original training and then by touring several other companies both in and out of schemes to get ideas on different routes of presentation, as well as grilling my auditors (from all agencies and customers) on what they see at other plants. This is a great way to also find out those "standardized" calibration requirements. Your supplier approval program can also be a source of examples of SOP's if you request them as part of your documentation.
Note: this can also be a good way to find solid "consultants" who currently have industry jobs but are willing to weigh in on your stuff for free in the interest of food safety in your food sector. E.g. IFSQN members. They can also weigh in with opinions, since they aren't charging for services and carry less liability for your decisions than consultants.
Third, embrace the ambiguity. As an FSIS establishment, you basically had your HACCP plan written from a long history of specified process flows, control points, etc. It's a blessing in most cases as it makes government audits simple and the requirements are clear. But it also means there hasn't been a reason to reinvent the wheel or generate your own content for fear that it won't be what's expected from your product/industry. This is the hardest thing to do, because it requires you to consider hazards that have never been an issue, and the reality that you may not be able to describe controls for the new hazards you identify. It also means that you can identify areas of little/no risk and avoid needless requirements there. This is hard for QA to do because we like it when the government tells us what the risk areas are, but that's not the point of the certification. Use the ambiguity as an opportunity to "eliminate" areas of the code that are overkill for your specific facility (e.g. label review for a facility with no potential for undeclared allergens), and be prepared to defend your program when needed, which is why you're present for audits and not just turning in paperwork.
Fourth, regarding your desire for information on formatting, register arrangement, policy examples, etc. I see this as another area where FSIS has given the meat industry what FSIS wants to see in the past and your on-site inspector has been a partner in creation to make their job easier (e.g. can you post your holds with this info so I can call you if I have questions?). This isn't they way FDA or GFSI schemes operate, they love to make result-oriented requirements and leave the how up to you. Which isn't simple for QA, as it places all the liability on you with very little guidance, and forces you to defend your FSM to auditors who don't like the way it was organized in your case.
My recommendations for anyone creating this stuff for the first time would be this (based on my experience, which is strictly SQF, whom is generally more less detail fixated than BRC).
Policies: from a policy level, auditors want to see the material from the code reflected almost word-for-word and bullet-by-bullet in policy, with nouns and verbs altered for your product/process/facility. This doesn't make good training material, but simplifies audits, so I recommend creating "policies" to demonstrate you observe the code for your managers and yourself, and more layman training documents to implement it with your employees. Because you have the code, this has already written itself. A great example is your policy to enforce GMP's, which might include a million bullet points on hand washing, clothing, jewelry, closing doors, etc...but your training may be a simple picture of an employee who is ready for work, demonstrating all the requirements without having to list out 1000 words to prove the policy exists.
Registers: Million ways to do this, but simply put, when an inspector arrives you should be able to provide a list of all your SOP's in whatever format. This could be a bunch of file folders on a computer, a handwritten list, quality system software reports, or a table of contents for your binder of SOP's. Any other register (suppliers, labels, training) can be the same type of deal, with the requirement being that it's current and can be brought up quickly, and could be used to find information. My "registers" are my active databases of information that I use daily, since I can print out columns to generate lists quickly.
Formatting: like I said, you have two tiers of documents, policy ones for managers and audits, and training tools for employees. Format the policy documents to mirror the code you're trying to follow so that it's easy for the auditor to check those boxes. Format the training docs so that they're helpful to employees and you actually implement the policies in a meaningful way.