Jump to content

  • Quick Navigation
Photo
- - - - -

Food Fraud threat assessment and mitigation FSSC 22000 V4.1

Food Fraud

  • You cannot start a new topic
  • Please log in to reply
11 replies to this topic

#1 lnkiema

lnkiema

    Grade - Active

  • IFSQN Active
  • 1 posts
  • 0 thanks
0
Neutral

  • Kenya
    Kenya

Posted 11 May 2019 - 02:50 PM

Hi Team,

 

Glad to join this forum.

 

Undertaking a FSSC certification in a months time. 
 

Any ideas on Food Fraud threat assessment and mitigation are welcome.



#2 tsebring

tsebring

    Grade - MIFSQN

  • IFSQN Member
  • 65 posts
  • 37 thanks
15
Good

  • United States
    United States
  • Gender:Male

Posted 13 May 2019 - 02:46 PM

I am not on this audit scheme, but like most, they have their requirements online.  That would the first place to start.  

 

Here's a direct link to their food fraud overview: http://www.fssc22000...inal-100418.pdf

 

In the references (end of the document), it refers to a free online FFVA assessment that I've used with my scheme.  I believe that others, using your scheme, have used successfully as well, but maybe they can weigh in on that directly.  That direct link to the assessment is: https://ffv.pwc.com/vsat/#/.  You would need to assess whether this assessment covers the scheme's complete requirements.  

 

Not sure how much help this, but hopefully it's a start.  

 

Good luck,

Todd



Thanked by 2 Members:

#3 Hlonipani Nleya

Hlonipani Nleya

    Grade - Active

  • IFSQN Active
  • 1 posts
  • 1 thanks
0
Neutral

  • Zimbabwe
    Zimbabwe

Posted 13 May 2019 - 06:27 PM

The FFVA is a good tool. But you may need to supplement the tool with a detailed mitigation action plan.

The FFVA does not offer good guideline on how to develop the mitigation plan you will need to use your experience to cover basics like:

 

1. Resources and responsibilities. 

2. How you are going monitor action plan progress. 

3. How you are going to evaluate effectiveness of your mitigation plan.

 

Good luck



Thanked by 1 Member:

#4 Charles.C

Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 15,860 posts
  • 4372 thanks
715
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 15 May 2019 - 12:10 AM

I am not on this audit scheme, but like most, they have their requirements online.  That would the first place to start.  

 

Here's a direct link to their food fraud overview: http://www.fssc22000...inal-100418.pdf

 

In the references (end of the document), it refers to a free online FFVA assessment that I've used with my scheme.  I believe that others, using your scheme, have used successfully as well, but maybe they can weigh in on that directly.  That direct link to the assessment is: https://ffv.pwc.com/vsat/#/.  You would need to assess whether this assessment covers the scheme's complete requirements.  

 

Not sure how much help this, but hopefully it's a start.  

 

Good luck,

Todd

 

In fact the above tool has had a mixed reception. Some like it and some the exact opposite. It is undoubtedly conceptually exhaustive, but I personally found it laborious to implement and discarded it.

 

There are some condensed variations on this Forum which might be more workload-palatable.

 

You might find this more simpler approach easier to implement (although the stumbling block for most methods is locating a database to check historical occurrences) -

 

https://www.ifsqn.co...ed/#entry121799


Edited by Charles.C, 15 May 2019 - 12:22 AM.
expanded

Kind Regards,

 

Charles.C


#5 tsebring

tsebring

    Grade - MIFSQN

  • IFSQN Member
  • 65 posts
  • 37 thanks
15
Good

  • United States
    United States
  • Gender:Male

Posted 15 May 2019 - 12:09 PM

It wasn't my favorite tool, but met the guidelines in our audit scheme.  We've got really tight control over everything (family business), so I really just used it as part of my justification to not add any mitigation strategies, additional monitoring steps, etc., so I admit that my experience with it wasn't "normal".  I also did a VACCP analysis based upon GFSI's technical guidance food fraud types as the entire food fraud area is not well defined (yet) and I wasn't sure if auditors would be happy with the PWC tool.  I figured that I was safe if I went back to how GFSI itself defined fraud and used a more traditional HACCP approach.  I stripped my file down to a template and am uploading here in case it's useful.  I think that it will be at least 5 years before we see a consolidated approach to food fraud given everything that I've read - definitely not until Codex releases their standards.

 

 

 

In fact the above tool has had a mixed reception. Some like it and some the exact opposite. It is undoubtedly conceptually exhaustive, but I personally found it laborious to implement and discarded it.

 

There are some condensed variations on this Forum which might be more workload-palatable.

 

You might find this more simpler approach easier to implement (although the stumbling block for most methods is locating a database to check historical occurrences) -

 

https://www.ifsqn.co...ed/#entry121799

Attached Files



Thanked by 1 Member:

#6 Charles.C

Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 15,860 posts
  • 4372 thanks
715
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 15 May 2019 - 02:51 PM

It wasn't my favorite tool, but met the guidelines in our audit scheme.  We've got really tight control over everything (family business), so I really just used it as part of my justification to not add any mitigation strategies, additional monitoring steps, etc., so I admit that my experience with it wasn't "normal".  I also did a VACCP analysis based upon GFSI's technical guidance food fraud types as the entire food fraud area is not well defined (yet) and I wasn't sure if auditors would be happy with the PWC tool.  I figured that I was safe if I went back to how GFSI itself defined fraud and used a more traditional HACCP approach.  I stripped my file down to a template and am uploading here in case it's useful.  I think that it will be at least 5 years before we see a consolidated approach to food fraud given everything that I've read - definitely not until Codex releases their standards.

 

Hi tsebring, 

 

Thks for the interesting template. I presume the format was primarily targeted at SQF[?] since, for example, the template lacks overt listing of some factors specifically required by BRC

 

TBH I suspect the auditors for any GFSI-recognised Standard are accepting almost any scheme looking reasonably persuasive which answers any specific queries.  The whole topic has become a minefield of confusion IMO. It's OPRP all over again.

And I fear that all this analysis will not prevent another melamine-type incident occurring in the future.


Kind Regards,

 

Charles.C


#7 tsebring

tsebring

    Grade - MIFSQN

  • IFSQN Member
  • 65 posts
  • 37 thanks
15
Good

  • United States
    United States
  • Gender:Male

Posted 16 May 2019 - 01:20 PM

I'm one of the rare people here on Primus.  We're an ag business.  I spent quite a bit of time trying this past year researching the topic - wanting to settle on a solid approach (so that I didn't have to change it all in a few years) only to realize that while there are many groups pushing ideas, but no actual standards.  Without anything solid, since Primus looks to the GFSI standard, I decided to refer to their technical document to keep me safe with any super picky auditor.  Hard for them to argue if I am going back to their own logic.  That file's grouping logic is directly from the GFSI's technical document and how they chose to define the possible areas involved in food fraud.  I personally think that they should include other factors into their logic - things like geopolitical influences, complexity of supply chain, degree of audit oversight, history of fraud in the product(s), etc., but it's not mine to do.  

 

It's a legitimate problem, but the unlying exposure involved is so varied as to make a standard difficult.  Should be interesting to watch how it plays out in the coming years.  My expectation is that everyone will look to Codex when they get that far.  Be a fun problem to solve...

 

Thanks,

Todd

 

 

Hi tsebring, 

 

Thks for the interesting template. I presume the format was primarily targeted at SQF[?] since, for example, the template lacks overt listing of some factors specifically required by BRC

 

TBH I suspect the auditors for any GFSI-recognised Standard are accepting almost any scheme looking reasonably persuasive which answers any specific queries.  The whole topic has become a minefield of confusion IMO. It's OPRP all over again.

And I fear that all this analysis will not prevent another melamine-type incident occurring in the future.

 



#8 Charles.C

Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 15,860 posts
  • 4372 thanks
715
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 17 May 2019 - 06:47 AM

I'm one of the rare people here on Primus.  We're an ag business.  I spent quite a bit of time trying this past year researching the topic - wanting to settle on a solid approach (so that I didn't have to change it all in a few years) only to realize that while there are many groups pushing ideas, but no actual standards.  Without anything solid, since Primus looks to the GFSI standard, I decided to refer to their technical document to keep me safe with any super picky auditor.  Hard for them to argue if I am going back to their own logic.  That file's grouping logic is directly from the GFSI's technical document and how they chose to define the possible areas involved in food fraud.  I personally think that they should include other factors into their logic - things like geopolitical influences, complexity of supply chain, degree of audit oversight, history of fraud in the product(s), etc., but it's not mine to do.  

 

It's a legitimate problem, but the unlying exposure involved is so varied as to make a standard difficult.  Should be interesting to watch how it plays out in the coming years.  My expectation is that everyone will look to Codex when they get that far.  Be a fun problem to solve...

 

Thanks,

Todd

 

Hi Todd,

 

Thks for info/comments. Very readable.

 

I presumed the GFSI doc.referred above is the one you linked to here (?) -

https://www.ifsqn.co...ht/#entry139382

 

I noted primus's requirements as -

 

1.08.01: Is there a written food fraud vulnerability assessment (FFVA) and protection plan for all types of fraud, including all incoming and outgoing products?
Total compliance (5 points). There should be a vulnerability assessment and comprehensive protection plan for all types of food fraud. This includes economically motivated hazards, economically motivated food safety hazards, adulterant substances, theft, tampering, simulation, diversion or gray market, intellectual property rights and counterfeiting.

 

I guess this is probably the most non-specific of any of the GFSI-recognised standards I have seen. Seems totally unclear regarding internal/external possibilities. Apparently requires consideration of both safety/non-safety food fraud. (probably matches GFSI's own text which tends to be equally generic albeit not quite to iso depths)

 

TBH I couldn't quite see how the content of the GFSI document (linked above) relates to the column layout of the vaccp template in post 5.

(i noticed the heading word "tactics" which sounds more like a threat/defense/taccp-type source)

(meaning of column B "Step" unclear to me - = Process step ? )

(food safety G column seems to  exclude food fraud potentials of  non-safety type although  seemingly expected to be included by Primus) (FSSC22000 = ??)

 

(I also noted that this, oft- criticized, template was apparently quite adequate for Primus -

https://www.ifsqn.co...on/#entry137749

 

Regardless I totally agree yr approach that there is no reason to supply Primus with data in excess of that required to yield 5 Points.

 

 

Returning to OP -

 

I noticed the FSSC22000 guidelines expect historic data, etc as, afaik, do every other GFSI-recognised standard (but probably not by gfsi itself).

 

The fssc22000 guidelines appear to demand an encyclopedic response - obviously exaggerated. The text also includes throw-away remarks such as the horsemeat episode being a "serious incident" - from an adulteration/traceability aspect undoubtedly yes, but from a health POV = afaik zero (French consumers may even have preferred it !)

 

My prediction is the FF emphasis will stay just above the radar unless another melamine occurs to cause a Peaking.  Pro-activity will remain problematic.

 

Again, thks for input.


Kind Regards,

 

Charles.C


#9 tsebring

tsebring

    Grade - MIFSQN

  • IFSQN Member
  • 65 posts
  • 37 thanks
15
Good

  • United States
    United States
  • Gender:Male

Posted 17 May 2019 - 01:29 PM

I concur that it a crappy standard on their part which is what set me on my research path.  A clear case of them "checking the box" without any real depth behind it.  

 

As for how I got from one to the other, their guidelines outline specific types of fraud (1.08.01) that need to be included in the VACCP.  That matched up exactly with the "APPENDIX: DETAIL OF TYPE OF FRAUD, AND EXAMPLES" in GFSI's technical document, so I used that to form the basis of my VACCP.  That was mostly to answer any "why" questions by the auditor.  Hard to argue when I'm aligned with the very standard that they are supposed to be aligned to.  

 

I have an background in IT (am semi-retired) and so I probably evaluate food safety more from a straight risk management perspective than most.  To me, for this company and product portfolio, the actual fraud risk is virtually nil, so it was more of documenting all of that in a manner that would meet their requirements. Other company or other products, I might care a lot more about it because the risk might be more real. 

 

As for Primus, I see why its derided by many, but they've used it for more than a decade and it works for sales, so it's what they want to stay with.  It's not the basis for my Food Safety management system.  I will do what's right and needed and then add in their stuff, when needed, to check their boxes (as it were). 

 

I see FSMA's Preventive rule for Human food being the primary driver of food fraud efforts in the U.S. right now, but concur that unless something major occurs, it will just hover above the radar screen.  Added cost without any clear ROI makes it hard to get the financial support without some type of a major driver.  Once Codex settles on standards, then the GFSI schemes will align with that, and it will get more tangible for the industry.  

 

Anyway, hopefully my explanation makes sense...

 

Take care,

Todd

 

 

Hi Todd,

 

Thks for info/comments. Very readable.

 

I presumed the GFSI doc.referred above is the one you linked to here (?) -

https://www.ifsqn.co...ht/#entry139382

 

I noted primus's requirements as -

 

 

I guess this is probably the most non-specific of any of the GFSI-recognised standards I have seen. Seems totally unclear regarding internal/external possibilities. Apparently requires consideration of both safety/non-safety food fraud. (probably matches GFSI's own text which tends to be equally generic albeit not quite to iso depths)

 

TBH I couldn't quite see how the content of the GFSI document (linked above) relates to the column layout of the vaccp template in post 5.

(i noticed the heading word "tactics" which sounds more like a threat/defense/taccp-type source)

(meaning of column B "Step" unclear to me - = Process step ? )

(food safety G column seems to  exclude food fraud potentials of  non-safety type although  seemingly expected to be included by Primus) (FSSC22000 = ??)

 

(I also noted that this, oft- criticized, template was apparently quite adequate for Primus -

https://www.ifsqn.co...on/#entry137749

 

Regardless I totally agree yr approach that there is no reason to supply Primus with data in excess of that required to yield 5 Points.

 

 

Returning to OP -

 

I noticed the FSSC22000 guidelines expect historic data, etc as, afaik, do every other GFSI-recognised standard (but probably not by gfsi itself).

 

The fssc22000 guidelines appear to demand an encyclopedic response - obviously exaggerated. The text also includes throw-away remarks such as the horsemeat episode being a "serious incident" - from an adulteration/traceability aspect undoubtedly yes, but from a health POV = afaik zero (French consumers may even have preferred it !)

 

My prediction is the FF emphasis will stay just above the radar unless another melamine occurs to cause a Peaking.  Pro-activity will remain problematic.

 

Again, thks for input.

 



#10 Charles.C

Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 15,860 posts
  • 4372 thanks
715
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 20 May 2019 - 01:20 AM

I concur that it a crappy standard on their part which is what set me on my research path.  A clear case of them "checking the box" without any real depth behind it.  

 

As for how I got from one to the other, their guidelines outline specific types of fraud (1.08.01) that need to be included in the VACCP.  That matched up exactly with the "APPENDIX: DETAIL OF TYPE OF FRAUD, AND EXAMPLES" in GFSI's technical document, so I used that to form the basis of my VACCP.  That was mostly to answer any "why" questions by the auditor.  Hard to argue when I'm aligned with the very standard that they are supposed to be aligned to.  

 

I have an background in IT (am semi-retired) and so I probably evaluate food safety more from a straight risk management perspective than most.  To me, for this company and product portfolio, the actual fraud risk is virtually nil, so it was more of documenting all of that in a manner that would meet their requirements. Other company or other products, I might care a lot more about it because the risk might be more real. 

 

As for Primus, I see why its derided by many, but they've used it for more than a decade and it works for sales, so it's what they want to stay with.  It's not the basis for my Food Safety management system.  I will do what's right and needed and then add in their stuff, when needed, to check their boxes (as it were). 

 

I see FSMA's Preventive rule for Human food being the primary driver of food fraud efforts in the U.S. right now, but concur that unless something major occurs, it will just hover above the radar screen.  Added cost without any clear ROI makes it hard to get the financial support without some type of a major driver.  Once Codex settles on standards, then the GFSI schemes will align with that, and it will get more tangible for the industry.  

 

Anyway, hopefully my explanation makes sense...

 

Take care,

Todd

 

Hi Todd,

 

Thks above. I have stayed well clear of FSMA after an initial attempt to understand their PC approach. I found their initial PC-related logic not convincing and gave up.

 

Returning to yr vaccp template - 

 

(a)Regarding "severity", the use in this food fraud context is ambiguous, eg assessed from a health perspective or ? The latter seems generically not considered appropriate so, for example,  BRC, USP, IFS use matrices but replace "health"  by  detection/economics/detection respectively, versus likelihood.

 

(b) Regarding "likelihood"  I noted that Primus make no mention of  scope of potential sources. The final result typically depends on how you aggregate the individual contributing factors. IFS are maximally conservative in that they opt for selecting the highest individual  likelihood factor while other matrix approaches either attempt intuitive or quantitative summations or averaging.

 

I appreciate you have worked from a haccp-type layout but I'm not sure how it would work with health severity/multiple fraud likelihoods. Maybe my reservations are (somehow) addressed by columns B/E/F.

 

PS - might add that afaik virtually all, if not all, proposed methods for (1) using XY matrices and (2)  accumulating vulnerability factors are open to theoretical criticism but such limitations have been known for a long time. Possibly the reason why FSMA's promised list of "high risk" foods has never materialised  despite their publishing an initial draft calculation formula.


Kind Regards,

 

Charles.C


#11 tsebring

tsebring

    Grade - MIFSQN

  • IFSQN Member
  • 65 posts
  • 37 thanks
15
Good

  • United States
    United States
  • Gender:Male

Posted 20 May 2019 - 02:00 PM

Regarding your (a), I left the matrix logic the same given the tool's alignment with HACCP.  That was more for the auditor (as most I've met are rooted in HACCP and not always that comfortable outside of it).  Personally, I align with the body of thought that finds risk matrices to be of little direct value (as they are so subjective), but I understand why they are part of the HACCP logic and it didn't hurt me to put them in.  Underneath, I am comfortable that what I produced was comprehensive for both types of fraud (dilution, misbranding, etc), as well as, possible contributing factors like geopolitical considerations, audit strategies, susceptibility of QA methods, supply chain impact, etc.    

 

Regarding (b), yeah, Primus is behind in identifying a  specific food fraud approach, but, being honest, I hope they continue to be vague, as it gives me the freedom to not have to align with two competing requirements because....

 

I will be moving to FSMA's IA (Intentional Adulteration) rule logic now that they have their training out for that.  (It would not nice not to align to FSMA, but alas, some of us don't have that option.)  Hopefully some of my existing work can be reused.

 

Anyway, thanks for your feedback; I'm always looking for ways to improve.

 

Todd

 

 

 

 

Hi Todd,

 

Thks above. I have stayed well clear of FSMA after an initial attempt to understand their PC approach. I found their initial PC-related logic not convincing and gave up.

 

Returning to yr vaccp template - 

 

(a)Regarding "severity", the use in this food fraud context is ambiguous, eg assessed from a health perspective or ? The latter seems generically not considered appropriate so, for example,  BRC, USP, IFS use matrices but replace "health"  by  detection/economics/detection respectively, versus likelihood.

 

(b) Regarding "likelihood"  I noted that Primus make no mention of  scope of potential sources. The final result typically depends on how you aggregate the individual contributing factors. IFS are maximally conservative in that they opt for selecting the highest individual  likelihood factor while other matrix approaches either attempt intuitive or quantitative summations or averaging.

 

I appreciate you have worked from a haccp-type layout but I'm not sure how it would work with health severity/multiple fraud likelihoods. Maybe my reservations are (somehow) addressed by columns B/E/F.

 

PS - might add that afaik virtually all, if not all, proposed methods for (1) using XY matrices and (2)  accumulating vulnerability factors are open to theoretical criticism but such limitations have been known for a long time. Possibly the reason why FSMA's promised list of "high risk" foods has never materialised  despite their publishing an initial draft calculation formula.

 



#12 Charles.C

Charles.C

    Grade - FIFSQN

  • IFSQN Moderator
  • 15,860 posts
  • 4372 thanks
715
Excellent

  • Earth
    Earth
  • Gender:Male
  • Interests:SF
    TV
    Movies

Posted 20 May 2019 - 02:56 PM

Regarding your (a), I left the matrix logic the same given the tool's alignment with HACCP.  That was more for the auditor (as most I've met are rooted in HACCP and not always that comfortable outside of it).  Personally, I align with the body of thought that finds risk matrices to be of little direct value (as they are so subjective), but I understand why they are part of the HACCP logic and it didn't hurt me to put them in.  Underneath, I am comfortable that what I produced was comprehensive for both types of fraud (dilution, misbranding, etc), as well as, possible contributing factors like geopolitical considerations, audit strategies, susceptibility of QA methods, supply chain impact, etc.    

 

Regarding (b), yeah, Primus is behind in identifying a  specific food fraud approach, but, being honest, I hope they continue to be vague, as it gives me the freedom to not have to align with two competing requirements because....

 

I will be moving to FSMA's IA (Intentional Adulteration) rule logic now that they have their training out for that.  (It would not nice not to align to FSMA, but alas, some of us don't have that option.)  Hopefully some of my existing work can be reused.

 

Anyway, thanks for your feedback; I'm always looking for ways to improve.

 

Todd

 

Hi Todd,

 

I think you have proven that you know a lot more about food fraud than Primus auditors.

 

Regarding IA you might find this link of some interest although I admit the content went right over my (non-FSMA/IA) head, :smile:

 

https://foodsafetyte...fsi-compliance/

 

Cheers !.


Kind Regards,

 

Charles.C






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

EV SSL Certificate