9 replies to this topic

[Serena :)]

Good evening all!

I wonder if I can find any help concern point 4.2 of BRC standards.

I am working for a small company, very small manufacturing. 

I made a food defence plan but I am not sure I did in a perfect way.( I am working in this company since a very short time only 3 months)

I used a vulnerability threat assessment considering as a threat :

• internal and external potential threat
• different area ( such us outside area, inside area, processing area, receiving area, storage area, water security, chemical security, personal security)

 

is anything else should I consider? I am a little bit lost cause is a very small reality and company.

Any help is appreciated :)

[pHruit]

Welcome to the forum
IIRC the interpretation guide also mentions IT and data security - how relevant this is will depend on the nature of the business and is perhaps less significant if you're small and are using lots of networked production stuff, don't have online access portals for payment or customer/consumer details etc, but it's probably worth documenting that you've considered it either way.

I don't recall it being mentioned explicitly in the standard, but I've included the transport stage in ours too - you can have the most secure facility in the universe, but it's not much use if anyone can tamper with your product between it leaving your site and arriving at your customer

 

I'd also document the review criteria/triggers mentioned towards the end of 4.2.1, as if nothing else it's always easier to present direct written evidence to the auditor to show you've considered these things.

 

4.2.2/4.2.3 will depend to an extent on the outcome of your risk assessment for 4.2.1 - if you have areas requiring consideration then find a manageable way to do it with your small team, but also consider that it is entirely possible to conclude that you do not have any significant threats that need extra controls for management, but I'd document that this is the case if so.

 

Any sane BRC auditor should approach your site with a sensible expectation of proportionality given the size - having very few people generally makes it somewhat easier to manage direct security than if you're a massive brand/manufacturer with hundreds/thousands of people coming and going from the factory.

[Charles.C]

Good evening all!

I wonder if I can find any help concern point 4.2 of BRC standards.

I am working for a small company, very small manufacturing. 

I made a food defence plan but I am not sure I did in a perfect way.( I am working in this company since a very short time only 3 months)

I used a vulnerability threat assessment considering as a threat :

• internal and external potential threat
• different area ( such us outside area, inside area, processing area, receiving area, storage area, water security, chemical security, personal security)

 

is anything else should I consider? I am a little bit lost cause is a very small reality and company.

Any help is appreciated :)

 

Hi Serena,

 

There are many  querying threads here on this BRC topic.

 

Have a look at this post/surrounding thread -

 

https://www.ifsqn.co...an/#entry161409

 

And maybe this interpretation pair for comparison -

 

https://techni-k.co....-site-security/

https://techni-k.co....eat-assessment/

(somewhat generalised for marketing reasons)

 

PS - this may also be of interest -

 

https://www.ifsqn.co...ce/#entry146770

[Serena :)]

Many thanks for your answers!

at this point, I feel more confused

 

we already have a taccp/vaccp for our raw materials ( we only manage two ingredients, so very low risk)

I'm wondering if I did basically the job twice. The previous technical manager only considered raw material with no including any security defence ( I mean proper building defence or all particular area that I considered in a defense plan).

Are these two plans correlated so they can be structurise together as a unique plan or they have to separate?

 

Sorry guys for the silly questions but this are new points of BRC V8 that no one treats last year in this company.

 

Many many thanks :)

[pHruit]

I believe that the Interpretation Guide (if you're already BRC certified then you can access this for free via BRC Participate, or if this is your first BRC then it is worth purchasing) advises that you can combine your approach for section 4.2 and 5.4, but this definitely is not mandatory. There is a reasonable degree of flexibility to structure an approach that works for you - personally I've found it more efficient to address these individually, but if a joint system suits your materials/processes/business then this is also fine.

[Charles.C]

Many thanks for your answers!

at this point, I feel more confused

 

we already have a taccp/vaccp for our raw materials ( we only manage two ingredients, so very low risk)

I'm wondering if I did basically the job twice. The previous technical manager only considered raw material with no including any security defence ( I mean proper building defence or all particular area that I considered in a defense plan).

Are these two plans correlated so they can be structurise together as a unique plan or they have to separate?

 

Sorry guys for the silly questions but this are new points of BRC V8 that no one treats last year in this company.

 

Many many thanks :)

 

Hi Selena,

 

Based on previous BRC threads, I opine that most people have done Food fraud(= VA) in clause 3.5.1.1. So separately to clause 4.2.

 

But, as IIRC illustrated in my previous link, not all.

 

BRC in fact issued a rather elegant  and detailed presentation of their interpretation of VA.

 

My offering for clause 3.5.1.1 is here -

 

http://www.ifsqn.com...al/#entry100194

(ultimately above likely overkill since BRC will probably, currently, be perfectly happy with a lot less rigorous analysis since no recent horsegate catastrophies)

[zoelawton]

Hi Serena.Sorbello.

 

I understand your confusion, it can seem pretty daunting when trying to find a starting point. 

 

Please see attached our Food Defense Risk Assessment, as well as the Fraud / Vulnerability Assessment. Hope this helps. 

 

Please bare in a mind a comment we received regarding this in July from BRC was 'this isn't laid out in the usual way - but that isn't necessarily a bad thing' 

 

Also, i would ensure this is added to your annual management review meeting agenda as it is to be reviewed annually and HAS to be documented that it is to be reviewed annually. 

Attached Files

•  Risk Assessment Food Defense.pdf   100.26KB   469 downloads
•  QP018 Fraud & Vulnerability Assessment.pdf   19.91KB   417 downloads

[Charles.C]

Hi Serena.Sorbello.

 

I understand your confusion, it can seem pretty daunting when trying to find a starting point. 

 

Please see attached our Food Defense Risk Assessment, as well as the Fraud / Vulnerability Assessment. Hope this helps. 

 

Please bare in a mind a comment we received regarding this in July from BRC was 'this isn't laid out in the usual way - but that isn't necessarily a bad thing' 

 

Also, i would ensure this is added to your annual management review meeting agenda as it is to be reviewed annually and HAS to be documented that it is to be reviewed annually. 

 

Hi FSA,

 

I am guessing the attachment  is an introductory summary of (to be) presented data, not the vulnerability assessment per se ?

Edited by Charles.C, 03 September 2020 - 09:31 PM.
edited

[zoelawton]

Hi FSA,

 

I am guessing the attachment  is an introductory summary of (to be) presented data, not the vulnerability assessment per se ?

 

Hi Charles, 

 

To answer the unedited remark - it was deemed as acceptable. Everything is there that is necessary. We are super low risk, closed product (one product) site. 

Please see snippet from audit report regarding 4.2. (as i said, the auditor mentioned that is not the usual way he would see this done however it does not mean that it is not ok)

 

4.2 Site security and food defence

Security systems in place. A documented risk assessment (TACCP) has been completed within YF6 v1 2019-02-08 and includes both internal and external threats. This has led to a threat assessment plan that is reviewed a minimum of annually or following a new threat or if an incident occurs. All threats have been deemed low or negligible. Where risk to products have been identified the site have the following controls a member of the family lives on site, gates on all the access points that are locked when site is not in operation and CCTV, these controls are monitored by the MD and results documented and reviewed annually. All visitors report to reception and sign in. The security of the site is maintained by CCTV and appropriate locking of doors with keypad entry to the facility to prevent unauthorised access. With the current pandemic the site also screened for Covid-19 before visitors are allowed onto the site. External storage tanks, silos and intake pipes are not present. There is no secure fencing, but the site is very rural, and the access gates are secured when the site is not in operation. Staff are trained in Site security and food defence, see section 7.1. The site is registered with the appropriate authorities – Hambleton District Council - last EHO visit 2020-02-17.

[Charles.C]

 

Hi Charles, 

 

To answer the unedited remark - it was deemed as acceptable. Everything is there that is necessary. We are super low risk, closed product (one product) site. 

Please see snippet from audit report regarding 4.2. (as i said, the auditor mentioned that is not the usual way he would see this done however it does not mean that it is not ok)

 

4.2 Site security and food defence

Security systems in place. A documented risk assessment (TACCP) has been completed within YF6 v1 2019-02-08 and includes both internal and external threats. This has led to a threat assessment plan that is reviewed a minimum of annually or following a new threat or if an incident occurs. All threats have been deemed low or negligible. Where risk to products have been identified the site have the following controls a member of the family lives on site, gates on all the access points that are locked when site is not in operation and CCTV, these controls are monitored by the MD and results documented and reviewed annually. All visitors report to reception and sign in. The security of the site is maintained by CCTV and appropriate locking of doors with keypad entry to the facility to prevent unauthorised access. With the current pandemic the site also screened for Covid-19 before visitors are allowed onto the site. External storage tanks, silos and intake pipes are not present. There is no secure fencing, but the site is very rural, and the access gates are secured when the site is not in operation. Staff are trained in Site security and food defence, see section 7.1. The site is registered with the appropriate authorities – Hambleton District Council - last EHO visit 2020-02-17.

 

 

Hi FSA,

 

Sorry, I missed yr post.

 

I think we are partially talking at cross-purposes.

 

from BRC (after GFSI) -

 

(1) Food defence - Procedures adopted to ensure the safety of raw materials and products from malicious contamination or theft.

 

(2) Food fraud -  Fraudulent and intentional substitution, dilution or addition to a product or raw material, or misrepresentation of the product or material, for the purpose of financial gain, by increasing the apparent value of the product or reducing the cost of its production

 

 

 I suspect BRC have caused confusion in this area  by attempting to blend the well-known PAS96 (UK) document together with GFSI's Interpretation of Food Fraud (also debatable but uncontestable). The result is a mess  which is "almost"  acknowledged  in the BRC Interp.Guidelines.

 

Yr 1st attachment is titled "Risk assessment Food Defence". However, as I read it, it actually includes (1,2). IMO this is incorrect. I consider that EMA should occur  with Food Fraud in yr 2nd attachment together with other items in the table of 1st attachment. As a result the 2nd Fraud attachment becomes a 1-page summary.

 

Seems to me that BRC initiated this confusion and their auditors are having to live with it.

 

PS - BRC do opine in their lengthy Food Fraud publication that a risk assessment of the (LxS) type as used in 1st attachment is not really appropriate. Seems they are unconcerned in practice (although I believe a revision has now been published which may retract their earlier viewpoint).

 

PPS - The infamous Horsegate affair which propelled the fraud topic to prominance illustrated the inability to maintain traceability within the food supply chain. i wonder if anything much has changed ?