Appealing an SQF Food Defense nonconformance: auditor wants locked front door

We recently had our annual SQF Fundamentals Edition 1 Manufacturing - Intermediate audit and received a non-conformance for Food Defense.  2.7.1.1 - The methods, responsibility and criteria for preventing food adulteration caused by a deliberate act of sabotage or terrorist-like incident shall be documented, implemented and maintained.

The reason given for the non-conformance is that we leave the front door and vestibule door unlocked.  However, there is an alarm on the front door that chimes every time it is opened.  Also, our Office Manager has a view of the parking lot from her desk and forewarns us about anyone coming to the front door or just in the parking lot unexpectedly.  Our facility has 7 employees, making it very easy to identify any intruders.  Finally, you have to walk through our lobby and office to get to our production area.  Not to mention the fact that you have to know where our manufacturing area is.  And before you mention disgruntled employees, it's been more than 2 years since we've fired anyone.  

Our facility is very inconspicuous; you have to know where we are to find us.  I've literally had to go into the parking lot to wave down food safety auditors so they could find us.  In the 20 years that we've been in this facility, we've had 3 SQF auditors, 2 IDPH auditors, and 1 FDA auditor; none had any issues with our food defense mechanisms.  Then we get a new SQF auditor who seems to expect us to maintain the same standards he saw working for giant food companies and wants us to lock the front door.  We have customers who pick up orders and others who just drop in to visit us.  All of them appreciate that they are welcome to show up unannounced to chat with us.  When people visit us, they always stop in the lobby until they are greeted and welcomed into the office or sent away (as is the case with unsolicated sales people).

I feel like this food safety auditor was more interested in pushing his personal agenda of locked doors than in paying attention to the food defense measures we already have in place.  Measures that we have shown to be successful.  Is it unreasonable for me to appeal this non-conformance?  I've never appealed a non-conformance before.

I used to do food defense breaches where I'd put a lab coat on and walk in with a hardhat (that said inspector on it ) and clipboard under my arm

With the exception of 2 times out of a hundred or so, I was never stopped - even with chimes on the door and somebody watching the door, and that reliance must account for bathroom breaks, etc.

Someone that intends to do damage to the interior of the facility will already know how to go from the open door, thru the office and into production.

I would suggest putting a remote controlled lock on the door and something like a Ring Camera with intercom - a little sign that says, for entry, ring bell and speak into the speaker.

By the way, most of our breaches were because the front door was unlocked (or a dock, shipping or exit door) and when available the door from the lobby to the front office areas was unlocked as well.

Why the others missed this I have no idea, but this Auditor was not over the top - it was good finding.

You can always appeal it, but I doubt it would go thru/

If you want to appeal just contact your CB contact and request the process as they may have their own format/form for you to complete and submit.

Hi Spidey,

Your Office Manager cannot be watching the front door 100% of the time, I guess they have to go to the toilet occasionally etc. so the Auditor's finding is not unreasonable and it is doubtful an appeal would be successful. 

Putting a lock on the front door and a door bell camera then buzzing visitors in is the least you could do and shouldn't cost too much.

Get it done and move on.

Kind regards,

Tony

Agree with the above posts.

People who test your systems (pen testers) would easily get into your facility.

Nobody is looking at a carpark or door 100% of the time. Even if they didn't need toilet and lunch breaks, after about 10 minutes their attention would drift and don't they have a day job to do?

I think Glenn's suggestion of a ring doorbell or similar is a good one. I agree with both Tony and Glenn, an appeal will fail. You're saying you have food defence systems in place but they're weak.

I'm not sure what you know about hierarchy of control but it's used a lot in health and safety (people safety). It's not super easy to map it across to food safety and food defence but I'll explain why it should be in your mind IMO.

About Hierarchy of Controls | Hierarchy of Controls | CDC

When you think about a health and safety hazard, the best control is to get rid of it completely. The worst control is PPE. Why? Because if you remove the hazard, it cannot become a risk. If you rely on behaviours to reduce the risk (i.e. the behaviour of wearing PPE) we know that they are prone to failure. It could be argued that the control you have in place isn't even an admin control. The ways it could fail are numerous. You'd be better isolating people from the hazard (i.e. locking the door and allowing access by exception once known to be safe to do so).

For cyber, physical threat etc, the process of "denial by default" is a MUCH better approach than "we'll probably know when someone has entered". Do you see the difference?

We recently had our annual SQF Fundamentals Edition 1 Manufacturing - Intermediate audit and received a non-conformance for Food Defense.  2.7.1.1 - The methods, responsibility and criteria for preventing food adulteration caused by a deliberate act of sabotage or terrorist-like incident shall be documented, implemented and maintained.

 

The reason given for the non-conformance is that we leave the front door and vestibule door unlocked.  However, there is an alarm on the front door that chimes every time it is opened.  Also, our Office Manager has a view of the parking lot from her desk and forewarns us about anyone coming to the front door or just in the parking lot unexpectedly.  Our facility has 7 employees, making it very easy to identify any intruders.  Finally, you have to walk through our lobby and office to get to our production area.  Not to mention the fact that you have to know where our manufacturing area is.  And before you mention disgruntled employees, it's been more than 2 years since we've fired anyone.  

 

Our facility is very inconspicuous; you have to know where we are to find us.  I've literally had to go into the parking lot to wave down food safety auditors so they could find us.  In the 20 years that we've been in this facility, we've had 3 SQF auditors, 2 IDPH auditors, and 1 FDA auditor; none had any issues with our food defense mechanisms.  Then we get a new SQF auditor who seems to expect us to maintain the same standards he saw working for giant food companies and wants us to lock the front door.  We have customers who pick up orders and others who just drop in to visit us.  All of them appreciate that they are welcome to show up unannounced to chat with us.  When people visit us, they always stop in the lobby until they are greeted and welcomed into the office or sent away (as is the case with unsolicated sales people).

 

I feel like this food safety auditor was more interested in pushing his personal agenda of locked doors than in paying attention to the food defense measures we already have in place.  Measures that we have shown to be successful.  Is it unreasonable for me to appeal this non-conformance?  I've never appealed a non-conformance before.

"The reason given for the non-conformance is that we leave the front door and vestibule door unlocked.  However, there is an alarm on the front door that chimes every time it is opened." A chime on the door doesn't actually prevent bad actors from coming in. I agree with the others that a Ring doorbell (or similar) with a remote-controlled lock is more effective.

"Also, our Office Manager has a view of the parking lot from her desk and forewarns us about anyone coming to the front door or just in the parking lot unexpectedly.  Our facility has 7 employees, making it very easy to identify any intruders." Your office manager has an office to manage and they need bathroom and lunch breaks too. You didn't even consider the option they may have a vacation/time off or get sick of a few days.

"Finally, you have to walk through our lobby and office to get to our production area.  Not to mention the fact that you have to know where our manufacturing area is." Food defense breach testing has shown time and time again that if someone wants to get in they find a way. They can pretend to be an auditor, or an official from the local water or gas company. Even a small number of employees doesn't prevent this. Is the door to your production area locked, even though it is hidden away? If not, THAT is the priority issue you need to address. It's fine if people can get into the lobby, but you have to lock doors elsewhere to prevent them penetrating deeper into the building and reaching production areas. (And don't forget the risk access to the office can pose. One bad actor can introduce a virus or steal sensitive company data if the area is not locked away. 

"And before you mention disgruntled employees, it's been more than 2 years since we've fired anyone." That is false security. People who do things that require food defense to be implemented can hold long grudges. Your risk may well be lower than that posed to a larger company, but it's not zero.

SHQuality makes some good points.

It's just made me think of something else. I was in a small packaging company just before Christmas picking up an item for some work I'm doing. I walked into the main building, there was nobody in the office.

I got all of the way into their manufacturing area and in the end shouted out for someone, at which point a head bobbed up and they dealt with my query.

You assume Spidey that your controls are in place and operating perfectly and bad actors don't know just what times to try to evade them. Start and end of day. Lunchtime. School holidays. Etc etc. I've only done a few pen tests but it's so easy to work your way into somewhere you don't know. Surprisingly so. And Glenn's "look official" gambit is typical. Another is to create a false sense of urgency. So for example, someone rocking up claiming to be from head office / major customer / the competent authority / the police / ICE / the guy to fix the drain that someone further down the estate has just reported is blocked. All of these things circumvent people's natural caution.

SH has also made me think of somewhere else. We had a small company of only 40 people. I knew everyone by name. Got on, I thought, with everyone. The MD had to sack an engineer for falsifying paperwork (I didn't find the issue, the MD found it himself). When the engineer handed his phone back in, my name was in the mobile with "GMO, pain in the a**".

People don't always tell you when they hate you or hate the company. They may not tell you about their affiliation with a terrorist organisation. (Why would they?) Or some activism thing. You might not even be the target of what they're trying to do, it might be your customer, the country or just because they're irrational. Or, as in the case of the engineer, they might just really hate you because you were the person who tried to make sure things were done the right way...

We have two facilities that people are able to enter the main door, but have to ring a bell to get in further.  We just bought a cheap button, with a "bell" we can plug in anywhere so we can move it around depending on who is on "door duty".  I think our sign says something along the lines of, "Please ring the bell and we will be up momentarily."  Sometimes it takes a minute or two for someone to actually get to the door, but it is secure and didn't cost a lot.  

I get the small business attitude.  I also get food defense is a serious topic to many auditors, especially if they're having a hard time finding faults at a small organization with a simple and safe process.  Very rarely would an auditor want to write a 100 unless they can fully and wholly affirm it to a gold standard.  So if you're SQF auditor gave you a 99 and this was the one finding, I'd find a way to lock the doors.

Now, by your own testimony, your door watching office manager or whomever is spotting these visitors in the parking lot can still open the door and let them in without them needing to ring a bell.  You aren't losing any relationships over this, and customers will be able to still visit as you describe.  If you still want people to get into the office freely, then you can get away with locking the doors to production.  A simple electronic keypad on a doorknob will do the job.  Free access to the office gets maintained, and honestly your customers/visitors have no business entering production or storage to begin with so I hope that's not something you're looking to preserve.

SHQuality makes some good points.

 

It's just made me think of something else. I was in a small packaging company just before Christmas picking up an item for some work I'm doing. I walked into the main building, there was nobody in the office.

I got all of the way into their manufacturing area and in the end shouted out for someone, at which point a head bobbed up and they dealt with my query.

You assume Spidey that your controls are in place and operating perfectly and bad actors don't know just what times to try to evade them. Start and end of day. Lunchtime. School holidays. Etc etc. I've only done a few pen tests but it's so easy to work your way into somewhere you don't know. Surprisingly so. And Glenn's "look official" gambit is typical. Another is to create a false sense of urgency. So for example, someone rocking up claiming to be from head office / major customer / the competent authority / the police / ICE / the guy to fix the drain that someone further down the estate has just reported is blocked. All of these things circumvent people's natural caution.

 

SH has also made me think of somewhere else. We had a small company of only 40 people. I knew everyone by name. Got on, I thought, with everyone. The MD had to sack an engineer for falsifying paperwork (I didn't find the issue, the MD found it himself). When the engineer handed his phone back in, my name was in the mobile with "GMO, pain in the a**".

People don't always tell you when they hate you or hate the company. They may not tell you about their affiliation with a terrorist organisation. (Why would they?) Or some activism thing. You might not even be the target of what they're trying to do, it might be your customer, the country or just because they're irrational. Or, as in the case of the engineer, they might just really hate you because you were the person who tried to make sure things were done the right way...

Hi GMO:

I already know that food defense is important, but with all the stories you shared, I'm starting to wonder if it may actually be a point that needs far more attention than it is currently getting. Am I just getting that impression because you summarized all of them in one post, or is your personal experience similar?

Agreed with all that's been said so far. We are a small facility & team located in the middle of nowhere, so I can understand your frustrations. I want to add some simple, low-cost ways to help.

• Just 7 staff, give them identification cards, and revoke them when staff leave the company. Train your staff to speak up when they see anyone without an ID card. Give visitors a different card (or work jacket) that visually stands out.
• Request a background check when hiring new staff.
• Install a security lock on the Production entrance door with codes for staff.
• Install a doorbell and sign at the main entrance so the door can be locked at all times. Then the office manager acts as security, only allowing entry to those necessary.
• If you have security cameras that are running 24/7 include this in your program.

Hi GMO:

I already know that food defense is important, but with all the stories you shared, I'm starting to wonder if it may actually be a point that needs far more attention than it is currently getting. Am I just getting that impression because you summarized all of them in one post, or is your personal experience similar?

I have worked at places where there have been suspected and actual incidents. Most tend to be insider attacks so the risk of external attack is probably overstated and even with 7 people the risks of internal attack is probably underappreciated.

Even just the small scale stuff. There is not a single workplace (even small ones right now) where someone isn't really really p---ed off. Pay is not keeping track with inflation in most cases and the whole feel people have of disengagement post Covid? That's without the whole world situation right now. So I'd be VERY wary of internal attacker risk. Even if it's just low level theft "I'm stealing this because my employer doesn't give a crap" kind of stuff, but that can escalate.