Jump to content

  • Quick Navigation
Photo

Preventative Action plan for an SQF Corrective Action

Share this

  • You cannot start a new topic
  • Please log in to reply
10 replies to this topic

AC2018

    Grade - MIFSQN

  • IFSQN Member
  • 174 posts
  • 50 thanks
32
Excellent

  • United States
    United States
  • Gender:Female

Posted 15 July 2021 - 12:52 PM

Hello all, we recently went through our edition 9 SQF audit. We have a CA for not including a cyber attack in our crisis management program that I have submitted corrective and preventative action steps for. I thought what I included was very thorough but the comment is saying there is no documents uploaded to support preventive action. I included the crisis management plan document that includes we have assessed the potential for a cyber attacked and a walk through scenario of how we would handle this. I then included looking at other unlikely but potential scenarios like civil unrest or an epidemic which were also not previously included. What other preventative action can be submitted? Are they looking for more preventative action regarding the cyber attack? Or for the CA itself? I am just very confused at what else I can show to prove preventative action. Thanks! 



Scampi

    Fellow

  • IFSQN Fellow
  • 5,444 posts
  • 1507 thanks
1,524
Excellent

  • Canada
    Canada
  • Gender:Not Telling

Posted 15 July 2021 - 01:16 PM

do you mind including actual quotes from your CB with the identifying info blacked out or removed?


Please stop referring to me as Sir/sirs


AC2018

    Grade - MIFSQN

  • IFSQN Member
  • 174 posts
  • 50 thanks
32
Excellent

  • United States
    United States
  • Gender:Female

Posted 15 July 2021 - 01:24 PM

Sure, 

 

Reviewer comments:

There is no documentation uploaded to support your preventive action. Also, recommend using 5 why system to determine the correct preventive action.

 

 

 

I completed a lengthy root cause which really goes in depth as to why it wasn't included originally. Corrective action was an explanation of adding the scenario into the existing program after assessing the scenario and potential outcomes. Preventative action was additionally assessing the program and adding in other unlikely but potential scenarios. I included the updated program with the submission. 

 

I can include my exact responses if that would help more than the summary provided above. 

 

Thanks!



Scampi

    Fellow

  • IFSQN Fellow
  • 5,444 posts
  • 1507 thanks
1,524
Excellent

  • Canada
    Canada
  • Gender:Not Telling

Posted 15 July 2021 - 02:05 PM

A) I would reach out to the CB (not the auditor) for clarification

 

B)  They cannot tell you what root cause method(s) to use so I would argue that comment   Here's the guidance   https://www.sqfi.com...ce-Document.pdf              it only says "such as...........5 whys"...........

 

C)  it sounds like they want to see the actual mock crisis record for a cyber attack---but that wasn't what the non conformance was issued for so I'd argue that as well

 

Is your business actually susceptible to a cyber attack?  Or are they just using the term de jour because of the recent cyber attack at the meat plant???

 

Sounds like your auditor is uninformed and under educated----------speak directly to the technical manager at your CB for a resolution


Please stop referring to me as Sir/sirs


Thanked by 1 Member:

olenazh

    Grade - FIFSQN

  • IFSQN Fellow
  • 1,363 posts
  • 439 thanks
432
Excellent

  • Canada
    Canada
  • Gender:Female
  • Location:Toronto
  • Interests:My job, church, reading, gym, horror movies

Posted 15 July 2021 - 02:22 PM

Scampi nailed it completely! I would do the same.



AC2018

    Grade - MIFSQN

  • IFSQN Member
  • 174 posts
  • 50 thanks
32
Excellent

  • United States
    United States
  • Gender:Female

Posted 15 July 2021 - 02:24 PM

I appreciate all of the input. This really helps me because I thought everything I submitted was accurate and enough to have this accepted and I was just really stumped when I read that comment.. 

 

I would say that it is highly unlikely. We are a very small business (30 employees total) that repacks food and non food items for a few select customers. Our internal systems aren't anything crazy and are pretty old school. We have everything in place to handle a cyber attack if it were to happen, just didn't have it written out in the plan specifically. Which is what I explained in our root cause analysis. 

 

It was brought up in the audit because of all of the recent cyber attacks happening. 

 

Thanks again for the input!! 


Edited by AC2018, 15 July 2021 - 02:34 PM.


MDaleDDF

    Grade - PIFSQN

  • IFSQN Principal
  • 507 posts
  • 209 thanks
393
Excellent

  • United States
    United States
  • Gender:Male

Posted 15 July 2021 - 03:01 PM

This whole thing seems odd to me.  Just today the President of the United States offered 10 million dollars for info leading to those committing cyber attacks.  

If the federal government can't do anything, what on earth are we supposed to do?!?!?!?!   Lol.....



AC2018

    Grade - MIFSQN

  • IFSQN Member
  • 174 posts
  • 50 thanks
32
Excellent

  • United States
    United States
  • Gender:Female

Posted 15 July 2021 - 03:02 PM

Hahahah valid point. 



AC2018

    Grade - MIFSQN

  • IFSQN Member
  • 174 posts
  • 50 thanks
32
Excellent

  • United States
    United States
  • Gender:Female

Posted 15 July 2021 - 04:26 PM

Update for anyone who is interested: 

 

I contacted the reviewer and what they are looking for is that we will review the list of scenarios annually and determine if there are any others that should be added. 

 

I had in the program already that the whole program would be reviewed, tested, etc. but not specifically calling out the list of scenarios to be reviewed

 

 

 

Thank you all for your help and a boost to my self-esteem when you were all on the same page I was! 



Scampi

    Fellow

  • IFSQN Fellow
  • 5,444 posts
  • 1507 thanks
1,524
Excellent

  • Canada
    Canada
  • Gender:Not Telling

Posted 15 July 2021 - 05:20 PM

WOW!!!!!!!!!!  

 

They be crazy...........we review the entire plan every year and then choose one as a mock crisis..........we do not list which will be reviewed when

 

 

Glad you were able to get clarity on what they were after!


Edited by Scampi, 15 July 2021 - 05:22 PM.

Please stop referring to me as Sir/sirs


AC2018

    Grade - MIFSQN

  • IFSQN Member
  • 174 posts
  • 50 thanks
32
Excellent

  • United States
    United States
  • Gender:Female

Posted 15 July 2021 - 05:27 PM

Yeah same here. 

 

Just one more thing to add to the program...  :hypocrite:





Share this


Also tagged with one or more of these keywords: SQF, Preventative Action, Corrective Action, Crisis Management

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users