Since the critical shake-up of U.S. security by the 2001 Twin Tower and anthrax atatacks, food defense has developed as an operational practice throughout the U.S. food chain.
However, like food safety regulatory guidance, and despite the requirements of the Bioterrorism Act of 2002 for facility registration and product tracking and documentation, there is currently no regulatory requirement for food companies to have a food defense plan in place.
Plans are recommended but not required except in specific instances (e.g., operations supplying food to USDA programs). But earlier this year, USDA/FSIS established plant adoption of food defense plans as an agency performance measure, setting a goal of 67 percent compliance for 2010. By 2015, the agency wants at least 90 percent of plants to have functional food defense plans.
Guidelines for developing such plans are readily available on the Web or in print from USDA and FDA, as well as numerous public and private organizations and companies, but it can be beneficial to step outside the realm of bulleted and numbered organizational plans to test your system and determine your actual state of preparedness—should the worst happen.
In the Beginning.
Prior to his current position as Cardinal Health Chief Security Officer, Greg Halvacs worked in food security for both FritoLay/Pepsico and Kraft Foods. In early 2001, there was little to no concern about bioterrorism, but with 9/11 and the anthrax attacks occurring on its boot heels, “that was the kicking off point,” Halvacs said.
Not only did it cause concern in food companies about potential intentional contamination, but customers and consumers began calling in anytime they saw an unidentified substance, particularly a white powder, fearing it to be anthrax (which generally turned out to be flour or sugar).
It was like a pandemic of today, Halvacs said. And then, as now, “the thing you want to do is to ease people’s minds that things have been done for prevention.”
Andrew Gilman, CEO and President of CommCore Consulting, sees preparedness as critical not only for prevention, but also for dealing with a crisis should it occur. Reviewing and learn-ing from the response of companies that have undergone crises can be key to your own preparedness and crisis management. This is true for both positive and negative response outcomes, Gilman said, explaining, “The Big 4—Tylenol, Toyota, BP and Tiger [Woods]—are ‘teaching moments’ to understand reputation management, crisis anticipation, response and recovery.”
Rather than being simply “a set of tips and tactics,” crisis management requires a reputation protection model, he said, explaining the methodology as going beyond preparation and response. “It adds a lens that views crisis preparation as an investment in an organization’s long-term reputation in the eyes of its most important stakeholders.” Gilman describes the three stages of crises as:
BSH – Before the Crisis, aka Before Stuff Happens. “Whether we call it preventive medicine or anticipation, the best crisis is one that never happens,” Gilman said. “Upfront BSH can help bad news from becoming worse.” To prepare: Appoint a crisis team, monitor potential issues, set aside resources and physical assets to guide crisis response, ask questions about possible doomsday events, run simulations and repeat the process as needed. BSH requires a level of candor and openness to discuss worst case scenarios.
HBL – During the Crisis, aka Hell Breaks Loose. “HBL is the crux of the crisis maelstrom and is driven by what appear to be mutually contradictory concepts—calm and speed,” Gilman said. It works best with a tested crisis plan in place, strong antennae to gather information, rapid response capabilities, a trained spokesperson and effective teamwork.
RRR – After the Crisis, aka Repair Reassess Reputation. The transition from HBL to RRR can last a few hours or several weeks. This year’s BP spill is an example of inordinate time from inception of the crisis to RRR. It is human nature to revert to business as usual once the danger has passed, but a focus on fixing the problems that caused the crisis and developing systems to prevent future occurrence is a valuable investment, Gilman said.
“Today it’s all about resiliency,” Halvacs said. It’s about being able to readily recover by having emergency systems and response plans in place, and ensuring that all plant personnel are prepared.
At Kraft, Halvacs said, “we did something called penetration testing.” Geared to test the plant’s defense, a third party would attempt to breach plant security. Were they stopped? Were they questioned? How far did they get? If they made it into the processing area, was the line stopped? All are security points such a test can assess.
Unfortunately, Halvacs said, “Most locations (offices, plants and warehouses) will fail a penetration exercise unless the facility is heavily fortified or secured like a nuclear plant. If someone knows the lay of the land, they can get in.”
Thus, it is critical that all workers understand the importance of a secure facility. “Get them to realize that if we have a problem, we could be shut down,” he said. “You have to get people to realize that their jobs and the future of the company depend on it.”
To further stress the point and incent reporting of any potential security breach, plant workers were told, “Speak up if you see something,” with anyone catching the mock intruder being treated to a reward.
“Security is everyone’s responsibility,” Halvacs said, “and training your team regularly is the key. “I would equate it to your production line. If it hasn’t been maintained, you don’t know when something will break down.”
The author is Managing Editor of QA magazine. She can be reached at firstname.lastname@example.org.