From salmonella to cyber attacks: the risks food businesses need to be aware of
13 August 2018, 09:35 AM
Richard Werran from the British Standards Institution (BSI) encourages food businesses to remain alert to conventional risks and wake up to emerging ones

My view, based upon over 35 years’ experience in the industry, is that food businesses are neither resilient nor particularly robust. Their default is to react to events, rather than proactively recognising and responding to new and emerging threats before they cause damage.

The sector continues to undergo enormous disruptive change, driven by technology. My concern is that in this turbulent environment food businesses may be asleep at the wheel, adopting an ‘it won’t happen to us’ approach to threats. There are particular areas of risk where they need to increase resilience:

Operational risks

Traditionally, food businesses have worked hard to prevent the spread of food-borne illnesses. But while they have protected against established threats, such as salmonella spp, they do not have such a good record in anticipating, identifying and managing rapidly emerging bacterial or viral pandemics, such as the outbreak of bird flu in 2009.

With global sourcing comes reduced supply chain transparency and increased risks. For example, in some parts of Asia it is common for farm animals and humans to live together in close proximity, encouraging avian and porcine diseases to mutate and make the jump to humans. I would suggest our sector has a high level of inertia, allowing such risks to blow up into a crisis instead of pre-empting them.

Information security

The focus on health-related operational risks can distract food businesses from protecting vital information. According to the UK Government’s Cyber Security Breaches Survey 2018, 43% of businesses had suffered an information security (IS) breach or cyber attack in the previous 12 months. In June 2017, for example, the Petya global cyber attack shut down the operations of an Australian factory, resulting in an estimated cost of over $200m in lost revenue and remediation.

The most common IS vulnerabilities are internal security loopholes, loss of customer data, and theft of proprietary information. The direct costs of an incident can be substantive – from business interruption, compensation claims, regulators’ fines and ransom demands. And the indirect cost could be even larger – from damaged reputation, loss of trust and lost business – which explains why the problem remains under-reported.

Supply chain threats

In a global economy, there is increased potential for supply chain incidents, both from man-made threats such as cyber attacks, strikes and political instability, and from natural causes such as earthquakes and floods. According to the Horizon Scan Report 2017, published by the Business Continuity Institute (BCI) and BSI, 34% of organizations report supply chain losses of at least €1m a year.

Lack of supply chain transparency has been highlighted in the past by the discovery of slave or bonded labour being used within outsourced or parallel supply chains of some food businesses. The global nature of today’s supply chains means that even the smallest firms can find themselves linked to modern slavery. In the UK, the Modern Slavery Act, which became law in 2015, now places a legal obligation on UK food businesses to manage risk effectively in this area.

Building resilience

Few food businesses create an enterprise-level understanding of operational, IS and supply chain risks. For most, risk assessments focus on well-understood threats and recent incidents, while supply chains remain poorly understood, leaving potentially fatal points of failure overlooked. What is really needed is a proactive, strategic, methodical approach to organizational resilience. This starts by meeting fundamental governance responsibilities in the areas of food safety, human rights, labour, environment and anti-corruption.

Business standards certainly help. They include the BSI HACCP & GMP Programme, FSSC 22000 v4.1 and the latest iteration of the BRC Global Standard for Food Safety – Issue 8, which for the first time highlights new and emerging risks such as cyber security. Other horizontal international management standards – such as ISO 27001 (information security), ISO 22301 (business continuity) and ISO 37001 (anti-bribery) – can enhance core capabilities, including collaboration across disciplines, horizon scanning to identify emerging risks, and agility to adapt to changes following disruptive events.

Supply chain management tools include BSI’s Supply Chain Risk Exposure Evaluation Network (SCREEN), a web-based global intelligence system that is used to identify and quantify the risk of supply chain incidents in over 200 countries; and BSI’s Trafficking & Supply Chain Slavery Patterns Index, which assists food businesses in assessing the specific risks posed by slavery and trafficking.

Risk and reward

A resilient food business is operationally self-aware, constantly evaluating and identifying areas of weakness, implementing improvements and efficiencies, and maintaining key risk management measures. It treats data as an asset, protecting it with robust information security management systems. And it seeks to understand what is happening across its entire supply chain.

Risk and reward go hand in hand – but a resilient organization can take measured risks with confidence.

Richard Werran, FSOFHT, FIFST, is Director – Food EMEA at BSI, the global business improvement organization, which has more than 86,000 clients worldwide.