Food fraud is a real problem for us all, both manufacturers and consumers. Swapping out raw materials for cheaper alternatives or just out and out contaminating them is a serious issue and businesses need to take steps to counter any of this, so where do you start?
Risk Assessments!
Carrying out a VACCP/TACCP risk assessment is definitely best practice for any food related business, but it's not a specific requirement for ISO 22000, only when you ramp up to FSSC does it become mandatory. Understanding what it is will make it clear just why.
Let's start with exactly what these acronyms mean and what you should be looking for.
Luckily, we have an overview of both so you can understand that while related, they are focusing on different areas of Food Security:
VACCP (Vulnerability Assessment and Critical Control Points)
- Focus: Food fraud prevention (economically motivated adulteration i.e. making a product worse in quality by addition of another substance, making the cost to make it cheaper while claiming it's the 100% quality item)
- Objective: Identifies vulnerabilities in the supply chain where food fraud (e.g., adulteration, substitution, mislabelling) might occur.
- Application: Ensures ingredients, suppliers, and processes are assessed to prevent fraudulent activities.
- Examples: Substitution of high-quality ingredients with cheaper alternatives, mislabelling of organic or premium products. (think of the ol' sawdust in the flour from days past!)
TACCP (Threat Assessment and Critical Control Points)
- Focus: Food defence (intentional contamination or sabotage)
- Objective: Identifies threats to food security, safety, and integrity from intentional actions such as bioterrorism, sabotage, or malicious contamination.
- Application: Protects against deliberate attacks on food products, whether from disgruntled employees, activists, or external threats.
- Examples: Intentional poisoning, introduction of harmful substances, cyber threats to food production systems. (think of the needles in strawberries scenario)
Key Differences
| Feature | VACCP
(Food Fraud) | TACCP
(Food Defence) |
| Intent | Economically
motivated | Malicious
or ideologically motivated |
| Focus | Preventing
fraud in the supply chain | Preventing
intentional harm or sabotage |
| Examples | Diluted
honey, fake olive oil, counterfeit ingredients | Poisoning,
tampering, terrorist attacks |
| Objective | Identify
and mitigate fraud risks | Identify
and mitigate security threats |
Phew! That's some thinking required!
How to create your risk assessment
First things first, you will need a risk matrix to be able to quantify that the risk that is relevant to your business, and that's important, you need to define your levels of severity and what they mean. A typical five by five format like this one below is a great start:
Change the detail within the severity/consequence to match the outcomes expected for either VACCP or TACCP, and you're ready to go.
For VACCP, focus on raw ingredients: you need to be looking primarily at your incoming supply chain, since the majority of risk comes from outside your own business.
Your initial risks should be listed out with a different one for each level of risk as the controls may be different.
Not 100% clear? Let me give an example.
Say you are baking bread, and you have flour, water, salt and yeast.
Having a risk of "incoming raw material" is too broad. If you think about the likelihood of flour being substituted for a lower grade etc, vs your water supply being purposely out of spec, they have very different risk profiles. You would list Flour, Water, Salt and Yeast separately. They are added in vastly different quantities, perhaps local vs overseas supply and so on, the likelihood and consequences will vary greatly.
For more complicated products involving many different ingredients, you can group them into similar risk categories or similar control outcomes to make it more manageable.
Best practice is to risk score them at this point, without controls in place. So, if you did nothing, what is the worst-case scenario for each risk, how likely is it to happen and if it did how bad would it be?..
Once you have a baseline, as with any other risk assessing, you then start looking at controls.
What do you currently do to mitigate the risk of food fraud? i.e. do you have any risk controls in place? Perhaps you have a supplier review or questionnaire that includes independent certification requirements? You may have inwards goods checks, label vs specs etc. So, you can reassess the risk scoring and these controls may drop the risk to an acceptable level.
But that doesn't guarantee "what's in the bag".
If the risk score remains higher than you're comfortable with, or you just want to provide the best outcome for your customer, you can look at what other controls you could implement to improve the risk. Perhaps you can random sample the incoming ingredient and get it independently tested to verify. Certainly, that would vastly improve the chances of catching an issue.
Once you have the risk scored both pre- and post-controls, and you have some plans in place for improving said scoring, make sure you have a solid timeline in place for reviewing those risks. This is making sure at worst they haven't increased, and if you've stuck to your plans, that they have improved.
It doesn't have to be crazy (we all have jobs to do that keep us busy!) so be practical about your review frequency. It's often good practice to have your highest risks being reviewed more often (say 6 monthly), and then your medium and low risks less often (perhaps annual and 2 yearly). Think about practicality vs risk.
What About TACCP?
For TACCP you essentially do the exact same exercise, with the focus then moving internally within your own site/process. You need to be looking more at things like your own employees access, checkpoints within the process for confirmation the product is as expected, and including things like site access from the public. Are there critical control areas that perhaps access should be restricted into, with only staff who are fully vetted gaining the ability to be in direct contact with the product. Do you need to consider security measures like cameras? Sadly, this is the reality of things that do need to be considered.
The hardest work is doing the initial risk list and scoring. Once you're up and running, it gets much easier to manage on an ongoing basis.
Definitely consider including the wider team when it comes to original population of your risks and also at review time, the more heads involved in the risk process, the far more likely you are to pick up things you may have missed, angles you hadn't considered.
Food safety should always be about continuous improvement, and ISO agrees!
If you add VACCP and TACCP to your risk profile, you can help keep your consumers safe, and stay out of the headlines.
Ready To Start Your ISO22000 Journey?
Make a booking now and find out how we can help you Simplify Compliance, Improve productivity and engage people.
Ready To Start Your ISO9001 Journey?
Make a booking now and find out how we can help you Make Things, Better
Simplify FSSC and ISO22000 with Mango
Stop waisting time with multiple different systems, see how Mango can manage all of your ISO22000 or FSSC requirements in one fully integrated solution.
Make a booking now to see how simple it is to integrate your systems, reduce paperwork, save time and be compliant.
Reclaim your precious time
Copyright
© Many Caps Consulting | All Rights Reserved
Comments