WHITE PAPER

Understanding the Food

Defense Risk Analysis Model

zosilearning.com
Introduction
Risk analysis is a process that helps manufacturers identify and manage potential
problems in their process or facility. A food defense risk analysis model has
three components: risk assessment, risk management, and risk communication.
Risk assessment refers to rating the severity and likelihood of a certain hazard or
threat. Risk management refers to making decisions on how to control hazards and
implement mitigation strategies. This food defense risk analysis model discussed
here was created by the Food Protection and Defense Institute and is based on the
foundational model provided by the World Health Organization (WHO). As you read
through this white paper, remember that no two facilities are identical. Different
pieces of processing equipment, policies and procedures, and workforces all mean
that organizations conceive of risk, parse out risk factors, and assess risk factors
differently. We recommend that each organization determine the method it deems
best to meet the Intentional Adulteration Rule’s (IA rule) requirements.

Graphic from FPDI and Zosi’s

Food Defense Manager course

zosilearning.com 2
The Food Defense Risk Analysis
Model: Risk Assessment
Step 1: Context Assessment
The first part of a food defense risk analysis model is context assessment. A
context assessment looks at the kind of product being produced in terms of the
role in the food system. A context assessment is beneficial because differences
in contexts inform how one perceives and evaluates risks in a facility. A context
assessment is not required by the IA rule but is encouraged as a best practice as
it helps manufacturers consider factors that affect the incentive and opportunity
of an intelligent adversary to cause a food defense incident.

A context assessment considers the following questions:

• Are there multiple vulnerable points where adulteration might happen?

• Has adulteration happened to this product or similar products in the past?

• Is there a special or vulnerable population that consumes this product, such as

infant formula?

Take for example a dairy plant. In such a setting, there are a number of processes
that may present risk and dairy plants provide food to a number of special
populations, such as small children and elderly individuals. As a result, the context
of a dairy plant might be very different from that of, say, a spaghetti manufacturer.

zosilearning.com 3
A context assessment also considers the following factors:

Type of industry. Risk varies according to the type of industry. For example,
bulk product manufacturers are at increased risk of an incident spreading rapidly
across the food system as opposed to a manufacturer producing retail products. In
another instance, producers of liquid products present a higher-risk context than
dry products as seen by the Key Activity Types established by the Food and Drug
Association (FDA).

Size of facility. Different sized facilities will change the context.

Employment dynamics. A facility with a very stable workforce that has been
with a company for a very long time is a different context than one relying heavily
on temporary and day labor.

Price and trade shifts, disasters, and crises. World events can incentivize
food adulteration and create opportunities for intelligent adversaries to
adulterate food.

Step 2: Criticality Assessment

The second part of risk assessment is criticality assessment. A criticality
assessment encourages food producers to consider critical points in the supply
chain that affect its resilience in the event of a food defense incident upstream,
internally, or downstream at your facility. Like the context assessment, criticality
assessments are not required by the IA rule but are encouraged as a best practice.

A criticality assessment includes supply chain mapping and documentation, a

criticality assessment of supply chain components, and targeted further risk
assessments. The goal of this assessment is to ensure that products in the supply
chain comply with the IA Rule , and that each facility is aware of criticalities that
may affect its production.

zosilearning.com 4
Step 3: Vulnerability Assessment
A vulnerability assessment is required by the IA rule1. Each facility must assess
public health impact (e.g. severity and scale), degree of physical access to the
product, and the ability of an inside attacker to successfully adulterate the product
at every process step within the facility. In this section, we’ll look at the easiest
method to conduct the vulnerability assessment – key activity types. Key activity
types are FDA-identified categories of food manufacturing processes that are
most vulnerable to adulteration.

There are four key activity types:

1. Bulk liquid receiving and loading

2. Liquid storage and handling

3. Secondary ingredient handling

4. Mixing and similar activities

Bulk liquid receiving and loading focuses on bulk liquid receiving at the facility from
an inbound conveyance, including opening the inbound transport vehicle, opening
venting hatches or other access points, attaching any pumping equipment or
hoses, and unloading the bulk liquid.

Liquid storage and handling includes both bulk and non-bulk liquids in storage silos
and other tanks at the facility. This key activity type includes activities such as
handling, metering, surge, or other types of intermediate processing tanks used to
control flow rates of liquid ingredients or products through the production system.

1. IA RULE 21 CFR 121.30 (a)

zosilearning.com 5
Secondary ingredient handling involves the staging of secondary ingredients
or opening tamper evident ingredient packaging and moving the ingredients to
the production area in advance, preparation of secondary ingredients, addition
of secondary ingredients, and the removal of clean, unadulterated food from
processing for reasons other than insanitary conditions (i.e. rework product).

The final key activity type is mixing or similar activities which include actions that
would create a consistent distribution of an adulterant into the product.

For a more in depth look at key activity types, consider Zosi’s online Food Defense
Manager training.

zosilearning.com 6
The Food Defense Risk Analysis
Model: Risk Management
After identifying vulnerabilities in the facility, the next step in the food defense
risk analysis model is risk management. Risk management is required as part of the
IA rule and includes:

• identifying and explaining mitigation strategies for assessed risks

• implementation and management strategies like monitoring, corrective actions,

verification, training, and record-keeping

• plan reanalysis (required by the IA rule)

According to the IA rule, qualified individuals “must identify and implement

mitigation strategies at each actionable process step” (21 CFR 121.135 (a)).
Actionable process steps are those points, steps, or procedures in a food process
where a significant vulnerability exists. Mitigation strategies refer to risk-based,
reasonably appropriate measures employed to significantly minimize or prevent
vulnerabilities. These are customized to the actionable step at which they are
applied, tailored to each facility’s existing processes.

zosilearning.com 7
For many vulnerabilities, low- and no-cost mitigation strategies will reduce
vulnerabilities to an acceptable level. These can build on existing systems and/or
develop as a result of a small procedural or physical change.

The FDA described approaches to mitigation strategies in Draft Guidance. These

approaches can be modeled in the following 2x2 Matrix and used in developing
mitigation strategies.

Graphic from FPDI and Zosi’s

Food Defense Manager course

To learn more about food defense risk management and food defense risk
management best practices, consider Zosi and FPDI’s Food Defense Manager
online course.

zosilearning.com 8
The Food Defense Risk Analysis
Model: Risk Communication
The final part of the food defense risk analysis model is risk communication. Risk
communication is not part of the IA rule; however, communication is an essential
part of risk analysis and management. Before any incident, leadership will be
communicating to employees, explaining what the company is doing to mitigate
risk, and what is expected from each employee.

During and after an incident, communication to leadership, employees, consumers,

and the media will be needed. Each audience will require information most
pertinent to their role. However, all will need information such as what the issue is,
what steps they need to take, and what they can expect from you or the company.

As preparation for risk communication, it is recommended to complete a “What If?”

exercise. This entails looking at what would happen if an incident occurred and
asking a series of questions about a response.

For example:

• What if my facility were to have an intentional adulteration incident?

• How would that shift my communication plan?

• How does the pre-work that I’ve done in the before, during, and after of creating
my food defense plan play into a potential response in the event of a food
defense incident?

When communicating risk, it’s important to provide some metric that helps the
audience understand the value of risk. Providing people with a visualization helps
them better understand the risk at hand.

zosilearning.com 9
Conclusion
With the right food defense risk analysis model, manufacturers can accurately
identify and effectively manage potential problems in their process or facility. By
understanding the building blocks of risk assessment, risk management, and risk
communication, food defense managers and team members are better prepared to
safeguard their site(s), product(s), and consumers. For a more in-depth look at food
defense roles, processes, and best practices, consider Zosi and FPDI’s library of
food defense online courses.

zosilearning.com 10