From Salmonella to cyber attack

Richard Werran (Food Director, Middle East Africa for BSI) encourages food businesses to remain alert to conventional risks and wake up to emerging ones.


Herodotus, the Ancient Greek historian, observed “Great deeds are usually wrought at great risks”; his words still ring true 2,500 years later, not least in business.


By definition, doing business is a risk. However, the issue for organizations is not whether to take risks, but how to manage and mitigate them. And in this challenge, the global food industry has much to learn. My view, based upon over 35 years’ experience in the industry, is that food businesses are neither resilient nor particularly robust; the default being to react to events rather than proactively recognizing and responding to new and emerging threats before they cause damage.



The sector continues to undergo enormous disruptive change, with technology, science and innovation at its heart. It is simultaneously grappling with a host of major issues, from changes in consumer buying habits, virtual food shopping, sustainability, food waste, clean labelling, the war on plastic and even to ‘nutrigenomics’ – the interaction between nutrition and our genes. In this turbulent environment, it is no wonder food businesses may have their eye off the ball when it comes to risk management, adopting an ‘it won’t happen to us’ approach. We live in an uncertain world and such an approach is rather like being asleep at the wheel; so let’s consider three broad areas of risk where the food industry needs to increase its resilience:


Operational risks

Traditionally, one risk that food businesses have worked hard to prevent is the spread of food-borne illnesses as a result of their processes. But while the industry has a history of protecting against specific, established threats, such as Salmonella spp, it does not have such a good record in anticipating, identifying and managing rapidly emerging bacterial or viral pandemics, such as the outbreak of bird flu in 2009. For example, in some parts of Asia it is common for farm animals and humans to live together in close proximity, encouraging avian and porcine diseases to mutate and make the jump to humans. I would suggest our sector has a high level of inertia, too often waiting for issues to blow up into a crisis, instead of identifying and addressing the root cause at an early stage.


One of the benefits of global sourcing is increased consumer choice, but with it comes less control, reduced supply chain transparency and a consequent increase in exposure and risk.


Information security

The focus and energy directed at preventing health-related operational risks can distract food businesses from protecting and securing vital information, making them more vulnerable targets.


Few people now dispute the scale of information security (IS) threats. According to the UK Government’s Cyber Security Breaches Survey 2018, 43% of businesses had suffered an IS breach or cyber attack in the previous 12 months. Many such incidents affected the food and beverage industry worldwide. To cite just one example, in June 2017 the Petya global cyber attack shut down the operations of an Australian factory, resulting in an estimated cost of over $200m in lost revenue and remediation costs.


The most common IS vulnerabilities are internal security loopholes, loss of customer data, and theft of proprietary information, such as confidential financial, commercial or product data. Suppose a cybercriminal stole valuable information from you or one of your suppliers and made it public, or held the business to ransom with the threat of disclosure. The direct costs could be substantive – from business interruption, compensation claims, regulators’ fines and ransom demands. And the indirect cost of damaged reputation, loss of trust and lost business could be even larger – which explains why the problem remains under-reported.


Supply chain threats

In a global economy, there is increased potential for supply chain incidents, both from man-made threats such as cyber attacks, strikes and political instability, and from natural causes such as earthquakes and floods. According to the Horizon Scan Report 2017, published by the Business Continuity Institute (BCI) and BSI, 34% of organizations report supply chain losses of at least €1m a year, while 9% report at least €1m of losses from a single incident.


Achieving supply chain transparency remains one of the biggest challenges to our sector. For example, the challenge of achieving a clear line of sight through an entire chain, and of making informed decisions based upon information that is current, reliable and accurate, has been highlighted in the past by the discovery of slave or bonded labour being used, particularly within outsourced or parallel supply chains of some food businesses.



Building resilience

Few food businesses create an enterprise-level understanding of operational, information security and supply chain risks. For most, risk assessments focus on well-understood threats and recent incidents, while supply chains remain poorly understood, overlooking potential points of failure that could prove fatal.


When something goes wrong, companies tend to add another layer of protective measures to their existing procedures. But overlaying process upon process in this way is ultimately self-defeating, bringing increased cost and complexity, more technical challenges, and greater scope for human error, while the root cause of the problem remains buried. Worst of all, ‘process excess’ makes organizations too risk averse and too static, undermining their ability to adapt and innovate. Opportunities pass them by, with damaging consequences to long-term performance.


What is really needed to counter threats – from food viruses and phishing emails to corruption and coerced labour – is a proactive, strategic, methodical approach to organizational resilience. It starts with a company’s value system and a principled approach to doing business. This means operating in ways that meet fundamental corporate responsibilities and governance in the areas of food safety, human rights, labour, environment and anti-corruption.


Business standards certainly help. They include the BSI HACCP & GMP Programme, FSSC 22000 v4.1 and the latest iteration of the BRC Global Standard for Food Safety – Issue 8, which for the first time highlights new and emerging risks such as cyber security.


Other less sector-specific, but equally respected, horizontal international management standards, such as ISO 27001 (information security), ISO 22301 (business continuity) and ISO 37001 (anti-bribery), are often mandated by major businesses as a means to de-risk their supply chains. These standards enhance core capabilities, including:


  • Collaboration across disciplines such as information security, human resources management, procurement and business continuity;
  • Horizon scanning, so that emerging risks can be identified early and the business can prepare to manage them;
  • Agility to adapt to changes following disruptive events to ensure long-term sustainability.



Risk and reward

To sum up, a resilient food business is operationally self-aware, constantly evaluating and identifying areas of weakness, implementing improvements and efficiencies, and maintaining key risk management measures. A resilient food business operator treats data as an asset, protecting it with robust information security management systems. A resilient food business seeks to understand what is happening across its entire supply chain, gathering and being able to access intelligence in areas such as food safety, ethical, environmental and security risks.


Finally, it is worth remembering the words of Herodotus. Risk and reward go hand in hand – but a resilient organization takes measured risks with confidence.


Richard Werran is Director – Food EMEA at BSI, the global business improvement organization, which has more than 86,000 clients worldwide.

