Food Defense Initiatives Can Safeguard Your Company

When most people think of product contamination and recalls, the first thing that comes to mind is food poisoning cases from bacteria such as e-coli and listeria. Food and drug companies, however, are experiencing malicious and intentional product tampering that can be equally deadly and dangerous. Many of us can’t forget the 1982 cyanide Tylenol crisis, Johnson & Johnson’s worst nightmare as reported cases of death from their products came pouring in, causing recalls nationwide.

The Tylenol case was long ago, but unfortunately, decades later and despite modern day advancements in packaging and processes, there is still a steady flow of cases globally, where bad actors contaminate products. This can lead to possible danger for customers, recalls, lasting reputational damage and potentially huge financial losses.

For example, in 2013, unsafe levels of the insecticide malathion was found in a Japanese frozen food company’s product after customers reported a chemical smell coming from the products and almost 3,000 incidences of sickness from consuming them. As a result, the products were recalled and the company shut down, causing its stock to plummet.

Why does it happen?
The main motive for tampering with food products is to make a statement. Bad actors aim to cause injury or economic and reputational harm to companies, especially since news of these acts can go viral, creating the negative impact on companies they hope to achieve.

As with cases of cybercrime, these companies are in a sense being “hacked” and need protection. Like with the mysterious hacker, manufacturers and retailers are facing this threat from both inside and outside the organization.

Oftentimes an employee within the company is the culprit, such as in the case of Just Bare Whole Chicken. A recall of 55,608 pounds of chicken sold nationwide went into effect last June, after black sand and soil was found in some Gold’n Plump and Just Bare branded poultry. The employee responsible was identified and terminated, but the effects of the disruption were lasting.

Taking Preventative Measures
Food companies should have a full understanding of the risks they face, the insurance available, and the regulations associated with product tampering.

Insurance: Malicious Product Tampering (MPT) insurance addresses deliberate contamination, or the threat of such contamination of products when a company or the public has a reasonable belief that the products might cause bodily injury if consumed. MPT insurance should be considered as part of a total product recall risk management solution. Many of these insurance programs provide experienced crisis management consultants to help a company manage and recover from such incidents efficiently and effectively in order to minimize loss. When putting together a risk management program, make sure to have first and third party coverage for product recall, including malicious contamination, business interruption, product extortion, product recall costs, rehabilitation expenses, replacement costs and consultant costs.

Defense initiatives: There is a difference between food safety processes, which protect food from unintentional contamination by products that are present in the production plant, and food defense initiatives, which protect from intentional tampering by unknown substances. Some people use the terms interchangeably, but food defense is key to protecting against tampering.

In 2016, the FDA issued a final rule on Mitigation Strategies to Protect Food Against Intentional Adulteration and, as part of this initiative, released the Food Defense Plan Builder program, which assists food facility owners and operators with developing personalized food defense plans. This user-friendly tool should be quite valuable to your food defense strategy.

Regulation: The Food Safety and Modernization Act aims to ensure that the U.S. food supply is safe by focusing on preventing contamination before it happens rather than simply responding to it. It requires mitigation strategies to be put in place in certain food facilities.

With these risk management strategies and the right insurance plan in place, companies can protect themselves and help mitigate their risks of food or product tampering.

International Women’s Day: Risk Management Issues to Watch

A 2013 piece on the role of women in risk management remains the most controversial article we’ve ever run in Risk Management magazine and the one that received the most comments and letters to the editor, hands down. Many of those reader comments were…let’s just say less than kind or receptive.

Today, International Women’s Day, offers the perfect opportunity to revisit that article, Woman at Work: Why Women Should Lead Risk Management, and some of our more recent coverage of pressing issues like the wage gap and gender parity at the board level.

The significance of this conversation is ever clearer, given not only the political climate and regulatory concerns, but also the simple data about the bottom line. Just last year, the Peterson Institute for International Economics and EY found that almost a third of companies globally have no women in either board or C-suite positions, 60% have no female board members, 50% have no female top executives, and less than 5% have a female CEO. After analyzing 21,980 publicly traded companies from 91 countries and a wide range of industries, their report, Is Gender Diversity Profitable? Evidence from a Global Study, found that organizations with leadership that is at least 30% female could add up to 6 percentage points to its net margin.

“The impact of having more women in senior leadership on net margin, when a third of companies studied do not, begs the question of what would be the global economic impact if more women rose in the ranks?” said Stephen R. Howe Jr., EY’s U.S. chairman and Americas managing partner. “The research demonstrates that while increasing the number of women directors and CEOs is important, growing the percentage of female leaders in the C-suite would likely benefit the bottom line even more.”

While study after study comes to similar conclusions, a recent report from EY explored why businesses need gender diversity for the innovation to thrive. Five disconnects continue to hold businesses back from achieving gender diversity on their boards, the firm found:

  1. The reality disconnect: Business leaders assume the issue is nearly solved despite little progress within their own companies.
  2. The data disconnect: Companies don’t effectively measure how well women are progressing through the workforce and into senior leadership.
  3. The pipeline disconnect: Organizations aren’t creating pipelines for future female leaders.
  4. The perception and perspective disconnect: Men and women don’t see issues the same way.
  5. The progress disconnect: Different sectors agree on the value of diversity but are making uneven progress toward gender parity.

Check out some of our previous coverage of key issues regarding women in business and risk management specifically:
Equal Work, Unequal Pay: Risks of the Gender Wage Gap
The Wage Gap in the Boardroom
Is the Insurance Industry Improving for Women?
Boards Still Lagging on Gender Parity
Preparing for New Pay Equity Requirements

Costs Climb as Companies Move to Mitigate Supply Chain Interruptions

Some 70% of companies have experienced at least one supply chain interruption during the past year, with an unplanned IT or telecommunications outage the leading cause, according to the eighth edition of the Business Continuity Institute’s (BCI) Supply Chain Resiliency Report, produced in association with Zurich Insurance Group.

Covering 526 respondents in 64 countries, the report studies the causes, costs, and frequency of such events while also looking at companies’ progress in responding to supply chain interruptions and mitigating further occurrences.

While 70% of respondents reported at least one supply chain interruption during the past 12 months, only 17% said they have had no supply chain disruptions, with 13% saying they did not know. Perhaps more alarming is the increase to 13%—from 3% previously—of respondents reporting more than 20 such incidents.

Also alarming is the upward trajectory of costs associated with supply chain disruptions. The portion of respondents reporting cumulative losses of more than € 1 million ($1,058,171.30) resulting from supply chain interruptions jumped to 34% in this year’s survey from just 14% previously.

An unplanned IT or telecommunications outage was the leading cause of a supply chain disruption for the fifth consecutive year, followed by a loss of talent or skills, which jumped to second place from fifth, and then cyberattack or data breach, which dropped to third place from second. Despite this drop, the portion of respondents which said that cyberattacks and data breach had a ‘high impact’ on their supply chains increased from 14% to 17%.

Reaching the top 10 for the first time was terrorism, which moved to ninth from eleventh, while currency exchange rate volatility had the largest move up the list of event causes, jumping to seventh from 20th last year and cracking the top 10 for the first time since 2012. Insolvency in a company’s supply chain also reentered the top 10 for the first time since 2012, moving from 14th to 10th.

Lost productivity (68%), increased cost of working (53%), and customer complaints received (40%) were listed as the top three consequences of a supply chain interruption by respondents. The perception of such incidents can also hurt a company, with damage to brand reputation/image (38%), shareholder/stakeholder concern (30%), and share price fall (7%) all named by respondents as consequences of a supply chain disruption.

“It is crucial to note that the percentage of organizations reporting reputational damage as a result of supply chain disruption is at its highest level since the survey began. As this coincides with greater media scrutiny and social media discussions related to organizations, this result might be a good opportunity to reflect on reputation management and how supply chain disruptions might translate into adverse publicity for a given organization,” said the report.

As threats and costs grow, there appears to have been at least some progress in more closely addressing the issue.

While the percentage of respondents without firm-wide reporting of supply-chain incidents remains high at 66%, the portion of those using firm-wide reporting has grown steadily across the past five reports, rising from just 25% of respondents in 2012 to 34% in the 2016 report, the latest. Similarly, the portion of respondents which employ no reporting has declined steadily from 39% in 2012 to 28% in 2016.

As reporting is on the rise, so too is the complexity of interruption incidents as external supply chains cause more incidents. The portion of respondents which said the majority of their interruptions came from external supply chains jumped to 24% from 9% previously, and the portion attributing at least a quarter of interruptions to external suppliers more than doubled to 34% from just 15% previously.

Even with reporting on the increase, however, insurance uptake appears to be declining. Just 4% of respondents said they were fully insured against supply chain losses, down from 10% previously, with small and medium-sized enterprises more likely to be uninsured, at just 39%, than large organizations at 62%.

“These variations in insurance uptake may indicate a need to revisit business continuity arrangements and risk transfer strategies pertaining to supply chain disruptions,” according to the report.

New York Cybersecurity Regs to Take Effect March 1

The state of New York is implementing sweeping new regulations designed to protect insurers, banks and others from the growing wave of electronic security breaches which are making headlines and causing headaches across the financial services industry.

The new rules, slated to take effect March 1, mandate that insurers, banks and other financial services institutions regulated by the Department of Financial Services (DFS) establish and maintain a cybersecurity program. In addition to setting program standards, the 12-page document also provides definitions for companies as well as laying out “Transitional Periods” of 180 days to two years for companies to comply with different parts of the conditions and parameters of the regulations.

Entities must create and maintain written policies, requiring board-level or equal approval, setting out the company’s cybersecurity plan. Companies also must designate a chief information security officer (CISO), either in-house or third-party, who will be required to report annually to the company’s board. The rules call for stress testing of systems and periodic risk assessment and for the inclusion of third party service providers in a company’s cybersecurity plan.

The regulations will be published in the New York State register on March 1 and lay out the Department’s logic in establishing the new standards. According to the document:

“The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems… Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances… It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.”

New York’s regulatory framework is the first of its type in the nation, according to a release from the Governor’s office.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Governor Andrew M. Cuomo said in the statement. “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

Under development since 2014, proposed new regulations were first published in September 2016, followed by a 45-day comment period. Updated proposed regulations were then published in December 2016, followed by a 30-day period for comments. Then in December, N.Y. state delayed implementing the rules and subsequently adjusted some requirements to reflect input from the industry, which asserted the rules were burdensome and said they would need more time to comply.

In addition to these accommodations, DFS took measures not to burden smaller businesses by establishing limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end assets.

According to the statement from the Governor’s office, the new regulations mandate:

• Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization

• Risk-based minimum standards for technology systems including access controls, data protection that includes encryption, and penetration testing

• Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events

• Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS

While cybersecurity has become an outsized concern for many business as high-profile breaches have played out in the media, sometime drawing in millions of consumers and costing companies millions of dollars in addition to precious reputational damage, many businesses remain under—or unprepared—for the challenges posed by cyber threats.

Indeed, The Hiscox Cyber Readiness Report 2017 surveyed managers and IT specialists at 3,000 small to large companies in the U.S., U.K. and Germany and found that just over half, 53%, of businesses are ill-prepared to deal with cyber-attacks. The study ranked companies from novice to expert in four key areas: strategy, resourcing, technology and process. Only 30% qualified as “expert” in their overall cyber readiness, of which 49% were U.S.-based companies.