Vendor Risks: Preventing Recalls with ERM

Recall
In 2016 alone, there have been dozens of recalls, by food companies, car manufacturers, and vitamin producers, among others. Not only do these recalls greatly impact a company’s bottom line, they can also affect the health and safety of consumers. With this in mind, what can organizations—both within the food industry and otherwise—do to improve their chances of uncovering suppliers operating in subpar conditions? How can they mitigate the risk of recalls?

Customers of CRF Frozen Foods, for example, a full-line, individually quick frozen processing plant that packages fruits and vegetables for a variety of customers, recently had big problems when it was linked to a widespread listeria outbreak. Contaminated foods affected big-name distributors like Trader Joe’s, Costco and Safeway, and some customers fell ill as a result.

Even though a series of sanitation concerns and other facility issues at CRF had been exposed by regulators as early as 2014, the factory was allowed to continue operating and its customers weren’t notified.

Red flags raised by regulators aren’t always seen by the companies they’re most relevant to, however. The fact that these outbreaks occurred seems to demonstrate that customers’ vendor management practices either failed or simply weren’t robust enough to detect issues. It all comes down to effective enterprise risk management (ERM). ERM provides the tools and framework that allow any organization to standardize processes and effectively mitigate vendor risk.

An ERM approach is characterized by standard criteria, interdepartmental communication, and automatic alerts and notifications. It keeps everyone in the organization on the same page and ensures assessment results are always understandable and accessible. This eliminates redundancy in the risk management process. As a result, you can quickly and easily determine the last time your organization evaluated a supplier. Something as simple as a notification that regulators have published new requirements might save your organization from acquiring infected or defective products.

There are three general stages that apply to any successful risk management effort:

  1. Identify specific risks, followed by assessment and evaluation
  2. Implement tailored mitigation activities to address those risks
  3. Monitor those mitigations to ensure long-term effectiveness

The first step serves as the foundation for steps two and three. Without a proper understanding of what risks your organization faces, it is impossible to prioritize and mitigate them. Especially across multiple business departments or within supply chains—it is quite difficult to identify and account for every variable.

To keep up with vendors’ fluctuating conditions, teams need to systematically identify and assess risks, catching them as they crop up. Preventing assessments from becoming obsolete is the key to keeping a pulse on everything that may affect the business, therefore avoiding unwanted surprises.

Risk assessments also help determine the best way to allocate limited resources. Minimizing vendor-related risks needn’t be burdensome, however. It should be a streamlined process that, by enabling you to avoid harmful incidents, improves operational efficiency. Once your risk assessments reveal the areas of highest priority, you can determine exactly how to mitigate those concerns.

The Freedom of Information Act can be extremely helpful when it comes to your third-party risk management efforts. It grants all companies the right to ask vendors for specific information about plant processes, worker training, sanitation practices, and maintenance. Suppliers are required to be forthcoming with all information (when asked), and teams need to take advantage of this opportunity. It is an important part of the risk management equation and will help you understand your risks before disruptions occur.

Performing vendor risk assessments—in the form of inspections, questionnaires, and service level agreements—generates an enormous amount of data and information. This information is useful for mitigating risk, but only if it is up to date, consistent and distributed to the appropriate individuals. The Freedom of Information Act provides an opportunity to evaluate suppliers with robust risk assessments, and ERM provides the means to capitalize on that opportunity. Ad-hoc assessments of current and prospective vendors, without standardized processes, will only get your team so far.

Steps to Effective ERM

Capitalizing on your vendor assessment rights is only part of the equation. Without an appropriate means of processing, distributing, and making data actionable, you’re back at square one. To make sense of important data, follow these steps:

  1. Create a taxonomy: define relationships between risks, requirements, goals, resources and processes. If each area of the business uses its own system for identifying and classifying risk, the resulting information is subjective and unusable by other departments. There is also significant information overlap—and therefore waste. Use your existing information to create a standard for data collection with minimal work.
  1. Streamline with the standardized risk assessments identified in step one. Risk assessments can be conducted in many different formats and qualities. Use resources already in place and streamline the results using the standard from step one. The most effective way to collect risk data is by identifying the root cause, or why an incident occurred. Honing in on the root cause provides useful information about what triggers loss and your organization’s vulnerabilities. When you link a specific root cause to a specific business process, designing and implementing mitigations is simpler and more effective.
  1. Connect mitigation activities to each of the key risks in these processes. A risk taxonomy gives you a more holistic understanding of all the moving parts in your organization. This makes it easier to design mitigation activities.
  1. Connect incidents, complaints and metrics (for each business process) to mitigation activities. Typically, companies already dedicate many resources to monitoring business performance, collecting information about incidents, complaints and metrics. These processes are often inefficient and ineffective. Simply connecting them to mitigation activities, however, identifies the reason such incidents happen. You can then take straightforward corrective actions, meeting top priorities and allocating resources with forward-looking measures. Risk management, after all, is not about minimizing fallout after an incident, but preventing such an incident from happening in the first place.

To make this entire process effective, management must work to develop an enterprise-wide risk culture. ERM is not just an executive-level process, but should be pushed all the way to frontline managers, where everyday decisions are made and the risks are known—but resources are often absent.

Approach your vendor risk assessments as you would any other risk assessment—they should be reoccurring and standardized. Perform them regularly and evaluate the results with the same scale and criteria with which you evaluate all other risks. Finally, automate information collection and review so that reporting reveals cross-silo dependencies before these risks turn into scandals. The result will be increased vendor security and the prevention of surprises, at a fraction of the cost.

Risk Landscape: Coverage Trends to Watch

Being aware of your company’s new and changing risks is critical for sound risk management. As the year progresses, we have identified growing risks facing
companies, and their directors and officers, that are likely to impact policyholders. These risks include cybersecurity, Telephone Consumer Protection Act (TCPA) lawsuits, drones, wage and hour lawsuits and food recalls. The risks and issues to watch out for are expanded below:

Cybersecurity

Cyberattacks against businesses doubled in 2015 and are expected to continue to increase as attackers become even more sophisticated. Watch out for:

Phishing scams and social engineering fraud. In social engineering scams, hackers utilize phishing, purporting to be legitimate employees or third parties try to trick businesses into wiring funds or allow access to their systems. Although many businesses have crime insurance that covers “computer systems fraud,” ambiguous provisions or liability limits may restrict coverage. SomCompliancee courts have held that fraud coverage applies only when intrusions are unauthorized, but not when an unwitting employee falls prey to an online scam.

Data breaches. Companies should also be conscious about their coverage for data breaches, which increasingly present significant exposures. Insurers often contest whether data breaches constitute “publication” of private information, and, if so, whether an insurer’s duty to defend applies. This is particularly important as the storage of consumer data is a lynchpin of many businesses’ operations and marketing.
Businesses need to ensure that their commercial insurance policies adequately cover their business risks and consider purchasing dedicated cyber policies.

Coverage for TCPA claims

Certain efforts to engage with consumers may come at a steep cost. Under the Telephone Consumer Protection Act (TCPA), businesses that send unsolicited faxes, voice calls or text messages to consumers may be held liable for at least $500 per violation.

General liability coverage of TCPA claims. In recent years, commercial general liability (CGL) insurers have increasingly added broad exclusions to their policies for TCPA claims. Moreover, courts are split on whether “right to privacy” coverage in CGL policies cover these claims. Some courts uphold coverage only for losses from incidents that divulge confidential information (secrecy-related claims), whereas others uphold coverage for unsolicited communications, even if they do not republish confidential information.
While such coverage may be restricted under CGL policies, policyholders may have coverage under their directors’ and officers’ (D&O) insurance.

LA Lakers test case for D&O coverage. In 2016, the Ninth Circuit will likely address this issue in an appeal by the Los Angeles Lakers. The franchise’s marketing campaign included sending unsolicited text messages to fans. When sued under the TCPA, the franchise sought coverage for its defense costs under its D&O policy. In April 2015, a California federal court rejected coverage, finding that the policy’s “invasion of privacy” exclusion precluded coverage.
As businesses seek to engage consumers directly through various media, they should consider whether their insurance protects against TCPA claims.

UAVs and Insurance in 2016

Unmanned aerial vehicles (UAVs), or drones, promise to revolutionize not just commerce but insurance as well. The United States Federal Aviation Administration (FAA) estimates that, by 2023, annual global spending on UAVs will total $11.5 billion, and by 2020, about 30,000 commercial and civil drones will dot the skies.

Drone property loss and liability. The rise of drones raises several risks. The most obvious of these risks are loss of property and third-party liability. Use of drones for package or cargo delivery raises the risk of damage to the UAV itself—or its payload, which is usually the bigger loss. As shown by recent news reports and the first lawsuit, Boggs v. Merideth (W.D. Ky.), operators face liability for costs of defense and settlements or judgments payable to third-party claimants when UAVs go astray. With drones’ ability to film and collect data, other risks include privacy-related claims and data breach and hacking.

New coverage provisions. In June 2015, the Insurance Services Office, Inc. (ISO), approved new coverage provisions addressing commercial use of drones. The new ISO provisions modify standard CGL and umbrella/excess liability policy forms and merit close consideration by policyholders.
Because these new provisions are untested, policyholders should review them carefully against their entire insurance program and consult with insurance advisors to ensure that new provisions or policies provide the protection needed. Companies using UAVs should consider the aviation insurance market and also assess the need for cyber insurance coverage for privacy and data-breach exposures.

Wage-and-Hour Lawsuits

Cases alleging violations of the Fair Labor Standards Act (FLSA) have shot up in recent years. In 2015, almost 9,000 FLSA cases were filed in federal court, up more than 10% from 2014, and 30% from 2011. State courts have also experienced high volumes of wage-and-hour cases. California and New York recently enacted laws that allow directors, officers, and in New York, “top 10 shareholders” to be held personally liable for wage-and-hour violations.
Traditionally, companies have looked to their employment practices liability (EPL) and D&O insurance to protect against the defense and liability costs in wage-and-hour lawsuits. However, EPL insurance policies today regularly exclude coverage for such claims. Unlike EPL policies, D&O policies do not routinely exclude such coverage, but are including such exclusions with increasing frequency. As a result, policyholders must review D&O policies carefully to ensure that they protect against the threats posed by such claims.
Brokers and insurers have been developing new insurance products that specifically address these increasing wage-and-hour exposures. Policyholders, particularly those with significant operations in California and New York, should consider these newly emerging wage-and-hour specialty policies to ensure that they are adequately protected.

Food Contamination and Recall Coverage

The number of food product recalls for alleged contamination, undisclosed ingredients and other mislabeling issues also has risen dramatically. Although CGL and business property insurance policies provide some protection against liability for food contamination and recalls, savvy food companies should also consider specialized recall and contamination coverage.
These specialized policies may cover the reasonable costs that a policyholder incurs, for example, to examine its products for contamination, announce and institute a product recall, safely destroy contaminated products, and reimburse distributors and retailers for down-stream recall costs. Such policies often include crisis management coverage to help the policyholder mitigate negative media reports.

Varying types of special coverage. Because recall and contamination policies are not standardized, individual insurers offer differing policy terms and levels of coverage. Companies contemplating the addition of such coverage, or pursuing coverage under an existing policy, should closely examine the policy to understand the scope and limitations of coverage.

Items to watch. When purchasing such coverage, food companies need to identify their primary risks and negotiate the broadest possible coverage. In addition, because such policies often include very strict notice requirements, policyholders should give notice as soon as a recall arises to avoid coverage denial on late notice grounds.

Christina Buschmann, Linda Powell and Adrian Torres, Perkins Coie Insurance Recovery attorneys, also contributed to this article.

Chipotle Food-Borne Illness Outbreaks Highlight Supply Chain, Reputation Risks

For the past month, Chipotle Mexican Grill has been mired in a food safety crisis. An e. coli outbreak linked to Chipotle has sickened at least 52 people in nine states. In a seemingly unrelated outbreak, 120 people in Boston – most of them students at Boston College – also fell ill after contracting norovirus from eating at the quick-service chain.

While food safety and product recall concerns are always a major liability for industry players, the spate of infections poses even more of a threat to Chipotle as the company has built its reputation on the foundation of a healthy, responsible supply chain, boasting its use of fresh produce, meat raised without antibiotics, and a network of hundreds of small, independent farmers. As Bloomberg put it, the company’s biggest strength is suddenly its biggest weakness. Given the chain’s 1,900 locations and the rate at which it has expanded (about 200 new locations every year), its supply chain is already under significant pressure. When an audit found unacceptable practices earlier this year, the company suspended a primary pork supplier, pulling carnitas from the menu at about a third of its restaurants nationwide. The company pointed to its decisive action as proof of its commitment to sustainable agriculture, but many analysts said it highlighted the company’s inherent vulnerability to supply chain issues.

“You can never eliminate all risk, regardless of the size of suppliers, but the program we have put in place since the incident began is designed to eliminate or mitigate risk to a level near zero,” Chris Arnold, the company’s director of communications, told Bloomberg.

Now, as the number and geographical spread of E. coli cases grows, the company has closed dozens of restaurants for what it promises will be thorough investigation and cleaning. Steve Ells, the company’s co-chief executive, went on the “Today” show to publicly apologize and vow that reforms currently being put into place would turn Chipotle into a leader in food safety. “The procedures we’re putting in place today are so above industry norms that we are going to be the safest place to eat,” he said.

But consumers are not so sure, leading sales to fall 16% in November, and its stock price has dropped almost 30% since the outbreak was first detected, the Washington Post reports. Analysts and the company itself have said they expect the outbreak to continue to cause a drop in sales. Take a look at how the ongoing crisis has impacted the company’s stock:

chipotle stock e coli

These doubts may have long-term impacts on Chipotle and may even extend to other food industry stakeholders.

“Fast-food companies are 100 percent reliant on their food supply to send them something that is pathogen-free, but the supply chain is still extremely reluctant to test every [food] product it provides,” food safety consultant Mansour Samadpour told the Washington Post. “Many companies are starting to do it, but the reluctance is real and it’s problematic — and that’s getting in the way of food safety.”

“I worry that [consumers] look at food safety from the organic, non-GMO, sustainability, animal welfare standpoint,” Bill Marler, a lawyer specializing in food-borne illness, told the Post. “And a lot of people in that space, in that agricultural movement, tend to believe that because they do those things their food is automatically safer than food that’s served at McDonald’s or Jack in the Box or Walmart. But that’s just not the case.”

For more about food safety crises and product recall, check out the following articles from Risk Management:
Feeding an Appetite for Trust, A Q&A with Center for Food Integrity CEO Charlie Arnot
Food Safety Updates Stalled by Funding
Maximizing Coverage for a Product Recall

Monitoring Food Safety from Farm to Fork

Food Production Safety

BALTIMORE—The Food and Drug Administration is increasingly harnessing data-driven, risk-based targeting to examine food processors and suppliers under the Food Safety Modernization Act. At this week’s Food Safety Summit, the FDA’s Roberta Wagner, director of compliance at the Center for Food Safety and Applied Nutrition, emphasized the risk-based, preventative public health focus of FSMA.

While it has long collected extensive data, the agency is now expanding and streamlining analysis from inspections to systematically identify chronic bad actors. FSMA regulations and reporting are revolutionizing many of the FDA’s challenges, but so is technology. According to Wagner, whole genome sequencing in particular has tremendous potential to change how authorities and professionals throughout the food chain look at pathogens. WGS offers rapid identification of the sources of foodborne pathogens that cause illness, and can help identify these pathogens as resident or transient. In other words, by sequencing pathogens (and sharing them in Genome Trakr, a coordinated state and federal database), scientists can track where contamination occurs during or after production.

At the same session, Jorge Hernandez, senior vice president of food safety and quality assurance at US Foods, also highlighted the importance of thorough risk evaluation and data-driven analysis for food companies. He encouraged a farm to fork approach to managing food safety and quality assurance risks, examining data as far back as possible so that companies just face the burden of maintaining safety, not combating or passing on contamination. Developing standards or suppliers that rest on a foundation of data and testing is the first step, but then companies must also be ready to check for compliance and implement change.

The primary components of the food chain are standard: producers, processors, suppliers/distributors and operators. Between each, however, comes the opportunity for monitoring and verification checks that should serve as control points, Hernandez said. These controls must be integrated into every link in the chain, and food companies must constantly evaluate what systems are necessary to ensure success downstream.