Chipotle Provides Yet More Reminders of D&O and Food Safety Risks

chipotle food borne illness outbreaks

If the average food safety crisis or product recall forces companies to weather a storm, Chipotle has spent the past year trying to weather a category 4 hurricane. Now months into their recovery effort, it seems they are still seeing significant storm surges.
Last week, a group of Chipotle shareholders filed a federal lawsuit accusing executives of “failing to establish quality-control and emergency-response measures to prevent and then stop food-borne illnesses that sickened customers across the country and proved costly to the company,” the Denver Post reported. The suit accuses executives, the board of directors, and managers of unjust enrichment and seeks compensation from Chipotle’s co-CEOs, while also asking for corporate-governance reforms and changes to internal procedures to comply with laws and protect shareholders.

Sales remain significantly impacted by the series of six foodborne illness outbreaks last year. The company reported in July that same-store sales fell another 23.6% in Q2, marking the third straight quarter of declines for performance even lower than analysts had predicted. The company’s stock remains drastically impacted, currently trading at about $394 compared to a high of $749 before the outbreaks came to light a year ago.

In addition to the most recent shareholder lawsuit, the bad news for directors and officers specifically has also been further compounded recently. Shareholder lawsuits were filed earlier this year alleging the company had misled investors about its food safety measures, made “materially false and misleading statements,” and did not disclose that its “quality controls were not in compliance with applicable consumer and workplace safety regulations.” In June, a group of shareholders sued a number of top executives for allegedly violating their fiduciary responsibilities and engaging in insider trading. Relying on insider knowledge about insufficient food safety protocols, the suit alleges that the executives sold hundreds of thousands of shares in the first half of 2015 before the food poisoning scandal was made public.

Check out previous coverage of the Chipotle crisis in the Risk Management March cover story “Dia de la Crisis: The Chipotle Outbreaks Highlight Supply Chain Risks.”

Vendor Risks: Preventing Recalls with ERM

Recall
In 2016 alone, there have been dozens of recalls, by food companies, car manufacturers, and vitamin producers, among others. Not only do these recalls greatly impact a company’s bottom line, they can also affect the health and safety of consumers. With this in mind, what can organizations—both within the food industry and otherwise—do to improve their chances of uncovering suppliers operating in subpar conditions? How can they mitigate the risk of recalls?

Customers of CRF Frozen Foods, for example, a full-line, individually quick frozen processing plant that packages fruits and vegetables for a variety of customers, recently had big problems when it was linked to a widespread listeria outbreak. Contaminated foods affected big-name distributors like Trader Joe’s, Costco and Safeway, and some customers fell ill as a result.

Even though a series of sanitation concerns and other facility issues at CRF had been exposed by regulators as early as 2014, the factory was allowed to continue operating and its customers weren’t notified.

Red flags raised by regulators aren’t always seen by the companies they’re most relevant to, however. The fact that these outbreaks occurred seems to demonstrate that customers’ vendor management practices either failed or simply weren’t robust enough to detect issues. It all comes down to effective enterprise risk management (ERM). ERM provides the tools and framework that allow any organization to standardize processes and effectively mitigate vendor risk.

An ERM approach is characterized by standard criteria, interdepartmental communication, and automatic alerts and notifications. It keeps everyone in the organization on the same page and ensures assessment results are always understandable and accessible. This eliminates redundancy in the risk management process. As a result, you can quickly and easily determine the last time your organization evaluated a supplier. Something as simple as a notification that regulators have published new requirements might save your organization from acquiring infected or defective products.

There are three general stages that apply to any successful risk management effort:

  1. Identify specific risks, followed by assessment and evaluation
  2. Implement tailored mitigation activities to address those risks
  3. Monitor those mitigations to ensure long-term effectiveness

The first step serves as the foundation for steps two and three. Without a proper understanding of what risks your organization faces, it is impossible to prioritize and mitigate them. Especially across multiple business departments or within supply chains—it is quite difficult to identify and account for every variable.

To keep up with vendors’ fluctuating conditions, teams need to systematically identify and assess risks, catching them as they crop up. Preventing assessments from becoming obsolete is the key to keeping a pulse on everything that may affect the business, therefore avoiding unwanted surprises.

Risk assessments also help determine the best way to allocate limited resources. Minimizing vendor-related risks needn’t be burdensome, however. It should be a streamlined process that, by enabling you to avoid harmful incidents, improves operational efficiency. Once your risk assessments reveal the areas of highest priority, you can determine exactly how to mitigate those concerns.

The Freedom of Information Act can be extremely helpful when it comes to your third-party risk management efforts. It grants all companies the right to ask vendors for specific information about plant processes, worker training, sanitation practices, and maintenance. Suppliers are required to be forthcoming with all information (when asked), and teams need to take advantage of this opportunity. It is an important part of the risk management equation and will help you understand your risks before disruptions occur.

Performing vendor risk assessments—in the form of inspections, questionnaires, and service level agreements—generates an enormous amount of data and information. This information is useful for mitigating risk, but only if it is up to date, consistent and distributed to the appropriate individuals. The Freedom of Information Act provides an opportunity to evaluate suppliers with robust risk assessments, and ERM provides the means to capitalize on that opportunity. Ad-hoc assessments of current and prospective vendors, without standardized processes, will only get your team so far.

Steps to Effective ERM

Capitalizing on your vendor assessment rights is only part of the equation. Without an appropriate means of processing, distributing, and making data actionable, you’re back at square one. To make sense of important data, follow these steps:

  1. Create a taxonomy: define relationships between risks, requirements, goals, resources and processes. If each area of the business uses its own system for identifying and classifying risk, the resulting information is subjective and unusable by other departments. There is also significant information overlap—and therefore waste. Use your existing information to create a standard for data collection with minimal work.
  1. Streamline with the standardized risk assessments identified in step one. Risk assessments can be conducted in many different formats and qualities. Use resources already in place and streamline the results using the standard from step one. The most effective way to collect risk data is by identifying the root cause, or why an incident occurred. Honing in on the root cause provides useful information about what triggers loss and your organization’s vulnerabilities. When you link a specific root cause to a specific business process, designing and implementing mitigations is simpler and more effective.
  1. Connect mitigation activities to each of the key risks in these processes. A risk taxonomy gives you a more holistic understanding of all the moving parts in your organization. This makes it easier to design mitigation activities.
  1. Connect incidents, complaints and metrics (for each business process) to mitigation activities. Typically, companies already dedicate many resources to monitoring business performance, collecting information about incidents, complaints and metrics. These processes are often inefficient and ineffective. Simply connecting them to mitigation activities, however, identifies the reason such incidents happen. You can then take straightforward corrective actions, meeting top priorities and allocating resources with forward-looking measures. Risk management, after all, is not about minimizing fallout after an incident, but preventing such an incident from happening in the first place.

To make this entire process effective, management must work to develop an enterprise-wide risk culture. ERM is not just an executive-level process, but should be pushed all the way to frontline managers, where everyday decisions are made and the risks are known—but resources are often absent.

Approach your vendor risk assessments as you would any other risk assessment—they should be reoccurring and standardized. Perform them regularly and evaluate the results with the same scale and criteria with which you evaluate all other risks. Finally, automate information collection and review so that reporting reveals cross-silo dependencies before these risks turn into scandals. The result will be increased vendor security and the prevention of surprises, at a fraction of the cost.

Cybersecurity, Product Recall and Drones Top List of Emerging Casualty Risks

The cybersecurity insurance industry is booming, with demand for this specialty coverage vastly outpacing any other emerging risk line, according to a new survey by London-based broker RKH Specialty. In fact, 70% of the insurance professionals surveyed listed cyber as the top casualty exposure.

The brokers, agents, insurers and risk managers RKH queried after April’s RIMS 2015 conference said their top casualty concerns after cyber are product recall and drones (11% each), with others including e-cigarettes, autonomous vehicles and telematics totaling only eight percent.

RKH Specialty Study Graph

“Losses stemming from cyber-related attacks and business interruption can be catastrophic for individual businesses,” said Barnaby Rugge-Price, RKH Specialty’s CEO. “Healthcare and retail have been the major buyers in the cyber space to date but we are seeing an increasing conversion rate across the whole of our portfolio. After a number of years of looking at the offering, clients are increasingly deciding to purchase the cover as the product has improved and the frequency of attacks has continued to increase. There has also been a heightened focus on the business interruption aspect, where cyber attacks can cause whole facilities to shut down. But whether cyber related or not, any interruption to the supply chain can cause a disproportionate loss. The survey highlights the importance of specialist insurance for a whole host of emerging risks.”

Turning specifically to property exposures, supply chain disruption was identified by 61% as the top risk, followed by flood (30%) and tornadoes (9%). The findings reflect a growing recognition of the potential exposures that longer and more complex supply chains introduce, the firm said.

The brokerage also asked insurance professionals what they think clients are and will be most concerned about when evaluating a broker’s service, and in turn, what brokers will need to focus on to stay competitive. They predict:

RKH Specialty broker service

Five Questions with a Food Fraud Expert

Food Fraud

BALTIMORE—After his Food Safety Summit session on food fraud and economically motivated adulteration, I caught up with Doug Moyer, a pharmaceutical fraud expert and adjunct with Michigan State University’s Food Fraud Initiative. Here are a few of his insights into top challenges for the supply chain, and the biggest risks to be wary of as a consumer.

What are the riskiest foods for fraud?

The most fraudulent are the perennials: olive oil, honey, juices and species swapping in fish. Most people underestimate the amount of olive oil adulteration, but the amount of what is labeled “extra virgin olive oil” that Americans buy is more than Italy could ever produce. I buy certified California olive oil because I’ve sat down with that group and I know that their industry is really concerned about standards and have established a rigorous certification process. I am also really concerned about species swapping in the seafood industry. I love sushi, but I have a lot of concerns eating it, and they are not always about health. I don’t like feeling duped, and a lot of companies now have to contend with that reputation issue after so many studies have found that the odds can be incredibly low that you are eating the fish that you think you ordered—as little as 30% in some sushi restaurants in Los Angeles, for example.

Adulteration has been getting a lot more attention recently, from consumers and regulators. How old of a phenomenon is food fraud?

Food fraud actually dates back to the antiquities. In the industry, we refer to it as a 2,000-year-old problem. There are actually ancient jugs used for oil or wine that feature art that is misleading about the origin or quality of what came inside.

Why are we seeing more food fraud in the U.S. now?

In the United States, we have the real luxury of solid supply chains and active food safety protectors in the form of regulators and advocates. But, as the supply chain lengthens, strangers and anonymous players get introduced, and that’s where the system is most endangered.

What is the worst case of food fraud you’ve ever seen?

Melamine in Chinese infant formula is definitely one of the worst, and especially sinister. In the ‘80s, there was also a truly horrible case with olive oil in Spain. Many people hear about olive oil adulteration now and say, “What’s the harm, if it’s just another oil?” In that case, though, it was adulterated with industrial grade oil. Over 1,000 people died, and some are still infirm and in hospitals today.

What are the biggest culprits in pharmaceutical fraud?

Male enhancement, by far, is the top victim. Patients may be too embarrassed to see a doctor about their symptoms, so they log online and order from a rogue pharmacy—which may not even be a pharmacy at all. But if they were too embarrassed to get the medication to begin with, they will probably be too embarrassed to report the issues, too. Anti-malarials are also a big culprit abroad. In countries with a lot of demand for medications that fight malaria, many counterfeiters see the opportunity to fill that need before legitimate providers can. Poor populations gravitate toward these cheaper products, and access to doctors may be limited by a long, expensive trip—when you are already sick, or cannot afford the trip, it’s easier to go to a street vendor who rips off a sheet of what he says will help. It’s a particularly heinous crime because counterfeiters will trick customers with a little bit of aspirin in the pills that lower fevers and help with the body ache. That kind of deliberate attempt to keep people from getting better, to me, is more heinous than food fraud.