Professional Documents
Culture Documents
GFSI vulnerability
assessment
Lesson guide
Module 1, Lesson 2: GFSI vulnerability assessment
All of these schemes currently require a vulnerability assessment for food fraud, with the exception of
Primus GFS.
Scheme requirements
The scheme requirements for vulnerability assessment can be summarised as follows.
5.4.1
Information sources
2.1.4.6.1 2.7.2.1 5.4.2 5.6.8
Vulnerability assessment
2.1.4.6.2 2.7.2.2 5.4.3 5.6.8
Protection measures
2.1.4.6.1 2.7.2.1
Procedure
2.7.2.1
Team
2.1.4.6.3 2.7.2.3 5.4.2
Review
The requirements of the schemes for vulnerability are below. (Please note, these are correct at the
time of publishing, please check to make sure the scheme you are interested in has not been updated
since.)
FSSC22000
(Reference: Food Safety System Certification 22000, Part 2: Requirements for Certification, Version 4:
January 2017)
2.1.4.6 Food Fraud prevention
1) The organization shall document, establish and maintain a documented procedure for food fraud
vulnerability assessment that:
2) In order to identify the vulnerabilities, the organization shall assess the susceptibility of its products to
potential acts of food fraud.
1) The organization shall put in place appropriate preventive measures to protect consumer health. These
processes shall;
b) at least annually.
SQF
(Reference: System Elements - Primary Production, Edition 8)
2.7.2.1 The methods, responsibility and criteria for identifying the site's vulnerability to food fraud shall be
documented, implemented and maintained. The food fraud vulnerability assessment shall include the site's
susceptibility to product substitution, mislabeling, dilution and counterfeiting or stolen goods which may
adversely impact food safety.
2.7.2.2 A food fraud mitigation plan shall be developed and implemented which specifies the methods by which the
identified food fraud vulnerabilities shall be controlled.
2.7.2.3 The food fraud vulnerability assessment and mitigation plan shall be reviewed and verified at least annually.
2.7.2.4 Records of reviews of the food fraud vulnerability assessment and mitigation plan shall be maintained.
5.4.1 The company shall have processes in place to access information on historical and developing threats to the
supply chain which may present a risk of adulteration or substitution of raw materials. Such information may
come from:
• Trade associations
• government sources
• private resource centres.
5.4.2 A documented vulnerability assessment shall be carried out on all food raw materials or groups of raw
materials to assess the potential risk of adulteration or substitution. This shall take into account:
The vulnerability assessment shall be kept under review to reflect changing economic circumstances and
market intelligence which may alter the potential risk. It shall be formally reviewed annually.
5.4.3 Where raw materials are identified as being at particular risk of adulteration or substitution appropriate
assurance and/or testing processes shall be in place to reduce the risk.
IFS
(Reference: IFS Food, version 6)
5.6.8 Based on hazard analysis, assessment of associated risks and on any internal or external information on
product risks which may have an impact on food safety and/or quality (incl. adulteration and fraud), the
company shall update its control plan and/or take any appropriate measure to control impact on finished
products.
Important points
Here are some important points to note, for your vulnerability assessment.
Only do it once…
In a few of the certification schemes, the standard asks you to complete an assessment for food
fraud more than once.
For example; in the BRC standard, not only does section 5.4 ask you to complete a vulnerability
assessment, but in clause 3.5.1.1 it asks you to include substitution and food fraud in your raw
material risk assessment.
You don’t need to do it twice. Only do it once, just make sure you meet the clauses that refer to
the vulnerability assessment.
Supply-chain mapping
Supply-chain threats and the use of supply-chain mapping is not clear at this stage.
BRC state that the vulnerability assessment must cover food fraud risks due to access to raw
materials through the supply-chain, but they don’t really clarify what they mean by this.
The other schemes talk about identifying vulnerabilities; but again they do not specify, if, or how,
the supply-chain should be assessed.
We know from our learnings from the horsemeat scandal that the supply-chain can cause
vulnerabilities, and as the horsemeat scandal is what triggered this, we really should be taking it
into consideration.
Records
If your certification scheme says it’s required - make sure it’s recorded!