Creating a Food Defence System

A comprehensive guide to creating a food defence system

Alongside a food safety management system based on the principles of HACCP (Hazard Analysis and Critical Control Points), it is recommended that all food businesses establish a food defence system to ensure that their food is safe to eat and is not affected by food fraud.

In this article, we will outline the steps involved in creating a food defence system based on the principles of TACCP and VACCP.

Checking surfaces

Be aware that the steps outlined in this article are general, and may not be suitable for use by all food businesses (especially those that are large or at a high-risk of experiencing food fraud).

  1. Who may want to attack the business?
    • Identify and assess the threats.
    • Separate product and non-product-related threats.
  2. How may they attack the business?
    • Identify the attackers.
    • Devise a process flow chart.
    • Identify key staff and vulnerable points.
    • Consider the impact of the threats.
    • Identify which points are most critical.
    • Determine if control procedures will detect the threat.
  3. Where is the business vulnerable?
    • Establish the priority of each threat.
    • Identify who could carry out high-risk actions.
  4. How can an attacker be stopped?
    • Decide on and implement control measures.
    • Create an incident management plan.
    • Determine review arrangements.
    • Monitor horizon scans and new threats.

Who may want to attack a food business?

Stage 1a - Identify and assess the threats

The first stage of a food defence study is to identify the types of attacker that pose a threat to an organisation and its systems, especially electronic systems. The team should also identify those who may be a threat to specific operations, such as specific premises.

Once this has been completed, these attackers must be assessed to establish their motivation, capability, and level of determination to carry out an attack.

Stage 1b - Separate product and non-product-related threats

Once the threats have been identified and assessed, they need to be separated into product-related threats and non-product-related threats. For each of the product-related threats, a product must be selected that is representative of a particular process that could be affected. This can be the same product for multiple threats.

  • Product-related threats are threats that affect a food product directly, such as economically motivated  and intentional adulteration.
  • Non-product-related threats are threats that affect a food business but will not impact the safety of the food produced, such as cybercrime and espionage.

How might they attack a food business?

Stage 2a - Identify the attackers

Once the product threats have been established, those individuals and/or groups that may target each one must be identified. This is similar to the identification process carried out in stage 1a, but with a focus on individual attackers and their impact on products.

Once completed, the team should have an exhaustive list of product threats and details of those who may carry each one out.

When identifying potential attackers, the following four groups should be considered:

  • Outsiders
  • Supply chain personnel
  • Suppliers/contractors
  • Insiders

Stage 2b - Devise a process flow chart

At this point, a process flow chart must be created for each product that shows its journey through the ‘farm to fork’ process, including stages that the food-related business is not directly involved in. This should be carried out using expertise from both inside and outside of the business, and attention should be paid to the less transparent parts of the process.

A food-related business should also gather information from its suppliers when creating a flow chart, including information on the assurance and audit processes of those suppliers.

Stage 2c - Identify key staff and vulnerable points

This stage requires the food defence team to use the process flow chart to establish the vulnerable points that an attacker may be able to successfully target. To be able to do so successfully, the team must ‘think like a criminal’ and should be aware of the main threats that affect supply chains.

Attention should be paid to extraordinary circumstances, such as a supplier running out of raw materials, because this may reveal additional vulnerabilities that are not immediately apparent.

They should also identify the people that have access to the food product throughout its production, especially so at each of these vulnerable points.

Stage 2d - Consider the impact of the threats

At this point, the food defence team must identify the threats that could impact food production at each stage of processing and assess the impact that the process may have in mitigating these threats. For example, a toxic contaminant that is added may be destroyed or removed by processes such as cooking and/or cleaning.

Stage 2e - Identify the critical points

Now that the threats and vulnerable points have been identified, the critical points must be established. These are the points in the food production process at which the threat will have the greatest effect and the points at which the same threat may be detected.

Stage 2f - Determine if control procedures will detect the threat

A food-related business must have an existing food safety management system in place that ensures that the food produced is safe and free from unintentional contamination. This system will require certain control measures and testing procedures to be put in place to detect contamination.

It may be the case that existing procedures are effective for detecting intentional contamination and other food-related threats. For example, routine laboratory tests could detect the presence of added water or unusual fats and oils in a food product. At this stage, a food defence team must assess whether existing procedures will detect each threat and, if so, how reliably they will do so.

Where can a food business be  vulnerable?

Stage 3a - Establish the priority of each threat

After completing the previous stages, a business should have a clear idea of who could affect it and how they may do so. It should also have a list of all potential threats that it could face, including product-related and non-product-related threats.

At this point, each of these threats must be arranged to determine their priority, which is done by assigning each threat a likelihood and impact score. This allows a business to focus its efforts on targeting those threats that are more likely to occur or will have the greatest impact.

Stage 3b - Identify who could carry out high-risk threats

For those risks that are determined to have a significant or a high priority, the food defence team must identify who has unsupervised access to the relevant products or processes. Each of these people with access must be assessed to determine their trustworthiness and whether this trust can be justified. It must also be established whether this access is required for the individual in question to carry out their role.

How can an attacker be stopped?

Stage 4a - Decide on and implement control measures

At this point, the threat analysis is complete. This means that the food defence team must identify, agree upon, implement and maintain the proportionate preventative actions required to eliminate or reduce the risk of a food-related attack occurring. These measures may include implementing additional site security measures and scrutinising external suppliers using assurance and audit systems.

The form that these measures can take will vary significantly between businesses, so external expertise may be required at this point.

Once the control measures have been decided on, an action plan should be created that details what these control measures are and why they are in place. This is so that information can be communicated easily to employees and suppliers.

Stage 4b - Create an incident management plan

Alongside control measures, a business must create and implement an incident management plan. This plan should contain information on what to do in the event of an attack occurring. Specifically, it should detail how to:

  • Prevent physical and financial harm.
  • Collaborate with investigatory and enforcement authorities.
  • Maintain public support.
  • Minimise the financial, reputational and personal cost of the attack.
  • Identify the attackers.
  • Prevent the attack from reoccurring.

It is important that this plan is rehearsed regularly, before an attack takes place, so that every person involved knows what their role is and that they are able to act quickly and effectively in the event of an incident.

Stage 4c - Determine review arrangements

Once the control measures have been implemented, the food defence team must decide on the review arrangements for the system. Reviews should happen annually and when prompted by a trigger. These triggers include:

  • A successful food attack taking place.
  • A change in the food production process, such as a new recipe or supplier.
  • When new threats emerge.
  • When there are changes in good practice.

Stage 4d - Monitor horizon scans and new threats

Horizon scanning is an ongoing process in which the food defence team maintains a routine watch of official and industry publications that can give a business early warning of new threats, or changes to existing ones, that could impact them. Food businesses should also monitor and follow the guidance of other organisations such as the Food Standards Agency, Food Standards Scotland and the World Health Organization.


For more information on food safety management or food defence systems, and how to create effective systems for your business, consider taking one of our training courses shown below:


Further Reading