Finally, it seems that most of the players in the food production supply chain are willing to acknowledge that the safety of their product should be a central concern. And what has caused this gradual shift in attitudes?

Many of the firms that have been out in front of the movement saw that it could provide them with a competitive advantage. Others came to the conclusion that it was simply ‘the right thing to do.’ Some are simply reacting to the continuous pressure applied by retail outlets requiring Global Food Safety Initiative compliance.

Regardless of the cause, the outcome is a positive for consumers and for the industry. And with this change, many food manufacturers are beginning to take a mature perspective as they integrate corporate risk management.

Risk Management Is…
At its most basic, risk management refers to the identification, assessment and prioritization of uncertain events—along with plans to minimize, monitor and coordinate activities to control the impact of events. For those who are new to the professional practice of risk management, ISO 31000 provides an excellent reference point to begin the study of frameworks and standards.

However, as is always the case when transitioning from the textbook, there are issues that every company must wrestle with as they try to implement these ideal world concepts in the unwashed reality of day-to-day business.

Who Is in Charge of Risk?
There are some legitimate reasons to debate who your Risk group reports to—is it the CEO, CFO, legal or is there direct communication with the board?

The answer to this question will parallel a similar question: Who is your legal counsel there to protect—the CEO or the Corporation? Two very different priority profiles can be in play as you decide.

Risk Is Internal and External
Are you evaluating risk exposure throughout your full value chain or is your focus only internal? As you work through your risk assessment process, are you asking your suppliers about their risk exposure and mitigation plans?

In many cases, the risk exposure for safe product inputs is greater than they are from internal processes. You had better know exactly what you are getting and who you are getting it from.

Reputational Risk Is Real
There was a time when negative incidents involving food products tended to be isolated to a very regional audience.

Those times are gone. The Internet has arrived.

Now, stories of companies that do not take pathogenic contamination seriously are shared instantly across social networks, and sharing is virtually frictionless. It takes only the click of a ‘like’ button to repeat news of a contamination across yet another social graph.

Traditional PR professionals are helpless in the face of these stories going ‘viral’. Once a story is on the Internet, it is virtually permanent and only a quick Google search away. Even after the situation has been fully resolved, those stories that report the initial event will hover near the top of search results for months and years.

And the markets are more aware of these issues with shareholder returns increasingly impacted by negative reputation events. Reputation is also moving more companies to accelerate adoption of the triple bottom line and to include executive compensation packages that track indicators of corporate social responsibility.

Reputational risk does not exist in a static environment either:

• Common practices that were acceptable in 2010 will not be acceptable in 2015.
• The public’s ability to share negative reputation will only continue to get easier.
• Activists are becoming increasingly sophisticated and dedicated to online communications and community building.

Risk Maps
For many managers in the food manufacturing sector, these concepts are not new. A familiar tool is the Probability/Severity Matrix which typically looks something like Figure 1.

This is a straightforward way to look at risk exposure. But consider what happens when an event in the top left box takes place (Figures 2 and 3). This is an event with a very low probability of happening, but when it does happen, the impacts on the company are profound.

Think Deepwater Horizon oil spill or the Fukushima 1 nuclear power plant or the XL Foods Escherichia coli contamination or the Lac-Mégantic train crash. Most companies do not survive very high severity events like these, so it is important that you adjust your perspective accordingly.

Determining the probability of an event is much more difficult than determining the severity. People have a fairly easy time finding agreement on the potential impact that a given event will have, but when asked to nail down the likelihood that it will happen, consensus is much more difficult.  The perspective of many managers as they evaluate very low probability events is typically something like this, “We’ve been in this business for 70 years, and nothing like this has ever happened.”

Until it does.

Geoff Schaadt, M.Sc., M.B.A., is a consultant with Delta Partners.