One of the daily challenges for food safety professionals is being viewed as a cost center (or, as the joke goes, the “profit prevention center”). If you are in a food safety role, you know that nothing could be farther from the truth. If we are viewed as “blocking” or “preventing,” it is because our role is much like an offensive line protecting its quarterback—we defend and protect our company’s customers, brands, and bottom line in nearly everything we do. Then why is it so challenging to obtain a meaningful budget to procure the right equipment to protect those key players? Is there another way to position ourselves and our requests for resources to enhance our food safety game?
The short answer is yes. It is an approach called enterprise risk management (ERM). Unbeknown to many, publicly traded companies are required to manage enterprise risks that may have a material impact on their balance sheet or long-term survivability. What higher risk does a food company have than food itself?
You may be asking whether your company should start integrating your food safety management program into your ERM strategy. We will address three questions to help you give ERM the consideration it deserves.
What Is Enterprise Risk Management?
There are several definitions for enterprise risk management, all of which reflect ERM as a vital risk management process.
As alluded to above, for virtually any food company, food safety should be considered one of the leading, if not the top, enterprise risks. But before we can chastise a company for not having food safety at the top of its playbook, we should acknowledge that this tool is relatively new to food companies.
ERM doesn’t have a shared, industry-adopted, common definition attached to it the way Hazard Analysis and Critical Control Points does. This is at least partially because food safety traditionally speaks in terms of managing hazards (e.g., Listeria monocytogenes), not risk (e.g., the risk of a recall due to Listeria). For food safety to get its legitimate place among all enterprise risks, it is important that a food safety team can discuss risk, and one effective way of doing so is to provide estimates of the likely financial impact of food safety incidents. For example, according to a survey administered by the Consumer Brands Association, the average food recall costs $10 million.[1] Have you run a financial simulation to determine what it could cost your company if a food safety issue meant you could not produce, or had to recall, your highest-selling product? This exercise is particularly important to level the playing field against other enterprise risks whose budgetary and financial impacts can often be estimated more easily.
A leader in defining and shaping ERM is a group known as COSO—the Committee of Sponsoring Organizations of the Treadway Commission.[2] COSO created a management system called ERM that addresses material financial risk in the wake of financial scandals in 2001 and 2002.
COSO describes ERM as:
• An ongoing process
• Applied in strategy setting and across the enterprise
• Designed to identify potential events that, if they occur, will affect the entity in a material way
• A process to manage risk within an organization’s risk appetite
• Providing reasonable assurance regarding the achievement of business objectives
COSO summarizes ERM as:
• A process to assist resource allocation-based decision making designed to identify potential events (risks) that may affect the enterprise; manage risks to fall within the identified risk appetite; and provide reasonable assurances that such risks are being managed and the organization’s objectives are being achieved (metrics) (words in parentheses and emphasis added by the authors).
While there are other working definitions and ERM frameworks, virtually all can be summarized in the following definition that reflects our proposed definition for the food industry: ERM is the discipline, culture, and control structure an organization has in place to continuously improve its risk management capabilities in a changing business and risk environment.
In addition to food safety, other enterprise-level risks are often found to “compete” with food safety for resources and priority. Cybersecurity is a good example of this. If your company is subject to a material data breach, or is hacked and held hostage by a ransomware attack, this could present a material balance sheet risk to your organization and potentially cripple or even bankrupt your company. Other enterprise-level risks often offer a similar competitive challenge when food safety is vying for finite funds in budget planning and boardroom requests. See “Other ERM Risks in Food Companies” for additional examples.