Coliforms vs. Cybersecurity: How Metrics Can Help Food Safety “Compete” with Cybersecurity and Other Enterprise Risks

With recent cyberattacks on the Colonial pipeline and, much closer to home, a ransomware attack impacting the world’s largest beef producer, JBS, more than ever food safety professionals need to lace up their boxing gloves and employ some new moves to compete for resources with other important enterprise risks.

Food safety incidents may not result in payment of millions in bitcoin to those holding data for ransom, but our industry still pays dearly for the consequences of food safety/food quality (FSQA) going awry. Recalls and foodborne illness outbreaks are mainstream news and fill our social media feeds, significantly increasing risk of reputational damage and whittling away customer and consumer trust. Food safety incidents may also involve actual monetary loss such as regulatory fines, product recalls and associated costs, production downtime, equipment replacement, litigation, etc. So, why do our IT counterparts receive what seems to be a bottomless piggy bank to mitigate cyber risks, and food safety gets the last few pennies left over?

Maybe we aren’t showing up to the fight with the right training and the right “gloves” to hold our own in the ring.

This is the last of a three-part series^1,2 focusing on the power of leveraging enterprise risk management (ERM) principles in the design and continuous improvement of food safety risk management programs. In this final article, we will explain:

What metrics should I use and what are “meaningful”
Why it’s challenging, yet critical, to translate “hazard” to “risk” for food safety to compete with other ERM risks
Who should participate in developing and monitoring metrics
How these metrics can help both food safety and C-suite stakeholders understand and appropriately invest in food safety
Where metrics “fit” into a corporate enterprise risk management program

What Metrics Should I Use?

What Are Metrics?

Let’s start with some good old dictionary definitions to ensure a common understanding of what we are talking about when we refer to “metrics.”

Data: Facts or figures that can be stored in or used by a computer, or, as is still common in the food industry, are stored on paper. An example of food safety data may be the specific coliform test results for each of many samples collected on different days and throughout a shift.
Information: The summary of data; turning data into actionable knowledge. An example here may be a summary of coliform data (e.g., percent positive, coliform levels) by day over multiple weeks, which may show an increase in coliform prevalence or levels throughout a given shift with increases starting after 12 hours, suggesting that extended run times longer than 12 hours may not be advisable unless the root cause of these elevated prevalences and counts is identified and eliminated.
Metrics: Measures of quantitative assessment commonly used for comparing and tracking performance or production. An example may be taking the information from the Information example above and comparing it across multiple production areas or across different facilities to understand if the results are in, or out, of established performance targets or if a given facility is substantially underperforming relative to another, serving as an early warning of a potential problem and where resources need to be promptly invested.

What Metrics Are “Meaningful”

A key challenge for food safety professionals is to define and track the appropriate metrics that allow us to develop and implement effective food safety systems. In a world where managing food safety is part of an overall ERM portfolio (that includes things such as cybersecurity as well as commodity prices, labor issues, and more), this necessitates multiple metrics that target different audiences. For example, food safety professionals will most likely want to continue to track and utilize more “traditional” metrics such as percent of environmental samples positive for Listeria or Salmonella and percent of preoperational samples that fail an ATP test, etc., which can be used to provide goals for the QA and sanitation teams. Even with these existing metrics, it is important to ensure that they are tracked and used appropriately to make sure that they do not carry unintended consequences. For example, if “Percent of environmental samples positive for Listeria” is used as a metric, then hitting the target could be achieved by sampling sites less likely to yield positives or by using sampling techniques (e.g., light swabbing of a small surface) that are less likely to yield positives. In short, be mindful to incentivize, not penalize, positives when using this type of metric.

While the metrics described above can be useful to manage in-plant activities, they may be of limited value for the C-suite and the individuals who manage the overall ERM portfolio (namely, those who decide how to allocate resources). For this audience, a single metric will be most useful. And that metric, frankly, should be money. Yes, this is blunt. But it is also reality. It is the language of the C-suite and can be easily translated into risk to the organization. The challenge is that we as food safety professionals typically speak a different language; we talk about the presence of “hazards” and use hazard-related metrics, such as “percent of environmental samples positive for Salmonella” (which essentially means the percent of samples positive for a hazard). How do we translate “hazard” or hazard-related metrics into risk (such as having a risk of $4.5 million recall exposure)? Answer? Money. Or what we refer to as a “single dollar metric.”

Why It’s Challenging, yet Critical, to Translate “Hazard” into “Risk” in Order to Compete

Why is it so hard to translate hazards into financial risk? One reason is that food safety incidents are not widely reported unless they result in a foodborne illness outbreak or recall. The vast majority of incidents, especially those identified by internal FSQA personnel, are not reported or publicly available at all.

For comparison, cybersecurity-breach statistics are widely available. According to the New York Times,³ ransomware attacks occur every 8 minutes. There are numerous sources that track and report the average cost of cyberattacks ranging from $200,000 ⁴for small companies to $1 million-plus. ⁵Yet when researching similar statistics, we are hard-pressed to find current and comprehensive data to inform us of the true risk of food safety incidents; rather, we find current articles citing the same study from 10 years ago from the Food Marketing Institute and Grocery Manufacturers of America (now Consumer Brands Association), conveying that the average recall costs $10 million.

So, what do we need to “compete” with other ERM risks? Ideally, current, readily accessible information. Short of that, we need the ability to make some educated assumptions and calculations to arrive at a single-dollar risk metric.

How Do I Derive a Single-Dollar Metric to Elevate Understanding and Increase Investment?

In the first article of this series, ¹ we already introduced the idea of a single-dollar metric and described how, in general terms, to quantify the annualized financial risk of a recall, using the metrics from an environmental monitoring program to estimate the likelihood of an FDA swab-a-thon finding Listeria as XX% (e.g., 90%), which combined with estimates of the chance of a swab-a-thon happening in a given year (e.g., 20%). The likelihood of follow-up investigations by FDA leading to a recall (e.g., 25%), leading to an estimated 4.5 percent risk of a recall in a given year (0.2 × 0.9 × 0.25 = 0.045), which, based on the average estimated cost of $10 million, leads to an annualized financial risk of $450,000.

But this is just a starting point. An organization with a mature food safety program that manages enterprise risks should use multiple metrics, such as percent of environmental samples positive for Listeria or Salmonella; percent of preoperational samples that fail an ATP test; and percent of effective (meaning verified) corrective and preventive action close-out within 60 days, for example, and quantitatively link these metrics to food safety and enterprise risk relevant outcomes such as (i) public health risks (e.g., outbreak), (ii) regulatory risks (e.g., recall), (iii) operational risks (e.g., partial or complete plant shutdown, product shortage, etc.), and (iv) reputational risks (e.g., loss of customers), with all these risks quantified using financial losses (in dollars) as metrics. A more nuanced approach like this will probably yield more accurate and persuasive results than using an old general estimate of recall risk (like the $10 million estimate provided above). This approach will also facilitate a more targeted approach to risk management and will help both the food safety team and the C-suite assess which specific risks associated with food safety incidences would be most impactful and hence require focused investments to manage.

Role of Testing in Food Safety Metrics

While food safety-related testing can be performed for a variety of reasons (such as customer requirements), most if not all testing should be linked to managing specific risks. Developing specific single-dollar metrics as detailed above also provides a unique opportunity for any company to reassess their testing schemes and efforts. Ideally, one should be able to link all testing performed to a specific risk being managed (e.g., regulatory risk, operational risk, reputational risk), using quantitative approaches (such as an X% increase in Listeria-positive environmental samples leads to a $XX,XXX increase in recall risk). On the flip side, every risk (e.g., reputational risk) should have (leading) metrics that can be used to assess the risk and changes in the risk. Identification of food safety metrics that cannot be linked to an enterprise risk or enterprise risks that have no associated food safety metrics consequently represent a clear gap between food safety and the C-suite and is an opportunity for enhancement.

Who Should Participate in Metrics Development

For many food safety professionals, development of the types of food safety-related ERM metrics described here will quite likely represent a considerable challenge. Hence, it is important to assemble the appropriate interdisciplinary team to develop, implement, and refine food safety metrics. While expertise in a given organization may include the CFO or others on the business side, it often can also be valuable to bring in external experts who can facilitate and challenge the discussions and set the groundwork that may be necessary before involving the internal ERM team. Importantly, this is not a one-time effort; all aspects of a food safety-related ERM metric initiative will have to be regularly reevaluated. Just as the recent ransomware cyberattacks will surely trigger a reassessment of the business impact of IT security, recalls, outbreaks, and even Department of Justice prosecutions following an outbreak need to trigger reevaluations of food safety-related enterprise risks and associated ERM programs.

As this series concludes, two points need clarifying. First, we are by no means downplaying the risk associated with cyberattacks. This is a very real and ever-growing risk. U.S. Secretary of Agriculture Tom Vilsack advised food producers that they need to face the fact that disruptive cyberattacks are part of their “new reality.” Cyberattacks could lead to the sale of tainted food to the public, financial ruin for producers, or even the injury and death of plant workers. ⁶ Perhaps there is power in numbers? Consider joining forces with your IT counterparts to obtain some joint resources.

Second, some of you may be thinking it is too risky to assign a single-dollar metric to food safety risks in your company for fear it may be construed that you are placing a dollar value on public health. But let us ask you this: If you don’t, and as a result you don’t get the resources you need to effectively compete and combat reasonably foreseeable food safety risks, how is that any different?

References

Melanie Neumann, J.D., M.Sc., is the principal of Neumann Risk Services, a Matrix Sciences Company, and Martin Wiedmann, D.V.M., Ph.D., is the Gellert Family Professor in Food Safety at Cornell University.

Live: April 30, 2024 at 3:00 pm EDT: Join our webinar to explore these critical issues and learn actionable solutions to efficiently manage maximum residue levels (MRLs).

Live: May 1, 2024 at 2:00 pm EDT: Attend this webinar to understand how to set up your preventive maintenance program to build a sustainable path toward increased uptime.

Live from Food Safety Summit: May 7, 2024 at 12:30 pm CDT: From this session, you will become familiar with the requirements of the final FDA Traceability Rule.