
Promoting Data Security in the Workplace


No matter the workplace, data security is often a top concern for management professionals. Security breaches can end up threatening the livelihood of employees and entire companies alike, depending on how severe they are. There are solutions available to

To learn more about data security in the workplace, check out this infographic compiled by the University of Alabama at Birmingham’s Online Master of Science in Management Information Systems program.

Employees and General Information Security

Over eighty percent of companies say that their biggest security threat is end user carelessness. Seventy-five percent of companies also believe that employee negligence is their greatest security threat. Three percent of all United States full-time employees admitted to using the same collection of passwords for their online needs. A third of this percentage even admitted to using fewer than five different passwords to access anywhere between twenty-five and fifty websites, some of which were business and professional locations. Over thirty-three percent of US companies do not have a security plan for internal security risks, which means personal responsibility is the largest deterrent in a vast majority of these incidents.

Top Mistakes

Many mistakes committed by employees are entirely avoidable. Things such as sharing passwords with others and leaving their computers unattended outside the workplace all contribute to security problems. Employees are strongly encouraged to use different passwords for different websites, and to change them frequently. Additionally, it is important to delete data when it is no longer being used on the computer, as well as avoid connecting personal devices to company networks and databases.

Largest Threats to Information Security

Senior managers are as much a culprit of problematic behavior as their employees. Over fifty-eight percent of senior managers have accidentally sent crucial and private company information to the wrong people. Fifty-one percent of all senior managers have also taken private files from the company with them after they left the job. Business owners may end up compromising their own company’s security as well. Over eighty-seven percent of all business owners regularly upload files from work to a personal cloud or storage network. Sixty-three percent of those same business owners also use the same passwords to log into different systems in both business and personal affairs.

Tips on Promoting Security

There are many steps that can be taken to help keep the workplace safe. One of the first of these is to implement a strict, written set of security guidelines. Enforcing physical restrictions on access to personal data is also recommended. Destroying older data in a more timely fashion can also help resolve many security risks. Generally raising security awareness in the workplace by training and educating employees in proper and improper behavior can be a good idea. All business owners and leaders are strongly encouraged to become more vocal about security in the workplace.

Employees and Specialized Training

Proper information and security training on a professional level can also help reduce the frequency and severity of security breaches. Over thirty-seven percent of employees had received mobile security training, while over forty percent of employees had received information sharing training. Increasing this number can help spread security awareness in the workplace on a much more efficient level, and businesses are encouraged to introduce some type of professional training program.

Current Bring Your Own Device Practices

Fortunately, while there is room for improvement in many companies, management professionals are also looking into ways to help improve Bring Your Own Device standards and practices. Over forty percent of companies currently consider mobile device insecurities to be a large security concern. Fifteen percent of employees believe that they have minimal, or practically no, responsibility to safeguard the personal data stored on their devices. This type of thinking is what encourages security risks to occur in the first place. As a result, there is going to be an expected increase in security strategies of upwards of sixty-four percent for employees concerning the use of their personal devices over the next twelve months.

Information Security Recommendations

Numerous security recommendations are already being considered by many companies, and many businesses are planning on introducing more data leakage protection to help control what data mobile employees will be able to send through Bring Your Own Device practices. This can help prevent the transfer of regulated data through unsecured apps. These plans can also help prevent employees from accessing data on unsecured devices, or transferring unsecured data on their own devices. Future demands will also require owned devices to have a password in order to access the stored data. Many training programs are also being planned, which will inform employees of the necessity of adhering to, and enforcing, data security regulations.

The following blog post was originally posted here and is reposted with the author's permission.

Mike McBride Technology Expert

A technology expert with many years of experience spanning the healthcare sector, cyber security, education, marketing, and online commerce. I've spearheaded web projects for Fortune 500 companies, as well as coordinating strategy for small companies to leverage their resources in order to compete alongside industry leaders.

 

Gearing Compliance to the Tasks at Hand


Introduction

The following blog post was originally posted in the Richard Bistrong Front-Line Anti-Bribery Blog at www.richardbistrong.com and is reposted with his permission.

I recently had the opportunity to travel to Chicago for my first SCCE Compliance and Ethics Institute (CEI), and attended a session, “Keeping Compliance Simple,” which was led by Ricardo Pellafone, CEO, The Broadcat (www.thebroadcat.com) and John Partridge of Gibson Dunn. It was an engaging session, and it gave me an opportunity to reflect on their work in the context of some recent corporate engagements.

What first caught my attention was when Ricardo started the session by sharing that a compliance training program needs to address “the tasks at hand” to those on the front-lines of business. Does that sound obvious? Well, when we look at the complex challenges facing compliance and commercial teams, it might not be. Thus, I think we should heed Ricardo and John’s reminder that an engaging compliance program is one that’s calibrated to help people execute with what they have been charted to do. Big and small.

In other words, as Ricardo well states, “give people something they can look at while they are doing their job.” I think that’s excellent thought leadership and advice. Do you expect your commercial teams to be subject matter experts on anti-bribery laws, facilitation payments, and export compliance, to name a few; or, would you rather give them something that they can read, reference, and which serves as a guide and guard-rail to their missions at hand? Ricardo’s right when he shares that “training around risk is problematic,” but compliance training which is oriented towards task completion and simplicity is a compliance program which is an active tool at the field level. And isn’t that what we want?

A few weeks after the CEI, when presenting to a multinational, I had the opportunity to hear the CEO share some of his vision for growth, which inspired me to reflect on the ‘simplicity’ panel (FYI, when a CEO presents to a compliance/commercial team event, that’s a very loud spoken and unspoken message). When addressing corruption risk, he counseled the teams to “have a clear-eyed view of the risks you face before you’re in the middle of them, understand the resources available to make decisions, and then know how to engage.” If I had to think of one sentence which encapsulates what a simple yet resonating compliance program should look like at the front-lines of business, that would be it. While execution might not be so painless, having a compliance program which takes complex laws and regulations, and then translates them into how they apply to real-world scenarios, is a compliance program that comes to life.

Remember, when you hired those on the front-lines, you probably looked for individuals who could aggressively, ethically and compliantly execute on business growth and strategy. You might have even on-boarded some with risk-taking in their DNA. Thus, while it sounds easy to pronounce “grow the market, take risks, but don’t break the law,” don’t those same teams deserve a compliance program which is simple, makes sense to their work, and which they can reference as a guide to success: one task at a time?


Richard Bistrong Vice President

I was the sales and marketing Vice President in the Law Enforcement and Defense sector for over fifteen years, most of which was as VP for International sales. A fourth generation founding family member of one of the world’s premier brands of bullet resistant armor. I got educated in Foreign Policy, UVa, Masters of Arts, 1987. Studied at the Institute for European Studies, Vienna, Austria, 1983. Worked as a Confidential Human Source (CHS) and Cooperating Witness for the United States Department of Justice, Federal Bureau of Investigation. Served with the City of London Police, HM Revenue & Customs (HMRC) and Crown Prosecution Service (CPS) in a covert and cooperating capacity. Received Immunity from Prosecution from the United Kingdom. Currently, a recognized consultant, blogger, and speaker in the field of anti-bribery compliance, reflecting on front-line issues which impact international business teams and compliance personnel.

 

3D Printing – Boon or Bane


Introduction

The 3D printing market is growing at an average of 35% CAGR, and is set to quadruple to $12.5 billion by 2018 from $3 billion in 2013 (Wohlers Associates 2014 report). At the same time, however, organizations have to face heavy penalties and diminished brand and reputation due to risks associated with 3D Printing. For instance, mishandling of patient information through 3D Printed software and associated violations of HIPAA compliance has already resulted in $9 million in fines for US-based companies in the last one year alone.

Consumers around the world are converging on newer technologies that allow customization and immediate product deliveries. Just as e-commerce companies have done for consumers, will 3D Printing do the same for organizations?

The 3D Printing industry emerged in the 1980s, then known as Additive Manufacturing for product developments and rapid prototyping. With new technologies in design and faster printers available, the trend has quickly shifted to mass production. General Electric, as a part of the LEAP project, started to mass produce close to 25,000 aircraft fuel nozzles using 3D Print technologies. Similarly, USPS has partnered with 3D Print Service providers and is planning to purchase printers onsite in order to deliver packages, printed in 3D, to consumers when they need it. This service from USPS will add $485 million in incremental revenues.

To meet this increased demand, organizations small and large are either providing 3D Printing as a service, or manufacturing 3D Printers. For example, HP has been relying heavily on the sales of its 2 newly launched 3D Printer models (HP3200 and HP4200) in May-2016, making up for its declining PC and 2D printing business. Additionally, several startups have received funding to leverage the potential of this growing market.

3D Printing is set to disrupt the Manufacturing industry; however, organizations are cautious about adopting this technology as there are initial upfront costs, design complexities, increased raw material costs, and slow print speeds.

While the market demand, potential and revenue upsides are high, the risks associated with 3D Printing must not be ignored.

  1. Cyber Security

3D Printers work by accepting a CAD/STL design software file when the printer is connected to the Internet through Wi-Fi. This leaves the printer open to hackers injecting a virus into the design file, which can change the orientation of the print head. As a result, the printer could produce products of low quality. In such cases, organizations may have to recall the product and face impact to their brands and reputations.

  2. Counterfeit

Using 3D Printing technologies, products can be duplicated easily and exported as the originals. This can pose security risks, and can infiltrate the supply chain. Blueprints of the products can get into the hands of attackers through the CAD/STL file, which could have a disastrous impact on the company and its relationship with consumers.

  3. Supply Chain

3D Printing technologies are set to disrupt the Supply Chain for many organizations, as their products will now be available at the point-of-use as raw materials. This will be difficult to regulate, especially in the healthcare industry, where the FDA recommends design controls from the point-of-origin in manufacturing to when the product leaves the facility. In the case of 3D printing, it is unclear what will be regulated – is it the CAD file leaving the facility, or the part that was printed at the point-of-use?

  4. Intellectual Property

Just as the music industry suffers from piracy, the 3D printing industry is vulnerable to similar threats. File sharing will become common online and can cost organizations billions in the loss of IP file designs that can also lead to counterfeiting. This is not common right now, but it is a serious potential risk in the future that we must be mindful of as the market matures.

  5. Drugs

The healthcare industry needs to be cautious when using 3D technology, as patented drugs can be printed by illegal drug manufacturers. Researchers used a sub-$2,500 MakerBot 3D printer to manufacture illegal drugs, and to fabricate tiny implants with certain chemicals, which will release specific drugs when placed into the human body. If this isn’t tightly managed, the potential for disaster could be huge.

  6. Weapons

Anyone with CAD/STL design can create input files for 3D Printers. Criminals can get access to such files online for producing guns at home. In 2013, a law student from Arkansas printed a gun from a 3D Printer. The design file used for the gun was made available online, and was then downloaded over 100,000 times around the world, before the State Department ordered it taken down.

There are great opportunities with 3D printing technology, but understanding its implications and risks, and regulating the process and execution is critical. Public and Private partnerships are needed here, to help us realize the great potential of this growing market, while protecting consumers and organizations alike from risks at hand.


BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Walking The Line Between Personalization And Privacy


Introduction

2017 promises significant shifts in retailer tactics as they embrace more intimate conversations, leveraging the power of digital devices, analytics and channels. Walking the fine line between becoming a trusted advisor and intrusion and perceived (or actual) privacy violations will become as much of a science as it is an art in today’s world.

Here’s a look at the top five trends that will impact the retail industry in 2017.

1. Beyond Mobile Payments: Enhancing The Personal Shopping Conversation

Retailers will provide innovative mobile apps to enhance customer experience, going beyond simple payments to establishing a virtual, real-time, personal shopping conversation — for example, notifying sales associates of a drive-through pickup or return.  Retailers will equip associates with mobile devices to reach out to in-store customers, track real-time shopping behaviors and send curated offers while blurring the line between online and in-store shopping.

2. Predicting The Path To Purchase And Preference: Blurring The Line Between Online And In-Store And Satisfaction Based On Actual Use

Omnichannel will reach beyond purchase into actual use as retailers unify online, offline and Internet of Things analytics to understand the 360-degree view of an individual’s needs and behavior and gain insight into preferences. Correlation analysis throughout the shopping journey will increasingly be used to predict an online or offline purchase, using browsing history, reviews read, social media networks and favorites on sites like Facebook or Pinterest — blurring the line between online and in-store shopping.  The focus will shift to helping impatient buyers make faster decisions, and at the same time build long-term loyalty. Most importantly, the Internet of Things will become increasingly critical in providing insight into how products are being used after purchase and predicting a repeat purchase or recommendation.

3. Frictionless Convenience Rules The Wallet

Understanding customer needs, wants and behaviors will drive retailers to strengthen the relationship by using partnerships and connected devices to create a frictionless, real-time experience. Retailers will use devices to reach out to in-store customers, track real-time shopping behaviors and send curated offers while establishing a virtual, real-time, personal shopping conversation. This will be bolstered by a rise in subscription services that provide clear value and build trust like Amazon Dash, 1-click and Amazon Prime. Retailers will leverage partnerships that capitalize on trust built with complementary, highly trusted brands to provide convenient buying experiences. We will see a rise in combined offers for a specific need – travel, hiking or formal attire – complete with personalized rewards.

4. Privacy Is A Two-Way Street

Consumers will begin to react to privacy concerns that arise from more intimate, personal conversations with their trusted retailers, with whom they allow tracking and analytics. Retailers will need to provide more transparency into actual analytics and increasingly allow consumers to participate in the co-creation and selective editing of their own profiles, going beyond simply opting in to how information will be used.  In addition, retailers will need to provide tangible assurances that their private information is safe, as new cyber threats emerge that target mobile and Internet of Things. Innovative retailers will start to show how their app experience protects data in smart devices.

5. ‘Security by Design’ Throughout The Supply Chain

As consumer data accumulates from the shopping experience, through the supply chain into warehouses and out into the home through the Internet of Things, unencrypted transmissions and card-not-present transactions will present opportunities to hackers to steal personal data captured along this chain. Retailers will start to cooperate and adopt ‘Information Security by Design’ principles, building security deep into processes as opposed to bolting security monitoring onto processes after the fact.

Stay tuned for some astounding innovations by both retailers and the technology vendors that support them. And don’t forget that we are an essential part of these equations. As consumers, we co-create and influence innovations as they unfold in the landscape of our shopping experiences by staying engaged and, ultimately, voting with our (mobile) payments.

The original blog was published via Retail Touch Point. View it here.


Pharmaceutical Recalls: A Risk and Compliance Roadmap for Manufacturers


The three aspects a manufacturer must swiftly address in the instance of a pharmaceutical recall.

All manufacturers and distributors wish to avoid having to recall a product. Through governance, risk and compliance tools and processes, they aim to safeguard product quality and standards. This takes not only attention to detail and precision within the company’s own business operations, but also with those of its suppliers and third parties, as well as effective monitoring and assessments across the whole supply chain.

However, plans do have to be made around handling a product recall should one need to happen. With increasing regulatory demands and complex international supply chains, effectively managing a pharmaceutical recall takes a coordinated effort across many responsibilities.

Among the many aspects a manufacturer has to get right is the identification of key decision makers, a clear understanding of roles and responsibilities, and a robust communications strategy. The damage to company brand and reputation can be severe for those that get it wrong.

1. Decision Makers

The Food and Drug Administration (FDA) is responsible for protecting human health by ensuring the safety of pharmaceutical products. It can request or order a product recall when it becomes aware of a problem, but recalls are also initiated by the manufacturers themselves.

The FDA takes an advisory as well as reinforcement role through guidance on recall processes and action needed through the stages. Senior management, quality assurance, regulatory liaison, and communicators will be central to a manufacturer’s recall process.

An effective product recall hinges on the company’s level of preparation. Identifying, training, and updating the core team that will be involved in the event of a recall is essential, as is clearly establishing decision-making authority at each stage of the process. Plans should be regularly tested to identify any knowledge or process gaps that must be filled.

Throughout the decision-making and recall process itself, manufacturers need to keep the FDA informed, as well as work closely with suppliers, distributors, and other third parties along the supply chain to take effective action. The FDA assigns a classification to the recall—which is essentially determined by the level of danger the quality or safety issue presents—and this impacts a number of factors in the recall process, including urgency and method of distributor/customer notification.

2. Roles and Responsibilities

Any confusion over roles and responsibilities can result in delays, process stages being missed or not executed well, and possible non-compliance. Decision-makers, plan executors, and communicators need a common understanding of their role and responsibilities as well as those of others involved. This extends outside company walls to suppliers, distributors, regulators, and third parties.

The pharmaceutical industry is a global one with many manufacturers supplying multiple markets. Where licenses to sell in particular markets are held by multiple third parties, a lack of clarity over who has what responsibility—and/or any breaks in the chain of communication—can cause significant problems.

To maximize success, manufacturers must cultivate a transparent environment of information access and exchange. This is essential not only to track impacted parties and the root cause of the issue but also to keep all players up to date throughout the recall process. All responsible individuals need to work from the same information, and it needs to be up to date.

This is hard to achieve for many companies still working with systems and applications in silos where shared data has to be interpreted and fed into various tools that support the process.

Plan executors and senior management need visibility into product recall progress as well as the output of root cause analysis and other quality assurance tasks. This is best achieved through real-time executive dashboards and reports with drill-down capability to access relevant statistics, analytics, and trends.

3. Communications Strategy

Poor communication can be found at the root of many poorly-handled business problems. Product recall planning must consider the complete spectrum of communications—intra-company, externally with parties along the supply chain, with customers, and with regulators and officiating bodies.

Time zones, physical distance, language barriers, and cultural differences can all hinder effective communication. These must be managed for timely and effective communication.

Not only does communication need to be effective during the process of a product recall itself, it also needs to ensure the business learns from the situation, feeds information back into the system, and is equipped to take any corrective or mitigating action needed. An integrated solution that tracks and manages information and events across departments can initiate action based on change—for example the requirement for training or actions resulting from an audit.

It is also important when considering the business tools to support effective company communication to think about how people consume information and the clearest and most effective ways of presenting it to achieve the maximum result. The visual presentation of data, for example, can be an effective way of maximizing understanding.

Through planning and the use of technology, manufacturers can streamline and improve the processes and procedures that expedite product recall activities. In this way they aim to limit brand impact, better serve customers, and ultimately drive improved business performance.

Effective governance, risk management, and compliance are essential for good business practice and to try to mitigate issues that may result in the need for a product recall. Despite ensuring effective processes and procedures and compliance with regulatory mandates, issues do still arise and preparation is essential to manage them when they do.

Automated risk management solutions can help support the execution of roles and responsibilities, informed decision making, and effective communication not only when a product recall has had to be decided upon but also minimizing and managing enterprise risk in day-to-day operations.

The original article was published by Pharmaceutical Processing. To read the full blog, click here.


 

Three-Stage Regulatory Compliance in Food Manufacturing


Introduction

To safeguard quality and standards, food manufacturing and distribution is highly regulated. To be fully compliant, companies need insight into their complete supply chain — end-to-end from base ingredients to finished product —  and they must be prepared to act in the event of a contaminated or compromised product that jeopardizes customer health. This demands detailed and precise planning, execution, monitoring and assessment. Disconnected, manual governance, risk and compliance (GRC) tools and processes can be inefficient for the job.

The regulatory landscape in the food industry is increasingly complex, particularly for global manufacturers and distributors. Companies have to comply with all local, national and regional regulatory agencies relevant to their business. This means keeping up with evolving regulations and ever-changing circumstances. Guidelines and mandates must be interpreted, acted upon and compliance tracked. The impact on businesses is far-reaching across manufacturing, handling and food distribution.

Three-Stage Compliance

GRC is central to business operations in all industries; in food manufacturing and distribution it must be integral to the way companies work. Robust management, quality inspection and corrective action are of paramount importance. Companies that automate and streamline activities through supply chain traceability and GRC systems will be quicker to react and take control in the event of a food quality or standard issue.

The stakes are high when it comes to public health and safety. Preserving company and brand reputation depends on successful GRC and this means excellence across three stages of compliance:

1. Policy and Procedures
Regulatory compliance requires tight control over policy and procedures. Organizations need first to be fully aware of the regulations appropriate to their business, to understand what it takes to be compliant and to ensure that all staff and suppliers have up-to-date training.

In the U.S., this largely means being up-to-speed on regulations from the USDA Food Safety and Inspection Service (FSIS) and the Food and Drug Administration (FDA), which together are responsible for ensuring food safety.

2. Execution and Controls Monitoring
Organizations must take a proactive approach to food safety and compliance to mitigate against incidents and to protect their business, onward supply chain and customers.

The first step is to identify hazards, in order to stop them from causing a problem. Again, this involves being up to date on the latest information as the FDA identifies specific hazards, for example, related to agricultural products and pesticides. To help exercise effective controls, companies must choose suppliers wisely and impose rigorous prerequisites around aspects such as sanitation and pest control.

Each hazard has its own characteristics and, therefore, control measures. In the case of the pathogens Salmonella and Clostridium botulinum for example, each requires its own particular control measures.

3. Access to Data and Incident Management
A host of issues can cause a food safety standard problem. These include allergens, viral and parasitic outbreaks and bacterial contamination. One such issue occurred last year when nearly 30,000 cases of hummus had to be recalled due to a possible listeria contamination.

To maximize information capture, companies should tap into all data sources that can provide feedback on product quality. These days, this can include social media as news spreads quickly when a food standard issue occurs. Once an organization is aware of an issue, it must be able to rapidly track and trace the impact on its own production and be ready to instigate robust incident management. Preparation is key.

Earlier this year, Mars had to recall millions of confectionery bars in response to pieces of plastic found in some items. As a global brand, the task of tracking down impacted batches and isolating the production problem is significant. Thanks to the efficiency of its supply chain management systems and GRC controls, Mars was able to quickly identify the root cause, trace the contaminant back to a specific factory and track affected batches.

Many Links, One Chain

Supply chain management is all-important in regulatory compliance. No company can rapidly and successfully track forward and back the impact of an issue without knowing its supply chain. Traceability back to source and forward to consignees is essential. For example, the conditions on the farms that breed the cows for the beef that makes the hamburgers are important. Not just to the farmers (or the cows) but to all the companies that do business with those farms.

In the event that something does go wrong, the impacted organization needs to put its action plan into operation quickly. Then, root cause analysis can begin and be swiftly followed by corrective and preventive action planning.

Effective GRC for Product Recalls

Product recalls must be effectively managed for regulatory compliance and for the protection and preservation of the company’s brand reputation. The complex multi-stage process will include:

1. Making the Decision
Generally, the decision to initiate a food recall is taken voluntarily by the food manufacturer. This could be as a result of the organization’s own issue identification — from its own tests, industry watching or customer feedback monitoring — or from a supplier notification. Regulatory agencies may detect a problem from sample testing or field inspections.

Both FSIS and the FDA have the power to instigate a recall themselves. Such action is rare, but can occur if a company refuses to act and there is a threat to human health.

2. Communication and Investigation
The investigation must identify impacted items so that action can be taken to remove them from the food supply and to prevent any more from entering it. Communication is critical here — within the organization, with suppliers, with partners, with distributors, with governing bodies and with customers.

The recalling firm should discuss the nature of its communications with the FDA District Office Recall Coordinator, including any requirement for translation into other languages. Press releases are also used for wider notification.

The manufacturer is responsible for notifying all its recipients of the compromised food product and they, in turn, must contact all of the companies they passed it on to, in whichever form. For example, tomato purée may be used in a range of products such as sauces and pizza, as well as being sold as a product in its own right. The complexity of the food distribution and supply chain highlights the importance of swift and clear recall communication.

The timeline for the recall will vary according to the level of urgency and nature of the product. Where there is a risk to human health, action must be immediate and regular progress reports should be provided to the regulator.

The regulator will oversee the recall process and carry out audit checks to determine that diligent action was taken and that the recall was successful. FSIS or the FDA may choose to contact the likes of distributing agencies and school food authorities to confirm that they received information about the recall and acted accordingly.

Once the issue has been contained, root cause analysis can begin. Unfortunately, an all too common obstacle to this is access to required data. Electronic records and a connected, digital system of supply chain management can help here, greatly easing the task of traceability and communication.

3. Prevention and Control
Learning from a product recall must feed back into the organization to support continuous improvement and, if required, change. Regular inspections and risk assessments — across the entire supply chain — must be integral to processes and procedures as well as control measures and a comprehensive understanding of compliance. The final status report on a product recall must be shared with the relevant regulatory agency, detailing actions taken and the preventive action program implemented.

Through effective GRC, food manufacturers and distributors can help meet the requirements of regulatory compliance, manage issues when they arise and mitigate against repeat problems. By streamlining processes and procedures that expedite these activities, companies will work more effectively with supply chain partners, better serve clients and customers and ultimately drive improved business performance.


BLOG ADMIN

Read more about the latest happenings in the GRC universe. MetricStream experts share their valuable insights on how organizations can turn risk into a strategic advantage and thrive on risk.

 

Governance, Risk, Compliance and the Big Data Advantage


Introduction

According to research from a leading IT firm, nearly 90 percent of the data in the world has been produced in just the last two years. Though a bit of a buzz phrase these days, big data is as important as the internet itself to many businesses today, for a number of reasons. The simplest explanation of how big data benefits businesses is this: It provides the insights needed to make more confident decisions, take faster actions, improve operational efficiencies, minimize risks, and reduce spending.

The sudden emergence of the whole phenomenon around the data explosion has been the result of the pervasive use of mobile devices and the large volumes of data generated from web based purchases, mobile activities, and social media interactions. As the massive volume of data and computing platforms continues to proliferate, the absence of thorough reassessments and thinking around information processing paradigms of the past will leave today’s enterprises ill-prepared to deal with this new (IT) normal.

Enterprises have to realize the obvious fact that big data is an immensely powerful concept, and information is a strong business asset. Managing large volumes of homogenous data is something that organizations of all kinds can benefit from, spanning retail, social networking, science and research, clinical trials, CRM, operational activities, transactions and more. The real challenge for organizations today is to move beyond the data volumes and data storage obstacles to assess the true value of available data to reduce overall internal audit or compliance field work costs. The vast majority of enterprise businesses are faced with the challenge of decoding large volumes of homogenous, inconsistent, or inaccurate data — often referred to as “bad data.”

Industry analyst Doug Laney encapsulated the characteristics of big data using the three Vs — volume (the quantity of data), velocity (the rate at which data is generated and changed) and variety (the number of different data sources and types). Many are also adding characteristics such as “complexity,” “veracity” and “variability” to their understanding of the concept.

An accurate analysis of big data helps enterprises with better insights into their customers, market opportunities, growth prospects, and corporate performance. This strategic analysis of large volumes of data enables organizations to achieve higher-quality results in their own internal audit and compliance processes, thus enabling them to establish more effective governance, controls, and monitoring mechanisms.

With the skyrocketing number of transactions and evolving compliance requirements and regulations, big data analysis offers endless opportunities for enterprises to mitigate key governance, risk, and compliance issues. Just as big data analytics can lead to more targeted marketing initiatives by analyzing marketing program responses, supplier activities, customer demographics, and sales patterns, effective analysis of massive volumes of structured and unstructured data can also enable organizations in the Governance, Risk and Compliance (GRC) space to:

  • Develop strong risk intelligence to strengthen risk management and streamline regulatory compliance
  • Identify high-risk vendors/persons with multiple fraud risk indicators in accounts payable
  • Display travel and entertainment expenses of local office employees
  • Identify the best practices in the industry to effectively mitigate risks
  • Determine if control procedures are working effectively

Big data analysis should become a core component of every organization’s operations, performed on a continuous basis, spanning areas such as payment or billing transactions, payroll, social media analysis, sales, operational processes, and compliance. For many organizations, especially in highly scrutinized and regulated industries such as healthcare, finance, and insurance, big data analysis can support Enterprise Risk Management (ERM) by helping monitor risks involving loans, claims, and patient care procedures.

Simply stated, integrating big data analytics into an organization’s GRC methodology will help pave the way for a truly data-driven organization.


GRC And Social Media: Strategy For Success


Introduction

Social media remains one of the most talked about and used phenomena in this new age digital world. Today’s tech-savvy organizations are on the constant lookout for the latest social technologies that can help them gain a competitive advantage over their peers. The rise of popular social networking sites like Facebook, LinkedIn, and Twitter in the workplace has provided a big boost to the broader social media movement. In fact, an increasing number of organizations are harnessing the power of social media platforms and applications for both internal and external communications. Organizations, large and small alike, are leveraging powerful social media capabilities to share updates, curate content, and promote and showcase their products and services, as well as communicate with employees, media, partners, and their broader ecosystems.

According to the 2014 Social Media Marketing Industry Report, a significant 92% of marketers indicate that social media is important for their business, up from 86% in 2013. Nearly 89% of marketers want to know the most effective social tactics and the best ways to engage their audience with social media.

While a corporate presence on social media has become imperative for all organizations, it can also be a double-edged sword. It offers limitless opportunity for success, but if not used appropriately, it can cause irreparable disasters.

Risk Management in the Context of Social Media

While the benefits and value of social media are clear, risk management in the context of social media remains a more elusive, lesser known, and lesser understood facet. As an increasing number of organizations embrace social media tools for work-related purposes, new risks are presented. According to Gartner’s 2015 CIO Survey, 89% of CIOs agreed that the digital world engenders new, vastly different, and higher levels of risk.

According to a recent MetricStream survey report, in 70% of the surveyed organizations, the Marketing or Corporate Communications department is the core group responsible for monitoring and managing their company’s social media presence. Only 20% of organizations have actively involved their Governance, Risk Management, and Compliance (GRC) groups in social media monitoring. This poses a concern, as it indicates that companies are focusing more on the marketing aspects of social media, and not necessarily on the risks and compliance mandates surrounding it.

Effective Social Media Risk Management

Users of social media, along with the organization’s technology and broader GRC professionals, must understand the potential identity, security, compliance, and privacy threats arising from social media, so that they can design and implement the most efficient and effective risk mitigation and management strategies. All risks must be defined, analyzed, assessed, monitored, and managed as part of the organization’s overall GRC strategy.

Predictive analytics-driven systems can help organizations gain a better understanding of the risk landscape and all potential risks. Nearly 60% of the financial services companies who participated in the Deloitte 2014 Global Survey on Reputation Risk indicated that they invest heavily in monitoring various data sources, including traditional and social media data sources. Citing the sheer volume of social media channels and the number of ways people have the potential to use those channels to destroy shareholder value, Gartner Research Director John Wheeler writes that organizations can tackle these challenges by developing clear social media policies and training for employees, establishing a social media risk management function, and providing adequate technology capabilities to support social media risk management.

Turning to Technology

Today’s latest GRC technology platforms and solutions can provide comprehensive compliance frameworks that support real-time identification of content and conversations across social networks, with the capability to integrate “big social media data” into the organization’s existing compliance infrastructure. Cross-functional teams including IT, Marketing, Audit, Risk, Compliance, Sales, HR, and legal professionals must all understand the role they play in this ecosystem, and put the right controls in place to regulate the ways in which the organization communicates socially with employees, partners, investors, the media, customers, and the public at large via social media.

Keep in mind, social media conversations are not always happening solely on organizations’ own pages, but also elsewhere on blogs, forums, and other individual and company pages. Organizations will continue to be challenged when it comes to identifying all of the accounts and pages that should be monitored on a continuous basis. Given the rapid emergence of new sites, pages, and hashtags, the process of defining the scope and methodology of social media monitoring will only become more complex.

In today’s mobile world, employees and organizations at large have an incredible toolkit to share information at lightning speed. As social media usage and adoption continue to grow rapidly across all levels of the organization, technology providers must step up to the plate. With the help of the latest GRC technologies that leverage natural language processing and big data analytics, organizations can be equipped and empowered to effectively monitor and govern social media. The right teams, the right technologies, and the right strategies can help create a truly harmonized approach to social media risk management in a way that ensures adherence to regulatory, legal, and compliance requirements, while guiding risk management, and protecting the corporate brand and reputation.
