Every week, every month, every year we are confronted with news of recalls, of consumers getting sick or even dying because of unsafe food. This news comes from all over the world and includes all kinds of products and organizations. Note that this is not a problem confined to less developed countries or small to medium-sized (SME) food establishments!
When crises arise, organizations don’t always react as they should. One of the problems is that organizations don’t have effective “processes in place to handle and withdraw/recall potentially unsafe food” (that is one of the expectations for organizations with a certified Food Safety Management System, more on this below). Still, there is another problem in organizations that have food safety standards in place (and sometimes more than one): top management in some organizations starts to look for someone to blame! In their minds, “they are paying for a professional to manage food safety, paying for external audits, paying a certification body, and they have a certificate on the wall!! After all, who is doing a bad job? Who missed something?”
From experience, unfortunately, in some cases someone loses their job after a crisis. Without disregarding that some individual errors may be the cause of a crisis, it is important for top management to understand what Food Safety Management Systems are based on and what to expect from them.
In this regard, the recently published ISO document “Expected outcomes for certification to ISO 22000, a Food Safety Management System (FSMS)” can be a good document to help food safety professionals implement and manage an FSMS, and also to help Top Management understand exactly what is expected and what a certification to ISO 22000 does not mean.
Below we share some takeaways from the document, but we strongly recommend downloading the full version from the ISO website. You should also share this with your Top Management, as it was written with them in mind.
Who is the intended audience for this document?
This publication is for leadership.
For the average food safety professional, this will be information you already know, and your first impression might be to wonder whether or not this is needed. However, for senior management this is a healthy reminder of what certification to ISO 22000 means and what certification to ISO 22000 does not mean.
Why is this important?
There are many instances, typically during a food safety crisis, e.g. a product recall, where a CEO may start asking questions like “why are we having a recall if we have a certificate on the wall” and “why are we paying a certification body if we still get recalls”, and in some cases the CEO will say “I want the auditor fired” or “I want to change the auditing company we use!”
Sadly, these are real-life examples where the CEO was not made fully aware of what certification can or cannot do. Certification is not a bulletproof vest or a guarantee. A third-party audit is only one performance measure, when so many other performance measures are needed for monitoring the robustness of your FSMS.
What can an organization do with this document?
As an organization, you can review the publication and decide whether or not you have sufficiently documented expected outcomes for your FSMS.
A management system standard (MSS) has an expected outcome. For example, at the highest level, an ISO 9001 Quality Management System “aims to enhance customer satisfaction.” For ISO 22000, the expected outcome is “to provide assurance to its customers that the food is safe and thus enhance its customer trust.”
So, we have different outcomes: satisfaction vs. safe food and trust. In this example, different functions within an organization are looking for different expected outcomes. In the food supply chain, the key is to understand the expected outcome of the individual management system, and then to consider not just an expected outcome for a function within an organization but what a successful outcome is for the consumer. When you look cross-functionally within your organization and put yourself in the shoes of the consumer, you avoid unintended consequences and system failures.
Expected outcomes can then be documented in your food safety or quality policy. This can go beyond an expected outcome that is safe food for the consumer. Other examples of expected outcomes for a food safety or quality policy could be zero defects, no waste, personal development, 100% compliance with regulatory and clients’ requirements, and everyone’s commitment to cultivating a positive food safety culture.
Finally, it must be the CEO who signs off on the Food Safety or Quality Policy. Top management must be accountable for safe food. When a recall occurs, the CEO and top management will be less likely to play the blame game or fire the auditor!
The document presents what certification to ISO means. Some examples of what the organization must demonstrate are presented in the illustration below.
As important as what it means is what it does not mean. In this regard, it is paramount that Top Management understand that having a certificate on the wall does not mean that:
- The organization will never face a recall
- The product is certified. ISO 22000 requires the development and management of a management system; it is not a “product certification”
- You won’t get a fine for not complying with regulatory requirements. ISO 22000 requires compliance to regulatory requirements (and that should be verified by an accredited certification body) but it does not guarantee its oversight
Do you have an outcomes-focused audit process for your Food Safety Management System (FSMS)?
In some organizations the answer is no. This is because they have adopted a prescriptive approach to food safety, relying upon a list of requirements that are ticked off in a checklist, with the exact same set of requirements audited every year, without fully undertaking a risk-based approach in the audit process.
An outcome-based audit process will consider the following:
- Defining / mapping expected outcomes e.g. using Turtle or SIPOC diagrams
- Identifying outcomes where the expectations (or requirements) are not met
- Analyzing these outcomes using appropriate tools, e.g. 5 Whys, cause and effect, fishbone, etc.
- Non-conformities / opportunities for improvement
When expected outcomes are defined, the audit process works backwards. You start with the output and work your way back. Understand what is happening by asking the “who”, “why”, “when”, and “where” questions.
An outcome-based audit process can identify potential systemic failure causes, which include:
- miscommunication
- lack of awareness / competency
- conflicting priorities
It is important to note that systemic failures are typically not identified when organizations have adopted a prescriptive approach, only using a checklist to perform an audit. This could result in an organization stopping at conforming to the requirements of a standard.
This is not enough. As leadership is often distracted with other operational priorities, they may pay less attention to food safety. This means risk increases as attention decreases, to the point of system failure and, in some cases, a food safety recall. Therefore, the goal of an outcome-focused approach is to go beyond conformance and compliance and build upon this, driving effectiveness and efficiency. This performance mindset will, over time, reduce complacency in the organization and keep it focused on delivering against its expected outcomes for safe food.
Disclaimer: The information contained in this article is based on research done in the last months and the authors’ personal experience and opinion. It is not intended to represent the view of any organization they work for or collaborate with. The authors will not be held liable for the use or misuse of the information provided in the article.