Disaster Due Diligence March 27, 2009

Food safety

 
HEADLINE: President promises to bolster food safety

SUMMARY:  President Obama announced the creation of a Food Safety Working Group, which will oversee the coordination across federal agencies, to improve the country’s food-safety system. Each year, approximately 76 million people in the United States are sickened by contaminated food and about 5,000 die. Last year, the FDA inspected only 7,000 of the country’s 150,000 food processing facilities.

STORY LINK: http://www.nytimes.com/2009/03/15/us/politics/15address.html

ANALYSIS: President Obama’s desire to improve food safety is an admirable goal and one that should be supported by all Americans. Many believe that creation of a single food agency would eliminate the majority of food contamination cases that sicken thousands every year. But is the core issue the fact that two major federal bodies, FDA and USDA, oversee the bulk of food safety? Or are the problems inherent in the food processing and handling system itself, and immune to what agency may have oversight? 

Mr. Obama is plowing some old ground. The GAO issued reports to Congress recommending changes to the food safety system as far back as 1992. They did so again in 1994 (two reports), 1998, 1999 (two reports), and continued to do so until just recently. Other presidents have also created food safety advisory groups. Yet, Congress and presidents have failed to provide agencies even the basic power to demand and force a recall of products deemed unsafe for human consumption. 

Congress continues to divide food safety authority for political purposes rather than concerns over safety. In the last Farm Bill, Congress moved inspection authority for a single species of fish from FDA to the Food Safety Inspection Service (FSIS) of USDA. Prior to this date, FSIS only inspected meat, poultry and egg products. Now they must inspect a single species of catfish whether it originates in Cambodia, China or Mississippi. This is not a rational use of resources or a promotion of food safety. President Obama could begin improving food safety by eliminating these Congressional mandates that do everything to protect certain American political constituencies and less to protect consumer health.

Other countries have created single food agencies with mixed results. The European Food Safety Authority is routinely ignored by European politicians and scientists alike. Japan also has a single authority, but contamination of the food supply continues. The new China single food safety authority has yet to be challenged.

How would a single food safety agency operate and would it improve safety? And what are the costs? Often it is assumed that FDA would control a single food agency. Yet only USDA has inspectors in every processing plant during operations while FDA may visit a facility once a year. So, mandated inspection for every plant during processing would swell the FDA budget by billions. Third-party private inspection is no panacea, as was seen in the recent peanut problem. A major U.S. third-party food-safety certifying entity gave the peanut plant a clean bill of health just weeks prior to the outbreak (and while the plant was running contaminated product). Risk based inspection has been fought by consumer groups and food irradiation is a political “no-man’s land”. 

So what should be done? There are several ways to improve food safety without tearing apart the positive aspects that our current awkward system has amassed over the 100 years of food safety enforcement.

First, listen to the scientists rather than the politicians. Do not force agencies to inspect specific foods, domestic or imported, to protect a voting bloc. Inspect for safety, not political results.

Second, consumers are often the primary source of food contamination, so work to assure they understand safe food handling and cooking processes prior to dismantling a federal agency.

Third, provide FDA and USDA with authority to mandate recalls when a product is dangerous for human (or pet) consumption.

Fourth, strengthen current inspection services. The government must be willing to hire and pay for trained food safety scientists.

Fifth, be honest about the costs and time in examining food imports. Is Congress willing to undertake the costs for such inspection? Are consumers? Will they do so without undue restrictions to trade? 

Sixth, if you want a single agency, go slowly. Take fish inspection (as well as some pet food and animal feed inspection which contain fish products) out of the Department of Commerce and give it to FDA or USDA. See what efficiencies are gained. Move oversight of alcohol and tobacco production and consumption to FDA and out of the Department of Treasury. See what efficiencies are gained. 

Seventh, ask the tough questions. Do consumers want federal scientists who register and approve a pesticide or herbicide to be in the same agency that dictates what products are “safe” to consume? That is, will political pressure be more easily applied to a single agency to serve the consumer, the producer, the processor or the marketer? Or is a system of agency checks and balances a better approach?

After the above steps are taken, then one can make a rational determination as to whether a single agency will improve food safety and reduce illness and death from contaminated foods and better serve the tax-paying public.

-- Richard Fritz, Firestorm Expert Council member

Workplace safety

HEADLINE: New ISO standard for building escape and evacuation plans published

SUMMARY: The International Organization for Standardization has released new evacuation standards to better ensure the safety of a building’s occupants. Improved training and education are recommended to reduce possible confusion in reading signs and understanding plans in times of emergency.

STORY LINK: http://www.continuitycentral.com/news04463.html

ANALYSIS: Anyone may need to evacuate. Predict: Fire, workplace violence, storms, earthquakes, accidents, flooding or other events make it a reality. At minimum, every business needs a fire evacuation plan and drill annually. OSHA, fire departments, and city/county codes require it. These all serve as notice to organizations. Do you have a plan? Plan: ISO has a new standard. The best practices are now clear. Have you done a benchmark/gap analysis of your evacuation plan? Does your plan meet or exceed the standard? Perform:  Training and exercises are required. Do you train your employees annually? Do you test your plan at least annually?

Failure to plan means the business judgment rule does not apply. In addition, you could potentially lose your corporate protection and insurance coverage. But, even worse, how will you explain to a family member that their relative died because you did not plan?

-- Jim Satterfield, Firestorm President/COO

Cyber security

HEADLINE: Will al-Qaeda’s next attack on America be a cyber attack?

SUMMARY:  One of the first principals of warfare is to strike an opponent at its weakest point and today the world’s weakest points are its financial infrastructures and markets, warns cyber security expert Dr. Jim Kennedy. Many al-Qaeda operatives and future recruits are educated at prestigious universities across the U.S. and world, so knowledge of financial institutions and systems or technical knowledge is no barrier.

STORY LINK: http://www.continuitycentral.com/feature0653.html

ANALYSIS: While I would never want to underestimate al-Qaeda as an enemy, there is more being done by the financial sector to protect the physical and information structure than is referenced in the article.

Along with the list of government agencies enumerated by Dr. Kennedy, there is another organization that plays a vital role protecting the financial services sector – the Financial Services Information Sharing and Analysis Center (FS-ISAC).  Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998's Presidential Directive 63. That directive - later updated by 2003's Homeland Security Presidential Directive 7 - mandated that the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the U.S. critical infrastructure.

The government takes a dim view of large corporations getting together behind closed doors to exchange information.  But in the case of ISAC, it was recognized that an attack on any one financial institution or a financial intermediary (such as a stock exchange or a commodity exchange) would have a devastating ripple effect throughout the industry. 

In fact, depending on how you define “cyber attack,” those events happen daily, indeed hourly. 

Financial institutions and their service providers are constantly being probed by malware and hackers eager to exploit their defenses, and are among the best in the industry in defending against those attacks.  Through the FS-ISAC, that information is shared among members so everyone can be made aware that, for example, sites originating from a certain location are launching denial-of-service attacks, or are probing firewalls, or there is a pattern of phishing attempts purported to be from a bank, the IRS, or the Chamber of Commerce, to name some recent actual events.

The FS-ISAC also has considerable contact with the Department of Treasury, the Secret Service, the Department of Homeland Security, the FBI, and a variety of regulatory agencies and associations. This is a public-private partnership at its best.  The information exchanged among these constituents is considerable, and they have been critical in preventing a number of events that could have had a crippling effect on our financial infrastructure. 

I am concerned about any diminution in funding our defenses against an implacable enemy like al-Qaeda or any other foe.  But the government is not the only line of defense we have.

For more information, visit www.fsisac.com and www.isaccouncil.org. 

-- Ted Hansen, Firestorm Expert Council member

Business continuity

HEADLINE: Overcoming silos seen as biggest challenge to effective enterprise risk management programs

SUMMARY: A study on enterprise risk management conducted by Marsh Inc. and Governance Metrics International revealed nearly half of the companies surveyed cite a lack of integration and overcoming corporate silos as the biggest challenges to their programs. This was found to be primarily because of ineffective communication between a risk department and the rest of the company.

STORY LINK: http://www.continuitycentral.com/news04464.html

ANALYSIS: Information is power, in life and a company. It is counter-intuitive that departments, divisions and subsidiaries do not openly share information regarding plans and procedures. Firestorm regularly conducts surveys of organizations as a part of any analysis or planning process. On almost every occasion, we find 60-80 percent of employees unaware of plans. In reviewing crisis management for a global pharmaceutical company, every country and division stated that they would manage the crisis within their local organization and follow the corporate plan to follow instructions from a centralized corporate crisis management structure.

Chaos results quickly because of lack of information or conflicting authority.  Firestorm

recommends a local decision authority for quickly developing issues and a centralized command structure for developing exposures. Even in a rapidly developing crisis, coordination with a centralized command structure must occur as soon as possible. In any event, all personnel involved in crisis management must be trained regardless of level and structure. All should be exercised annually. All must share information for plan development.

-- Jim Satterfield, Firestorm President/COO