The Freedom of Information Act Reduces Vendor Management Risk
Steven Minsky | June 15, 2016
Does your organization rely on vendors or other third parties? In the likely event that it does, are your vendor risk management processes as thorough as they could be? When performing risk assessments of both current and prospective vendors, it’s difficult to ascertain that every variable has been accounted for. This is especially true for organizations like food and beverage companies; they receive ingredients that, if contaminated, can have serious (and sometimes fatal) effects on consumers.
The Freedom of Information Act allows companies to ask their third parties for specific information like plant conditions, processes, maintenance, and worker training. Doing so for prospective vendors is critical and usually standard procedure, but it’s also important not to neglect inspections of current vendors. Conditions constantly change, both for better and for worse, as demonstrated by recurring issues at a CRF Frozen Foods LLC factory.
Performing thorough risk assessments generates a lot of information and data. Sifting through all that information, which might come from inspections, questionnaires, or even service level agreements, requires robust vendor management software. Had the companies relying on CRF been using such a solution, they likely would have rejected the vendor. This would have prevented the national distribution of listeria-infected foods that sent eight people to the hospital, leaving two dead.
Problems at a CRF Frozen Foods Factory May Have Caused a Fatal Listeria Outbreak
Government inspectors found a series of recurring problems at a CRF factory, starting more than a year before the product recall following the outbreak. Three inspection reports, all released by the FDA, were published following a Freedom of Information Act request. Each report detailed sanitation concerns and issues with the facility itself.
A routine inspection (by the Washington State Department of Agriculture) in December 2014 “found a bin containing soapy water and dead insects near a spot where corn was handled, as well as a black residue on the ceiling.” Additionally, some areas where food was handled didn’t have access to hot water, “a violation that inspectors listed as critical,” according to The Wall Street Journal.
In retrospect, the factory conditions seem extreme enough to be anomalous. But just because red flags were raised numerous times doesn’t mean companies that relied on CRF were aware of them. This begs the question: what other suppliers are operating in suboptimal conditions, unbeknownst to customer organizations?
Had the FDA or CDC made discoveries extreme enough to warrant shutting down the factory, events would have panned out differently. As it was, the factory continued operating, leaving customers to do their own due-diligence investigations. The fact that the outbreaks occurred is sufficient evidence that customers’ vendor management processes either failed or weren’t robust enough in the first place.
The case also serves as a good example of why vendor risk assessments should not be a one-time, or even a once-in-a-while, affair. Subsequent inspections revealed that certain problems, like the ceiling, weren’t ever resolved. While other problems, like access to hot water, were solved, other problems – including a pipe leaking chlorinated water – started to pop up at different times.
The lesson here is that the status of any third party can change, from good to bad or bad to worse, and it’s necessary to implement appropriate vendor management procedures.