We use cookies and other similar technologies (Cookies) to enhance your experience and to provide you with relevant content and ads. By using our website, you are agreeing to the use of Cookies. You can change your settings at any time. Cookie Policy.

Manage Tomorrow's Surprises Today

Steven Minsky

The Freedom of Information Act Reduces Vendor Management Risk

Vote 0 Votes
Glasses and Desk.jpg

Does your organization rely on vendors or other third parties? In the likely event that it does, are your vendor management processes as thorough as they could be? When performing risk assessments of both current and prospective vendors, it's difficult to ascertain that every variable has been accounted for. This is especially true for organizations like food and beverage companies; they receive ingredients that, if contaminated, can have serious (and sometimes fatal) effects on consumers.

The Freedom of Information Act allows companies to ask their third parties for specific information like plant conditions, processes, maintenance, and worker training. Doing so for prospective vendors is critical and usually standard procedure, but it's also important not to neglect inspections of current vendors. Conditions constantly change, both for better and for worse, as demonstrated by recurring issues at a CRF Frozen Foods LLC factory.

Performing thorough risk assessments generates a lot of information and data. Sifting through all that information, which might come from inspections, questionnaires, or even service level agreements, requires a robust vendor management solution. Had the companies relying on CRF been using such a solution, they likely would have rejected the vendor. This would have prevented the national distribution of listeria-infected foods that sent eight people to the hospital, leaving two dead.

Problems at a CRF Frozen Foods Factory May Have Caused a Fatal Listeria Outbreak

Government inspectors found a series of recurring problems at a CRF factory, starting more than a year before the product recall following the outbreak. Three inspection reports, all released by the FDA, were published following a Freedom of Information Act request. Each report detailed sanitation concerns and issues with the facility itself.

A routine inspection (by the Washington State Department of Agriculture) in December 2014 "found a bin containing soapy water and dead insects near a spot where corn was handled, as well as a black residue on the ceiling." Additionally, some areas where food was handled didn't have access to hot water, "a violation that inspectors listed as critical," according to The Wall Street Journal.

In retrospect, the factory conditions seem extreme enough to be anomalous. But just because red flags were raised numerous times doesn't mean companies that relied on CRF were aware of them. This begs the question: what other suppliers are operating in suboptimal conditions, unbeknownst to customer organizations?

Had the FDA or CDC made discoveries extreme enough to warrant shutting down the factory, events would have panned out differently. As it was, the factory continued operating, leaving customers to do their own due-diligence investigations. The fact that the outbreaks occurred is sufficient evidence that customers' vendor management processes either failed or weren't robust enough in the first place.

The case also serves as a good example of why vendor risk assessments should not be a one-time, or even a once-in-a-while, affair. Subsequent inspections revealed that certain problems, like the ceiling, weren't ever resolved. While other problems, like access to hot water, were solved, other problems - including a pipe leaking chlorinated water - started to pop up at different times.

The lesson here is that the status of any third party can change, from good to bad or bad to worse, and it's necessary to implement appropriate vendor management procedures.


Visit our website to learn more about implementing a healthy vendor management solution that helps you uncover risks before they become incidents.

Leave a comment

In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc. the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.

Recently Commented On

Monthly Archives