Michael Causey, Editor & Publisher, eDataIntegrityReport.com
The FDA continues to signal that food enforcement is back in fashion.
Last week, at a press-only briefing, the agency tried to demonstrate its proactive side, saying it was “taking steps to protect the public following the early identification of Salmonella Tennessee in one company’s supply of hydrolyzed vegetable protein (HVP).” Also last week, the agency issued an open letter to the food industry calling for more transparent product labels.
So what’s it all mean?
We spoke recently with Kim Egan, partner in the law firm DLA Piper’s Product Liability practice, and a regular source for us on these and other FDA-related matters.
“The food industry is facing a “perfect storm” — high-profile food-borne illnesses continue to plague the global supply chain, prompting President Obama to create the Food Safety Working Group, and the First Lady has declared war on childhood obesity, including a focus on food industry marketing to children, “junk” food in public schools, and the nutritional content of school lunches,” Kim points out.
I happened to see the harrowing film “A Perfect Storm” at my sister’s house last week, and if I were an official in the food industry, an expert like Kim using “Perfect Storm” and “Food Industry” in the same sentence would get my attention.
Kim notes that President Obama said in a March 2009 weekly radio address that “At a bare minimum, we should be able to count on our government keeping our kids safe when they eat peanut butter. That’s what Sasha eats for lunch.”
The Executive Memorandum announcing the First Lady’s Let’s Move campaign said that “[n]early one third of children in America are overweight or obese — a rate that has tripled in adolescents and more than doubled in younger children since 1980.” “Taken together, the new Administration’s focus on food has in turn pushed FDA to renew efforts to improve food safety and more aggressively enforce existing food labeling regulations,” Kim adds.
It’s all part of a more active FDA across the board, Kim notes.
“FDA has stepped up enforcement of existing regulations. In August 2009, FDA reorganized its food oversight function and moved the Office of Foods into the Office of the Commissioner, giving food safety and food manufacturing enforcement greater visibility. FDA appears to be focusing particularly on health claims made by food manufacturers, such as its recent warning letter to General Mills that it had no scientific evidence to support cholesterol claims on Cheerios cereal,” Kim adds.
As Kim explains, FDA said that the General Mills claim that Cheerios reduced cholesterol meant that General Mills was advertising Cheerios as a drug, and an unapproved one at that. FDA has also been focusing on health claims made by dietary supplements, the most notable examples of late being dietary supplement products that purported to be effective against the H1N1 virus. There is an effort underway to improve front-of-label nutrition information for all food packages, and Senator McCain introduced legislation in February 2010 to strengthen FDA authority to regulate dietary supplements.
Congress has had food safety legislation in the works for a couple of years now. Highlights of that bill include:
- The Food Safety Modernization Act that is now making its way through Congress will require foreign suppliers to use “risk-based reasonably appropriate preventative controls” to prevent adulteration and reduce hazards.
- FDA would be required to implement new food safety regulations within a year of enactment. FDA would also have two years from enactment to “expand the technical, scientific and regulatory capacity of foreign governments,” which could include multilateral agreements and international harmonization of the Codex Alimentarius. FDA would also be required to expend resources on foreign inspections.
- Having said that, however, the majority of food-borne illness outbreaks since 2006 have been caused by domestic products or other products from North America, including fresh spinach, peanuts, jalapeno peppers, and tomatoes.
“In short, we can expect further pressure on food manufacturers to improve quality control,” Kim says. “We can also expect continued pressure on food manufacturers to adhere strictly to promotional and nutritional labeling requirements, and we can expect those requirements to change in some possibly meaningful respects in the coming years.”
For more information, request “The New FDA Drive for Food Safety” paper here:
Risk management is one of those terms that is often used a bit too loosely, warns AssurX’s Sal Lucido. “People say ‘risk management’ but it can mean very different things to people working at different parts of a company.”
For example, the finance and accounting department focuses on documenting and managing risks associated with business financial transactions and reporting as governed by Sarbanes-Oxley (SOX). The information technology group (IT) focuses on cyber security risks, which involves processes such as identity and access management, threat and vulnerability management, and configuration control. The regulatory compliance group is concerned with meeting the government regulations, laws and standards applicable to its industry. For example, medical device companies must meet regulations imposed by the FDA regarding such activities as quality and incident management. Energy companies must abide by national and state mandated regulations established by NERC, FERC and their respective regions. Noncompliance can lead to fines that sometimes total in the millions.
Across these industries “the Federal Government is actively auditing and levying large fines for those companies found to be out of compliance. The bar is being set higher each year and the penalties are becoming more severe.”
“Having a risk management system that is managed on paper and spreadsheets is just not going to cut it anymore.”
Sal has helped dozens of regulated companies in industries ranging from utilities to medical device manufacturers to better manage their corporate risk data and processes. And he’s observed that they have a lot in common when it comes to handling risk management. Based on his years of experience with many different firms working to address risk, he has some valuable observations and advice.
Across the board, “what we’ve been finding is that information associated with risk management is rarely made available to the departments that need access to it. For example, if the audit department had access to the identified risks and their risk levels, they could use this information to plan their audit activities aiming audits at those that pose the greatest liability to the company. ”
Companies are now looking for tools that “allow for secure collaboration” so that the risk information and data is readily available for all those who need to access it.
“Because each of these departments already has their own processes,” companies are looking for applications that allow each group to maintain its own forms and workflows. “It’s critical to have an application that provides processes unique to each group while harmonizing the underlying data” so that each group can access what it needs, when it needs it.
The other trend we are seeing is that companies are looking to move beyond just documenting risks and listing mitigation efforts. They are looking for enterprise applications that can manage the associated business processes. For example, risk assessment and mitigation efforts are tasks that need to be assigned to individuals or teams, with due dates and status updates. To ensure projects stay on track, there is a need for escalation functionality that automatically emails the appropriate personnel when tasks become due and go late. These activities also have associated workflows and approval routings that need to be managed via software. Of course, this type of functionality goes well beyond the capabilities of simple risk tracking software and spreadsheets.
The other need we are seeing is related to reports and dashboards. Department and process managers are looking for reports that show risk levels, heat maps, late reports and so forth. The executive staff is looking for enterprise dashboards that report on the state of compliance throughout the organization using easy to read traffic light and gauge or thermometer formats.
Finally, the solution should also be flexible enough to integrate with data and systems that are already being used within the company. For example, if a system is already being used to document the status of key risk indicators (KRIs) such as violations or incidents, “that data should be reported within (and accessible from) the risk management system.”
In conclusion, managing risk across the corporation means something different to each department yet it requires the entire organization to work together. It involves documenting and sharing risk data across the enterprise, managing workflows and tasks, while handling escalation and reporting. Yes, risk management has matured beyond the spreadsheet.
Sal Lucido is VP of Enterprise Solutions at AssurX, Inc.
In the IT world, there is always that security pendulum that seems to swing either toward ease of use or toward restrictive control. Users typically tend towards the “ease of use” end of the spectrum, because who wants to remember yet another password? And who wants to install complicated VPN software or jump through extra authentication hoops? Conversely, IT folks (like me) tend to believe in restrictive control: passwords as complicated as possible, extra authentication hoops, and logging everything that happens over an established connection.
With the advent of SaaS (Software as a Service), security becomes all the more critical, both for the user of the service and for the administrator of the environment providing that service. The beautiful thing about SaaS offerings like CATSWeb is that they are completely web based through HTML. This makes life much easier for all parties. From the user side, CATSWeb requires no special VPN software, nothing downloaded to the client computer and no local certificate store to verify a user’s identity: only a web address and a password. From the IT standpoint, all machines involved in providing CATSWeb SaaS are completely locked down to two ports of traffic, an IT dream come true. Users come into a hosted CATSWeb environment via either HTTP (port 80) or HTTPS (port 443). For securing a server to the world, only having to deal with two ports is about as simple a scenario as exists in the IT industry.
Because CATSWeb traffic is only on two ports, our servers are locked down completely, with those two ports monitored constantly through the firewall, protected by live-scanning anti-virus solutions and safeguarded by managed intrusion detection systems (IDS). Add to that the fact that all web traffic is logged from start to finish, and you’ve got as bulletproof a server system as can be found. And then we get to CATSWeb itself.
Within CATSWeb, AssurX has included additional security tools to ensure that your data is safe. First, each customer company has its own unique, individual database, not shared with anyone else. If a customer chooses to require SSL for accessing its CATSWeb database, all traffic to and from that database is encrypted. System access is automatically logged for easy review, including the IP address from which the traffic originated.
The rest we leave up to users. I guess that’s where CATSWeb SaaS becomes a two-pendulum system. The “server security pendulum” we’ve chosen to swing as far toward restrictive control as possible. The “user access pendulum” we leave to the users of CATSWeb. An administrator in a CATSWeb system can set their own requirements for passwords for their users, establish their own session parameters such as session length and inactivity timeouts and much, much more. This will allow any given SaaS CATSWeb system to have security anywhere along the user access pendulum, from easy to restrictive, based on what your requirements are.
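To make the “user access pendulum” concrete, here is an added example (not CATSWeb’s code, and the policy values, class names and the sample IP are assumptions) of the two session parameters the paragraph mentions, an absolute session length and an inactivity timeout, together with a password-complexity check and the kind of access log line that records the source IP. Settings can be swung toward either end of the spectrum by changing the policy values.

```python
import re
import time
from dataclasses import dataclass


@dataclass
class AccessPolicy:
    """Administrator-chosen settings. These values are assumed examples,
    not CATSWeb defaults; a stricter or looser policy just changes them."""
    min_password_length: int = 12
    require_mixed_classes: bool = True    # lower, upper, digit and symbol
    max_session_seconds: int = 8 * 3600   # absolute session length
    idle_timeout_seconds: int = 15 * 60   # inactivity timeout

    def password_ok(self, password: str) -> bool:
        """True if the password meets the length and character-class rules."""
        if len(password) < self.min_password_length:
            return False
        if self.require_mixed_classes:
            classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
            return all(re.search(c, password) for c in classes)
        return True


@dataclass
class Session:
    user: str
    source_ip: str     # recorded so the access log can show the origin
    started: float     # epoch seconds when the session was created
    last_seen: float   # epoch seconds of the last request


def check_session(policy: AccessPolicy, session: Session, now: float) -> str:
    """Return 'expired' when the absolute length is exceeded, 'idle' when the
    inactivity timeout is exceeded, otherwise 'ok' (and refresh last_seen).
    The absolute limit is checked first so activity cannot extend it."""
    if now - session.started > policy.max_session_seconds:
        return "expired"
    if now - session.last_seen > policy.idle_timeout_seconds:
        return "idle"
    session.last_seen = now
    return "ok"


def log_line(session: Session, status: str, now: float) -> str:
    """One access-log entry including the originating IP, as the text describes."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return f"{ts} user={session.user} ip={session.source_ip} session={status}"
```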