Risk Mitigation and Compliance Management Strategies - Tightly Intertwined but Very Different!

Brian Sharp
Contributing Writer
Ask the Expert sponsored by FoodSafetyTech

Melanie Neumann of Neumann Risk Services, LLC, (NRS) a global food safety and compliance law firm, shares her thoughts on the similarities and differences of risk mitigation and compliance management, as well as the year ahead and what companies should be focusing on with regard to these key risk management topics.

Q.  Risk Mitigation and Compliance Management are often grouped together – in your view what is the key distinction between the two?

A. The two are very much linked and very much codependent yet they are separate topics that need to be identified, implemented and managed differently. Independent strategies need to be put together that are different, separate and apart based upon a company’s strategy and risk tolerance. For example, risk mitigation is something that is active, something that you want to use a very active voice with and take action steps against a well-laid out plan. In short, risk mitigation is the action and act of identifying what your risks are and taking active steps to reduce or eliminate those risks or adverse effects.

How does this compare to compliance management? Compliance management is more of an umbrella program management term -  think of it as programs and systems that need to be completed based on standards and policies - ones that are both internally driven or externally driven - by regulations for example.

Q. What risk mitigation approach is most realistic, and typically deployed by the food & beverage industry?

A.  With risk management, there are 4 types of risk mitigation strategies that are typical. I’ll break down to how you can manage risk very simply – 1) avoid it,  2) limit it,  3) transfer it, and  4) if you can't do any of these 3, you can accept it.

Risk avoidance is clearly the opposite of risk acceptance, that is the action that you are going to avoid any risk exposure. Risk avoidance is usually the most expensive as well as it is a rarity in the food industry because there is simply an inherent risk involved in manufacturing food. If you try to manage all your risk to zero in the food industry you likely won’t be in business for long.

We always hear the phrase, "You can't reduce your risk to zero in the food industry" and often times that is very true - so what are your other options? You can either limit your risk or you can transfer your risk. In the day to day practicality of making food, those are the two risk mitigation options that we are left with in the food industry. It is usually a combination of these risk mitigation strategies and sort of averaging them out that most companies end up utilizing to manage all the risks they must contend with in the reality of making food. 

Q.  How does your risk management strategy tie into compliance management?

A. Tying it together, risk management identifies the risk, and establishes a way to manage that risk appropriately. Compliance management is assessing whether the process of managing that risk is actually working the way you intended it, and is meeting laws or regulatory requirements if there are any that apply.

Most companies have developed some sort of compliance management program - think of enterprise risk management (ERM) or corporate internal audit programs. In its basic form a compliance management program is a process or system to be able to help a company understand from a risk management perspective how well they are managing risk on an ongoing basis and whether they are complying with internal and external requirements. Internal requirements may be a company policy or SOP; external requirements may be a state OSHA law or a federal food safety regulation.

This process makes sure that on an ongoing basis they can tell some “power that be”, whether it’s a board of directors, audit committee or the FDA or USDA, that the company is "compliant", based on established criteria, requirements and metrics.  

Q.  What are some of the key risk mitigation and compliance management considerations and initiatives companies should be thinking about in 2017?

A.  As companies continue to develop and execute upon their risk mitigation and compliance management strategies – they should be focusing on: 1- Showing your work; and 2 – leveraging your data for positive outcomes.

1-  Show your work!

Reflecting back on my 5th grade math class, I remember not getting a 100% on my math test because I wasn't showing my work, only the answer.  I would get into major arguments with the teacher because I got the right answer! So why should I have to show my work?!

I think about this analogy when it comes to risk mitigation and ensuring compliance. Companies need to show their work to get full credit for compliance, so you don't go down to 95 percent like I did in math class . You did the work, so show it. Document your hazard analysis.  Show you know what ingredient or which supplier is high risk, and show the assessment of why.  What criteria did you use to assess your risks?  If there was a food safety issue or investigation, document your investigation and what you did to resolve it. This is going to be very important going forward.  In the eyes of the regulators, auditors, litigators and consumers - if it is not documented it didn’t happen.  Show your work. But be careful how much and not to speculate or make admissions against your interest while you do.

2-  Leverage your data for better outcomes

Don’t just set and forget.  Verify, regularly, that your risk mitigation strategies are working! Making needed adjustments based on periodic review and feedback is key.

This is where it ties back to risk management and the co-dependencies between the two. The risk assessment is very important - in understanding where risk is.  This is the process of determining how to assess the risk of a given hazard, such as asking what factors do I weigh? What criteria do I use? This is all very important to an effective risk assessment, but running through the motions of a risk assessment and stopping there is only part of the story, and does nothing to actually manage risk.

What is equally as important is monitoring performance on an ongoing basis, leveraging the food safety data being captured throughout your operations and from suppliers on an ongoing basis to track performance and determining risks on an ongoing basis. This is the act of risk management.

I think these two items are really going to be key in the future and unless you have a data management system to support your compliance management program you will have a hard time handling effectively internal and external risks that need managing, including the ad hoc risks that arise.

Q. Any parting thoughts on what you’ve shared today?

A. Right now, frankly, the stakes are higher than ever.  Liability concerns are greater than ever, too.  “Knowledge” is being imputed on companies more than ever before for food safety issues that occurred in the past and rear its head again in the future.

“Knowledge” is being imputed as willfulness or an intentional act that you might be letting a systemic problem in your food facility keep occurring and it's argued that there is a duty if you have this “knowledge” to do something and to act on this knowledge according to regulators and the Department of Justice.  I agree that if a company knows they have LM in their finished product they should recall it from the marketplace.  I question whether finding LM in a zone 3 environmental should constitute “knowledge.”  I am not the judge nor jury, and all I can suggest is that companies understand the risks are changing, and should know what is going on and take action on it, instead of repeating or letting suppliers repeat the same offense over and over again, if not ... you may be the one left holding the bag.

Thank you Melanie for sharing your insights!  To learn more about Neumann Risk Services, please visit:

Want to learn how SafetyChain’s solutions can help you more effectively reduce risk and ensure program compliance?