Review of The GFSI Food Fraud Prevention Compliance Development & Requirements: Part 2 – The Shift to Prevention and VACCP

This is the second of three reviews of ‘The GFSI Food Fraud Prevention Compliance Development & Requirements.’ Expanding on GFSI recognition of food fraud as a problem, this blog reviews the start of food fraud research and the shift to prevention and vulnerability assessments in VACCP.

Reference: The GFSI Food Fraud Prevention Compliance Development & Requirements: A Ten-Year Review (Revision3, Accepted), Published online 27 July 2023, URL:

The article was published in July 2023 and covers a review of the previous ten-years of GFSI activity regarding food fraud prevention. The GFSI compliance requirements were published in February 2017 and required in January 2018, but GFSI started five years earlier with the creation of the GFSI Food Fraud Think Tank in July 2012. This three-part series will start with the overview, then the compliance requirements of VACCP and TACCP, and then present lessons learned from other disciplines that created the GFSI food fraud prevention requirements.


From Page: 768 to 770

The GFSI Food Fraud Development History

New compliance requirements or management mandates do not just magically appear. Also, preventing every type of risk or vulnerability is impractical, especially for those without high-stakes incidents yet. The start of GSFI’s focus on food fraud began with a series of related events (Table 3). Food fraud incidents such as Sudan Red and melamine in infant formula and pet food were recognized as serious and costly food industry events (2004 to 2007). There was an awareness that the current systems were reactionary and not focused to reduce the root cause – the then-current food fraud management was “just to catch food fraud.” At the same time, scholarly research and publications had started to explore the quality management concept of root cause analysis from criminology, enterprise risk management, and supply chain perspectives.

The GFSI Board of Directors considers new or emerging topics and food fraud is a new problem.

In July 2012, the GFSI Food Fraud Think Tank conveners and executive sponsors were GFSI Board Members Yves Rey (GFSI Board and Danone) and Frank Yiannas (GFSI Board and Walmart) (Figure 2). The think tank Chair was Petra Wissenburg (Danone), with support from Michelle Lees (Eurofins), Mitchell Weinberg (Inscatech), and John Spink (Food Fraud Prevention Academy & Michigan State University). Later the team expanded to include Faycal Bellatif (Eurofins) and Aldin Hilbrands (Ahold Delhaize). The team was chartered to review a series of questions and present findings to the GFSI Board of Directors.

The project changed intensity and focus when six months into the GFSI FFTT project, in January 2013, the horsemeat in beef food fraud incident occurred. After the horsemeat incident, everything shifted from ‘what is food fraud’ to serious consideration of ‘how GFSI should address food fraud.’ (GFSI FFTT, 2013) The GFSI Food Fraud Think Tank report from December 2013 was the foundation for the GFSI Food Fraud Position Paper published in July 2014. (GFSI, 2014) The Position Paper announced and outlined the new food fraud prevention requirements in the following published GFSI Benchmarking Document.

From the GFSI Food Fraud Position Paper: (GFSI, 2014)

“GFSI POSITION: The GFSI Board has decided to follow the recommendations of the Food Fraud Think Tank and proposes to incorporate the two food fraud mitigation steps in the form of two new key elements in the GFSI Guidance Document to:  1. Require a company to perform a food fraud vulnerability assessment, and 2. Have a control plan in place.”


A key outcome of the GFSI Food Fraud Think Tank was the recommendation for three separate assessments for food safety (HACCP, hazard analysis, and critical control point plan), food fraud (VACCP, vulnerability assessment, and critical control point plan), and food defense (TACCP, threat assessment, and critical control point plan). HACCP has been widely adopted to address food safety issues successfully and efficiently. TACCP was created in the U.K. Publicly Available Standard 96 (PAS96) Guide to protecting and defending food and drink from deliberate attack. (PAS 96, 2017) PAS 96 was created in 2008, focusing on physical security and the more traditional food defense scope. Food defense is generally defined as “an intentional act with the goal to cause public health harm, economic loss, or terror.” (Spink & Moyer, 2011) The 2010 version did not mention food fraud or economically motivated adulteration but did have a case study on the Sudan Red food fraud incident.

Then building on the HACCP and TACCP programs and general standard operating procedures, it was natural that food fraud followed the “-ACCP” taxonomy. Since food fraud focused on vulnerabilities, the term applied logically was Vulnerability Assessment and Critical Control Point Plan (VACCP). From a management standpoint, it was efficient to explain, “VACCP is like HACCP but for food fraud, not food safety.” The VACCP concept was created within the GFSI FFTT and first presented at the 2013 GFSI Annual Conference as one of three assessments under the food safety management system “umbrella.” (Figure 3) (GFSI FFTT, 2013)

Separating the work into three assessments does not create three times the work since considering each topic itself is much more efficient than creating one big formula.[1] Each of the factors is extremely different. Combining so many different root causes into one system would be extremely complex. Also, the risk management of likelihood and consequence could confuse or void the calibration. For example, the U.S. FDA published the food defense assessment of CARVER+Shock in 2009. (CFSAN/FDA, 2007) That assessment was not intended to address product fraud, so it would be an ill-fitting tool to address food fraud. The economic impact of even one of the most significant malicious tampering incidents in history, cyanide-laced Tylenol pills in the Chicago area in 1982, would be only a 1-2 or 3-4 on a “Shock” scale of 1-10. (Spink, Singh, et al., 2011) So, using the food defense assessment for food fraud incidents would not be helpful since the Tylenol incident was not a significant food defense act. Still, it was a problem that was not acceptable to society. The food defense assessments were ill-fitting tools to assess food fraud problems. The Tylenol incident resulted in $100 to $200 million in removing the product from the marketplace and around $1 billion in lost sales.[2] The incident was so impactful that it created the momentum for tamper-evident and tamper-resistant packaging development, regulation, and near-universal adoption (now, consumers expect inner lids and cap overwraps on all products, regardless of the level of regulation). The food safety and food defense assessments and models were ill-fitting tools to address food fraud. Based on this model, product fraud incidents would be very low and not prioritized. 

Food Safety as a Management System Applied to Food Fraud

A significant impact of HACCP is the adoption of common terminology, taxonomy, and standard operating procedures within a formal management system. The International Standards Organization (ISO) defines a management system standard (MSS) as “the way in which an organization manages the interrelated parts of its business in order to achieve its objectives.” (ISO, 2022) ISO has developed general standards such as ISO 9001:2015 for Quality Management Systems and ISO 27002:2017 for Information Technology Security. There are also sector-specific standards such as ISO 22163:2017 for Railway Applications Quality Management and ISO 22380:2018 Security and Resilience for Product Fraud Risk and Countermeasures. Further, related standards include more detailed implementation guidance, such as ISO 19011:2018 Guidelines for Auditing Management Systems and ISO 22003:2013 Food Safety Management Systems.

ISO has adapted to address food fraud indirectly and directly in management systems, including:

  • ISO 22380/ 22382 General principles for product fraud risk and  Countermeasures: Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods included a definition of “product fraud,” which included food and beverages. [Previously ISO 12931:2018]
  • ISO 22000 Food Safety Management System standard was updated in 2018 and now specifies that food fraud and food defense are to be considered (though there is no further detailed guidance).

The food safety/ HACCP programs have evolved into highly interconnected management systems with intense oversight and auditing. Food fraud management systems are still maturing into more formal programs. The GSFI food fraud requirements are a crucial spark and motivation since once systems are created and implemented, it is natural for process improvement and benchmarking to occur.


[1] Of course, there are now three assessments instead of one. The effort includes relatively straight forward assessments for food safety, food fraud, and food defense. If they three assessments were combined there would be an extremely complex task of trying to calibrate often the same or similar factors but with different impacts on each item. Also, it is simpler to refine and update a smaller, single concept model rather than a multidimensional formula.

[2] From CARVER+Shock, the “Shock” of 3-4 is: “Target has little historical, cultural, religious, or other symbolic importance. Loss of life less than 100. Small impact on sensitive subpopulations, e.g., children or elderly. National economic impact between $100 million and $1 billion. Also, the “Shock” of 1-2 is: “Target has no historical, cultural, religious, or other symbolic importance. Loss of life less than 10. No impact on sensitive subpopulations, e.g., children or elderly. National economic impact less than $100 million.” This is exactly why the CARVER+Shock assessment works for food defense not in the same assessment to thoroughly address food fraud.

Takeaway Points

  • The GFSI focus on food fraud started from a position of considering the possible – and recent – root causes of food safety incidents and product recalls. During the GFSI food fraud think tank project, the project research question quickly turned from “what” is food fraud and “if” GFSI should address the problem to “how” should GFSI include food fraud prevention and “when” could it most quickly be adopted.
  • The GFSI strategy followed global risk management best practices – such as ISO 31000 Risk Management and ISO 9000 Quality Management which are a foundation of ISO 22000 Food Safety Management – to separate out unique risk assessment and to focus on the root cause and prevention.
  • To focus on food fraud, GFSI presents the concept of a Vulnerability Assessment and Critical Control Point Plan (VACCP) which build upon previous product fraud research from outside the food industry such as from ISO 22380 Product Fraud.

Fortunately, there is a significant body of scholarly and academic research that includes some very simple, direct, and helpful training and education (including our Food Fraud Prevention MOOC series – see

Scroll to Top