Supply Chain the Bar: Food DefenseGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-06-01T04:00:00Z<p>​When the Food Safety Modernization Act (FSMA) was passed in 2011, it was the first regulatory recognition of intentional acts against the food supply in the United States. Among the FSMA's long list of changes—including the regulation of produce and updates to the U.S. Food and Drug Administration's (FDA) authorities—is a rule that emphasizes food defense and strengthens its efforts.</p><p>Food defense is the effort to protect food from acts of adulteration where there is an intent to cause harm. The FSMA's final intentional adulteration rule, released in May 2016, establishes a compliance framework for regulated facilities. Like counterterrorism laws for many industries, regulated facilities must prepare a security plan—in this case, a food defense plan—and conduct a vulnerability assessment to identify significant vulnerabilities that, if exploited, might cause widescale harm to public health, according to the FDA. </p><p>According to the FSMA's intentional adulteration rule, regulated facilities must identify and implement mitigation strategies at actionable process steps to provide assurances that the significant vulnerability at each step will be minimized or prevented. How this is accomplished must be put into writing as part of the food defense plan that includes auditable procedures that track how food defense is implemented, monitored, and verified. The plan must maintain records, be reevaluated periodically, and include records to support personnel training.</p><p>Compliance dates for the regulation are based on the size of the regulated facility. Very small businesses—which average less than $10 million per year—must comply with modified requirements by July 2021—five years after the publication of the FSMA final rule. Small businesses—which employ fewer than 500 full-time employees—must comply by July 2020. And those businesses that are not classified as small or very small and do not qualify for exemptions must comply by July 2019.​</p><h4>A Written Food Defense Plan</h4><p>Under the FSMA final rule, regulated facilities are required to prepare and implement a written, dated, and signed food defense plan, which must include the outcomes of the vulnerability assessment, mitigation strategies for each actionable process step identified, plans for recordkeeping and periodic reanalysis, and procedures for food defense monitoring, corrective actions, and verification.</p><p>The FDA has identified four key activity types where an act of intentional adulteration is most likely to occur based on vulnerability assessments that have been conducted over the last 15 years across a variety of commodities. These areas include coating, mixing, grinding, or reworking; ingredient staging, preparation, or addition; bulk liquid receiving or loading; and liquid storage and holding.</p><p><strong>Elements. </strong>According to the FDA, the presence of these key activity types at a process step—such as manufacturing, processing, packing, or holding of food—indicates a significant vulnerability. </p><p>The FDA has provided flexibility to regulated facilities to choose a vulnerability assessment methodology appropriate to their operations, providing that the methodology addresses fundamental elements. These fundamental elements include acts of intentional adulteration to the process, the degree of physical access to the product, and the ability of an attacker—including insiders—to successfully contaminate the ingredient or product.  </p><p>If the vulnerability assessment finds that these factors converge, a regulated facility has a significant vulnerability at an actionable process step. This means written mitigation strategies must be included in the facility's food defense plan and management components to ensure proper implementation of the mitigation strategies, including monitoring, corrective actions, and verification. </p><p><strong>Plan.</strong> The written food defense plan is  not a food safety or food quality plan—the food defense plan is not intended to be woven into existing plans. </p><p>While few owners or operators look forward to creating a new program or document, a written food defense plan is critical for demonstrating compliance with the new law and assuring customers of compliance. Organizations that have already developed a food defense plan may be that much further ahead in terms of FSMA compliance. </p><p>The food defense plan must be reassessed every three years—or more frequently if there are changes in facility activities, new information on vulnerability to food production, failures in the implementation of existing mitigation strategies, or if the FDA directs a reassessment. Changes to the plan as a result of these reviews must be reflected in the food defense plan. </p><p>The FDA says that a clearly written, standalone food defense plan will facilitate proper implementation of mitigation strategies. However, based on the author's nearly 30 years of working with organizations that must comply with a new regulation requiring a written food defense plan, the Intentional Adulteration rule poses several challenges.</p><p>Many organizations are already involved in voluntary food defense initiatives and have food defense protocols or programs in place to demonstrate compliance with those initiatives. With an added FSMA food defense plan requirement, there is an additional layer of complexity and coordination if an organization erroneously elects to maintain two separate plans. </p><p>Additionally, most organizations have already made substantial investments in securing personnel and operations but may not have documented security measures in the form of a written plan as required.</p><p>Some organizations may be regulated by other entities—such as the U.S. Marine Transportation Security Act or U.S. Chemical Facility Antiterrorism Standards. With a rigorous physical security or asset protection plan already in place, adding a food defense plan creates potential for duplication and coordination challenges, particularly as it relates to the poorly understood but critical role that foundational programs such as physical security, training, and personnel surety have in reducing the risk of intentional adulteration.​</p><h4>Vulnerability Assessment</h4><p>A facility-specific vulnerability assessment is a legal requirement designed to protect the public from intentional adulteration of food. However, there is a significant debate about whether FSMA's rule is currently structured to deliver meaningful value to the food industry. Experienced practitioners recognize that there is a significant difference between complying with the rule and providing comprehensive food defense and enterprise security risk management for their organizations. </p><p>The threshold of tolerance for risk for food manufacturers is far lower than the FDA standard of widespread public health impact under FSMA's rule. One illness or injury from an act of intentional adulteration is too many from the manufacturer's perspective. A risk assessment to identify enterprise risk might be more useful than the limited focus on intentional adulteration as defined under the current FSMA rule.</p><p>In risk assessments that the author has performed in the last several years, scenarios associated with intentional adulteration made up only 10 percent of a company's applicable security scenarios. Food manufacturers are cautioned against pigeonholing all security measures against food defense alone to the detriment of risks to people, other assets, and intellectual property. The author, member of the ASIS Food Defense and Agriculture Security Council, strongly recommends a comprehensive approach to criminal and terrorist risk mitigation and a strategic approach to security risk management with a strong and compliant food defense component.  </p><p>While not in the rule, the FDA's guidance states that existing mitigation such as locks or other foundational programs should not be considered while performing the vulnerability assessment—assessments should be conducted as if no security is in place. This is an important distinction because the assessment process is not measuring risk, only vulnerability. This approach is generally not good for businesses and results in excessive cost in mitigating vulnerability, rather than addressing the highest risks of intentional adulteration. </p><p>A wide variety of unknowns to the industry are related to threat intelligence, and a lack of information sharing between the U.S. government and industry inhibits sound risk-based business decisions. </p><p>For example, the U.S. government does not provide timely and accurate intelligence to the food manufacturing community about the true nature of the threat to the food supply. Similarly, the U.S. government does not define or share the scientific nature of intentional adulteration, so the industry does not know what agents and quantities would create a widespread public health impact. </p><p>There is also insufficient information available to the private sector regarding the identification of indicators of a developing insider threat, which is a heavy emphasis of the current FSMA rule. This lack of guidance hampers the identification and implementation of effective controls.  </p><p>Together, these factors create an environment where full compliance may still leave an organization short of achieving the stated objectives of the regulation: preventing intentional adulteration. There are no indications that the regulatory environment will change in the near term, as the first milestone of compliance fast approaches. The following advice is offered to maximize the benefit of a risk assessment-informed food defense plan. </p><p><strong>Assessment team.</strong> Facility-specific vulnerability assessments require a list of food defense team members and their qualifications. Ideally, the team would include a chemical engineer, a toxicologist, a food safety professional, operations personnel, and a security subject matter expert to cover threat assessment, vulnerability identification, and options for security mitigation. In a real-life situation, however, the type of available personnel may be limited. </p><p>Prior to the introduction of the concept of food defense, this matter was not a primary responsibility of the security department—it generally fell to the food safety or quality control departments. Given that food defense is a counterterrorism and crime prevention effort, it is critical for security to partner with the food safety and quality professionals in the industry. Both disciplines bring critical competency necessary to properly position organizational processes to work well to prevent or detect an act of intentional adulteration—not just widespread public health impact. </p><p>The failure to include a physical security subject matter expert in a risk assessment will likely result in the oversight of exposures that could be exploited by an adversary—particularly outsiders and, to a slightly lesser degree, insiders—in an intentional adulteration attack. The security practitioner also brings to the table the basics of access control, training, and personnel surety, which are critical foundational programs to aid in reducing risk of intentional adulteration. </p><p><strong>Process flow.</strong> In most instances, the facility under consideration will already have a hazard analysis and critical control point flow diagram. These diagrams are usually simplified schematics of the process and, irrespective of the vulnerability assessment methodology chosen, are a good place to start. It is valuable to go over the flow diagram in detail with facility staff to identify those generic blocks that contain multiple pieces of equipment and define these and any processes that are not represented on the flow diagram to determine the effect, if any, they exert on the product. </p><p>All equipment and process steps that exert an effect should be included in the assessment to get an accurate understanding of the conditions an added agent would be subjected to and to identify if there are any vulnerabilities within the production environment that the flow diagram does not capture. By not performing a detailed risk assessment of the entire process, a facility might inaccurately depict the risk that exists from an act of intentional adulteration. </p><p>Additionally, it is possible that some of the hazard analysis and critical control point process steps that are identified in these diagrams could need to be broken down further to more fully understand the forces being exerted on the ingredients of the finished product. The step identified as "receiving," as an example, could consist of multiple sub-steps that include seal verification, receipt of the material, quality sample and holding, offloading, staging, screening, and storage. From this example it's easy to see that the hazard analysis and critical control point flow diagram is a good start, but owners and operators are encouraged to look a little closer at each of those steps to make sure that each point, step, or procedure is being adequately assessed. </p><p><strong>Vulnerabilities.</strong> A significant vulnerability, as defined by the FDA, has three considerations: potentially severe or scalable public health impact if a contaminant were added, the degree of physical access to the product, and the ability of an attacker to successfully contaminate the product. </p><p>Begin with ingredient or raw material receiving and follow the process steps through to the finished product's packaging, storage, or loadout. At each step, determine if it is possible to add a contaminant and, if added, whether the contaminant could survive the process and be able to harm the public. </p><p>Processing steps that might kill bacterial contaminants may not permanently denature toxins or acutely toxic chemicals, for example. The effect a processing step can have on contaminants needs to be evaluated for all classes of potential food defense contaminants. As stated earlier, this information is not readily available to the food and beverage industry and creates challenges for the industry to be able to fully understand the impact these contaminants can have on ingredients and finished products being manufactured. </p><p><strong>Potential impact.</strong> According to industry experts, the greatest shortcoming of today's food defense vulnerability assessment mechanisms is that they do not provide guidance on how to address specific contaminants. The potential impact of the contamination of an undefined process with an unknown quantity of an unidentified agent is impossible to discuss. Using a short list of agents, a facility-specific vulnerability assessment could be used to try to depict the potential impact of each agent, should a contamination occur at a particular point, step, or procedure. </p><p>While everyone has heard of anthrax, who knows how to determine if there would be a negative effect on the public health if a certain quantity of it were added to a process step? Not being able to accurately model the fates of specific agents within a process may yield an inflated sense of concern resulting in unnecessary expend­itures. With some work, it is possible to simplify traditional chemical and biological risk assessment methodologies and apply them to the facility's process. Doing so provides a more accurate picture of likely-negative effects on public health.</p><p><strong>Agent removal.</strong> Are there processes downstream from a potential actionable process step that could reasonably be expected to reduce the risk of an intentional adulteration? </p><p>In most instances, processing exerts an effect on the product being manufactured. The question is whether that processing step contributes to a reduction of risk. Is the product subjected to a reduction where part of the product stream is diverted, or is there a filtration or rinsing or drying step that can be expected to remove a contaminant? If there are steps in the process that could reduce the contaminant load, the extent to which the reduction can be expected to occur and the rationale for expecting the reduction need to be explained. These written justifications are required within the food defense plan. </p><p><strong>Access.</strong> Access control is the first line of defense in reducing the risk of intentional adulteration and is a foundational element of a sound facility security plan. If a process step is located within an access-controlled room within an access-controlled building within an access-controlled premises, it is far less likely to be contaminated by an external aggressor than a process step for which these barriers to access have not been established or are poorly controlled. </p><p>Having the hardware in place is half of the challenge; training and demonstrating functionality is a prerequisite for sound facility security posture. Additionally, if only a single, well-vetted employee has access to the process step, as opposed to every employee in the facility, the potential for an intentional adulteration is reduced, but the risks borne by that insider attacker need to be addressed and controlled. </p><p>A significant characteristic of a processing step that can be inadvertently overlooked is whether the process step is sealed. If the process operates under vacuum, high pressure, or high temperature, the processing step could have next to no access and therefore probably cannot be compromised while in operation. </p><p><strong>Contamination.</strong> This is determined by both the physical access to the product and the amount of agent or contaminant that would be required to contaminate the volume of product being produced or stored, in order to result in wide-scale public health impact.</p><p>A small process that manufactures hundreds of servings of a product will require much less contaminant to be toxic than a process that manufactures millions of servings. </p><p>How much of an acutely toxic chemical, toxin, or pathogenic microbe could an aggressor carry into the facility without being challenged? This type of mitigation is typically covered by physical security foundational programs such as visitor screening, prohibition of personal effects in the manufacturing environment, and bag checks. </p><p><strong>Volume of product.</strong> The volume of product that could be impacted in an intentional adulteration is determined by the number of consumable units as a result of the volume or mass of product immediately prior to packaging in a consumable package. It should not be necessary to consider volumes impacted at the operating units within the process because it is the potential toxicity of the finished product that is the concern.</p><p><strong>Products.</strong> It is possible to identify a vulnerability that does not rise to the level of a widescale public health impact as defined by the FDA, but where an act of intentional adulteration could be catastrophic to the brand or organization. It is important to capture these conditions if observed in a vulnerability assessment and to address those in enterprise food defense efforts, which undoubtedly will exceed what is required by FSMA. </p><p>In one recent vulnerability assessment, a processing step along a conveyor was observed where the product was accessible after it was put into the unsealed container and before it was sealed in the consumable package. In theory, it is possible that the finished product could be contaminated, but not to a point where it could cause widescale public health impact. It would be inappropriate and irresponsible to ignore this exposure, but in theory, if a facility is performing an FSMA key activity-type vulnerability assessment, it would be compliant without addressing this exposure.​</p><h4>The Insider Threat</h4><p>The FSMA Intentional Adulteration rule clearly and rightfully acknowledges the insider threat. While foundational security programs—such as badging, video, surveillance, and workplace violence prevention—mitigate the risk of both outsiders and insiders gaining access to the food production process, companies may need to put in place additional mitigation strategies that deal with a potentially sophisticated insider that is capable of engaging in an act of intentional adulteration.  </p><p>In a 2016 case, a Minnesota woman was sentenced to 90 days in jail after being convicted of two felony counts of causing damage to property at her workplace. She was also ordered to pay $200,000 in restitution for contaminating food product with sand and black soil. Twenty-eight tons of chicken had to be recalled due to this act of intentional adulteration. While no motivation was publicized in the ensuing coverage of the incident, it goes to show the magnitude of the damage that an insider can cause.   </p><p>In a more recent incident in the United Kingdom, a couple was arrested for plotting a terrorist attack. The circumstances around the event were reported by the Food Protection and Defense Institute at the University of Minnesota in its February 2018 newsletter. </p><p>A man who worked for a large food company met a woman with an advanced degree in pharmaceutical science on a dating site. They shared extremist, ISIS-inspired views—the man reportedly visited and communicated with ISIS-sponsored social media sites. Using their respective industry knowledge, the duo plotted to build and detonate bombs, and investigated making ricin before they were arrested by police.</p><p>A strategy to manage the insider threat must be spelled out in the vulnerability assessment. Like workplace violence, intentional adulteration could be perpetrated by individuals with different motivations. </p><p>There is not a great deal of information developed on these classifications of offenders as of the writing of this article, but it is important to recognize that there are distinctions, and the risk can be reduced through education of the warning signs of an insider who could pose an elevated threat to an act of intentional adulteration.</p><p>There continues to be debate between the industry and government on the Intentional Adulteration rule as compliance deadlines loom. Industry professionals know that compliance with FSMA alone does not meet the high bar the industry has set for itself. The ASIS International Food Defense and Agriculture Security Council encourages members of the food and agriculture industry to consult available resources, join the conversation, support the debate, and best influence the regulation to truly and holistically contribute to food defense.  </p><p><em>Frank Pisciotta, CSC (Certified Security Consultant), is a veteran independent security consultant and subject matter expert in risk analysis, security system design, security management, and a variety of critical infrastructure verticals including food, healthcare, education, manufacturing, oil/gas, and chemical, in both public and private sector organizations. He can be reached at    </em></p><h4>Resources on Food Defense Preparedness and Training</h4><ul><li><p><strong>ASIS Food Defense and Agriculture Security Council</strong> – <a href="" target="_blank">Security and food defense professionals</a> working collaboratively to serve and develop resources for the industry with the mission of helping to protect the food supply chain from farm to fork.</p></li><li><p><strong>FDA</strong></p></li><ul><li><p>The FDA has established an Intentional Adulteration Subcommittee with the Food Safety Preventive Controls Alliance to develop food defense training resources for industry and regulators alike.</p></li><li><p>The agency intends to publish guidance documents to provide information relevant to the provisions of the final rule, such as conducting a vulnerability assessment, identifying and implementing mitigation strategies, and writing procedures for food defense monitoring, corrective actions and verification.  These guidance documents may be available by the summer of 2018.  </p></li><li><p>In addition, FDA has a number of tools and resources currently available on the web (<a href=""></a>) that were developed for voluntary food defense efforts.</p></li><li><p>The <a href="">Mitigation Strategies Database</a> is an online, searchable listing of mitigation strategies that can be applied to different steps in a food operation to reduce the risk of intentional adulteration.</p></li><li><p>The <a href="">FDA FSMA Food Safety Technical Assistance Network</a> is already operational and provides a central source of information to support industry understanding and implementation of FSMA. Questions submitted online or by mail will be answered by information specialists or subject matter experts.</p></li></ul><li><p><strong>Food Protection and Defense Institute</strong> – The Food Protection and Defense Institute (FPDI), formerly known as the National Center for Food Protection and Defense, was officially launched as a Homeland Security Center of Excellence in July 2004 at the University of Minnesota. Developed as a multidisciplinary and action-oriented research consortium, FPDI addresses the vulnerability of the nation's food system. FPDI takes a comprehensive, farm-to-table view of the food system, encompassing all aspects from primary production through transportation and food processing to retail and food service (<a href=""></a>).  </p></li><li><p><strong>Food & Agriculture Sector Coordinating Council </strong>– The Council serves as the primary private sector policy coordination and planning entity to collaborate with the U.S. Food and Drug Administration (FDA), the U.S. Department of Agriculture (USDA), the U.S. Department of Homeland Security, the Food and Agriculture Government Coordinating Council (GCC) and other government entities to address the entire range of critical infrastructure security and resilience activities and sector-specific issues.  The Council serves as a voice for the sector and represents a principal entry point to collaborate with government for critical infrastructure security and resilience activities. Wherever possible, the Council will participate in efforts to establish voluntary practices to ensure that sector perspectives are included in relevant Presidential Policy Directives, National Infrastructure Protection Plans (NIPP), Sector Specific Plans (SSPs) and other policy documents related to Critical Infrastructure Security and Resilience.  (<a href=""></a>).  </p></li><li><p><strong>International Association of Food Protection (IAFP)</strong> – The IAFP represents a broad range of members with a singular focus — protecting the global food supply. Within the association, you will find educators, government officials, microbiologists, food industry executives and quality control professionals who are involved in all aspects of growing, storing, transporting, processing and preparing all types of foods. (<a href=""></a>).  </p></li><li><p><strong>Grocery Manufacturers Association </strong>– GMA has formed an Intentional Adulteration Rule Working Group – The Grocery Manufacturers Association is the voice of more than 250 leading food, beverage and consumer product companies that sustain and enhance the quality of life for hundreds of millions of people in the United States and around the globe. Based in Washington, D.C., GMA's member organizations include internationally recognized brands as well as steadily growing, localized brands.  Founded in 1908, GMA is an active, vocal advocate for its member companies and a trusted source of information about the industry and the products consumers rely on and enjoy every day. The association and its member companies are committed to meeting the needs of consumers through product innovation, responsible business practices and effective public policy solutions developed through a genuine partnership with policymakers and other stakeholders. (<a href=""></a>). </p></li><li><p><strong>Food Defense Consortium</strong> – The FD Consortium is an informal group of F&B manufacturers that was established in June 2016. The intent of the FD Consortium is to bring toget​her multiple disparate working 'groups' addressing the FSMA IA Rule and discussing general food defense best practices. The group meets monthly to address current issues and   <a href=""></a> </p></li><li><p><strong>Food Safety Tech</strong> – Food Safety Tech is an industry-specific eMagazine and Conference series serving the food industry. Built on the platform of the next generation model for B2B publishing.  (<a href=""></a>).</p></li><li><p><strong>USDA OHSEC</strong> – Departmental Management is USDA's central administrative management organization. Departmental Management provides support to policy officials of the Department, and overall direction and coordination for the administrative programs and services of USDA. In addition, Departmental Management manages the Headquarters Complex and provides direct customer service to Washington, D.C. employees.  <a href=""></a> </p></li><li><p><strong>Association of Food and Drug Officials (AFDO) Food Protection & Defense</strong> – The Association of Food and Drug Officials (AFDO), established in 1896, successfully fosters uniformity in the adoption and enforcement of food, drug, medical devices, cosmetics and product safety laws, rules, and regulations.​ <a href=""></a>   </p></li><li><p><strong>Bob Norton's Food and Water Defense Blog:</strong> Dr. Robert A. Norton, PhD, is a professor at Auburn University and currently serves as coordinator of National Security Initiatives in the Auburn University Open Source Intelligence Laboratory and program director of the Futures Laboratory, a collaborative effort between Auburn University, Auburn University at Montgomery and Air University at Maxwell Air Force Base. A long-time consultant to multiple federal agencies and the Department of Defense, Dr. Norton's research interests include public health/one health, intelligence analysis, chemical and biological weapons defense, medical and technical intelligence, military-related science and technology, biosecurity/biodefense, and veterinary infectious diseases.​  <a href=""></a>  ​ </p></li></ul><p> ​</p>

Supply Chain the Bar: Food Defense Chain Company Makes Access Control a Priority Review: Supply Chain Security in China Strategies Dirty Secret of Drug Diversion Most Resilient Countries in the World Chain Strategies Usual Suspects Review: Diamond Mine Security the Public Interest in the Supply Chain Protection Shrink Reduction Crime and Terrorism Chain Security: A Comprehensive Approach Food Imports Chain Resources and Loss Prevention: An Introduction, Sixth Edition Tracking Trends

 You May Also Like... Dirty Secret of Drug Diversion<p>​Controlled substances were going missing at Hennepin County Medical Center (HCMC), and the hospital’s security investigator, William Leon, was determined to get to the bottom of it. So, at 11 p.m. on a Friday, Leon settled in for a night of observation at the Level I trauma center in Minneapolis, Minnesota. He kept a trained eye on one registered nurse who was suspected of stealing hydromorphone, an opioid pain medication, for her personal use.</p><p>HCMC has cameras set up in the medication room to monitor controlled substances, and Leon watched as the nurse began gathering prescribed medication for a patient in the emergency department. The process, called wasting, requires the healthcare worker to take a fresh vial or syringe full of medication and then dispose of the excess, leaving only the correct dosage—all with a witness present. Leon observed the nurse dispense a syringe of hydromorphone from the medicine cabinet, and, while a fellow nurse was signing off on the withdrawal, she placed the syringe in her pocket and pulled out an identical syringe, which Leon later learned contained saline. The nurse held up the saline syringe and wasted the required amount, tricking her fellow nurse, and left the room.</p><p>At this point, Leon knew exactly what was going on, and watched with increasing alarm as the nurse headed to a patient’s room in the orthopedic area of the hospital. “In that area, I knew immediately, this patient could have a broken bone—they were in intense pain and requiring this medication,” Leon says. “I see a lot of doctors standing around and I’m thinking ‘uh oh, this patient is going to get saline.’”</p><p>Leon raced to the room and saw that the doctors had given the patient the saline the nurse had brought up. “The patient was still screaming in pain and the doctor was frantically asking the nurse, ‘Are you sure you got the right dosage? Are you sure it was hydromorphone?’ and she was insisting she had,” Leon says. He called the doctor and the nurse into the hall and explained that the patient had just gotten saline and still needed the proper pain medication because the nurse had diverted the hydromorphone in the medication room. The doctor went to properly treat the patient and Leon called the nurse manager and the local sheriff’s detective in to begin an official investigation into the nurse’s actions.</p><p>Drug diversion in the United States is a nebulous problem that is widespread but rarely discussed, experts say. Whether in manufacturing plants, retail pharmacies, hospitals, or long-term care facilities, healthcare workers are stealing drugs—typically for their own personal use—and putting themselves, patients, and coworkers at risk. </p><p>“I hate to tell you, but if you have controlled substances and dispense narcotics, you’ve got diversion going on,” says Cherie Mitchell, president of drug diversion software company HelioMetrics. “It’s just a question of whether you know it or not.”</p><p>The scope and frequency of drug diversion is almost impossible to grasp, due in large part to how diversion cases are addressed. A facility that identifies a diversion problem might bring in any combination of players, from private investigators and local law enforcement to state accreditation boards or the U.S. Drug Enforcement Agency (DEA). There is no overarching agency or organization that records every instance of drug diversion in the United States.</p><p>Controlled substance management is dictated by a number of laws, including the U.S. Controlled Substances Act of 1971, which classifies substances based on how they are used and the potential for abuse. It also dictates how the substances are dispensed, and a facility may be fined if it does not comply. </p><p>The closest estimates of drug diversion rates come from people or organizations who dig up the numbers themselves. The Associated Press used government-obtained data in its investigations on drug diversion at U.S. Department of Veterans Affairs (VA) medical centers. Reported incidents of diversion at about 1,200 VA facilities jumped from 272 in 2009 to 2,926 in 2015, the data revealed, and the VA inspector general has opened more than 100 criminal investigations since last October. John Burke, president of the International Health Facility Diversion Association, extrapolated data he obtained from facilities in Ohio to estimate the presence of 37,000 diverters in healthcare facilities across the country each year. </p><p>Mitchell points out that any statistic derived from officially collected data still wouldn’t accurately reflect the extent of drug diversion in the United States. “There’s a lot of people investigators really suspected were diverters but had to be chalked up to sloppy practice due to a lack of concrete evidence, so any statistic is talking about known diverters who are fired for diversion,” she tells <i>Security Management</i>. “Even if you did have a statistic, it would be off because how do you incorporate those so-called sloppy practicers, or diverters who thought they were about to get caught so they quit on you and left? No matter what number you come to, it’s probably bigger in reality.”​</p><h4>Addiction and Diversion</h4><p>Although more people are paying attention to drug diversion due to recent high-profile cases and the current opioid epidemic in the United States, experts say they have been dealing with the same problems their entire careers. </p><p>“I can personally tell you that I dealt with the same issues 15 or 20 years ago that the healthcare arena is facing today, specifically in the drug abuse and diversion by their own hospital healthcare employees,” says Charlie Cichon, executive director of the National Association of Drug Diversion Investigators (NADDI) and a member of the ASIS International Pharmaceutical Security Council. “There are different drugs today, of course, than there were 20 years ago.”</p><p>Susan Hayes has been a private detective for healthcare facilities for more than a decade and says the opioid epidemic has magnified the drug diversion problem in recent years. “The opioid addiction in America has lit my practice on fire,” she says.</p><p>It’s no secret that opioid addiction has reached epidemic levels in the United States. In 2010, hydrocodone prescriptions were filled 131.2 million times at retail pharmacies alone, making it the most commonly prescribed medication, according to the Mayo Clinic. However, those are just the numbers that were legally prescribed—about 75 percent of people who take opioids recreationally get them from a friend or family member. According to the U.S. Centers for Disease Control and Prevention (CDC), approximately 52 people in the United States die every day from overdosing on prescription painkillers.</p><p>Healthcare workers are not immune to the draw of opioids. In fact, up to 15 percent of healthcare workers are addicted to drugs or alcohol, compared to 8 percent of the general population, according to the Mayo Clinic. </p><p>“Healthcare providers are in very stressful jobs,” Hayes says. “They all have problems. Nurses have emotional attachments to patients that they see die. Even orderlies have very stressful physical jobs, they’re lifting patients. Pharmacists can make mistakes that mean life or death. You have people that are already in very stressful situations, and now you give them access to drugs…. I think the combination is almost deadly.”</p><p>While a bottle of 30mg oxycodone tablets can sell on the street for up to 12 times its price in the pharmacy, most drug diverters are addicts using the drugs themselves. Because of this, diversion shouldn’t be considered just a security concern but a patient safety concern, Cichon says. He references several high-profile diversion cases in which the diverters used the same syringe full of medicine on both themselves and their patients, spreading bacterial infections and hepatitis. In one especially egregious case, a traveling medical technician with hepatitis C would inject himself with his patients’ fentanyl and refill the same syringe with saline, ultimately spreading the virus to at least 30 people in two states.</p><p>Unfortunately, experts acknowledge that most diverters don’t get caught until they have been diverting for so long they start to get sloppy. “The people who are your real problem are the people who are hiding in the weeds, not doing enough to get caught, and those are the ones you want to find,” Mitchell says. “The people they are finding now are the people that have the needle in their arm or somebody has reported them. You want to try to find them before that.”​</p><h4>Out of the Loop</h4><p>Hayes details the path of drugs through a hospital: a pharmacy technician orders the medication from a wholesaler, who will deliver them to the hospital pharmacy. The drugs are sorted and stocked in the pharmacy, where they will remain until they are brought up to the patient floors and stored in various types of locking medicine cabinets. When a patient needs medication, a nurse goes to the medicine cabinet and dispenses the drug for the patient. </p><p>Another ASIS International Pharmaceutical Council member—Matthew Murphy, president of Pharma Compliance Group and former DEA special agent—describes this as the closed loop of distribution. “Once a drug is outside of the closed loop, when it gets dispensed from a pharmacy or administered by a doctor, it’s no longer in the purview of DEA rules and regulations,” he explains. Drugs are most likely to be diverted during those times when they are in transit or exchanging hands, outside of the closed loop.</p><p><strong>Wholesalers.</strong> When fulfilling a pharmacy’s request for medication, wholesalers have just as much of a responsibility to notice if something is amiss as the pharmacy does. Whether it’s a retail pharmacy or a hospital pharmacy, wholesalers are responsible for cutting them off if they start to request unusually high amounts of opioids. </p><p>In 2013, retail pharmacy chain Walgreens was charged $80 million—the largest fine in the history of the U.S. Controlled Substances Act—after committing record-keeping and dispensing violations that allowed millions of doses of controlled substances to enter the black market. Cardinal Health, Walgreens’ supplier, was charged $34 million for failing to report suspicious sales of painkillers. One pharmacy in Florida went from ordering 95,800 pills in 2009 to 2.2 million pills in 2011, according to the DEA. </p><p>Hayes says the fine against the wholesaler was a wake-up call, and now suppliers use algorithms to identify unusual spikes in orders of opiates. Wholesalers can even stop the flow of medication to pharmacies if they believe diversion is occurring—which can be disastrous to a trauma center, Hayes notes.</p><p><strong>Pharmacies.</strong> To restock the shelves, pharmacy technicians compile lists of what medications they are low on to send to the wholesalers at the end of each day. Hayes notes that many pharmacies do not conduct a retroactive analysis on what is being purchased—which is why wholesalers must pay attention to any unusual changes in orders. She stresses the importance of constantly mixing up the personnel who order and stock medications. </p><p>“If you’re both ordering and putting away drugs, that’s a bad thing because you can order six bottles when you only need five and keep one for yourself,” Hayes notes. </p><p>Similarly, it is important to rotate who delivers the drugs to the patient floors. “John the technician has been taking the drugs up to the floors for the last 20 years,” Hayes says. “Well gee, did you ever notice that John drives a Mercedes and has two boats and a house on Long Island? He makes $40,000 a year, did you ever do any investigation into why?”</p><p><strong>On the floor. </strong>Experts agree that the most egregious diversion occurs during the wasting and dispensing process in scenarios similar to the incident Leon witnessed at HCMC. Mitchell explains that all hospitals have different wasting procedures—some require nurses to waste the medication immediately, before they even leave the medication rooms, while others may have a 20-minute window. Other hospitals may prohibit nurses from carrying medication in their pockets to prevent theft or switching. ​</p><h4>Investigations</h4><p>Any company involved with controlled substances, whether manufacturing, distributing, or dispensing, must be registered with the DEA and must adhere to certain rules and regulations—which aren’t always easy to follow.</p><p>Murphy, who worked for the DEA for 25 years, now helps companies follow mandates he calls “vague and difficult to interpret.” For example, DEA requires anyone carrying controlled substances to report “the theft or significant loss of any controlled substance within one business day of discovery.”</p><p>“This hospital had 13 vials of morphine that ‘went missing’ and someone called me in to find out why,” Hayes says. “They asked me, ‘Are 13 vials substantial or not? Do I really need to fill out the form?’ I counsel them on what’s substantial because the language is very loose.”</p><p>Depending on the frequency or significance of these or similar forms, the DEA may open an investigation, Murphy explains. “DEA will look at these recordkeeping forms and determine if in fact everything has been filled out correctly, that they have been keeping good records,” he says. “If DEA determines that they are lax or have not been adhering to requirements, there could be anything from a fine to a letter of admonition requiring corrective actions.” In more serious cases, DEA could revoke the registration because the activity or behavior was so egregious that it was determined that the facility is not responsible enough, Murphy explains. If a facility loses its DEA registration, it cannot dispense controlled substances.</p><p>However, DEA does not get involved in every suspected case of diversion. “There are only so many DEA diversion investigators, so they have to prioritize what they get involved with,” Murphy says. “It has to be pretty egregious for them to get involved to seek a revocation or fine.”</p><p>That’s where people like Hayes come in. “They want me to come in instead of DEA or law enforcement,” she explains. “I’m a private citizen, I understand law enforcement procedures, and I can help them get at the root of the problem before they call in law enforcement.” </p><p>After an investigation into a diverter is opened, it is unclear what happens to the offender. Hayes says that she typically gathers evidence and gets a confession from diverters, at which point her client calls in law enforcement to arrest them. Leon, who was in charge of diversion in­vest­igations at HCMC for 20 years before becoming a consultant for HelioMetrics, was able to investigate but not interview suspected diverters. He tells <em>Security Management</em> that he would call in a sheriff’s detective to interview the suspect.</p><p>Although most diverters are fired when their actions are discovered, they are not always arrested—it’s often at the discretion of their employer. Depending on the diverter’s role, state accreditation boards—such as those that license nurses and pharmacists—would be notified and could potentially conduct their own investigations. </p><p>Cichon cautions that some hospitals hoping to avoid bad press and DEA scrutiny may look for loopholes. “We found out through the course of investigations that if someone resigns and was not sanctioned it may not be a reportable action,” he says. “If we allow this person to resign rather than take action against him, then we don’t have to report it.”</p><p>Murphy notes that DEA typically has no role in individual cases of diversion. “If the diverter has a license from one of those state agencies, usually it’s required that they be reported, and then it’s up to the board how they proceed with the personal license of the individual,” he says. The DEA doesn’t regulate the personnel—that’s up to the state and the facility. </p><p>Cichon notes that the lack of standards when addressing diversion makes it more likely that offenders could slip through the cracks and move on to continue diverting drugs at another facility. “Unfortunately, there are different laws and statutes in every state that set up some sort of reporting requirements,” he says. “There are medical boards, nursing boards, pharmacy boards, and not every worker even falls under some sort of licensing board for that state.” ​</p><h4>Staying Ahead</h4><p>Due to the stigma of discovering diverters on staff, many hospitals just aren’t preparing themselves to address the problem proactively, Cichon explains.</p><p>“This is something that is probably happening but we’re not finding it,” he says. “The statistics I’ve seen at hospitals that are being proactive and looking at this are finding at least one person a month who is diverting drugs in their facility. If a 300-bed hospital is finding one person a month, and Hospital B has the same amount of staff and beds and is finding nothing…”</p><p>NADDI has been providing training for hospitals to develop antidiversion policies. Cichon notes that many hospitals throughout the country have no plan in place to actively look for diverters. “As big as the issue is, many of them are still just not being that proactive in looking at the possibility that this is happening in their facility.”</p><p>Cichon encourages a team approach to diversion that acknowledges diversion as a real threat. “Not just security personnel should be involved with the diversion aspect,” he says. “Human resources, pharmacy personnel, security, everyone is being brought into this investigation, because the bigger picture is patient safety. The diverting healthcare worker typically isn’t one who’s going to be selling or diverting his or her drugs on the street, but they are abusing the drugs while they are working.”</p><p>Leon worked hard on diversion prevention at HCMC after discovering a surprising pattern: almost all of the diverters he investigated wanted to be caught. “What got me on this path of prevention was observing the nurses as they would admit to what they did,” he explains. “More often than not the nurses would say, ‘I wanted somebody to stop me. I needed help, didn’t know how to ask for it, and I was hoping somebody would stop me.’ That’s pretty powerful when you’re sitting there listening to this on a consistent basis.”</p><p>Leon implemented mandatory annual training for everyone in the hospital—from food service workers to surgeons—to recognize the warning signs of drug diversion. “If a nurse or anesthesiologist or physician is speaking with you and telling you they are having these issues, then you should say something,” Leon explains. “It’s not doing the wrong thing—you’re helping them, and that’s the message we sent out. Look, these individuals are not bad individuals. Something happened in their lives that led them down this path.”</p><p>Leon also had cameras installed throughout the hospital that allowed him to observe diversion but also kept his investigations accurate. “We had a nurse who was highly suspected of diverting,” he says. “With the cameras I was able to show that she wasn’t diverting, just being sloppy. The employees appreciated the cameras because it showed they weren’t diverting medication, they just made a mistake.”</p><p>Over time, HCMC personnel became more comfortable coming forward with concerns about their coworkers. Before the facility started the annual training, Leon caught at least one diverter a month. Before he retired, he says, that number had dropped to one or two a year.</p><p>“The success of our program at HCMC was the fact that we paid more attention to educating rather than investigating,” Leon says. “You have to keep those investigative skills up, but you have to spend equal amount of time on prevention and awareness.”</p><p>Mitchell points to algorithmic software that can identify a potential diverter long before their peers could. Taking data such as medicine cabinet access, shift hours, time to waste, and departmental access allows software to identify anomalies, such as a nurse whose time to waste is often high, or a doctor who accesses patients’ files after they have been discharged. </p><p>“Most people are using the logs from the medicine cabinets trying to do statistical analysis,” Mitchell explains. “You find out 60 days or six months later, or you don’t see that pattern emerge by just using one or two data sets. That doesn’t help. The goal is to identify these people as quickly as possible so they are no longer a risk to themselves or the patients or anyone they work with.”</p><p>Murphy encourages facilities to be in full DEA compliance to mitigate diversion. “If somebody wants to steal or becomes addicted, they are going to find a way to do it, and sooner or later they are going to get caught, but then there’s a problem because the hospital has to work backwards to determine how much was stolen and reconcile all that,” he says. He also notes the importance of following up internally on each diversion case and figuring out what went wrong, and adjusting procedures to address any lapses. </p><p>“Every entity that has a DEA program should have diversion protocols in place because if they don’t they are playing Russian roulette with theft and loss and their DEA registration,” Murphy says.  ​</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Shrink Reduction<p>​<span style="line-height:1.5em;">Security’s long battle against retail theft continues, and it is far from won, but some retailers are making gains. Loss prevention strategies are becoming increasingly more sophisticated, with some retailers leveraging cutting-edge technology, analytics, and an even more engaged workforce to fight thieves and stay one step ahead of always-evolving shoplifting methods.</span></p><p> Global shrink has declined by 4.8 percent in the last year, due in part to an increased focus on loss prevention measures, according to a recent study of retail theft across the world. The report, The Global Retail Theft Barometer 2013-2014, examined the cost of merchandise theft in the global retail industry in 24 countries spread throughout Asia, Europe, North America, and South America.</p><p>What’s driving the progress? One major factor is increased investment in loss prevention programs. The study found clear correlations between how much a country’s retail industry spent on loss prevention and the retail loss rate in that country. Countries with the best shrink reduction rates had spent the most on preventive countermeasures, while those with the highest losses spent the least on prevention.</p><p>This is a lesson that some retailers in the United States could benefit from, says Ernie Deyle, former vice president of loss prevention for CVS/Caremark who now leads the shrink reduction and margin recovery practice for SD Retail Consulting. Deyle says that when he does “triage” work in the field, some stores consider loss prevention an expense area, a place where they minimize spending in hopes of minimizing costs. So the idea that loss prevention is actually a competitive asset area is “usually overlooked,” often to the detriment of the store’s financial bottom line. “When you control loss, you improve your profit,” says Deyle, who helped conduct the study in conjunction with The Smart Cube, a research and analytics firm. </p><p>However, simply spending more money on prevention is not the sole answer to the problem, Deyle adds. The report found that the most effective loss prevention programs are multifaceted: they often combine the strategic use of technology and physical security measures with data analytics.</p><p>For example, a multifaceted program might employ electronic article surveillance (EAS). EAS devices have been shown to be among the most effective of retail security technologies, the report found. But relying on one tactic or device, even one as effective as EAS, is “like putting up a gate with no fence,” Deyle says. </p><p>Instead, multifaceted loss prevention programs may couple an EAS system with a merchandising plan that covers product placement strategies to avoid theft. The merchandising plan might use analytics on loss data to determine things like what shelves are most vulnerable to theft, which items are most likely to be stolen, and when peak theft occurs. Product placement strategies might include the best arrangements and facings for items to minimize theft, Deyle explains. For example, arranging products in a way that takes longer to lift them off the shelf can deter some shoplifters. “They want quick in, quick out, without being noticed,” Deyle says. </p><p>Moreover, loss prevention plans should be constantly evolving. Shoplifters who are foiled will change their practices accordingly, so retailers need to continually change their tactics as well. “It’s about being strategically positioned,” Deyle says. “You need to stay ahead of the curve.” </p><p>While the 4.8 percent global shrink decline is encouraging, retail shrink still costs an estimated $128 billion worldwide, evidence that theft is still a serious problem for the industry, according to the report. The loss is the equivalent of 1.29 percent of sales in each of the 24 countries examined in the study. The annual cost of shrink to households, as passed on from retailers, ranges from $74 to $541, depending on the country. </p><p>Roughly two-thirds of shrinkage worldwide (slightly more than 65 percent) is due to shoplifting, followed by employee theft. In most countries (16 of 24), shoplifting is the biggest cause of shrinkage, but this can vary. For example, in the United States, employee theft ranked first at 43 percent, with shoplifting next at 37 percent. In Norway, a low shrinkage country, administrative losses are the major source of shrinkage.</p><p>Comparatively, shrinkage rates across the 24 countries in the report range from 0.83 percent to 1.7 percent. Mexico recorded the highest rate—1.7 percent—followed by China with 1.53 percent. The lowest shrinkage rates were in Japan, Norway, the United Kingdom, and Turkey. </p><p>In the United States alone, retail theft costs $42 billion annually, equal to an average of $403 per household. Shoplifters and dishonest employees most commonly target products that are easy to conceal and then resell.  Some of the most frequently pilfered items include mobile phones, spirits, fashion accessories and jewelry, makeup products, and computer tablets.  </p><p>Almost all types of U.S. retail stores were hit by employee theft and shoplifting, but the most affected were U.S. discounters, with losses equaling 2.78 percent of sales; pharmacies/drugstores, 2.16 percent; and supermarkets/grocery retailers, 1.38 percent. These three types of stores witnessed the highest shrink rates because of the widespread prevalence of organized retail crime combined with relatively lower loss prevention spending, according to the report. </p><p>While retailers are making progress with sophisticated loss prevention programs, another recent report points the way toward an alternate means of reducing retail shrinkage—by improving the engagement level of the workforce. </p><p>This report, Making the Link: the Role of Employee Engagement in Controlling Retail Losses, surveyed more than 200,000 staff members in 1,570 stores under three European retail chains. Employee engagement was measured across 18 factors, such as “staff believe their ideas and suggestions are taken seriously” and “staff feel appreciated and valued.” Four indicators of retail loss were examined: shrinkage, waste, cash loss, and lost sales driven by out-of-stock merchandise. The report was conducted by ECR Europe’s Shrinkage and On-Shelf Availability Group, with support from the University of Leicester. </p><p>The study found that 15 of the 18 employee engagement factors influenced store loss. It also found that the stores that had the highest loss rate could significantly reduce that rate with a more engaged workforce. The report “graphically highlights the difference that engaged and valued staff can make to retail profitability—not just by providing excellent customer service, but also through a reduction in the many and varied losses retailers experience,” write the authors of the report. (For more on employee engagement best practices, see “The Disengagement Dilemma” on page 52).  </p><p>Like the previous report, Making the Link also found that managers played a pivotal role in keeping employees engaged. To heighten engagement levels and reduce loss, the authors recommended that managers provide more opportunities for staff development, keep staff informed about the organization, solicit staff ideas, and make sure that staff have satisfying, manageable roles. </p><p>“For all the advances in technology and analytics, the importance of employees must not be minimized,” the authors write. “Retailing is fundamentally about people—principally the customer but also the employees tasked to service their needs.”</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Golden Rule<p>​</p><p>HIGH IN THE ANDES mountains of northern Peru, 375 miles north of the capital city of Lima, is the Yanacocha mine—Latin America’s largest gold mine. The site, which is majority-owned by Colorado-based Newmont Mining Corporation, consists of six open pit mines, four leach pads, and three gold recovery plants. More than 100 small, rural communities fall within its influence area. While communities situated near Yanacocha have been concerned in the past about the mine’s impact on local water supplies and a lack of communication from the company, Lee Langston, Newmont’s regional director of security for South America, says that most concerns are related to employment.</p><p>Tensions over those concerns resulted in a series of protests in August 2006. Farmers blocked the road to Yanacocha for one week, and production at the mine came to a standstill for two days. According to media reports, protestors’ original demand for jobs turned to anger over environmental concerns, and in one violent clash, protestors blocking the road threw stones at police. In the response, one farmer was shot and killed.</p><p>The incident highlights the often strained relationships between local communities and international extractive companies operating abroad. As a result of this and other security conflicts between Newmont and the communities surrounding the mine in recent years, the company is in the process of implementing a new approach to security that recognizes the importance of human rights and community outreach.</p><p>Human Rights<br>The mining industry has an increased awareness of the connection between community relations and security today compared to a decade ago. “I think increasingly there really is a recognition on the part of the mining companies we work with that there is a degree of indivisibility between what you are doing in terms of your community relations or your community investment and security,” says Aidan Davy, a program director for socio-economic contribution for the London-based International Council on Mining & Metals (ICMM), an industry group which counts Newmont among its members.</p><p>Davy attributes the change to the influence of the Voluntary Principles on Security and Human Rights, an initiative of private companies, governments, and nongovernmental organizations (NGOs), that is intended to provide guidance to extractive companies on how they can maintain the safety and security of operations while ensuring respect for human rights.</p><p>The Voluntary Principles, as they are commonly called, were established in 2000 and primarily address three issues: risk assessment, engaging with public security forces, and interacting with private security forces. For each of these issues, the Voluntary Principles provide several guidelines. Signatory organizations commit to abiding by the principles and submit annual reports on activities.</p><p>Extractive companies have historically taken a silo approach to security and community relations, Davy says, but the Voluntary Principles have led to a more synergistic approach. “Instead of taking the view of conventional security that our role is to protect our people and our assets in that order and [that] people outside the fence line or communities may represent a threat to either people or assets, the Voluntary Principles take the view that in legitimately providing security for people and assets, there is a genuine risk that you might compromise the safety, security, and wellbeing of people outside the fence line,” he explains.</p><p>That shift in perspective, he says, has helped companies realize the importance of aligning what they are doing in the security space to what they are doing in the community relations space. “That has had a profound influence, I would say, in terms of sensitizing people to the idea that these matters are closely related,” he says. </p><p>Slow Going<br>Davy admits that there is some public dissatisfaction about the lack of progress in implementation of the Voluntary Principles. “That absolutely is not the fault of companies exclusively,” he says. “I think it’s because, at its heart, the Voluntary Principles rely on a tripartite model of government, civil society, and company collective engagement and collaboration, and at times, I think they’ve failed to move this thing forward in a way that’s been collaborative.”</p><p>Indeed, one of the biggest challenges, according to Langston, is enforcing human rights in a foreign country and in remote areas. “The real challenge is that [we are] a private company, a foreign private company, [so] sometimes if it’s not approached delicately, government institutions can feel that you’re treading into their area of governing,” Langston says.</p><p>Davy says implementation guidance of the Voluntary Principles has also been lacking. “What’s been missing is practical guidance that will help people really move forward with implementation,” he says. An implementation guidance tool is currently being created by a coalition that includes the Voluntary Principles Secretariat, ICMM, the International Finance Corporation, the International Committee for the Red Cross, and the International Petroleum Industry Environmental Conservation Association (IPIECA). The guide should be available within a year, Davy says.</p><p>Newmont, which is an ICMM member, was one of the first companies to sign on to the Voluntary Principles in 2001. But Oxfam America, an NGO participant in the Voluntary Principles, lodged a complaint against the mining company in 2007 with the initiative’s Secretariat. That complaint was in response not only to the protests in 2006 and the death of farmer Isidro Llanos Chavarria but also to allegations later that year of illegal wiretapping, surveillance, and death threats by a private security company employed by Newmont against a prominent human rights activist and outspoken critic of the company.</p><p>Newmont and Oxfam America subsequently agreed to a third-party comprehensive review of Yanacocha’s security management and practices. The review consisted of interviews with company executives, Peruvian National Police authorities, representatives from two of the three hired security companies employed by Yanacocha, NGO personnel, and community leaders.</p><p>A summary of the review of Yanacocha’s security and human rights procedures was released publicly last summer. “The total review identified areas of strong performance as well as the processes that they felt Yanacocha could improve upon,” says Langston. Newmont and Yanacocha analyzed the review and then developed a plan of action to implement the report’s recommendations for a new approach to security and human rights.</p><p>New Action Plan<br>The plan of action that came out of the review included short-term objectives that would be implemented by the end of 2009, medium-term objectives that would be implemented by the end of 2010, and long-term objectives that would be done in 2011. In terms of implementing recommendations for the Yanacocha site, Langston, as regional security director, is responsible for ensuring that they are completed in the timeframe set by the committee.</p><p>One example of a short-term objective is the creation of a Risk Assessment and Conflict Resolution Office. Langston says the company had a similar office before but it was not as effective as it could have been. One problem was that it only addressed complaints filed directly with the office. For instance, if an allegation appeared in the media, it was not considered a legitimate complaint.</p><p>“Well, you have to be reasonable,” Langston says. “If it’s floating around in the media, you better address it as a complaint.” Now the office considers all allegations no matter how they get word of them. “One of our employees can say he heard something in a store, and that would be investigated,” Langston adds.</p><p>Investigations. Yanacocha now investigates all use-of-force incidents. “Anytime any of our security people have an incident, whether it’s with an employee or a contractor or a community member, that is reported and treated just as if it is an allegation so we can determine whether the force used was reasonable or not,” Langston says.</p><p>All such reports undergo a new process of evaluation as well. If the risk level is classified as low, the incident is evaluated by a human rights and security investigation committee, which includes the site security manager as well as representatives from legal and operations. Representatives from other relevant departments are also on the committee.</p><p>For instance, if an incident involves the community, someone from the social responsibility department is there; if an allegation concerns an employee or contractor, a human resources or contracts manager serves on the committee. They assess the allegation and determine whether it has merit.</p><p>If the allegation is deemed legitimate, the committee orders an investigation and picks an investigation team to report back with results and recommendations. The onsite committee must also keep the South American regional board, which mirrors the committee at the site level, informed.</p><p>If the risk level of a complaint is considered medium, the regional-level committee handles it, and if it is a high-risk complaint, corporate, which also has a similar body, investigates.</p><p>Working with police. Because the response time is so long from Cajamarca, a contingent of police officers is stationed at the mine and rotated on a monthly basis. The company pays the police officers a daily stipend and provides lodging and meals and makes a contribution to the police institution for their services as stipulated in a formal memorandum of understanding (MOU).</p><p>In addition, the MOU has provisions for additional response to the mine area if an incident should occur. However, one of Yanacocha’s medium-term objectives is to work with the police to make this MOU more transparent. The police acknowledge on their Web site that they have an agreement with the mine, Langston says, but they do not publish the contents of the MOU, which is important information for the local community to have. </p><p>One of the long-term objectives is to expand the police training to the regional and national levels, but it will take time. “Obviously it’s the state’s responsibility to do this kind of stuff,” Langston says. But, “[i]f we can help them with a reasonable cost to the company, we’re going to do that.”</p><p>The comprehensive review also recommended equipping police forces with nonlethal weapons, Langston says. “We’re not so sure [as a] company that we want to get involved in providing that type of material, because it’s nonlethal, but it’s offensive in nature,” Langston says. Currently the company provides protective gear for police who are stationed at the mine site or who are responding to an incident. These items include helmets, shields, padding, and other riot response equipment.</p><p>Equipping police raises concerns beyond just the cost to the company, Langston says. There are also legal concerns. “We need to be very cognizant of the Foreign Corrupt Practices Act when we talk about equipping people,” he says. “We have to have some means of monitoring the use of that equipment.” </p><p>Another objective the company hopes to meet by the end of this year is the establishment of regular, formal meetings with public security partners, which include the national police as well as the military. Newmont’s security officials currently engage in formal, high-level meetings with these partners at least once a year, but the company is negotiating with Peru’s interior and defense ministries to set up a formal schedule that would include meeting twice a year at the ministry level and quarterly with generals at the regional level.</p><p>The purpose of the meetings is to assess collaboration and discuss ways to improve performance within the framework of the Voluntary Principles. Yanacocha’s security manager, Jose Antonio Rios Pita Diez, CPP, currently meets with local police on a weekly basis.</p><p>Human rights training. In 2008, in an effort to improve the company’s implementation of the Voluntary Principles even before the review was completed, Yanacocha launched two training programs designed to raise awareness among employees and contractors about the importance of respecting human rights. One program is basic training in human rights and provides an overview of relevant initiatives Newmont is involved with, such as the Voluntary Principles and the United Nations Global Compact. Each participant also receives a primer on human rights.</p><p>In the first year, 3,000 participants benefited from the program, including all of the security contractor personnel working for Yanacocha. The program continues on an annual basis.</p><p>The second training program launched the same year is training in the Voluntary Principles. This program targets the mine’s security staff, contractor personnel, and police assigned to the site. Training focuses on ways to ensure the safety of Yanacocha’s employees and operations while respecting human rights. </p><p>In the first year, the training was provided only to security and contractor supervisors and to public security officers assigned to provide support to the operation. In 2009, all security personnel received the training, which includes use-of-force instruction and a code of conduct for law enforcement officers. The training is being extended in 2010 to Newmont’s Conga project, which is also in Peru, and its Merian project in Suriname. </p><p>Community relations. Yanacocha’s security department has also launched a security-community integration program to improve relationships and trust between security personnel and local communities. As a part of the program, security personnel work with security contract personnel, the police, the military, and local businesses and organizations to plan one-day festivals in isolated communities in the mine’s area of influence. Some activities include music provided by the army or police bands, Andean folk dances, lunch prepared and served by security personnel, and social services, such as presentations on family planning, spousal abuse, and hygiene conducted by the police health unit.</p><p>The security department spearheads approximately one event per month, going to a different local village each time. Security personnel and their families attend. Not only do the events build trust between company and contract employees and the communities, but they also improve relations between the state law enforcement personnel and the local Indian communities, Langston says. </p><p>Yanacocha’s Diez says that it is important to venture into the community relations realm, even though others may consider it the work of an external affairs or social responsibility department.</p><p>“We are doing our work in a preventive way because if we have some problems in the road, the problem also will be for the security department and also for our company,” he says. “We are working in a preventive way in order to avoid these kinds of situations.”</p><p>On a regional level, Newmont is working with the Interior Ministry to assist and provide resources to the rondas campesinas, or rural peasant patrols, which have developed over centuries to provide security for their own rural communities. Each local community has its own ronda. Newmont provides them with minor equipment and gear that makes the ronda campesina stand out in the community, such as vests that say “Ronda” and identify the community; flashlights, boots, and some rain gear.</p><p>Results<br>The goal of these community outreach efforts at its simplest was—and is—to “put a face” on security. The hope was that if local residents got to know security personnel as people before there was an incident, then when they showed up on the scene to respond to trouble, the locals might be disgruntled, but they would be “less likely to pick up a rock or a stick and start to assault the guard. And that’s exactly what we’re seeing,” says Langston.</p><p>He says that security personnel are met more cordially on the road and that they now have conversations with members of the communities. Both Langston and Diez say the efforts at Yanacocha are also showing some tangible results. For example, the company experienced 25 roadblocks in 2007 and only one last year. The company also tracks conflicts that involve physical force, and those incidents have dropped from 64 in 2007 to six in 2009.</p><p>Langston has noticed a growing awareness that community relations affect security and vice versa. “Used to be security was checking the lunchbox at the gate, and it’s much more than that now,” he says. “You have to go beyond the fence, and that takes a whole different mind-set and set of skills.”</p><p>Stephanie Berrong is an assistant editor at Security Management.<br></p>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465