blog (4)

One in four UK medium-to-large businesses experienced fraud in 2024. The most common vulnerabilities cut across sectors, and food industry businesses have been amongst the victims. They include cyberattacks, unauthorised push payment fraud, and cargo theft using sophisticated fake commercial documentation or company details.

The UK Government have published their Fraud Strategy 2026-2029. Highlights include:

1 Increased investment

  • Over £250 million of additional funding.

2 Strengthened public-private collaboration

Launch of a new Online Crime Centre in April 2026, with £31 million committed to improving intelligence‑sharing between law enforcement, national security agencies and private‑sector partners.

3 Sector‑specific interventions

Including Calls for Evidence in 2026 on:

  • proportionate measures to reduce anonymity in the UK communications sector;
  • drivers of unauthorised push‑payment (APP) fraud.
  • Development of a secure digital tool to manage UK telephone numbers.

4 Improving the reporting system

Further improvements to Report Fraud (introduced in December 2025), with a focus on better technology, faster referrals, and enhanced victim support.

5 Supporting victims

Introduction of a Fraud Victims Charter in 2027, establishing minimum national standards for response times, reimbursement guidance, prevention, recovery and access to support services.

6 Strengthening civil and criminal justice

  • Introducing judge‑only trials for the most complex fraud cases to reduce delays in court.
  • Consideration of Jonathan Fisher KC’s recommendations to tackle barriers to prosecution and modernise the legislative framework.
  • Responsible use of AI to modernise disclosure processes. This is to address the problem that fraud cases take almost eight times longer than the average case to reach charge.
  • Exploration of civil penalties for fraud and for facilitating money laundering. These would be an alternative or complement to criminal proceedings.

Additional commitments

  • Sponsoring the Global Fraud Summit.
  • Expanding the Stop! Think Fraud public‑awareness campaign.
  • Increasing proactive policing as part of the national PROTECT response.

 

Summary taken from Lexology blog by Freddy Faull, Edmunds, Marshall & McMahon

Photo by Bermix Studio on Unsplash


This blog, from consultancy group Forensic Risk Alliance, outlines the principles that a company must follow to demonstrate due diligence under the UK Failure to Prevent Fraud Act. It is not specific to the food industry but the principles are generic. These same principles are good practice even for companies in countries that do not have similar legislation (i.e. a legal onus to take due diligence to prevent fraud) and for smaller UK companies not within the legal scope of the act. The blog discusses how the principles can be implemented in practice:

  • Implement a risk-based approach
  • Incorporate fraud into other risk assessments
  • Use existing data and technology
  • Employee involvement and training
  • Cross-industry collaboration

The blog contains links to other open-access blogs and articles on the same topic.


There has been a lot posted recently about honey authenticity and test methods. This blog from the FSA pulls it all together in one concise and systematic page. It includes:

  • Honey sampling guidelines
  • The weight of evidence approach to interpreting test results
  • The UK AMWG review of the EU “From the Hives” report
  • New testing methods developed under FSA-funded research

Food Fraud Prevention - Understanding ISO 31000 and Consequence in Risk Management

Welcome! In support of the Food Authenticity Network (FAN), this blog series reviews key topics related to food fraud prevention. Watch here for updates that explore the definitions of food fraud terms and concepts.


This post expands on our earlier discussion of ISO 31000’s ‘likelihood’ component in risk assessment to explore the final key concept of ‘consequence.’ In our next post, we’ll complete the risk assessment process by applying COSO-based Enterprise Risk Management (ERM) to set a precise risk tolerance level.

To recap, a vulnerability in risk management combines ‘likelihood’ and ‘consequence’ to assess potential outcomes. Both elements are essential for comprehensive risk evaluation. Let’s consider this with a familiar example: the consequence of a 5% chance event varies widely depending on the context. A 5% chance of stubbing your toe at night might require no precautions beyond possibly turning on a light (‘risk acceptance’), while a 5% chance of drowning would prompt more significant measures, such as wearing a life jacket (‘risk treatment’) or finding an alternative way to cross the water (‘risk avoidance’).

To recap, a vulnerability is a type of risk. A risk is determined by the combination of ‘likelihood’ and ‘consequence.’ Remember:

Risk Assessment Essentials in ISO 31000

  • Risk (ISO 31000): “effect of uncertainty on objectives” [Reference 2]
    • NOTE 1: An effect is a deviation from the expected — positive and/or negative.
    • NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
    • NOTE 3: Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these.

ISO definitions are carefully crafted through years of review across disciplines, emphasizing the importance of structured and universal terminology in risk management.

  • “Consequence (ISO 31000): outcome of an event affecting objectives
    • NOTE 1: An event can lead to a range of consequences.
    • NOTE 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives.
    • NOTE 3: Consequences can be expressed qualitatively or quantitatively.
    • NOTE 4: Initial consequences can escalate through additional effects. [ISO Guide 73:2009, definition 3.6.1.3]”

These guidelines provide a thorough framework for organizations assessing risks, helping them identify and respond to various outcomes more effectively.

The Importance of Consequence vs. Severity in Risk Management

To frame the problem in a broader business sense, ‘consequence’ allows a broader interpretation than ‘severity.’ Specifically, the term ‘severity’ implies only a negative outcome. Some methods refer to other more neutral terms, such as ‘impact’ or ‘outcome.’ In a business, there is a need for some level of risk-taking to meet performance growth and financial goals. The term ‘consequence’ covers a broader range of possibilities, including positive, neutral, and negative results. In the context of food safety, for instance, risk isn’t just about avoiding undesirable outcomes—it’s about managing them to meet an organization’s goals. “Many Food Scientists and Food Safety managers use the term ‘risk’ to define an unacceptable or intolerable level.” [Reference 3] This aligns with business risk-taking, where managing risk appetite allows for opportunities that may bring rewards.

For example, buying a stock involves risk, but it’s a controlled risk with the potential for reward. Risk assessment, in this sense, includes both ‘likelihood’ and ‘consequence,’ ensuring that resource allocation aligns with both risk tolerance and potential outcomes.

The Formula for Risk: Likelihood x Consequence

Effective risk management must account for both likelihood and consequence to allocate resources wisely. While every event is bad and disruptive, the likelihood of an event is important ONLY in relation to the consequence, and vice versa. It should be noted that a food fraud incident – or known fraud in a supply chain – is illegal. Unless the operators are a criminal organization, the likelihood would be defined as ‘100%,’ and the consequence is ‘illegal product,’ so this situation is an ‘intolerable risk.’ In this case, addressing vulnerabilities shifts from reacting to incidents to eliminating root causes that could lead to fraud.

Adjusting terminology to align with ISO 31000 can simplify this process, but defining your organization’s risk tolerance threshold is crucial—and often complex.

Coming Next: Determining Your Risk Tolerance and Risk Appetite

Our next post will cover determining your organization’s risk tolerance, examining both likelihood and consequence. Traditional risk assessment frameworks often assign this threshold to an undefined “someone” within the organization. However, this step is both critical and complex in the risk assessment process and requires careful consideration.

If you have any questions on this blog, we’d love to hear from you in the comments box below.

References

  1. (R1) Spink, John W (2019). Food Fraud Prevention – Introduction, Implementation, and Management, Food Microbiology and Food Safety series, Springer Publishing, New York, URL: https://www.springer.com/gp/book/9781493996193
  2. (R2) ISO 31000 Risk Management, International Standards Organization (ISO), Updated 2023, https://www.iso.org/iso-31000-risk-management.html
  3. Applying Enterprise Risk Management to Food Fraud Prevention (ERM2), 2017, Food Fraud Prevention Academy, https://foodfraudpreventionthinktank.com/wp-content/uploads/2021/05/BKGFF17-FFI-Backgrounder-2016-ERM-ERM2-v46-2.pdf
