This week, the spotlight is on key regulatory risk issues currently faced by companies in the food and drink sector. Today we focus on how to go about mapping your regulatory risks.

Mapping your regulatory risks

There is often a "practicality disconnect" between understanding the regulatory framework within which your business operates (and therefore understanding the regulatory business risks that you face in a general sense) and what can be done to mitigate those risks in practice. Put another way, how do you go about scoping the regulatory risks faced by your business?

  • First, you need to understand the features of the sector within which you operate: is it oligopolistic; is sensitive data important; are contracts with government agencies involved? In the food and beverage industry, some levels within the supply chain are oligopolistic; there is often a high level of regulation (which can mean that there is a high degree of information sharing amongst competitors); and consumer data is increasingly important, not just for grocery retailers but also for suppliers that wish to engage directly with consumers through, e.g., social listening projects.
  • Then, you should consider the incentives and training within your business: do employment contracts and promotion/appraisal criteria incentivise unwanted risk-taking; do sales targets compromise (the desired level of) compliance?
  • What are your early warning systems and who within your business is alerted when, e.g.: others in your sector are under investigation; the press reports a data breach; or business units materially under- or over-perform? The food and beverage industry is a key focus for regulatory authorities (trading standards; food safety; antitrust; data protection and bribery/corruption) because it offers high profile and high impact outcomes which resonate with consumers. Damage to reputation and brand is often far more costly than any direct regulatory penalties that might be imposed.
  • Finally, what is the action plan if and when a breach occurs: who will be responsible for ensuring specific actions are taken; will you need to review your key contracts; what, if anything, will you tell customers and employees; should you self-report to the relevant regulatory authorities; do you need to suspend any staff; and will you need to review IT systems and the document retention policy to ensure that evidence is not compromised? Substantial fines have been imposed by regulators on businesses that have failed to secure evidence of their own wrongdoing.
