Why This Matters

Undeclared allergens are the leading cause of food recalls in the U.S., accounting for nearly half of all recall events in 2024. Of those label-related recalls, a staggering 83.85% stemmed from undeclared allergens. The average cost of a single recall? $10 million, not including lawsuits, reputational damage, or lost sales.

What Auditors See That You Might Miss

Auditors don’t just look at your label—they trace allergen risk through your entire system. Here’s where undeclared allergens often hide:

• Shared tools: Scoops, slicers, or utensils used across allergen and non-allergen products.
• Rework: Reintroducing product into the system without allergen traceability.
• Label printing: Manual label entry or outdated templates that miss allergens.
• Ingredient swaps: Last-minute substitutions not reflected in the label.
• Sanitation gaps: Incomplete cleaning between allergen runs, especially in dry environments.

How to Build Auditor-Visible Allergen Control

• Labeling: Automate label control and link it to approved formulations. Use mock audits to verify label accuracy.
• Separation: Create visual zoning, color-coded tools, and time-based scheduling to isolate allergens.
• Spill Clean-Up: Develop a technician-proof SOP with allergen-specific response steps and disposal protocols.
• Cleaning Validation: Use swabbing, ATP testing, or visual checks to confirm allergen removal—especially in dry clean areas.
• Create an allergen flow map: Show where allergens enter, move, and exit your system.
• Train for competence, not just compliance: Use verbal checks, not just sign-offs.
• Audit your sanitation program: Validate allergen removal with swabbing or visual checks.

Final Thought

Allergen control isn’t just about avoiding recalls—it’s about protecting lives. Auditors see beyond the label. So should you.

Most facilities treat corrective action like a fire extinguisher—grab it when things go wrong, spray the problem and file the report. But clause-backed corrective action isn’t about optics or containment. It’s about systemic recalibration.

• Damage control is reactive.
• Corrective action is architectural.

Start with the Right Problem

A corrective action plan begins with a precise problem statement—not a solution, or a justification.

• Define the issue without solving it.
• Let clause cues guide your lens:
1. “Systemic” → not isolated
2. “Repeat finding” → ineffective past action
3. “Gap in control” → architectural flaw

If the finding reads like déjà vu, your system isn’t learning—it’s looping.

🔌 Corrective Action Is a Switch

Think of corrective action like a switch:

• Insert it → the problem disappears
• Remove it → the problem returns

If the issue persists with post-correction, you didn’t find the root—you found a symptom.

• Root cause analysis isn’t about blame.
• It’s about solving correcting the system that created the problem

🛠️ Correction vs. Corrective Action

Correction: An immediate fix to contain or resolve the issue (e.g. Re-cleaning a contaminated surface)

Corrective Action: Systemic change to prevent recurrence, based on root cause analysis (e.g. Revising sanitation SOP and retraining)

🎯 Match the Action to the Cause

If your root cause is “lack of training,” your corrective action isn’t “update the SOP.” The action must directly neutralize the root cause.

✅ Verification Isn’t a Checkbox

Verification must evaluate effectiveness, not just confirm completion.

Ask:

• Did the problem reoccur?
• Did the system behave differently post-action?
• Can we prove the fix worked under stress?

🌐 Preventive Action—The Look Across

Preventive action isn’t a bonus—it’s a systems mindset.

Use the root cause to scan adjacent systems:

• If one SOP was flawed, are others built on the same logic?
• If one operator misunderstood, is the training model flawed?

Corrective action closes the loop. Preventive action expands the lens.

🧭 Closing Thought

Corrective action isn’t a form. It’s a philosophy. When done right, it’s the difference between a facility that survives audits—and one that evolves through them.

Legacy isn’t built on fixes. It’s built

HACCP Without Blind Spots

By: M.R. Trace

Hazard Analysis and Critical Control Points (HACCP) is the backbone of food safety systems. It’s clause-backed, globally recognized, and mandatory in regulated environments. But here’s the uncomfortable truth:

Many HACCP plans look complete—until you audit them.

WHAT I SEE AS AN AUDITOR

I’ve reviewed hundreds of HACCP plans. Some are robust. Most are performative. Here are recurring gaps that compromise safety, traceability, and credibility:

• No mention of rework – Product re-entering the process isn’t addressed. Risk is recycled, not mitigated.
• Waste streams ignored – Disposal logic is missing. What leaves the system isn’t tracked.
• Customer returns excluded – Returned product is outside the hazard lens. That’s a blind spot.
• Flow chart not verified by HACCP Coordinator – No signature, no ownership. Just a diagram.
• Flow chart doesn’t match hazard analysis – Steps are skipped, merged, or mislabeled. The map doesn’t match the terrain.
• High-risk steps identified but not mitigated – Hazards are acknowledged, then left hanging. No CCP. No control.
• No clause-backed justification for exclusions – “Not applicable” is used like white-out, not like logic.

If a step is excluded, it must be evaluated and justified—per clause, not convenience.

METAL DETECTOR ≠ HACCP PLAN

One of the most common missteps I see:
Facilities treat the metal detector as their only Critical Control Point
It’s installed, calibrated, and documented—so they assume the job is done.

But here’s the clause-backed reality:

• Metal detection addresses one hazard type metal fragments.
• It does not mitigate biological, chemical, or other physical hazards (e.g., brittle plastic, glass, bone).
• It’s a last-line defense, not a comprehensive control strategy.

If your HACCP plan has one CCP — and its metal detection—you better have clause-backed justification for every other hazard being controlled upstream.

Otherwise, you’re not managing risk. You’re outsourcing it to a machine.

WHAT A CLAUSE-BACKED HACCP PLAN LOOKS LIKE

• Every process step is mapped, verified, and owned
• Rework, waste, and returns are addressed with hazard logic
• High-risk steps trigger mitigation — not just acknowledgment
• Flow chart and hazard analysis are synchronized and clause-referenced
• HACCP Coordinator signs off — not just in theory, but in practice
• Not applicable is justified with clause-backed rationale, not convenience
• CCPs are validated — not assumed

FINAL THOUGHT

HACCP plans don’t fail because the hazards are invisible. They fail because the system pretends not to see them. If your flow chart is decorative, your hazard analysis is incomplete, your CCPs are unvalidated, and your exclusions are unexamined— you don’t have a HACCP plan. You have a liability.

What a Food Safety Team Should Actually Be Doing

By: M.R. Trace

In most facilities, the food safety team gets mentioned in audits, training slides, and org charts—but what does it actually *do*? More importantly, what *should* it be doing?

Let’s strip away the fluff and look at the real work of a food safety team, not the ceremonial stuff. The operational stuff. The kind that keeps systems sharp, risks visible, and decisions grounded.

First, Define the Team

A food safety team isn’t just QA and the plant manager. It’s **cross-functional by design**. That means:

• Production brings process realities
• Sanitation brings frontline insight
• Maintenance brings equipment context
• Purchasing brings supplier and spec awareness
• R&D or Product Development brings formulation foresight
• Quality/Regulatory brings system oversight

When these voices are in the room, the team becomes a **decision-making engine**, not just a compliance checkpoint.

What Should Be on the Agenda?

Here’s what a food safety team should be reviewing regularly—not just when an auditor’s coming:

1. Site Inspection Nonconformances

• Review internal audits, GMP walks, and sanitation inspections
• Trend findings over timeespecially repeat offenders
• Focus on identifying and correcting root causes, not just surface fixes

2. Ingredient, Process, Customer Changes or Product Changes

• Any new ingredient, equipment, or formulation should trigger a review
• Focus especially on new allergens — even trace introductions
• Ask: Has this change been risk-assessed and communicated clearly?

3. HACCP Plan Review

• Revisit hazard analysis when processes shift or new risks emerge
• Don’t just “update the document” — challenge the assumptions
• Ask: Is our plan still relevant to what’s actually happening on the floor?

4. PRP and CCP/Preventive Control Effectiveness

• Review monitoring records and corrective actions
• Look for patterns: missed checks, repeated deviations, vague responses
• Ask: Are our controls working, or are we just checking boxes?

Final Thought

The food safety team isn’t a formality. It’s a forum. A place where operations, quality, and strategy intersect. When it’s functioning well, it doesn’t just protect the brand—it drives continual improvement.

Advantages of Outsourcing your ISO implementation Project

Do you have customers requiring ISO certification and don’t know where to begin?

ISO 9001 and other ISO standards are based on certain requirements. These requirements vary depending on the standard. An organization seeking certification is responsible for establishing, documenting, implementing, and once certified, maintaining the ISO system.

Can an organization’s personnel implement the requirements on their own?

Of course they can! If the organization can expend the time and energy of one of the managers to attend a couple of weeks of training and dedicate a good part of the next several months to documenting and implementing the requirements, then yes. Once the requirements are learned, the challenge can be applying these requirements in their respective operation.

Then Why Engage a Certification Consultant?

Time and money. While there is a cost in hiring a consultant, there is also a cost for a company to utilize internal resources.

The fundamental advantage is that a good consultant will provide common sense explanations in understanding ISO 9001. The standard is full of vague requirements leaving individuals new to ISO with a sense of frustration trying to nail down, “what does this mean?”

Aside from this, a good consultant can help with proven methodologies and supply you with sample forms, etc. Many companies feel that they need to invest in software or otherwise incur other expenses to implement an ISO system. This is not the case.

A good consultant will develop level one and two documents for you and will include the interaction of processes. Your documentation should reflect what your company does. It should also meet the requirements of the standard, leaving you with a manageable system. This is one of the biggest pitfalls…companies choosing to tackle this on their own often over document creating more work for themselves down the road in doc modification.

Consultants can also help with quality objectives, management review, internal audits and corrective action.

Conclusion

Overall, hiring an ISO expert will expedite your ability to achieve certification more quickly, which will in turn, keep your customers happy.

Holiday Greetings from Perry Johnson Consulting, Inc.

We at Perry Johnson Consulting (PJC) want to take a moment to express our heartfelt gratitude to you – our clients, partners, and supporters. Your trust and collaboration have been instrumental to our success this year, and we are truly honored to have been part of your journey.

The holiday season is a time for reflection and celebration, a moment to pause and cherish the company of friends and family. With this in mind, our offices will be closed on December 25th and January 1st, to give our hardworking team the opportunity to enjoy this time with their loved ones.

As we prepare to welcome 2025, we are filled with excitement for the opportunities and growth it will bring. We look forward to continuing to serve you with the same dedication and excellence you’ve come to expect.

From all of us at Perry Johnson Consulting, we wish you a joyful holiday season and a new year filled with health, happiness, and success.

Warmest regards,
The Perry Johnson Consulting Team

Preparing for Certification Audits: Common Pitfalls to Avoid

I recently had a conversation with Jason Leighton, Certified Lead Auditor at Perry Johnson Consulting. Jason’s 20+ years’ experience in the ISO Industry includes implementation of quality management systems in hundreds of organizations. He has also conducted certification audits on behalf of a registrar.

We discussed some of the common nonconformances found during certification audits, primarily with companies that implemented the requirements without outside assistance from a technical expert.

Per Jason, the three common issues found during certification audits are:
1. Issues with documentation
2. Lack of Employee Training and awareness of the quality management system
3. Addressing nonconformances through corrective action

Documentation Issues – Organizations struggle to understand the breadth and depth of the documentation needed for a quality management system. Some organizations fail to meet the minimum documentation requirements while others over document their system. Each presents itself with problems that are difficult to overcome. Engaging an expert to prepare your quality and procedures manual so that it meets the criteria of the standard but is easy to maintain will alleviate problems both in document control and in certification audits. A good consultant will also guide the company in the records the company must maintain and should be able to provide you with sample forms etc.

Lack of Training – Often employees don’t have an understanding of the ISO requirements, and this makes it difficult for them to respond to the auditor. Training employees is critical. An implementation firm that offers hands on training and classroom training is what is recommended. Independent consultants will not likely offer course training with student materials etc. Also, it is important to note that webinars are useful but do not take the place of a training course on the topic as they are usually very short in duration.

Addressing Nonconformances – Organizations struggle with effective root cause analysis and systemic corrective actions. Root cause analysis training should be part of the implementation plan.

Jason goes on to say that any failure to meet a requirement leads to a nonconformity thus delaying certification. If there are findings/nonconformances found during the certification audit, the organization must re-evaluate their system to determine where the systemic failure has occurred and make changes to prevent its recurrence. In addition to delaying certification for a few months, the company may have to spend additional funds if a second visit is required by the registrar auditor.

The Bottom Line – It’s true, hiring a certification consultant does cost money. Second guessing in how to appropriately respond to ISO requirements can cost a company much more in time/money. The number one cost to a company is their staff, ask any controller. Be prudent and engage an experienced certification consulting firm such as Perry Johnson Consulting. Your road to certification will be shortened, cost you less and the quality management system will be easier to maintain.

Contact us at [email protected] to see how we can help.

---

Information/Data Security

Did you Know?

Organizations spend resources on Antivirus Software, Intrusion Detection and Prevention Systems, and set up Firewalls.

Despite our attempts, data breaches continue to cost companies millions of dollars.

Why?

Depending on the study/research*, it is said that as much as 95% of data breaches are caused by HUMAN ERROR… 19 out of 20 breaches. This information is both astounding and terrifying.

Human error can be attributed to misconfigured security settings, or accidentally sharing information that is sensitive. It can be as simple as an employee clicking on a link that could expose the organization’s data to cyber criminals. These cyber criminals then hold this crucial information for ransom. Trillions of dollars are spent on cyber-attacks… a staggering number that is on the rise.

What’s The Solution?

If 95% percent of the breaches are caused by human error, it is crucial that companies implement an ISO 27001 management system that can greatly reduce the chances of a cyber-attack.

Certification to ISO 27001 is crucial, as organizations realize that managing their data is equally as important as the software or systems they employ.

To become certified, an organization must implement the requirements and employ an accredited third party that, through an audit, will certify their Information Security Management System (ISMS).

By contracting with a reputable ISO consulting firm, the management system can be implemented in months.

Conclusion

The benefit of certification is obvious. Savvy organizations and business owners realize that this layer of protection is essential.

For more information, a complimentary executive overview can be found on our website www.pjcinc.com along with upcoming ISO 27001 training course dates.

*IBM Study-2021

Author: Carrie Hayden – Vice President

---

Can a Consultant be Available During a QMS* Registration Audit?

This is a question that has been asked of me many times. While a registrar may allow the consultant to be present during management system audits, a representative of the organization must respond to the auditor and present evidence.

Clause 4. Puts the responsibility of establishing, documenting, implementing and maintaining a quality management system on the company (not the consultant).

If the consultant also performs internal audits for the organization and manages the corrective action, they could be the right individual to respond to questions about those processes. The idea of the consultant answering all of the questions about all processes would be unlikely.

Be mindful that a consultant can be present but must not be disruptive and cannot attempt to control the audit.

In as much as it limits the role a consultant may play in an audit, the benefit of having a consultant available can be to assist on your reaction to a nonconformance, perform root cause analysis, and determine corrective action during the audit.

*The exception to the above is IATF 16949 (automotive audits) where it is not permitted for a consultant to partake in an audit.

Author: Carrie Hayden – Vice President

---

Benefits of ISO 9001 Certification

What is the benefit of ISO 9001? That’s the question asked by many companies that are on the fence as to whether, or not they will gain anything from it. Over the years I have gone back to clients we have prepared for certification and asked what their biggest benefits have been from becoming certified, and below are a few of the most common answers.

Increased Business

There are many companies that will only buy from suppliers that are ISO 9001 certified. This is a big untapped market for companies that have never been certified before. Once you’re certified, placing the ISO 9001 Certified logo on your website, brochures, and social media sites is a good place to start and don’t forget to educate your sales team on the benefits. Review previously lost prospects due to not being certified and reach back out to them now that you are. These are all good ways to increase your business with ISO 9001.

Improved Productivity and Employee Satisfaction

When adding ISO 9001 properly, one of the first things that happen is an increase in morale. Giving employees a voice in the quality process, gives them ownership in the system and individual accountability moving forward. Employees working in the process have firsthand knowledge of what their unnecessary procedures are. By documenting these procedures and having discussions with management on where these unnecessary steps can be eliminated, it increases productivity and improves employee satisfaction.

Continuous Improvement

ISO 9001 standard requires the organization to continually improve the suitability, adequacy and effectiveness of the QMS (quality management system). ISO 9001 also requires management reviews. These reviews need to include decisions and actions related to opportunities for improvement including changes to the QMS, and any resources needed to accomplish the improvements. You can only consistently improve if you are always looking for ways to do so.

Enhanced Customer Satisfaction

By monitoring the expectations of the customer, and their perception of how well the company has achieved them, it allows the company to identify additional areas for improvement. This increases customer satisfaction over time.

Conclusion

ISO 9001 can enhance your business operation in several ways by making it more efficient, allowing you to streamline your processes, open a new marketable customer base, reduce overall costs, enhance employee/management engagement and improve customer relations. Contact Perry Johnson Consulting at [email protected] for easy set up and implementation of ISO 9001.

Author: Ralph Black – Business Development Manager

---