Frito Lay North America, which is a subsidiary of Pepsico, oversees a massive food production operation that brings in $12 billion in annual sales. The company’s 30 manufacturing plants and 1,500 storage facilities generate 3.2 billion pounds of processed consumer foods each year. More than 21,000 employees and 40 contract manufacturing partners ensure that 16 billion bags of Frito Lay products—everything from Cracker Jack to Sun Chips—hit the shelves yearly.
Frito Lay executives have known for some time that the company’s supply chain was complex, but until 9-11 they did not consider that it might also be dangerous. “The terrorist attack raised new possibilities. The defense of our supply chain became very important, because we had to consider that food could be used as a weapon” says Peter Hayes, senior group manager of the company’s manufacturing operations support and food security division. Hayes and his team embarked on a food defense program that would protect the company’s supply chain, including warehouses, manufacturing facilities, and employees. The program includes an ongoing analysis of the company’s physical security, regular audits, and tabletop exercises for executives.
Physical security. Hayes began the process by visiting company facilities and conducting a survey of existing security measures. Then he used threat exposure analysis to determine the risk level of each facility.
After conducting the survey, Hayes found that more than half of the manufacturing plants had no perimeter fencing; only half had an operable CCTV system. Most facilities that assembled and packed finished products had perimeter fencing, but only half had alarms and only one-third had access control.
While the lack of consistency was troubling at first, the company was anxious to avoid a cookie-cutter approach. “We wanted to give each facility the tools they needed to maintain adequate security,” says Hayes.
The company considered four main security measures for each facility: CCTV, access control, perimeter fencing, and guard services. To determine which measures were needed at a given location, Hayes applied a numerical ranking for each facility. This ranking was based on the severity of a threat, multiplied by the likelihood of such an event occurring, multiplied by how easily the threat could be detected.
For example, Hayes explains, the team considered how to rate the threat of arson at each facility. Such an event was ranked on the severity scale based on how quickly a fire would spread, which depended on what product was manufactured or processed at the facility, and how much damage would be done. The other numbers were determined by how easy it would be for someone to start such a fire and how quickly a fire would be detected.
To fine-tune these numbers, Hayes and his team consulted front-line employees and held brainstorming sessions. “Employee input was terrific and very helpful,” says Hayes.
Once a facility was given a numerical ranking for each risk, Hayes factored in the size of the facility, the volume of food it produced, and its CAP Index score—indicating the level of crime in the vicinity. These numbers were then applied to determine the specific security measures that should be implemented to mitigate the threats.
At a minimum, each facility was fitted with perimeter fencing and an access control system, which was monitored and controlled on site. Most locations also received (if they didn’t already have) a CCTV system. The cameras are not monitored, but the feeds are recorded and kept for 30 days. Only locations with the highest risk score were given security guards.
The security system was in place by 2004. Earlier this year, Hayes contracted with an outside consulting firm to reassess the security measures to make sure they were still appropriate. “We wanted to make sure that we weren’t being ruled by our emotions after 9-11,” he says.
Overall, Hayes says, the security features were still judged necessary. “What we put in place is largely correct and still relevant to the risks we have today,” he concludes.
However, technology has made some things possible that were once out of reach. For example, standalone CCTV and access control were necessary for the original installation, because centralization was too expensive. The new assessment indicates that a central, common access control card for all facilities is economically viable. CCTV could also be monitored from a central station. “One of the recommendations is that we could consider a centralized system,” says Hayes. “We will be looking at that now.”