Skip to main content

Beira VACCP Framework (BVF): a quantitative methodology to prevent food fraud

· 11 min read
Israel Munguia
Israel Munguia
Consultant and Instructor

I have spent years working in food safety, and during all that time I kept running into the same frustration: when a company has to comply with a food fraud requirement —under FSSC 22000, BRC, IFS or SQF— there is no clear reference methodology to lean on. HACCP has the Codex Alimentarius. TACCP has PAS 96. VACCP, however, had been left orphan.

After a lot of reading, writing, scrapping and starting over, I decided to close that gap. This week I published the Beira VACCP Framework (BVF) version 1.0, a complete, quantitative and auditable methodological guide to implement VACCP. And, just as importantly, I published it under a Creative Commons license so that any company, consultant, certification body or authority can use it without asking for permission.

This article is the introduction I wish someone had handed me ten years ago: what food fraud is, why it should matter, what problem the BVF solves and how it is structured.

1. What Is Food Fraud?

Food fraud is the deliberate and intentional substitution, addition, tampering or misrepresentation of food, ingredients, packaging materials, labelling or product information, carried out for economic gain.

The definition hinges on two words: deliberate and economic. We are not talking about a process error, an accidental contamination, or an ideological act of sabotage. We are talking about someone within the supply chain who decides to deceive in order to make more money.

To put it in perspective, it helps to compare the three systems that coexist within a Food Safety Management System (FSMS):

SystemWhat It ControlsMotivation Behind the EventMethodological Reference
HACCPFood safetyUnintentional (bio/chem/physical hazards)Codex Alimentarius
TACCPFood defenseIntentional — to cause harm (terrorism, sabotage)PAS 96
VACCPFood fraudIntentional — economic gainBVF v1.0

The three are complementary. None replaces the others. And yet, until now, only two of them had a recognized reference methodology behind them.

The 7 Types of Food Fraud

Food fraud is not a single thing. The most widely used taxonomy (based on the work of GFSI and the Food Fraud Prevention Think Tank at Michigan State University) distinguishes seven types:

  1. Substitution — Replacing an authentic ingredient with a lower-value one (horse meat sold as beef, wild salmon swapped for farmed).
  2. Addition or dilution — Adding a substance to increase volume or weight (honey diluted with corn syrup, milk extended with water and starch).
  3. Concealment — Hiding defects, deterioration or contamination (fish treated with carbon monoxide to fake freshness).
  4. Misrepresentation — False claims on labels or documents (false geographic origin, "organic" without certification).
  5. Unapproved enhancements — Addition of unauthorized substances (melamine in infant formula, Sudan Red in spices).
  6. Counterfeiting — Imitation of a brand or protected designation (counterfeit wines, copies of PDO/PGI products).
  7. Stolen goods — Stolen product reintroduced into the market through parallel channels.

2. Why Should We Care?

If you work in the food industry, there are at least four reasons to take food fraud seriously.

First, public health. Even when the motivation is economic, the consequences can be sanitary. The best-known case —melamine added to infant formula in China in 2008— sickened more than 300,000 babies and killed at least six. The motivation was profit; the outcome was a public health crisis.

Second, reputational damage. The horse meat scandal in Europe in 2013 did not cause a single illness, yet it sank sales, brought down brands and forced contracts to be rewritten across the supply chain. Consumer trust, once broken, takes years to rebuild.

Third, regulatory and certification pressure. Since 2017–2018, the major GFSI-recognized schemes have all incorporated explicit requirements:

  • FSSC 22000 §2.5.4 — Vulnerability assessment and mitigation plan.
  • BRC Global Standard V9 §5.4 — Vulnerability assessment and mitigation plan.
  • IFS Food V8 §5.6 — Documented vulnerability assessment procedure.
  • SQF Code Ed. 9 §2.7 — Food fraud program.

And all of these requirements share a common problem: they describe what must be done, but not how to do it.

Fourth, audit findings. The lack of a defined quantitative methodology is one of the most recurring findings in FSSC 22000 §2.5.4 audits. The organization has an "assessment", but the auditor asks how those scores were reached, why this ingredient is "high" and that one is "medium", and the answer is usually a mix of intuition and an improvised spreadsheet.

3. The Problem: VACCP Existed Without a Methodology Behind It

The requirement to assess food fraud vulnerability has been part of GFSI schemes for nearly a decade. Valuable tools exist —the SSAFE Food Fraud Vulnerability Assessment Tool, resources from the Food Fraud Prevention Think Tank, databases such as HorizonScan, RASFF or the USP Food Fraud Database— and there is abundant scientific literature.

What did not exist was a structured methodological framework comparable to the Codex for HACCP or PAS 96 for TACCP, including:

  • Defined quantitative scoring criteria.
  • An explicit vulnerability formula.
  • A decision tree to identify critical control points.
  • A step-by-step implementation procedure.
  • Documented compatibility with FSSC 22000, BRC, IFS, SQF and ISO 22000.

Without that backbone, every organization invented its own. Every consultant proposed their own. Every auditor evaluated with different criteria. The result: assessments that were hard to reproduce, difficult to audit and, above all, of limited use for making real supply-chain decisions.

That is what pushed me to write the Beira VACCP Framework.

4. Beira VACCP Framework (BVF): What It Is and What It Proposes

The Beira VACCP Framework (BVF), version 1.0, is a methodological guide that establishes the first structured, quantitative reference for implementing VACCP. It was designed to be:

  • Applicable to any organization in the food chain, regardless of size or category (manufacturing, retail, distribution, food service, primary production, packaging, animal feed).
  • Compatible with FSSC 22000, BRC, IFS Food, SQF and ISO 22000:2018 (it includes a step-by-step compatibility table).
  • Auditable, with clear criteria and records that support every decision.
  • Practical, with a vulnerability-category approach designed for organizations with extensive portfolios (5,000–40,000 SKUs).

The Theoretical Foundation

The BVF is grounded in Routine Activity Theory (Cohen & Felson, 1979), adopted by the SSAFE/GFSI model. The core idea: for a fraudulent act to occur, three elements must converge —an attractive target, a motivated offender and the absence of a capable guardian—. Applied to food fraud, this translates into a three-dimensional model:

Vulnerability = f (Opportunity, Motivation, Countermeasures)

Unlike a classic risk analysis (likelihood × consequence), this model recognizes that fraud is committed by a rational human being responding to incentives. That is why countermeasures do not add up: they divide. The stronger the controls, the lower the resulting vulnerability.

The Three Pillars

Each pillar is broken down into four sub-factors —twelve in total— and each sub-factor is scored on a 1–5 scale with explicit descriptors:

PillarSub-factors Evaluated
OpportunityAvailability of substitutes · Supply chain complexity · Ease of undetected adulteration · Volume and transaction mode
MotivationEconomic value of fraud · Documented history · Economic pressures of sector/region · Regulatory environment
CountermeasuresSupplier audit program · Analytical capability · Traceability system · Organizational culture

The scores combine into an overall vulnerability formula that classifies each evaluated item into four levels —low, medium, high and critical— with differentiated actions. For cases that fall near the threshold, the BVF includes a specific decision tree to confirm the determination of a Vulnerability Critical Control Point (VCCP), analogous to a CCP in HACCP but applied to the fraud context.

The detailed scoring criteria, the full formula and the decision tree are developed in the book — that is where the framework becomes operational.

The 12 Implementation Steps

The BVF organizes implementation in twelve sequential steps, deliberately paralleling the HACCP structure from Codex (5 preliminary steps + 7 principles = 12 steps), so that any team familiar with HACCP can adopt it without a learning curve:

  1. Assemble the VACCP team.
  2. Define the scope (with a category approach for extensive portfolios).
  3. Describe products and map the supply chain.
  4. Gather food fraud intelligence.
  5. Identify vulnerabilities.
  6. Evaluate Opportunity.
  7. Evaluate Motivation.
  8. Evaluate Countermeasures.
  9. Calculate overall vulnerability and classify.
  10. Determine significant vulnerabilities and VCCPs.
  11. Develop the mitigation plan.
  12. Verification, review and continual improvement.

To this is added an incident management protocol in four phases (containment, investigation, communication and closure), a minimum list of records, and the regulatory compatibility table with the main GFSI schemes.

The Vulnerability-Category Approach

One of the BVF contributions that resonates most with retail, distribution, 3PL and food service operations is the vulnerability-category approach. Evaluating product by product is reasonable when you manage 30 or 40 ingredients; it is unworkable when your portfolio runs into thousands of SKUs.

The BVF proposes grouping items that share five criteria (product family, applicable types of fraud, supply chain profile, economic value range and common countermeasures), evaluating the representative item of each group and applying the score to the entire category —with individual escalation rules for cases that warrant it—. It is not a shortcut: it is the only practical and scientifically defensible way to keep a VACCP system functional when the scope is massive.

5. A Conscious Decision: Open License

When I finished the manuscript I had to decide how to publish it. The decision was clear: Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0).

This means that any company, consultant, certification body, regulatory authority or academic can use the Beira VACCP Framework, adapt it and integrate it into their own systems, without asking permission.

Why? Because I honestly believe the ecosystem needs it. If the framework sits behind a permission gate, it does not solve the problem it set out to solve. I want it to be used. I want it to be discussed, criticized, improved. I want an auditor in Madrid, a consultant in Lima and a quality team in Chicago to be able to pick up the same reference and speak the same language.

Free access to the digital version is hosted on Zenodo with a permanent DOI (zenodo.19625756), for anyone who needs to work with the document, cite it in a thesis or attach it to an internal manual.

6. The Full Methodology, in the Book

What you have read so far is the outline of the framework. The operational methodology —the scoring criteria for each sub-factor with their five levels described, the vulnerability formula with its classification ranges, the decision tree for VCCPs, the assessment matrix and mitigation plan templates, the step-by-step incident protocol, the detailed correspondence tables with FSSC 22000, BRC, IFS, SQF and ISO 22000, the recommended intelligence sources and the worked calculation examples— is in the book.

I wrote it for the food safety team that has to put it into practice in a real operation, the consultant who needs a reference they can defend in front of a client, and the auditor who needs reproducible criteria to evaluate an organization.

Get the book

Beira VACCP Framework (BVF): Vulnerability Assessment and Critical Control Points for Food Fraud Prevention (v1.0) is available on Amazon in paperback and eBook, in three languages:

7. What Comes Next

This is version 1.0. It is deliberately versioned because it is meant to evolve: with feedback from those who apply it, with the use cases that get reported, with the incorporation of detection technologies that are barely emerging today (portable spectroscopy, blockchain, DNA-based methods), and with shifts in the regulatory landscape.

I will manage and publish future versions of the BVF myself as official versions of the framework, incorporating contributions that add value to the methodology.

If you implement it in your organization, use it in an audit or a training course, find an error or a possible improvement, send it through the official contributions channel: [email protected]. Every observation is welcome and will be considered in future revisions of the framework.

8. From Framework to Tool: BVF in AdminISO

Having the framework solves the what. Bringing it into a real operation is a different story: matrices scattered across spreadsheets, versions that overwrite each other, VCCP monitoring that no one knows where to record, and an audit where reconstructing the analysis trail becomes an odyssey.

That is why, alongside the book launch, AdminISO already includes a module that digitizes the Beira VACCP Framework end to end, faithful to the v1.0 methodology. It is not a glorified spreadsheet: it is the framework turned into software.

AdminISO — BVF Module

With AdminISO you implement the Beira VACCP Framework without building anything from scratch:

  • VACCP team and scope documented with version control.
  • Vulnerability categories and grouping based on the BVF’s five criteria.
  • Assessment matrix with the 12 sub-factors preloaded, automatic calculation of O, M, C and V, and level-based classification.
  • VCCP decision tree integrated step by step.
  • Mitigation plan with owners, frequencies and monitoring records.
  • Fraud intelligence and re-assessment triggers.
  • Full audit trail: who scored, when, and with what evidence.
  • Compatibility with your HACCP, TACCP and FSMS systems on the same platform.

Discover the BVF module on AdminISO →