Standard Regulatory Response Process
Although the Safe Food for Canadians Regulations (SFCR) came into force on January 15, 2019, certain requirements are being phased in over the following 12 to 30 months. For more information, refer to the SFCR timelines.
On this page
- 1.0 Purpose
- 2.0 Authorities
- 3.0 Definitions
- 4.0 Acronyms
- 5.0 Standard Regulatory Response Process
- 6.0 Appendices
- Appendix 1 – Guideline for developing a control response plan
- Appendix 2 – Description of enforcement responses
To describe the Canadian Food Inspection Agency (CFIA) Standard Regulatory Response Process that recommends responses to potential or realized risk and non-compliance to regulatory requirements or permission conditions. This document is intended for the CFIA Inspectorate.
The CFIA is responsible for administering and/or enforcing the following Acts and their respective regulations:
- Agriculture and Agri-Food Administrative Monetary Penalties Act
- Canadian Food Inspection Agency Act
- Feeds Act
- Fertilizers Act
- Food and Drugs Act (as it relates to food)
- Health of Animals Act
- Plant Breeders' Rights Act
- Plant Protection Act
- Safe Food for Canadians Act
- Seeds Act
In addition to the terms defined below, other definitions related to regulatory response activities may be found in the Compliance and Enforcement Operational Policy.
- The state of conformity of regulated parties with legislative requirements
- Compliance history
A regulated party's history of non-compliance that resulted in enforcement responses taken by CFIA in the previous 5 years. Compliance history is constituted of two components:
- internal administratively collected history of non-compliance captured through communications with the regulated party, including inspection reports, letters of non-compliance (LoNC) and meetings with the regulated party (MwtRP). This information is required to ensure that non-compliance is documented to form the basis for enforcement responses; and
- history of enforcement responses such as administrative monetary penalties (AMPs) or prosecutions that may be used for statutory purposes such as the issuance of AMPs, the issuance, renewal, suspension or cancellations of licenses and/or in the context of prosecutions
- Control action
- An action that is taken for the purpose of controlling risk when a regulated commodity or process poses or may pose a risk to human, plant or animal health, the environment, economy or trade
- Control response plan
- For the purpose of this document, a plan that identifies a series of steps that the CFIA will initiate in response to an event that may require the mitigation of risk
- Enforcement action
- Actions taken by the CFIA in response to non-compliance
- A biological, chemical or physical property that may cause an unacceptable risk to human, animal or plant health or the environment
- Inspection report
- For the purpose of this document, the primary mechanism by which the CFIA communicates non-compliance to the regulated party
- Instance of non-compliance
- Each occurrence of non-compliance against a regulatory provision
Official consent granting legal authorization to a regulated party to conduct specified activities (for example, permits, certificates, licences and registrations). For the purposes of this document there are two types of permissions:
- those used to operate – includes licences, registrations or other authorizations enabled by legislation that grants permission to operate an establishment or perform prescribed activities
- those used to trade – includes export certificates, import permits and ministerial exemptions which are transactional and may be cancelled as a means of controlling risk with or without non-compliance
- Regulatory response
- Actions taken in response to non-compliance or risk
- The product of the likelihood of the occurrence of a hazard, and the severity of its consequences
- AAAMP Act
- Agriculture and Agri-Food Administrative Monetary Penalties Act
- Administrative monetary penalty
- Canadian Food Inspection Agency
- Enforcement and Investigation Services
- integrated Agency Inspection Model
- Inspector non-compliance report
- Letter of non-compliance
- Meeting with the regulated party
- Other Government Department
- Policy and Programs Branch
- Regional Director
- Records Document Information Management System
- Standard Inspection Procedure
- Source and risk factor (investigation)
- Standard Regulatory Response Process
5.0 Standard Regulatory Response Process
The CFIA is dedicated to safeguarding food, animals and plants, which enhances the health and well-being of Canada's people, environment and economy. As part of these responsibilities, the CFIA needs to respond effectively and efficiently to:
- events that the CFIA aims to control such as pest and disease incursions or food contamination events; and
- non-compliance to regulatory requirements or permission conditions by regulated parties
The CFIA's regulatory response can be in the form of control actions, enforcement actions or both. Regulatory control actions are undertaken to mitigate risk while enforcement actions may also be undertaken to respond to non-compliance. For example, an inspector may need to seize and detain a commodity that may cause a risk to humans, plants or animals (control action) as well as initiate the process to issue an AMP (enforcement action) if actions or inactions of a regulated party are in contravention to legislation enforced by the CFIA.
Figure 1 summarizes the relationship between the control and enforcement components of the regulatory response process which is further elaborated in the text below. The relationship is depicted as linear (control flowing to enforcement) to demonstrate the urgency to address any real or potential risk(s) immediately.
Control is part of the compliance, control and enforcement continuum. The purpose of the control process is to determine the nature and extent of a potential or actual risk to inform risk assessment and risk mitigation decisions. These risks may originate from a process, commodity or regulated party action that may or may not comply with legislative requirements. The outcome of the control process determines the control actions to be implemented to limit or prevent risk for the specific inspection case.
Control covers a wide range of actions triggered in response to situations where regulated commodities or the actions of a regulated party pose or may pose a risk to human, plant or animal health, the environment, the economy or trade.
Control actions include, but are not limited to:
- seizure and detention
- quarantine/movement controls
- treatment order
- cancellation or refusal to issue an export certificate, permit (for example, plant or animal health import permit), ministerial exemption or other document
- refuse entry where authorized under the legislation
- order removal from Canada
- order the start or stop of an activity
- add conditions to a permission to control a risk
- order vaccination of an animal
All actions listed above are made possible by powers and authorities granted to the CFIA and its inspectors through the legislation enforced by the Agency.
For some situations, control response plans or other guidance documents inform inspectors on the steps to take to control the relevant risk (for example, Food Investigation Response Manual, Hazard Specific Plans). Where these guidance documents do not exist, the Inspectorate ensures that the full control process (Appendix 1) is followed by seeking guidance as needed via the established communication or supervisory channels. In these cases, the Inspectorate works with subject matter experts from Inspection Support, PPB, Science Branch or other groups to develop a control response plan for the specific event as per the process identified in Appendix 1.
5.1.1 Control Process
Figure 2 outlines the steps followed by an inspector when an event triggers the need for a control response. Possible triggers could be:
- inspection results
- industry or public complaint
- disaster event
- notification by regulated party
- disease / pest outbreak
- illness Outbreak
- referral from other government departments (OGD)
When an event occurs, the inspector applies the following steps to determine if control actions are required and if so, where to obtain guidance on how to respond.
Determine if there is a risk that requires a control action to be taken by considering the following question:
Is there a potential for impact on:
- human, animal or plant health, or
- the environment, or
- the economy or trade
Consult business line or commodity specific guidance and legislation. Seek expert advice from Operational Guidance and Expertise (OGE), Policy and Programs Branch (PPB) or Science Branch, if required. If no control action is required, go to Step 6.
Ensure that the CFIA has the legal authority to respond to the event. If not, transfer the case to the appropriate responsible party or OGD
Determine if a business line specific control response plan or guidance for the specific type of event exists. If no specific control response plan or guidance exists, request guidance through established communication channels
Follow the Determine if a business line specific control response plan or guidance for the specific type of event appropriate control response plan or guidance to determine which control actions are required
Initiate any required control actions
After effectively implementing control actions to mitigate the risk(s) or having decided that no control action is required, proceed to assess whether non-compliance has occurred. Presence of non-compliance sets into motion the enforcement portion of the regulatory response process
The purpose of the enforcement process is to determine the most appropriate enforcement action to take when responding to non-compliance of regulatory requirements or permission conditions. The process is intended to provide an objective, fair, effective, predictable and transparent enforcement response where:
- actions are proportional to the non-compliance and do not unduly penalize the regulated party
- actions are focused on correcting non-compliance, preventing re-occurrence and promoting compliance
- regulated parties understand their regulatory obligations and the CFIA's responses to non-compliance and that consistent responses are taken; and
- when actions do not achieve correction of non-compliance and/or prevention, enforcement may be escalated within the Agency's enforcement continuum to hold accountable those who persist with non-compliant behaviour
Harm, compliance history, and intent are factors the CFIA considers when determining the most appropriate enforcement response.
- Harm – refers to the seriousness of harm or potential harm related to the non-compliance; such as the potential impact on human health, the animal or plant resource base, the environment, marketplace deception, the economy or trade
- History – takes into consideration the compliance history of the regulated party
- Intent – the intent of the regulated party to commit a contravention or cause harm, such as information that demonstrates the regulated party knowingly contravened the legislative requirements or did so through negligence
Enforcement activities cover a wide range of measures including, but not limited to, letters of non-compliance, issuance of administrative monetary penalties (AMPs), actions on permissions to operate (for example, licences) and recommendations made by EIS that the regulated party be prosecuted.
Figure 3 outlines the process flow for the enforcement response initiated when non-compliance occurs. In this process flow, the inspector consults the Enforcement Decision Matrix (Table 3) in all instances of non-compliance as soon as possible after initiating or completing control actions. Where the non-compliant party holds a permission to operate issued by the CFIA, the inspector also consults the Permissions Action Process Flow (Figure 4) to determine which, if any, action is appropriate for the specific inspection case.
5.2.1 Enforcement process
When non-compliance occurs, the inspector applies the following steps to assist with the determination of the appropriate enforcement action to recommend.
Step 1: Evaluate the non-compliance
- Review the information available on the non-compliance(s) listed in the inspection report being considered for an enforcement response including:
- the number of separate instances of non-compliance under consideration
- examine all objective information relevant to the non-compliance(s)
- the sections of applicable Acts and/or Regulations that have been contravened
- the number of separate instances of non-compliance under consideration
- Confirm that the regulated party has been informed in writing of the non-compliance and review any information concerning their response
Step 2: Determine the level of harm introduced by the non-compliance
- Determine the level of harm that may occur as a result of the non-compliance by referring to Table 1, below, which provides a detailed description of each level of harm. There are five levels of harm to provide more options for inspector interpretation and analysis of the information collected during the inspection
- Determine the level of harm that best represents the circumstances of the non-compliance being assessed. This determination is a reflection of the harm that has or could be caused by the non-compliance, regardless of the compliance history or intent of the regulated party. Determination of the level of harm is to be made separately for each instance of non-compliance
Step 3: Determine the history and Intent of the regulated party
- Assess the compliance history and intent of the regulated party to assist in determining the most appropriate enforcement response to be recommended
- The Categories of likelihood of compliance (A to E) are described in Table 2. Each category is described as a combination of compliance history and intent which provides an indication of the likelihood of future compliance. The enforcement response is escalated along the continuum from very high likelihood of compliance to no indication of future compliance
|History / intent level||Description of compliance history / intent|
- Determine the level of compliance history / intent (A to E) that best represents the inspection case being assessed. This determination is based on the regulated party's compliance history coupled with indications of intent for the instance(s) of non-compliance being assessed
Step 4: Identify the options for enforcement response
- Using Table 3, identify the enforcement response options that correspond to evaluations of the harm (horizontal axis) and history/intent (vertical axis) of the inspection case being assessed
- Identify the most appropriate enforcement response from the options available. Please note that the response options listed in Table 3 are recommendations: they may be influenced by aggravating or mitigating factors determined during inspection
- Consider also how the CFIA has responded to the regulated party’s non-compliance over the last five years, including:
- internal administratively collected history of non-compliance captured through communications with the regulated party, including inspection reports, letters of non-compliance (LoNC) and meetings with the regulated party (MwtRP), that may be used to form a basis for future legislated enforcement responses;
- enforcement undertaken through an administrative monetary penalty (AMP) or recommendation to prosecute – tracked through the National enforcement tracking system (NETS); and
- instances where the CFIA suspended, refused to renew or cancelled a licence, permit or registration due to non-compliance
|Compliance history and intent||Level of harm|
|Level 1||Level 2||Level 3||Level 4||Level 5|
(Highest level of compliance history and/or lowest level of intent)
|LoNC Table Note 1||LoNC Table Note 1||MwtRP * Table Note 3 / AMP Table Note 4||EIS investigation Table Note 5|
|B||LoNC Table Note 1||MwtRP * Table Note 3 / AMP Table Note 4||MwtRP * Table Note 3 / AMP Table Note 4||EIS investigation Table Note 5|
|C||MwtRP * Table Note 3 / AMP Table Note 4||MwtRP * Table Note 3 / AMP Table Note 4||EIS investigation Table Note 5||EIS investigation Table Note 5|
|D||MwtRP * Table Note 3 / AMP Table Note 4||MwtRP * Table Note 3 / AMP Table Note 4||EIS investigation Table Note 5||EIS investigation Table Note 5||EIS investigation Table Note 5|
(Lowest level of compliance history and/or highest level of intent)
|EIS investigation Table Note 5||EIS investigation Table Note 5||EIS investigation Table Note 5||EIS investigation Table Note 5||EIS investigation Table Note 5|
- Table note 1
LoNC – letter of non-compliance
- Table note 2
MwtRP – meeting with the regulated party
- Table note 3
MwtRP * – meeting with the regulated party for inspection programs that do not have access to administrative monetary penalties (AMP) as an enforcement response
- Table note 4
AMP – administrative monetary penalty – may be issued as a notice of violation (NOV) warning or penalty
- Table note 5
EIS investigation – may result in a recommendation for prosecution or other enforcement actions
Actions against permissions (for example, suspension of licenses) may be taken concurrent to the above actions.
- Appendix 2 provides a brief description of the recommended responses listed in Table 3
Step 5: Identify options for actions on permissions to operate
In the case of regulated parties that hold a permission to operate, actions in addition to those described in Table 3 are also available. Actions on permissions may be taken alone or in combination with the enforcement actions in Table 3 and are enabled by provisions of legislation under which the permissions were issued.
- Determine if the regulated party holds a permission to operate. If no, proceed to Step 6
- If the non-compliant party holds a CFIA-issued permission to operate, review the harm associated with the non-compliance and assess the history and intent of the regulated party including previous actions taken on the permission
- Apply the permissions action process flow described in Figure 4 to identify the most appropriate action on permissions (for example, LoNC, suspension, or cancellation), if any, for the specific inspection case
If a permission holder is non-compliant, they are, depending on the inspection, given the opportunity to return to compliance before an action is taken on their permission.
If the permission holder does not return to compliance, refer to commodity or business line guidance to see if the criteria for cancellation of the permission have been met.
If the criteria have been met, recommend suspension. If they have not, refer to commodity or business line guidance to see if the criteria for suspension of the permission have been met.
If the criteria for suspension have been met, recommend suspension of the permission, if not recommend a letter of non-compliance.
If the permission holder operates while suspended or does not return to compliance within required timeframe, recommend cancellation of the permission.
If the permission holder does not operate while suspended and returns to compliance within required timeframe, recommend reinstatement of the permission.
Step 6: Determine which enforcement response(s) to recommend
- Review the possible enforcement responses identified in Steps 4 and 5
- Consult the appropriate enforcement guidelines (Food, Agricultural Inputs, Plant and Animal Health) to determine if there is any business line or commodity specific guidance which indicates a legislated or preferred response relevant to the inspection case being assessed
- Select for recommendation the enforcement response(s) that best fits the inspection case, is authorized by the relevant legislation and will result in an enforcement response that is objective, fair, effective, predictable and transparent
Step 7: Confirm authority to perform the recommended enforcement response
- Review the chart below to determine who is authorized to conduct the enforcement response to be recommended
|Type of enforcement response||Performed by||Recommended oversight|
|Issuing a LoNC||Administrative action – inspector||Supervisory|
|Meeting with the regulated party||Administrative action – manager||Manager|
|Issuing a notice of violation (AMP warning or with penalty)||Inspector designated under AAAMP Act||RD or delegate|
|EIS Investigation||EIS||Management oversight body|
|Suspension of Permission to Operate||Delegated to RD||Management oversight body|
|Cancellation of a Permission to Operate||Delegated to RD||Management oversight body|
Step 8: Recommend the enforcement response
AMPs, EIS investigation and suspension or cancellation of a permission to operate require management oversight. It is recommended that, as a minimum, supervisory oversight be applied to the issuance a LoNC and meeting with the regulated party.
- Submit the recommendation for enforcement response using the established channel and method for the type of enforcement response being recommended
Step 9: Supervisory or management oversight review and approval
The responsible oversight body (supervisor or management oversight) reviews the details of the enforcement response recommendation to ensure the enforcement response will be objective, fair, effective, predictable and transparent. To do so, the oversight body:
- verifies the assessment of harm, history and intent
- verifies that the recommended response is authorized by the relevant legislations
- requests clarification or additional information that may be missing from the file
- approves the recommended response or proposes an alternate response if it is determined that the initial recommended response is not considered objective, fair, effective, predictable and transparent
Step 10: Perform the enforcement response
After the Oversight Body approves an enforcement response, the inspectorate initiates the process to carry it out.
- the Inspectorate applies the specific procedural document for the enforcement response being performed
- the person (title/position) designated by legislation or CFIA policy to perform the enforcement response signs any official notices or documents required to carry out the response
Step 11: Record the analysis and decisions for the enforcement response
All documents or records associated with the enforcement response must be created and maintained in the manner approved by the CFIA (for example, a database, electronic document management system, hard copy records, etc.). The records must also be retained in accordance with the CFIA policy on record management.
The following types of information concerning the enforcement response must be maintained:
- the analysis and recommendations of the inspector
- the decision of the oversight body including, if applicable, the reason for approving an alternative enforcement response to the one being recommended
- the information concerning the enforcement response that was taken including copies of any related documents provided to the regulated party
The specific procedural document for each enforcement response provides the Inspectorate with more detailed guidance on how and where to record relevant information.
Appendix 1 – Guideline for developing a control response plan
This guideline describes the steps to consider in the development of a control response plan. This guideline is used by CFIA staff responsible for providing control response guidance to the Inspectorate.
The management of contamination events (food and feed), animal or plant diseases and/or pest incursions is a key responsibility of the Canadian Food Inspection Agency (CFIA). When these events occur, the inspectorate uses business line or commodity specific guidance to apply the control response and carry out any required control actions. When guidance to respond to a particular event has not previously been established, CFIA employees, particularly those responsible for providing guidance to the inspectorate, are required to develop a control response plan consistent with this guideline. When developing a control response plan, the responsible employees must ensure, often at short notice, the application of rigorous scientific methods and the implementation of sound control procedures, sometimes under the spotlight of intense public attention.
The CFIA responds to risks in the following two ways:
- Initial control response
The CFIA determines the scope of regulatory control actions and the appropriate response to mitigate the risk. Control actions may include quarantine, seizure and detention, recall, disposal, etc.
- Long term management response
When eradication or elimination of a risk is not possible or may take several months or years, the control actions may be prolonged, for example, to establish regulated areas and control movement or production. Long term responses are most often taken up by other CFIA functions such as implementing new import controls, improving enforcement strategies for some regulatory requirements, enhancing guidance for field operations, etc.
In both cases, inspectors tasked with performing control actions require guidance that provides the necessary information to ensure an appropriate response to the risk. Control response plans are documents that provide inspectors with the step by step process to follow when an event occurs that may require the implementation of control actions. They exist in various forms including hazard specific plans, the Food Investigation Response Manual or other commodity or business line specific guidance. Control response plans may be highly detailed and thoroughly completed documents or they may be very basic directions. The latter is particularly true when a plan does not already exist and the inspectorate requires urgent guidance on the appropriate control response during an event. Regardless, all control response plans are developed by considering the topics described in Steps 1 to 6 below.
Figure 5 describes a linear process. However, in some situations the process steps will repeat, they will be postponed and revised, and many of them will be done simultaneously.
Step 1: Conduct preliminary assessment
The first step in a control response plan includes initial information that should be reviewed by the inspectorate in order to make a preliminary determination regarding the jurisdiction, validity and potential significance of an event. The plan may also provide guidance on assigning a priority and whether any immediate control actions should be implemented prior to continuing to step 2.
Step 1.1: Determine jurisdiction and validity
When an event occurs, the inspectorate must determine whether the event is one that requires the initiation of control activities. To enable this, a control response plan identifies when a specific event would trigger the plan to be put into action. Specifically, the plan guides the inspectorate on how to assess the following:
- validity – the control response plan indicates the parameters or conditions that, if met, require the plan to be implemented
- jurisdiction – the control response plan indicates the responsibilities of CFIA in implementing the various aspect of the plan. This is particularly important when the scope of an event results in multiple authorities having some jurisdiction. For clarity sake, the plan should identify which elements are within CFIA jurisdiction, within the jurisdiction of another authority or shared by both
If necessary, the plan informs the inspectorate on how to redirect the file to the appropriate authority if the CFIA is not the responsible authority.
Step 1.2: Determine priority
When a control response plan includes guidance on how to prioritize work, this guidance is based on factors such as:
- hazard level/type
- nature of the hazard
- distribution and likelihood of spread
- likelihood of exposure of susceptible populations
- potential impact of the hazard on humans, plants, animals, on economy and trade in commodities regulated by the Agency or on the environment
- availability of control measures effective in reducing the risk
- visibility of the event
- public and media interest
- potential impact on trade in commodities regulated by the Agency
Including guidance on assigning a priority level during the preliminary assessment will help to inform the inspectorate on the urgency of the issue so that they may prioritize the response in consideration of other duties. This step in the plan differs from a formal risk assessment, as described in Step 3 – Assess Risk.
Step 1.3: Determine next steps
A control response plan identifies whether immediate actions are required to contain or mitigate a real or potential risk. If immediate actions are required, the plan indicates the appropriate action(s) to perform and direct the inspectorate to any supplemental guidance needed to perform the task (eg: refers the inspectorate to operational guidance on how to perform a product seizure and detention).
Step 2: Source and risk factor (SRF) investigation
A source and risk factor (SRF) investigationFootnote 1 is conducted to verify if the incident represents a risk. The SRF investigation determines the nature and extent of the event. Investigations may involve inspection, epidemiologic, environmental and laboratory components. These elements complement each other to characterize the event, potential causes and risk factors, thus allowing decisions to be made regarding risk and appropriate control measures.
In this step, a control response plan guides the inspectorate on the type of information to gather to ensure that an accurate and complete SRF investigation can be conducted.
The SRF investigation guidance contained in a control response plan is based on the following principles:
- timeliness: incidents involving the occurrence of a pest/disease, illness or injury, or high priority events, should be investigated promptly and according to established priorities. Timeframes should be proportional to the severity of the potential risk
- appropriateness: the scope of an investigation should be proportionate to the potential hazard and the likelihood of its occurrence
- consistency: the investigative procedures should be congruent and consistent with internal policies, procedures, guidelines and standards
- thoroughness: based on potential risk, SRF investigations should attempt to identify all implicated or potentially affected commodities, processes or actions
- accuracy: investigations should strive to detect and identify the specific hazard in all affected or potentially affected commodities. Information collected should facilitate decision making by being as exact and concise as possible
- collaboration: collaboration and cooperation between stakeholders is necessary to ensure investigation activities are performed in a timely, effective and appropriate manner
- transparency: disclosure of information pertinent to the investigation may be needed to ensure stakeholders are able to perform their duties and fulfill their responsibilities to the best of their abilities. The CFIA must also adhere to access to information and privacy provisions
Step 2.1: Develop an SRF investigation plan
A control response plan guides the inspectorate on how to plan the SRF investigation when required. This includes information on:
- how to the characterize the nature and urgency of the event
- specific areas or activities to be investigated
- the process to be followed for gathering information
- required timelines for the investigation
- any required components (for example, inspection, epidemiologic, environmental, laboratory)
- the teams to involved in each component
- how the components work together to support the overall investigation
- how to respond to unique considerations that the investigation raises or could potentially raise (for example, legal considerations or collaboration issues with regulated parties or government partners)
- if any approvals are required and by whom prior to conducting the SRF investigation
- where to record the approval process or other documentation as needed
The extent of guidance in a control response plan on SRF investigations is dependent on the size and/or complexity of the event for which the plan was developed. Routine events that are investigated in a short period of time may require relatively simple guidance on how to perform the SRF investigation with supervisory approval. More complex or high profile events may require more detailed guidance on how to perform the SRF investigation. In those scenarios, the guidance may indicate the need for a higher level of approval.
Step 2.2: Prepare for the SRF investigation
A control response plan identifies resource material or contacts needed in preparation for the SRF investigation such as:
- related operational guidance material (for example, Standard Inspection Procedure)
- when and who to contact for specific activities or components of the SRF Investigation (using established communication channels)
Step 2.3: Collect information
Gathering information means to carry out the SRF investigation. A control response plan specifies how the information obtained during the SRF investigation will be gathered, whether by inspection, testing, epidemiological and environmental survey or other methodsFootnote 2. During the course of the SRF investigation, information collected may lead to new investigation avenues. When these new avenues are reasonably foreseeable, a control response plan provides guidance on how to investigate those avenues as well.
Guidance on recording and organizing information ensures the information is collected in a manner that facilitates analysis, risk assessment, decision making and risk management strategy development.
Step 2.4: Verify and analyze data/information
A control response plan provides guidance to the inspectorate, as needed, on how to:
- organize information that has been gathered
- determine if the information is clear, factual, and complete
- analyze the data/information by examining it in ways to reveal gaps, relationships, patterns, trends, etc.
A control response plan provides the necessary guidance on how to analyse the information so that the inspectorate can:
- confirm whether or not a risk may exist
- confirm the type of hazard
- determine the causative agents and their sources
- identify the commodity, process or action associated with the issue
- determine the scope of the event
- describe and locate any affected or potentially affected commodities, processes or actions
- determine or confirm the root cause of the event, if possible
- identify risk factors, if possible
A control response plan also identifies when subject matter expert advice should be sought.
Step 2.5: Scope the event
When performing the SRF Investigation, the inspectorate attempt to identify the full extent of the potential risk to public, animal or plant health, on economy or trade in commodities regulated by the Agency or on the environment.
Guidance on how to determine the scope of an event is an important part of a control response plan and is based on the level of potential risks or impacts. Guidance to help the inspectorate answer the following questions is included:
- what else has been or may have been affected?
- where is it?
Determining the scope of an event may involve sampling and testing and analysis of supporting information to determine the possible presence of a hazard.
Step 3: Assess risk
The SRF investigation may confirm that the situation represents a potential risk which needs to be assessed for the purpose of making risk management decisions. Assessing risk involves making a quantitative or qualitative assessment of the probability of the occurrence of an adverse event and the potential severity of its impact on humans, plants, animals, on economy or trade in commodities regulated by the Agency or on the environment.
When necessary, a control response plan provides guidance on how to access or conduct a risk assessment based on the following steps:
Step 3.1: Evaluate need for a risk assessment
A control response plan identifies the whether there is an existing risk assessment that addresses the present situation. A risk assessment may not be required if one of the following exists:
- a risk assessment document addressing exact or similar situations, with a similar set of assumptions (for example, HSP, existing operational guidance document)
- a set of procedures, or a precedent that specifically addresses the event at hand
In these circumstances, the guidance could direct the inspector to apply the principles or pre-existing risk assessment of to implement specific procedures.
Step 3.2: Request risk assessment
A control response plan indicates when and how an inspector should request a risk assessment for the specific event.
The CFIA either conducts the assessment internally (this may require engagement of units outside of the Operations Branch) or makes a request (through PPB) to an external agency or party. The determination to proceed internally or externally is dependent on the roles and responsibilities that the CFIA shares with other government departments, by mandate or through existing Memoranda of Understanding.
Regardless of where the assessment is performed, a formal written request will be required. Specific information collected during the SRF investigation may be required in an accessible and understandable format by those conducting the risk assessment. A control response plan indicates the type of information needed for the risk assessment and any details on how and to whom that information is to be provided.
Step 3.3: Conduct risk assessment
If a control response plan provides information on conducting a risk assessment, it is based on the following:
- risk assessors evaluate all the information on the event and conduct the risk assessment using an internationally recognized process
- risk assessors are SMEs, within or outside the CFIA, who can quantify and/or qualify the hazard depending on the event
- when risk assessor required additional information, it may be requested and would require the inspector to refer back to Section 2.3 – Collect Information to gather the necessary information
Step 3.4: Receive risk assessment
When the risk assessment is received, it is reviewed by the requester to ensure all information is correct and that it addresses the request. The risk assessment is to be compared with existing documents pertaining to similar situations for consistency purposes.
If any clarifications are needed or discrepancies identified, they will be brought to the attention of the assessors for explanation and resolution. The risk assessment will be documented in the appropriate inspection system and used for making risk management decisions. The risk assessment will be considered final once the assessors are satisfied that it is concise, complete, and accurate and that no further clarification is needed.
Step 4: Make decision
The purpose of this section of a control response plan is to guide the inspectorate on how to identify and assess the appropriate actions to be taken to mitigate the risk based on the risk assessment and other relevant information. Some of the steps may be omitted or performed in less detail depending on the situation. The process described in a control response plan allows decisions to be made in a timely manner and according to established accountabilities and processes (that is, made by the right people with the right advice according to established processes).
Step 4.1: Analyze risk assessment
A control response plan guides the inspectorate on how to respond to the possible outcomes of the risk assessment and any additional information provided by the assessors. For example, if the risk assessment indicates a specific risk is present, the control response plan directs the inspectorate to any existing guidance or procedures to respond to the specific risk.
Step 4.2: Determine scope of the required mitigation
Control response plan guidance on implementing mitigation actions in response to an even are developed in consideration of the following factors:
- the geographical distribution of the risk
- the type of hazard
- the risk it poses to human, animal or plant health, the economy, trade or the environment
- whether any illnesses, pest or disease are associated with the commodity
- the ease of commodity identification and its distribution
Development of this step might require significant consultation depending on the cost or time it would need for the inspectorate to implement the guidance.
Guidance suggesting that no further control action is required also indicates how the inspectorate is to close the file (see Section 6 – Close Control Case) or transfer it for another type of activity (for example, compliance verification, enforcement).
Step 4.3: Identify and assess risk mitigation
A control response plan indicates the mitigation options available to the inspectorate for responding to the event. If guidance on how to perform the mitigation option are described in an existing procedure, a control response plan refers the inspectorate to that guidance document so that the option can be conducted without delay. Where an operational procedure does not exist, the control response plan provides the inspectorate with guidance on how to implement immediate or long-term actions which may be necessary to control the risk.
When developing the mitigation options to include in a control response plan, the following assessments are conducted to ensure the guidance will be deliverable. Consultation with key stakeholders may be required prior to finalizing the control response plan.
Assess the Benefits and Challenges of the Mitigation Options – Consider the positive and negative aspects of the implementation of the proposed option, including but not limited to:
- consistency (CFIA mandate, existing CFIA or other government programs, international obligations, previous actions taken, etc.)
- practicality of implementation
- impacts on Canadian pubic, stakeholders and/or impacts on trading relationships
- short-term and long-term sustainability
- anticipated risk reduction
- description of the expected result or outcome
Assess the Feasibility and Financial/Human Resource Implications of Each Proposed Mitigation Option – In addition to the previous elements, assess each proposed option for:
- financial implications (for example, implementation cost, implementation funding, travel/ equipment costs, overtime, contracting out, etc.)
- human resource implications (for example, staff/expertise required for implementation, need for hiring, staff to ensure continuation of activities, etc.)
- feasibility (for example, level of practicality and effectiveness, monitoring effectiveness, potential challenges, etc.)
Step 4.4: Develop the risk mitigation plan
The Risk mitigation plan is the part of a control response plan that describes the risk mitigation decision as well as immediate and long-term actions to be implemented.
Risk mitigation plans can be scaled appropriately based on the size and/or complexity of the event for which a control response plan is being developed. They may be modified or enhanced as necessary as new information becomes available. In these situations, the decision and the rationale for these modifications will be documented appropriately.
When describing the risk mitigation plan in a control response plan, the following content is included:
- objectives, specific steps and required actions:
- the current information that needs to be considered when choosing the appropriate mitigation option and the objectives of the mitigation options and how to meet them
- the probable course of events:
- the elements that may have taken place or will take place to mitigate the risk for a contaminant event or the occurrence of a pest/disease
- defining case-closure criteria:
- the criteria that must be met to close the case. Case-closure criteria demonstrate that the control action or combination of control actions has succeeded in controlling the risk posed by the hazard
- defining verification requirements:
- the methods used to verify that the case closure criteria were met
- assignment of responsibilities and provide timelines for implementation:
- when more than one group is involved in delivering the mitigation plan, the risk mitigation plan identifies the specific function/group with timelines for completion. Where other sections/functions need to be consulted, the plan specifies the process for obtaining advice (for example, who is responsible for linking with the section/function, what are the deadlines for obtaining the advice, how will the advice be considered for implementation)
- notifying stakeholders:
- the risk mitigation plan identifies when information is to be shared with specific branches within the CFIA, other government departments, the industry and the public
- determine resources/schedule:
- for non-routine situations, resources and costs for implementing the risk mitigation plan may be required and are determined based on the urgency, scope and timelines for completion. In these situations, the plan indicates that resources should be assessed in collaboration with management
- consultation with experts:
- the risk mitigation plan indicates conditions under which consultation with experts may be required to ensure the risk mitigation plan meets regulatory and program requirements (for example, for non-routine events)
- demobilization of resources:
- if the implementation of the risk mitigation plan will result in activities outside of normal business, guidance includes an exit strategy for ongoing activities such as increased oversight, laboratory testing, enforcement, communications, and the transition back to normal business
Step 5: Mitigate risk
The purpose of this step in a control response plan is to communicate, implement and verify the effectiveness of the control actions and decisions identified in the risk mitigation plan.
Step 5.1: Communicate risk mitigation plan
The inspectorate will be required to communicate the plan to internal and external stakeholders, as appropriate, in order to solicit input, clarify roles and responsibilities/partnerships and facilitate logistics for implementation.
- Communication Plan
When a communication plan is required, it includes the following
- process for communicating with external stakeholders
- partners to be contacted and the type of information to be shared
- deadlines for consultation, if applicable
- identification of spokespersons in both official languages
Step 5.2: Implement risk mitigation plan
A control response plan indicates how to:
- implement the risk mitigation plan
- ensure the completeness and accuracy of the case file
- confirm that all tasks in the risk mitigation plan have been assigned, as appropriate
- co-ordinate the verification and follow-up activities
The guidance also indicates how records are to be maintained to ensure that, as each task is completed, the appropriate inspection / information management system is used to record the following:
- date/time of start/completion
- individuals, parties, organizations involved
- location of implementation
- effectiveness of element execution
Step 5.3: Verify completeness and effectiveness of actions
The effective implementation of all elements of the risk mitigation plan with the specified timeframe must be verified and documented.
A control response plan provides the inspectorate with guidance on how to verify the effectiveness of actions to ensure that control actions were taken by the regulated party to mitigate the risk. This may include activities such as inspection, sampling, data analysis, etc.
Once the verification requirements are met and the risk is controlled, it can be determined that the plan was implemented and effective. If this determination is made, the guidance should direct the inspectorate to proceeds to Step 6 – Close Control Case.
A control response plan also guides the inspectorate on how to respond should the verification indicate that the risk mitigation plan was not effective. This guidance considers the possible causes including:
- if the risk mitigation plan was implemented correctly, the risk mitigation plan itself may be faulty possibly due to:
- if the risk mitigation plan was not correctly implemented, then the guidance should indicate that it must be re-implemented. The inspectorate should be referred back to Step 5.2– Implement risk mitigation plan.
Step 5.4: Conduct follow-up activities
Follow-up activities are important to evaluate the potential of re-occurrence of the event. They can include short and long term activities such as; conducting a follow-up inspection, sampling, etc. If a root cause analysis was conducted by the industry, this information can help determine the source of the event, reduce the possibility of reoccurrence of the event and helps direct the follow-up activities.
A control response plan directs the inspectorate on the follow-up activities to be implemented, such as compliance verification activities or application of the enforcement response.
Step 6: Close Control Case
This step in a control response plan describes the steps to be implemented when closing the control case. In order to close the case, the inspectorate verifies that all relevant information, including the rationale for closing the case, has been appropriately documented and that all of the steps have been followed.
Step 6.1: Develop rationale for control case closure
A control response plan indicates the conditions that must be met before a control case can be closed. Those conditions should align with one of the following:
- the case closure criteria, as defined in the risk mitigation plan, have been met
- the threat is removed
- a policy decision is made to de-regulate the contaminant, pest or disease rather than continue to attempt control or eradication
- the situation has changed and the control function is no longer required
A control response plan indicates how information on closing the control case should be documented to ensure the following information is retained:
- background information on the event, including response objectives/goals and how they were achieved
- factors considered for the case closure recommendation (based on the case closure criteria described in the risk mitigation plan)
Step 6.2: Approve closure of control case
For more complicated events, closure of the control case is approved by individuals with authority to make the decision (inherent to their position or delegated). In these instances, a control response plan identifies who is responsible for approving the closure of the control case. When key elements are complete or documented, the decision maker provides the rationale for closing the case.
Step 6.3: Demobilize control resources
Some cases may involve a demobilization plan which requires approval as described in Step 6.2. Once approval is granted, demobilization can proceed. The demobilization plan is part of risk mitigation plan and is often needed when Emergency Operation Centres or the Incident Command Structure has been mobilized.
Guidance on demobilizing the response considers the following factors:
- management should monitor and evaluate the continuing need for both personnel and tactical resources
- the demobilization process most often occurs in a stepwise fashion and is not a sudden cessation of all incident operations. For example, a regional or area team may need to pursue control activities while activities in another region or area could be back to normal
- internal and external stakeholders should be informed of demobilization activities, as appropriate
- demobilization for routine incidents is often simple and does not require a formal written demobilization plan
Step 6.4: Conduct lessons learned exercise
If a control response plan is being developed for more complex situations, it should include guidance on the expectation or lessons learned exercises or similar review mechanisms. These activities provide valuable feedback on the completeness and effectiveness of the control response plan and contribute to continuous improvement of the guidance for the inspectorate. The Lessons Learned exercise may also be used to determine the effectiveness of the CFIA's general preparedness for a control response as well as its response to a particular event. Lessoned learned activities consist of a debriefing session conducted in a timely manner following response to an event and identify strengths and weaknesses of plans, policies and procedures.
In the case of extended response efforts, it may be beneficial if the guidance indicates a timeframe for periodic, interim Lessons Learned exercise to identify any issues that need to be addressed and resolved immediately.
Step 6.5: Communicate control case details
A control response plan indicates how the inspectorate should record all inspection documents related to the case in the appropriate system. The information can then be transferred within CFIA (for example, Program Management, Risk-Based Oversight, Enforcement etc.) for appropriate actions.
Some situations may require communicating with external partners/stakeholders for an update on the results of the implementation of the risk mitigation plan. Stakeholders may include:
- regulated parties involved in the case
- industry associations
- other government departments (federal/provincial/municipal/local)
- foreign government and agencies
- general public
The expectations for communication are included in a control response plan, as appropriate.
Appendix 2 – Description of enforcement responses
- Date modified: