Food fraud is the deliberate substitution, addition, manipulation, or misrepresentation of food, ingredients, packaging, or product information for economic gain. It is not accidental contamination, nor ideologically motivated sabotage: it is someone in the supply chain choosing to deceive in order to make more money. And every GFSI-recognized scheme — FSSC 22000, BRC, IFS, and SQF — has required a documented vulnerability assessment and mitigation plan for almost a decade.

The historical problem is that VACCP (Vulnerability Assessment and Critical Control Points) lived without a reference methodology. HACCP has the Codex Alimentarius. TACCP has PAS 96. VACCP had no equivalent framework — until the publication of the Beira VACCP Framework (BVF) v1.0.

This article is for the people who actually have to take VACCP into operation: why doing it in spreadsheets is a bad idea, what the BVF requires as a methodology, and how it is implemented end to end with software.

Why spreadsheets are no longer enough

Almost every first VACCP assessment I see in audit lives in Excel. It works — until it doesn’t. These are the problems that show up without exception:

No real version control. There are three files ending in _v2_final_REV.xlsx and nobody knows which one was used in the last audit.
Scores are not traceable. The auditor asks why a given ingredient ended up “high” and the answer is “the team decided” — without evidence of who, when, or under what criteria.
The mitigation plan disconnects from the assessment. Actions live in another file or in emails. Nobody knows whether the verifications were actually executed.
Fraud intelligence gets lost. RASFF alerts, HorizonScan reports, and industry news are read and forgotten. They never trigger a re-assessment.
The portfolio is massive. A retail, distribution, or food service operation handles 5,000 to 40,000 SKUs. Evaluating one by one in Excel is unworkable.
No role separation. Anyone with the file can change approved scores. There is no immutable approval workflow.

The operational consequence: when the FSSC 22000, BRC, or IFS audit comes around, reconstructing the traceability of the assessment becomes an ordeal. And clause §2.5.4 (FSSC 22000), §5.4 (BRC V9), §5.6 (IFS V8), or §2.7 (SQF) ends up as a finding.

The Beira VACCP Framework (BVF), in one page

The Beira VACCP Framework (BVF) v1.0 is the first structured, quantitative reference methodology for implementing VACCP. It was published in April 2026 under a Creative Commons license (CC BY-SA 4.0), allowing any organization, consultant, or certifier to adopt it without asking permission.

The BVF builds on Cohen and Felson’s Routine Activity Theory (1979) and translates it into a tri-dimensional model for food fraud:

Vulnerability = f (Opportunity, Motivation, Countermeasures)

Each pillar is broken down into four sub-factors — twelve in total — scored on a 1–5 scale with explicit descriptors:

Pillar	Sub-factors evaluated
Opportunity	Availability of substitutes · Supply chain complexity · Ease of undetected adulteration · Transaction volume & mode
Motivation	Economic value of the fraud · Documented history · Sector/region economic pressure · Regulatory environment
Countermeasures	Supplier audit program · Analytical capability · Traceability system · Organizational culture

The result is classified into four levels — low, medium, high, and critical — and significant cases are confirmed using a dedicated decision tree to determine a Vulnerability Critical Control Point (VCCP), the food fraud equivalent of a HACCP CCP.

Implementation is organized into 12 steps — deliberately mirroring the HACCP Codex structure (5 preliminary + 7 principles) — so any team familiar with HACCP can adopt them with no learning curve:

Form the VACCP team.
Define the scope (with the category-based approach for large portfolios).
Describe products and map the supply chain.
Gather food fraud intelligence.
Identify vulnerabilities.
Assess Opportunity.
Assess Motivation.
Assess Countermeasures.
Calculate global vulnerability and classify.
Determine significant vulnerabilities and VCCPs.
Develop the mitigation plan.
Verification, review, and continual improvement.

The complete framework — with the scoring criteria for each sub-factor, the vulnerability formula, the decision tree, and the cross-reference table to FSSC 22000, BRC, IFS, SQF, and ISO 22000 — is published in the book and described in the BVF launch post.

Implementing the BVF with software: step by step

Once the methodology is clear, the question stops being what and becomes how. Taking the 12 BVF steps into a real operation requires a system that holds up the decisions, records the evidence, and notifies when something needs attention. This is what changes step by step when you use software:

Steps 1–2: team, scope, and vulnerability categories

The VACCP team is documented with profile, competence, and training records. Scope is defined by business unit, plant, or line — and, crucially, the BVF’s category-based vulnerability approach is applied: instead of evaluating SKU by SKU, materials are grouped by family, applicable fraud types, supply chain profile, economic value range, and common countermeasures.

In AdminISO, materials live in a master QMS catalog that is shared across HACCP and VACCP. Information is not duplicated: the same material is evaluated for safety and for fraud from the same record, keeping cross-traceability between both systems.

Step 3: supply chain

A visual editor maps the flow from primary origin to end customer: suppliers, intermediaries, transport, storage, production, packaging, distribution. Each node is linked to the materials that pass through it. This matters because supply chain complexity is one of the Opportunity sub-factors — and having the formal map prevents scoring it “by feel.”

Step 4: food fraud intelligence

The BVF requires integrating external sources (RASFF, HorizonScan, USP Food Fraud Database, regulatory alerts, industry press) and internal ones (own incidents, customer complaints, supplier findings). In software, every intelligence report is logged with source, date, affected materials, fraud type, and relevance level — and can automatically trigger a re-assessment of the affected categories.

Steps 5–9: vulnerability assessment

This is where the difference from spreadsheets is most visible. Each category — or material, if evaluated individually — receives scores for the BVF’s twelve sub-factors. The system:

Automatically computes Opportunity, Motivation, and Countermeasures.
Applies the BVF global vulnerability formula.
Classifies the result as low, medium, high, or critical.
Renders a visual matrix that shows where vulnerability is concentrated across the portfolio.

Every score is recorded with who graded it, when, with what supporting evidence, and with what justification. There is no “the team decided”: there is a trail.

Step 10: decision tree and VCCP

For significant cases, the BVF decision tree is integrated step by step. The user answers the questions on screen and the system records the path that led to determining (or ruling out) a Vulnerability Critical Control Point. When the audit asks “why is this material a VCCP and that one isn’t?”, the answer is an immutable record, not a hallway conversation.

Step 11: mitigation plan

Each VCCP generates mitigation measures with owner, deadline, monitoring frequency, verification method, and supporting evidence. The plan does not live in another file: it lives linked to the assessment that originated it. Verifications are scheduled, generate reminders, and capture their outcome with supporting files.

Step 12: verification, review, and continual improvement

The periodic review of the VACCP system is calendar-driven. Every review is documented with who reviewed, what decision was made (maintain, update, escalate), supporting evidence, and the next review date. Re-assessment triggers — supplier change, intelligence alert, incident, process modification, audit finding — are linked to the affected assessment automatically.

What changes, in practice

Ordered by what matters most when the audit arrives:

Dimension	Spreadsheet	Software with BVF (AdminISO)
Methodology	Everyone invents their own	BVF v1.0 pre-loaded, identical across every site
Calculation	Manual, error-prone	Automatic, with the BVF formula applied consistently
Traceability	Who/when/why is lost	Every score with author, date, and immutable evidence
Versioning	Files like `_v2_final_REV.xlsx`	Workflow `draft → in review → approved → archived`
Approval	Loose emails	Immutable approval with digital sign-off by the responsible role
Large portfolio	Unworkable above 200–300 items	BVF category-based approach, scalable to tens of thousands of SKUs
Fraud intelligence	Read and forgotten	Logged and linked to categories; triggers re-assessment
Mitigation plan	Lives in another file	Linked to the originating VCCP, with schedule and evidence
Incidents	No protocol	BVF four-phase protocol (containment, investigation, comms, close)
Standards compatibility	One assessment per scheme, duplicated	A single assessment, mapped to FSSC 22000, BRC, IFS, SQF, ISO 22000
Integration	HACCP, TACCP, and VACCP in separate files	Same master catalog and platform for all three systems

Compatibility with FSSC 22000, BRC, IFS, and SQF

The BVF is designed to be compatible with every GFSI scheme, and the AdminISO VACCP module preserves that compatibility:

FSSC 22000 §2.5.4 — Vulnerability assessment and mitigation plan.
BRC Global Standard V9 §5.4 — Vulnerability assessment and mitigation plan.
IFS Food V8 §5.6 — Documented vulnerability assessment procedure.
SQF Code Ed. 9 §2.7 — Food fraud program.
ISO 22000:2018 — Risk management applied to fraud.

A single VACCP assessment, built with the BVF, supports an audit against any of these schemes — without rewriting documents per standard.

How it fits with HACCP and TACCP

VACCP does not replace HACCP or TACCP: it sits alongside them. The three systems are differentiated by the motivation behind the event:

System	What it controls	Motivation	Reference methodology
HACCP	Food safety	Unintentional (bio/chem/physical hazards)	Codex Alimentarius
TACCP	Food defense	Intentional — to cause harm (terrorism, sabotage)	PAS 96
VACCP	Food fraud	Intentional — economic gain	BVF v1.0

In AdminISO, all three —HACCP, TACCP/Food Defense, and VACCP— share a single platform within your Food Safety Management System.

How to get started

If your organization already has HACCP in place, the steps to implement VACCP with the BVF in software are:

Activate the Food Fraud (VACCP) module within your FSSC 22000 plan.
Form the VACCP team with the required profiles (quality, procurement, supply chain, intelligence).
Reuse your materials catalog from the HACCP module — nothing is duplicated.
Define vulnerability categories based on the five BVF criteria.
Map the supply chain using the visual editor.
Load the fraud intelligence relevant to your sector and geography.
Score the twelve BVF sub-factors for each category.
Run the decision tree to confirm VCCPs.
Define the mitigation plan with owners, frequencies, and verifications.
Schedule the periodic review and connect re-assessment triggers.

The Food Fraud module in AdminISO is integrated within the FSSC 22000 and Food Protection plans and applies the Beira VACCP Framework (BVF) v1.0 end to end: catalog, calculation, decision tree, plan, incidents, and standards compatibility.

See the AdminISO FSSC 22000 plan →

See the AdminISO Food Protection plan →

And if you want to understand the methodology before implementing it, read the official BVF launch post on the Beira blog: Beira VACCP Framework: a quantitative methodology to prevent food fraud.

VACCP With Software: How to Implement a Food Fraud Vulnerability Assessment Using the Beira VACCP Framework (BVF)