VACCP (Vulnerability Assessment and Critical Control Points) has been standard food safety practice for a decade. The methodology is sound: map your supply chain, identify economically motivated fraud vulnerabilities (ingredient substitution, dilution, counterfeiting), assess likelihood and impact, and define mitigation controls. TACCP (Threat Assessment and Critical Control Points) applies the same logic to intentional threats (sabotage, contamination).
But VACCP and TACCP were designed for stable supply chains. They assume that your regular suppliers exist, are accessible, and can be verified. They assume that when a supplier fails, you have time to audit alternatives. The Strait of Hormuz closure has shattered that assumption. Geopolitical disruption is now forcing manufacturers into emergency sourcing scenarios that current VACCP/TACCP frameworks may not adequately address.
The question facing food safety teams in May 2026 is not whether VACCP/TACCP are theoretically valuable. It is whether the current methodology captures the fraud vulnerabilities created when supply chains fail under geopolitical stress.
What VACCP and TACCP Actually Assess
VACCP is defined as a systematic method to defend a food supply chain from economically motivated dishonest conduct — ingredient dilution, species substitution, counterfeiting, mislabelling. The methodology identifies weak points in your supply chain where an economically motivated fraudster could exploit you. It asks: What is the financial incentive? How easily could substitution occur? How likely would detection be?
TACCP assesses intentional threats — sabotage, extortion, terrorism, malicious contamination. Both frameworks are now standalone audit focus areas in BRC Issue 9 and GFSI-recognised standards, with food safety teams expected to maintain documented assessments and evidence of mitigation effectiveness.
The gap between what is documented and what actually works is where most audit findings are now being raised, according to recent audit trend analysis. This gap is about to widen significantly.
The Gap: Geopolitical Disruption as a Fraud Accelerant
Current VACCP methodology assesses fraud vulnerability in isolation. It answers: "Given my normal supply chain, who could cheat me and how?" It does not adequately answer: "When my supply chain fails, who will I be forced to work with, and what fraud risks does emergency sourcing create?"
Geopolitical disruption creates a specific fraud vulnerability that VACCP was not designed to capture: the forced abandonment of normal supplier verification timelines. When the Strait of Hormuz closes and your dairy ingredient supplier cannot deliver because their raw milk source is stuck in shipping queues, you do not have weeks to audit alternatives. You have days or hours. This time compression is not a fraud risk that VACCP typically addresses — it is assumed that you have time to verify.
In VACCP language, the "likelihood" of fraud increases when time pressure forces you to accept suppliers you have not fully verified. The "impact" increases when you accept emergency suppliers at volume. But VACCP assessments are rarely written to capture this scenario. They focus on "normal" supply chain fraud risks, not crisis-driven sourcing.
Food fraud cases documented in 2026 show exactly this pattern: companies under time pressure accepting suppliers referred by brokers, requesting certificates via email without verification, and committing to orders before third-party testing could occur. The fraud that followed was not detected at point of delivery — it was detected weeks or months later in audit or recall. By then, the fraudster had moved on to a different target.
Why Current TACCP Does Not Capture This Either
TACCP is more narrow in scope: it focuses on intentional threats — someone trying to sabotage your product or contaminate it deliberately. Geopolitical disruption does not fit the TACCP threat model. The fraud created by supply chain disruption is not a deliberate threat to your specific product; it is an economically motivated decision by a fraudster to exploit a general market condition (oversupply of unverified suppliers, time pressure, verification gaps).
So TACCP does not apply. But VACCP should apply — and this is where the methodology falls short. VACCP asks "How vulnerable are we to fraud?" but assumes a stable environment in which you can execute normal verification procedures. It does not ask "How vulnerable are we to fraud if our supply chain collapses?"
What Needs to Change
1. VACCP Should Include a "Crisis Sourcing" Scenario
VACCP assessments should now explicitly include a scenario: "If my primary supplier fails, what is my secondary source, and can I verify them within 48 hours?" For each critical ingredient, the assessment should define: minimum verification requirements under time pressure (unannounced verification call, certificate verification through the issuing body, commitment to testing on receipt), and consequences of proceeding without this verification (hold product, initiate investigation, source alternative).
This is not a new control. It is a gap in current VACCP methodology that needs to be documented.
2. Geopolitical Risk Should Be Explicitly Named in Risk Assessment
Current VACCP assessments identify fraud risks by ingredient type and supplier type. A new risk category should be added: "Geopolitical Disruption of Primary Supply Routes." For ingredients sourced from or transiting through high-risk regions (Middle East, South China Sea, etc.), the assessment should identify: What are the critical chokepoints? What is the likelihood of closure? What is the impact on my supply chain? What emergency sourcing options exist, and what are their verification gaps?
This elevates geopolitical supply chain risk from "external assumption" to "documented vulnerability."
3. VACCP Mitigation Controls Should Address Emergency Sourcing Timelines
Current VACCP mitigation controls typically include: supplier audits, certificate verification, testing protocols, contract terms. These are appropriate for normal sourcing. Emergency sourcing requires abbreviated controls that are still effective: unannounced verification calls (speak to named contacts to confirm they actually exist), certificate verification through the issuing body (not email), and commitment to authenticity testing on first delivery (oils, dairy, specialty ingredients).
These abbreviated controls should be pre-defined and pre-approved in the VACCP document, so that when crisis sourcing occurs, procurement can implement them immediately rather than negotiating what "good enough" means under time pressure.
Strengthening Your HACCP System — Updated VACCP/TACCP Scope
SafetyCore's triggered review feature is designed for exactly this purpose: when a significant change occurs (supplier failure, new supplier, process modification, incident), a structured HACCP review is initiated. A triggered review should now include: a reassessment of VACCP/TACCP in light of the change, with specific focus on whether emergency sourcing has created new fraud vulnerabilities, whether supplier verification timelines are adequate, and whether testing protocols are adequate for the new supplier.
The immutable audit trail documents this reassessment. When the FSA or a BRC auditor asks how you assessed fraud risk following a supplier change, you have evidence that the reassessment occurred and what it concluded.
What You Should Do This Week
Pull your current VACCP and TACCP documents. For each critical ingredient, answer: If my primary supplier fails today, who is my secondary source? Can I verify them within 48 hours? What verification steps can I execute in that timeframe? If the answer is "I don't know" or "I can't", you have identified a gap in your current VACCP. This gap is not theoretical — it is a real vulnerability that the 2026 Strait of Hormuz closure has already exposed in UK food manufacturing.
Brief your quality and procurement teams on the gap. Define emergency sourcing procedures that include verification steps that can be executed under time pressure. Document these in your VACCP assessment. This is now a standard BRC audit question: "How would you source ingredients if your primary supplier failed?" Have documented answers ready.
The Strait of Hormuz may reopen. But geopolitical risk to supply chains is permanent. VACCP and TACCP frameworks are fit for purpose — they just need to be expanded to explicitly address crisis sourcing as a fraud vulnerability scenario.
If you're reviewing your VACCP/TACCP documents after reading this, SafetyCore's triggered review framework gives you a structured way to update your vulnerability assessments and document the reasoning. Start a free trial at safetycore.co.uk.
References: Entecom: VACCP & TACCP in 2026; UNCTAD: Strait of Hormuz Disruptions and Global Trade; BRCGS: Food Safety Standards
LinkedIn Summary: VACCP and TACCP assume stable supply chains. The Strait of Hormuz closure breaks that assumption. When suppliers fail under geopolitical stress, companies turn to unverified alternatives. Current VACCP methodology doesn't adequately capture fraud risk in emergency sourcing scenarios. Time to expand the framework. #FoodSafety #VACCP #TACCP #SupplyChainRisk