BRC vulnerability assessments are causing sites to get non-conformances on their audits.
Section 5.4 was the most updated section in BRC V7 and is causing 16.1% of sites to get a non-conformances on at least one of the clauses. Sites also seem to be getting stung on clause 18.104.22.168. in the raw material risk assessment section, for not including fraud.
Because BRC have put the requirements for a vulnerability assessment in two places in the standard (in 22.214.171.124 and also section 5.4), this is understandably causing sites some confusion. So in this post, I’ll try to answer some of the questions I’m most commonly asked about BRC vulnerability assessments and provide you with some top tips in the process!
Do I need to include food fraud in my raw material risk assessment, if I have a vulnerability assessment?
No. It’s confusing because it’s shown in two places, but you just need to have covered the assessment once.
You can either do the whole thing separately (I would advise this) for section 5.4 or you can include it in your current raw material risk assessment – as long as you meet all of the requirements that are in 5.4 as well.
If you want to learn more about raw material risk assessments we covered that in a previous post which you can read here – Newsletter 20 – Raw Material Risk Assessment.
Do I need to include packaging in my vulnerability assessment?
No. BRC have made this really confusing because they have stated in clause 126.96.36.199 that packaging must be included in the raw material risk assessment.
However, if you look at clause 5.4.2 is states that the assessment must be carried out on all food raw materials.
So, you only need to include packaging in your raw material risk assessment, not in your vulnerability assessment.
Do I have to be part of a membership such as Campden or Leatherhead in order to prove that I have the required information sources for my assessment?
No. Memberships are expensive and there are a lot of other ways of getting the information that you need. I’ve created a list of all the possible sources of free information that I use, and I’ve included instructions on how to set up an account to DIGG (which I just love) – which provides you with all the current news articles on the subject.
To get your copy of my free information sources fact sheet – just click the button below. You will be directed to our sign up page for smart knowledge and can access the download from our downloads page that is in the link supplied with your welcome email. We will need your name and email address – this is protected and not shared.
Make sure you can provide evidence to the auditor of how the information is being received, that someone is actually looking at it and doing something with it. Just having emails coming into you isn’t enough – you have to be able to prove that someone looked at them, considered them and where they were relevant to your business, the team reviewed them and acted on them.
Is there a set way of grouping the raw materials?
No. You can group them whichever way suits you. Just make sure that all raw materials are covered and that the threats associated with specific raw materials in a group are covered.
Which do I use for my BRC vulnerability assessment – TACCP or VACCP?
TACCP (threat analysis and critical control point) and VACCP (vulnerability assessment and critical control point) are one and the same thing to me. It’s all about how vulnerable you are to a threat having an impact. I’ve explained this more in a previous post which you can read here – BRC Newsletter 10 – TACCP & VACCP Demystified!
The BRC standard mentions TACCP – do I have to use this method?
No. BRC have just provided this as an example, you can use whatever method you choose. Just make sure that it is documented, so you can prove to the auditor how the method works.
If you would like to learn more about the method we use in our book, which has been recommended by Chris Elliott, you can find out more here – Assessing Threat Vulnerabilities for Food Defence.
How do I know what threats to cover? The possibilities are endless, I can’t do it all!
This is a really important question.
It’s really easy to get overwhelmed with all the possibilities of the things that could go wrong. It’s key to ensure that you only cover the really pertinent threats, otherwise your assessment could go on forever and you’ll tie yourself up in knots!
When I’m carrying out a vulnerability assessments for my clients, there are 3 main areas I consider:
- Threats from the supply chain
- Known threats & plausible threats
- Threats generated from claims on pack
Supply Chain Threats
In order to comply with the BRC vulnerability assessment – clause 5.4.2, you must take threats into account which are generated from the length and complexity of the supply chain.
This is because the horse meat scandal highlighted that the length and complexity of the supply chain, made it impossible in some cases, to actually understand where the product came from. Each time the product changes hands this provides increases the risks. Using agents or brokers where the original manufacturer or packer of the product is unknown, is a risk and one which is no longer an option to us.
The main threats that you need to consider are things like:
- Are agents and/or brokers being used?
- Is the raw material imported from a country where there is a known threat?
- Are vehicles transporting the materials sealed? (If not, how do you know the product that you’re expecting is actually the product on the vehicle?)
Make sure you’ve mapped out the supply chain for your materials – this doesn’t need to be complex to comply with BRC, it could just be a description of the steps in the supply chain. (Be aware though that some retailer standards expect a much more detailed approach)
Known Threats & Plausible Threats
It’s really important to not get carried away here. If you do, you’ll end up highlighting a lot of issues that you don’t know what to do about.
Work your way through the groups of raw materials and list any threats that have occurred before (known threats), relating to that group.
Then work your way through the list again and list all of the plausible threats for each group. By plausible, I mean, raw materials that are at risk from fraud due to their cost or availability. You may not be able to find evidence that shows that the threat has occurred before, but you believe that it is highly likely that it could.
Be careful here, to not start listing things that are unlikely to occur. It’s important to keep your list of threats focused. You can always (and you should) add more later, as new information is received, and new threats are highlighted to you.
Threats Generated from Claims on Pack
I find this a really useful way of keeping the BRC vulnerability assessments that I do, really focused on the pertinent threats. We’ve recently updated our raw material vulnerability documentation packs and both the standard pack and the bells & whistles packs, now include a template on how to do this, with set questions that help you decide what to include.
Our packs have helped more than 60 sites to complete their vulnerability assessments, and pass their BRC audits and we’ve had some amazing feedback! You can find out more about our packs, by clicking the picture to the left.
Work your way through the list of the products that you produce, listing all the claims that are made on pack, which are generated by a raw material. This will give you a list of the threats for your products.
That’s Your List!
Once you have your list from each of the 3 areas of consideration, just put these on your assessment.
You don’t need any more to start with.
If that means that a group of raw materials do not have any threats associated with them, that’s fine – just state that there are no known threats at this stage. Don’t make them up to fill the gap – but do keep your workings of the assessments you’ve done from the 3 areas you’ve considered. You can use this as evidence to show your auditor that you have considered all the relevant raw material threats.
Do I have to test all of my raw materials?
No. If you’ve carried out your BRC vulnerability assessment as I’ve described above, your protection measures (and so any testing requirements) should just be focused on the really important threats.
Testing is one method, but it’s not the only one. Before applying a test, think if there is anything else you can do to protect yourself. Would the threat be visible in the raw material, or could it be detected through taste? Checks at intake should always be applied before resorting to testing.
If you decide you have to test, consider and risk assess the frequency at which it needs to be done. I’ve written a previous post on vulnerability testing, you can read that here – BRC Newsletter 12 – Vulnerability Testing, to test or not to test?
The data from BRC shows that the number of sites getting a non-conformance on clause 5.4.3, where you actually have to apply the protection measures required from your vulnerability assessment, is quite low – only 1.5%. So, it shows that the sites that have carried out their assessments effectively, are implementing them well!
What’s your experience?
I hope you’re found this useful. From what I’ve heard from sites, BRC auditors seem to be getting stricter on the compliance to BRC vulnerability assessment clauses. The sites I spoke to last year were finding that the auditor was happy, as long as, they had started their assessment and they didn’t’ necessarily expect it to be finished and implemented. Not so for the sites I’ve spoken to more recently – where the auditors expectations were much higher.
I’d love you to share your experiences from your audits with regard to vulnerability assessments – so we can all learn from them, by posting your comments in the box below (please don’t worry your company name won’t show if you’d like to stay anonymous). What was your auditor’s expectations? Did you feel that they were well trained in this area and ‘know their stuff’? Did they have any specific things they were looking for?
As always, if you have any questions with regard to vulnerability assessments, or anything else BRC related, please feel free to post them below and I’ll get right back to you!