

Raw material and supplier risk assessment

Back in December 2015 we published this article about raw material risk assessment and the changes in issue 7. For Issue 8, BRC have added some additional changes, so I’ve updated the article to include these and bring it up to date. The original information and action still stands, so I thought it best to keep it and build on it. I’ve highlighted in the article, though, which parts are new for Issue 8.

So, here we go! First let’s break down clause 3.5.1 into its separate parts and explain the aim of each part:

– a raw material risk assessment is required, to determine the inherent risk of the raw material. The output of the risk assessment is to produce:

  1. Goods in acceptance criteria
  2. The initial raw material assessment, that feeds into the supplier approval & monitoring risk assessment

– a supplier approval & monitoring risk assessment, to determine the risk of using that supplier. The output of the risk assessment BRC states is to determine:

  1. The criteria for how each supplier should be approved
  2. How the supplier should be monitored

In my opinion there should be a third as well – to start the process of working out what risks are associated with raw materials and therefore risks to the finished product, this information should be used as a base for your HACCP hazard analysis.

– that where agents and brokers are used, the manufacturer should be assessed rather than the agent/broker, UNLESS, the agent/broker has a:

  1. BRC Agents & Brokers certificate (or another comparable GFSI recognised certificate)
  2. Storage & Distribution certificate WITH wholesale module
  3. Food Safety certificate WITH the Traded Products module that covers the product you’re buying
  4. Or, for packaging – a Packaging certificate WITH the traded products module that covers the packaging you’re buying

– that exceptions are handled, which means how raw materials are accepted in emergencies where the raw material or supplier has not been approved following the normal process.

Up until Issue 7 was published, it was very common for auditors to ask for a raw material risk assessment and if the site produced a supplier risk assessment then this was deemed acceptable. Since Issue 7, this has not been the case, as auditors now recognise that a raw material risk assessment and a supplier risk assessment are two very different things…

The purpose of a raw material risk assessment is to assess the inherent risks of the raw materials. This can happen even before the supplier has been decided.

The purpose of a supplier approval & monitoring risk assessment is to take the output from the raw material risk assessment and combine this with the risk of getting that raw material from a particular supplier.

For example, the raw material risk assessment may determine that raw filleted fish is a high risk ingredient, because of the micro risks from fish and also the possibility of left over bones from the filleting process.  The high risk result would then be put into the supplier approval & monitoring risk assessment for each supplier who supplies the fish.  One supplier may be really great and therefore they would come out with a lower risk result and another supplier may not be so great and come out with a higher risk result.

The purpose of a raw material risk assessment is to assess the inherent risks associated with purchasing the raw materials, so that controls can be put in place to ensure that this doesn’t impact on production and more importantly on the consumer.

An inherent risk is something that is characteristic of that raw material, a bit like it’s expected that you’ll get a small amount of stones in raw cereals or dried fruit, or salmonella in raw egg.  A supplier risk assessment doesn’t assess the inherent risk of the raw materials.

BRC Issue 8 changes…

In issue 8 BRC have added three important changes to this section of the standard, these are:

  1. Frequency
  2. Additional inherent hazards
  3. Constant information inputs


Frequency

Previously we had to review our risk assessment annually. That’s no longer the case. One of the themes of change in issue 8 is that many frequencies have been removed, as BRC shift to applying a review where something changes. Which makes perfect sense if you think about it. You don’t wait to change raw materials or suppliers of raw materials until your annual review is due. You do it when you need to. So, your raw material (and supplier) risk assessment should be no different. If you make a change, the risk assessments now need to be reviewed – and this should be done before the change takes place, so any risks involved are managed properly.

Additional inherent risks

So, BRC have added two new risks to consider, these are:

  1. from legal requirements
  2. due to species or variety cross contamination

Legal requirements: You should already have any legal requirements built into your raw material risk assessment, so just go back and check you do.

Species or variety: The species and variety requirement builds on the need to assess vulnerability.

Go through your raw materials and, where you’re making a claim about them due to species or variety, add this to your risk assessment.

For example ‘British’ chicken, ‘Madagascan’ vanilla or ‘Alphonso’ mango.

Now, this is where this gets a little confusing. In issue 7, we were clear that a raw material risk assessment just looks at the risks of the raw materials – not taking the supplier into consideration. We’d then feed the resulting risk, into our supplier risk assessment.

For vulnerability, for species or variety, that’s not purely the case, for two reasons:

1. The location of the supplier may have an impact, e.g. ‘British’ chicken or ‘Madagascan’ vanilla
2. The standard refers to species or variety ‘cross contamination.’ So, what other varieties or species your supplier handles will have an impact.

So, what do we do?

Well, first your raw material risk assessment needs to identify where a claim about variety or species is a risk. Identifying this should drive a higher risk score than a material without a claim.

The second thing to do is, when that raw material risk is fed into your supplier risk assessment, to assess the risk of cross contamination in that supplier risk assessment. Let’s work through an example:

You’re buying Alphonso mango from both supplier A and also, from supplier B.
Alphonso mango has a claim so it’s a higher risk. Supplier A only handles Alphonso mango and doesn’t handle any other types of mango. Whereas supplier B handles lots of varieties of mango. Therefore, the risk of supplier A sending you the wrong species, is much less than supplier B. This should increase and reduce the risk from those suppliers accordingly.

In my opinion, we should also be highlighting as a minimum, where meat is used – as a risk. Although cross contamination of one fruit with another is not good (and so we should control it in the same way in principle too), cross contamination of one meat with another is a definite no-no. So, I would carry out a similar risk assessment exercise in my supplier risk assessment for all meat suppliers – to establish if there’s a risk of cross contamination of one meat with another.

Constant information inputs

This is another theme of change for Issue 8; where we now need to listen, and act upon, what’s happening outside of our site.

We need to proactively use external information to our benefit. So, if a recall happens you can learn from it. This means, we need to have sources of information coming in to us. We then need to have a process of logging it, reviewing it and where needed, take action. This doesn’t need to be complicated, a couple of simple email folders called ‘action required’ and ‘no action required’ is sufficient. Just make sure the process and who’s responsible for it, is captured in your procedure. So now, make sure you go through these changes and make all of the necessary amends to your procedure.

We have a downloadable e-documentation pack for Raw Material & Supplier Risk Assessment, which includes everything you need for raw material and supplier approval. It’s compliant with all of the GFSI recognised schemes, including issue 8 and also covers traded products. It also meets the requirements for supplier risk assessment for the FDA’s FSMA rule. Click the link below to view this, you can also order online.

If you have any comments you can share or queries, please add them to the reply box below. Please note, I’ve left the conversation from issue 7 in the comments below, as the comments are still relevant and could be useful to you.

Raw Material Risk Assessment

We’ve created a really handy cheat sheet to help you approve suppliers that are sending you certificates for schemes that they are accredited by. This should make it easier for you to understand. It might brighten up your office space too and it’s a great way to see boring information you can digest more easily!

If you’d like one, just complete the form below and we’ll email it to you. You will then be added to our BRC Material  & Supplier Approval list so we can update you about our solutions for this area of compliance with BRC Issue 8.


  • Karen says:

    Hi Kassy
    I have reviewed my systems and I, as you have mentioned, seem to have one system that blends raw material risk/ Supplier approval and monitoring. I will update accordingly and thank you for your post and flow chart. However a quick question, the BRC interpretation states that considerations are to be made for fraud & substitution in the raw material risk assessment. I have completed my raw material vulnerability assessment therefore does that score fit into the raw material risk assessment?

    • Kassy Marsh says:

      Hi Karen
      Great question!
      BRC in my view have over complicated the assessment of fraud and substitution by placing it in 2 parts of the standard – and also in 5.4.2. It makes it confusing.
      However, as long as you’ve carried out a raw material vulnerability assessment (as per 5.4.2), then you don’t need to do it again in You’ll notice in where it lists the things you need to take into account, next to ‘substitution or fraud’ it says – “(see clause 5.4.2)”.
      So, the raw material vulnerability assessment that you’ve already done is fine as it is, you don’t need to take substitution and fraud into account for your raw material risk assessment as well.

  • Karen says:

    That’s great thank you. I agree there is a little confusion having fraud etc in two places. Thank you for your help and your newsletters are a great help

  • Donna Restauri says:

    Hi Kassy!
    I was wondering if you could help me out with this question pertaining to raw material approvals. Reading through this newsletter about the 3rd party audit documents we are to receive from Suppliers. I’m stuck on whether or not I need to retrieve a not low risk Supplier’s actual audit report or receiving their audit certificate which is being verified along with receiving their recall and allergen policy and also in some cases receiving their quality and food safety policy would be sufficient to meet this bullet or do I need to get their audit report and/or do an onsite audit?
    Your help is much appreciated!

    • Kassy Marsh says:

      Hi Donna
      Sure, I’ll try my best 
      Ok – first BRC doesn’t recognise ‘high’ risk suppliers. They have two levels of risk only – low risk and not low risk.
      For low risk you can use a supplier questionnaire. For ‘not low risk’ you can’t use a questionnaire.
      If your supplier has a certificate that is GFSI recognised – then that is enough to approve them.
      If they don’t have a GFSI recognised certificate then you have two options:
      1. Audit them yourself
      2. Use a non GFSI recognised audit and handle it like it was your own. By this I mean, request the audit report and all the evidence of close out of the NCNs on the audit report. Check through them and sign them off.
      Unfortunately the suppliers that you are getting push back from will need to either move with the times or lose the business…. It’s only going to get tougher for them to withhold information.
      I hope that helps?
      Thanks, Kassy

      • Donna says:

        Thanks so much Kassy, that helps a lot. 🙂

      • Raffaela says:

        Hi Kassy,
        thank you so much for your helpful comments. You say above BRC has only two levels of risk, where do you get that from? We are working on updating our systems to 3.5 as per version 8.
        Thank you,

        • Kassy Marsh says:

          Hi Raffaela,
          This comes from the standard – they define the risk as low risk, or not low risk.

  • John Figgins says:

    Hi Kassy – Thank you for an informative summary.

    I’d like to highlight a couple of points in addition to your comments:

    Clause includes separate bullet points on both substitution and fraud, and variety/species cross-contamination. This was deliberate to ensure both were included. Therefore both the points you mention are valid but the idea of the variety/species cross-contamination should be very much focused on cross-contamination ie exactly the scenario you mention with the potential for meat species to cross-contaminate at a supplier’s site where multiple species are handled. However, sites shouldn’t limit this to meat, there may be other raw materials which could be susceptible to this type of cross-contamination.

    Absolutely agree that the aim of adding fraud & substitution to this clause is not to make sites duplicate work completed elsewhere. It is, however, vitally important that fraud/substitution risks are considered as part of raw material risk assessment, and importantly it should be considered when a new material (or source of material) is being considered. It would be a risky strategy for a site to start using a raw material without completing this part of the assessment, especially if they subsequently identified a genuine risk (which could potentially happen if assessment of this risk was left until the next scheduled review of the vulnerability assessment). Where sites are completing a separate vulnerability assessment (in accordance with section 5.4) it is perfectly acceptable to import the information/conclusions from the vulnerability assessment into their supplier approval without duplicating (obviously ensuring that the action is appropriately documented so it is clear).

    On the question of suppliers’ certificates/audit reports the Standard is not prescriptive so a site can select which is appropriate for them/the identified risks. The audit report obviously contains significantly more detail and has the added advantage that access can be provided (by your supplier) through BRC Directory so that its validity is authenticated. If a site receives photocopies/pdfs/etc sent directly to them (ie not using BRC Directory) from the supplier (either certificates or audit reports) then as part of the assessment, the site will need to confirm the validity of that certification ie how does the site know it is genuine, still valid, not out of date, the date of the next audit when new paperwork will be needed, etc. (This requirement is an addition to Issue 8). This can be checked by typing the supplier’s site code into BRC Directory and confirming that the supplier is listed as a certificated site (NB other certification schemes have different mechanisms for checking validity of certificates).
