was successfully added to your cart.

We recently asked BRC to clarify whether a SALSA audit was acceptable to use as a form of supplier approval.  In this post we’ll explain their response and also the complications that I feel come with their response…

You may not have heard of the SALSA standard, so I’ll explain what it is first. SALSA stands for Safe and Local Supplier Approval.  It was launched in 2007 and was designed for small food processing businesses, who were not at the stage where they could meet the BRC standard.  It was developed by a working party, which included the BRC.

In version 7 of the BRC standard, the BRC made some slight changes to the requirements for supplier approval in clause
  1. They specified that a supplier approval questionnaire was no longer acceptable for suppliers, other than those that are deemed to be low risk.
  2. The requirement for approval of a supplier through a certificate was changed…

“third party audits or certification, e.g. to BRC Global Standards”

“certification (e.g. to BRC Global Standards or other GFSI-recognised scheme)”

The addition of the term “GFSI-recognised scheme” and the removal of the term “third party audits” to the clause, seems to imply that a non GFSI recognised certificate would no longer be acceptable.

SALSA is not a GFSI approved scheme and given that SALSA was developed in conjunction with the BRC, we wondered if this meant SALSA was not an acceptable form of approval.  I also wondered how sites would approve farm level suppliers as well, given that schemes such as the Red Tractor or the Lion Code are not GFSI approved. So we posed our question to SALSA and also to BRC.  The response was as follows:

“In summary clause provides 3 options (to approve a supplier):

  • an audit to a GFSI benchmarked scheme such as BRC Standards or GLOBAL Gap.
  • a supplier audit completed by your site*
  • if the supplier is low risk then a questionnaire may be acceptable

*A third party audit may be acceptable as an alternative to completing your own site audit where all the following criteria are satisfied:

  • the scope of the 3rd party audit covers all the items listed in the clause for supplier audits e.g. HACCP review, product safety, traceability, etc.
  • the competency and training of the auditor is known
  • you have access to a copy of the full audit report (a copy of the certificate alone is not considered sufficient)”

The BRC also stated that they had published a reply to this enquiry on the FAQ section of the website, but unfortunately I cannot find it, to be able to provide a link for you.

Therefore, you can approve a supplier through one (or more if you wish) of the following:
  1. a supplier approval questionnaire (only if they are low risk)
  2. a GFSI-recognised certificate
  3. carrying out your own audit of the supplier
  4. or using a non-GFSI approved certificated audit as long as you follow through the close out of the audit as if you’d carried it out yourself

This obviously gives you a lot of flexibility in order to approve your suppliers, which is great.  However, I have one main concern.

Generally, in my experience, in the food industry, as a manufacturer you would give your suppliers a risk rating.  The higher the risk the more time, focus and cost you would put into approving them.  If they were low risk the reverse would be true.  For this reason, I’ve always used a risk assessment method for approval, such as:

Supplier Approval

However, as BRC now states that an audit such as SALSA (which is a less detailed standard than BRC) can now be used as an alternative to a supplier audit – that means you can approve a ‘high risk’ supplier with a SALSA certificate as long as you follow through on closing out the audit non-conformances as you would your own audit.

This didn’t seem right to me, so I queried it again with the BRC.  They confirmed back that they do not recognise low, medium and high risk suppliers – but only low risk and those that are not low risk.

Therefore, to comply with the BRC you can use the following method to approve your suppliers:

Supplier Approval

Personally I think it makes the BRC clause very flexible, as for every supplier there now must be a way to approve them.  For example, in theory now could we argue that close out of an EHO report would be acceptable?  I am really surprised though that they don’t see the need for risk ratings other than low risk, it feels a bit like they’ve missed the importance of managing high risk suppliers and the need to carry out your own supplier audits.

However, it means that we can now risk assess our suppliers into low risk and non-low risk.  Then we can look at the non-low risk ones and decide given time, budget and our own businesses perception of risk of those suppliers, which ones we want to audit.  The rest we approve through a GFSI recognised certificate, or using a third party audit as our own audit.

What do you think?  Do you think that the clarification provided by BRC is a good thing?  I’d love to hear your thoughts – let me know using the comment box below.

Raw Material Risk Assessment

We’ve created a really handy cheat sheet to help you approve suppliers that are sending you certificates for schemes that they are accredited by. This should make it easier for you to understand. It might brighten up your office space too and it’s a great way to see boring information you can digest more easily!

If you’d like one, just complete the form below and we’ll email it to you. You will then be added to our BRC Material  & Supplier Approval list so we can update you about our solutions for this area of compliance with BRC Issue 8.


  • Karen says:

    HI Kassy
    Would that mean that we would pick up a non conformance if we ranked our suppliers as low medium and high risk? Are we saying that low risk suppliers are our high & medium risk suppliers and low suppliers are non low risk? Or the other way round? How come BRC don’t state their expectations within in the interpretation guide? great article thanks for the explanation although more confused 😉
    Thank you

    • Kassy Marsh says:

      Hi Karen,
      No I don’t think so – as long as you are defining which suppliers are low risk, the medium and high risk ones would be classed as ‘not low-risk’. I can only think it’s not covered in the interpretation guide because it was missed.
      Does that help?

  • Karen says:

    Thank you Kassy I have updated my approval risk assessment scoring and made it simpler to fit with BRC requirements. I guess they just want to see suppliers approved or not approved which makes sense as you can’t have half an approved supplier? But as you said you can almost approve everyone now. However in some ways having more flexibility on approval takes the pressure of smaller businesses as the one I work for would not be able to finance audits as most suppliers are in other countries. Plus just because they may not have certification in place doesn’t make them a bad supplier other factors can be taken into account such as supplier history quality of the product etc. Thanks for your help regards Karen

  • Clem Griffiths says:

    Hi Kassy, regarding Supplier approval please comment on this scenario.
    • Supplier A, GFSI, Strong QA core competencies; manufacturer.
    • Supplier B, Non- GFSI, Non HACCP, poor QA core competency; distributor, blender.
    • Product: 6 spices inherent risks clearly defined.
    Risk Assessment Method:
    Combination of ingredient risk and Supplier core competency to provide a supplier classification score
    • Score X = High risk – Do not approve
    • Score Y = Medium Risk = Not low Risk – Approve and require GFSI cert ,etc
    • Score Z = Low risk – Approve and use questionnaire
    Supplier A = medium risk = Not low risk use GFSI cert
    Supplier B = Score X = High Risk – Find a replacement supplier or mitigate using 2’nd part audit to food safety scope and track corrective action against NCRs.
    Thanks for your time.

    • Kassy Marsh says:

      Hi Clem,
      I totally agree with your scenario, it makes sense to me! I would also suggest that you would have a base line to mitigate against for supplier B. For example, if they don’t have a HACCP, then you can’t use them, even with an additional audit. Or that they have to correct the NCNs raised on the audit, prior to supply.

  • Clem Griffiths says:


Leave a Reply