We recently asked BRC to clarify whether a SALSA audit was acceptable to use as a form of supplier approval. In this post we’ll explain their response and also the complications that I feel come with their response…
You may not have heard of the SALSA standard, so I’ll explain what it is first. SALSA stands for Safe and Local Supplier Approval. It was launched in 2007 and was designed for small food processing businesses, who were not at the stage where they could meet the BRC standard. It was developed by a working party, which included the BRC.
In version 7 of the BRC standard, the BRC made some slight changes to the requirements for supplier approval in clause 126.96.36.199:
- They specified that a supplier approval questionnaire was no longer acceptable for suppliers, other than those that are deemed to be low risk.
- The requirement for approval of a supplier through a certificate was changed from:
“third party audits or certification, e.g. to BRC Global Standards”
to:
“certification (e.g. to BRC Global Standards or other GFSI-recognised scheme)”
The addition of the term “GFSI-recognised scheme” to the clause and the removal of the term “third party audits” seem to imply that a non-GFSI-recognised certificate would no longer be acceptable.
SALSA is not a GFSI approved scheme and given that SALSA was developed in conjunction with the BRC, we wondered if this meant SALSA was not an acceptable form of approval. I also wondered how sites would approve farm level suppliers as well, given that schemes such as the Red Tractor or the Lion Code are not GFSI approved. So we posed our question to SALSA and also to BRC. The response was as follows:
“In summary clause 188.8.131.52 provides 3 options (to approve a supplier):
- an audit to a GFSI benchmarked scheme such as BRC Standards or GLOBAL Gap.
- a supplier audit completed by your site*
- if the supplier is low risk then a questionnaire may be acceptable
*A third party audit may be acceptable as an alternative to completing your own site audit where all the following criteria are satisfied:
- the scope of the 3rd party audit covers all the items listed in the clause for supplier audits e.g. HACCP review, product safety, traceability, etc.
- the competency and training of the auditor is known
- you have access to a copy of the full audit report (a copy of the certificate alone is not considered sufficient)”
The BRC also stated that they had published a reply to this enquiry on the FAQ section of the website, but unfortunately I cannot find it, to be able to provide a link for you.
Therefore, you can approve a supplier through one (or more if you wish) of the following:
- a supplier approval questionnaire (only if they are low risk)
- a GFSI-recognised certificate
- carrying out your own audit of the supplier
- or using a non-GFSI approved certificated audit as long as you follow through the close out of the audit as if you’d carried it out yourself
This obviously gives you a lot of flexibility in order to approve your suppliers, which is great. However, I have one main concern.
Generally, in my experience, in the food industry, as a manufacturer you would give your suppliers a risk rating. The higher the risk the more time, focus and cost you would put into approving them. If they were low risk the reverse would be true. For this reason, I’ve always used a risk assessment method for approval, such as:
However, as BRC now states that an audit such as SALSA (which is a less detailed standard than BRC) can now be used as an alternative to a supplier audit – that means you can approve a ‘high risk’ supplier with a SALSA certificate as long as you follow through on closing out the audit non-conformances as you would your own audit.
This didn’t seem right to me, so I queried it again with the BRC. They confirmed back that they do not recognise low, medium and high risk suppliers – but only low risk and those that are not low risk.
Therefore, to comply with the BRC you can use the following method to approve your suppliers:
Personally, I think it makes the BRC clause very flexible, as for every supplier there now must be a way to approve them. For example, in theory, could we now argue that close out of an EHO report would be acceptable? I am really surprised, though, that they don’t see the need for risk ratings other than low risk; it feels a bit like they’ve missed the importance of managing high risk suppliers and the need to carry out your own supplier audits.
However, it means that we can now risk assess our suppliers into low risk and non-low risk. Then we can look at the non-low risk ones and decide, given time, budget and our own business’s perception of the risk of those suppliers, which ones we want to audit. The rest we approve through a GFSI-recognised certificate, or by using a third party audit as our own audit.
What do you think? Do you think that the clarification provided by BRC is a good thing? I’d love to hear your thoughts – let me know using the comment box below.