Given that you have a lot of risk assessments to create for Issue 6, we thought it would be a good idea to go through the principles of risk assessments and how you can ensure that you’ve got everything covered for all the different topics that you need to assess.
We’ve split this down into steps for you to follow and explained what you need to do at each step, so hopefully you’ll be able to follow along and create your risk assessments.
1. The topic
For each of the risk assessments you do, you need to clearly state what the topic is, so that when you’re audited, the auditor can see that you’ve covered the topic.
2. The purpose
Each topic has a purpose for you having to create the risk assessment, so you need to be clear on what you’re trying to achieve. So, write down what you’re trying to achieve by documenting the reason for doing the risk assessment. For example, for the topic of record keeping you have to carry out a risk assessment for how long you’re going to keep your records for, so the purpose of your risk assessment is record retention time. Or, for the topic of specifications, you have to risk assess the review frequency for your statement of compliance, so the purpose would be statement of compliance review frequency.
3. The hazard
You need to define that hazard that you’re trying to remove or reduce in your risk assessments. The hazard is what harm it could cause, to your business, to your customer or to the consumer. Consumer safety hazards sit in one of five categories; microbiological, chemical, radiological, physical or allergenic.
- Micro hazards are typically either pathogenic bacteria, viruses, and spoilage organisms. Pathogenic bacteria and viruses cause food poisoning whereas, spoilage organisms cause food to go off, such as mould.
- Chemical hazards can cause illnesses, and you would consider cleaning chemicals, engineering chemicals and chemicals in the packaging itself which may migrate into the product that is packed in it.
- Radiological hazards typically only relate to food, which has been contaminated from the surrounding area, such as produce farmed near nuclear power plants.
- Physical hazards are anything that shouldn’t in the packaging or in the product that is packed in the packaging.
- Allergenic hazards are protein based foods which cause an allergic response when eaten. In the EU and UK there are 14 allergens, but around the world these differ depending on which country you look at – so you need to know which allergens to consider for the country where the packaging will be used.
Because your risk assessments need to cover more than consumer safety, you also need to include quality hazards. Because a hazard causes harm, using the term hazard with quality isn’t really factually correct, they’re really defects. There are so many quality defects that could be applicable to your product, but they would all cause customer complaints. Which means for your risk assessments we have six categories; microbiological, chemical, radiological, physical, allergenic and quality defects.
Severity (sometimes also known as impact) is what will happen to the consumer or the customer if the hazard was to occur. It’s what impact it would have on the consumer or customer. So, for the consumer safety hazards we’ve talked about, it would be the type of harm it would cause. For safety, this is usually split into three levels of death, hospitalisation or injury.
For quality defects the severity wouldn’t cause harm to the consumer, but it may cause complaints.
One really important thing to note here, is that the severity score should always be the consistent throughout your risk assessments for the same hazard. The hazard of glass in a product should always have the same severity score. Eating glass would always hurt the same. It’s the likelihood of eating glass that would change (we’ll come on to likelihood soon). We always say to remember the following; the severity of getting hit by a bus would always be the same. It’s the likelihood of getting hit by a bus that would change.
To make sure that you’re consistent with your severity scores throughout all of your risk assessments, it’s a good idea to do your severity assessments first, before you start putting your risk assessment together. Work out what severity all of your hazards will have and write them down. That way you can use the severity assessment as you go through your risk assessments and then they’ll be consistent.
5. The event
The event is the situation that causes the hazard to happen. Going back to our bus theory, this is the event that caused you to get hit by a bus.
It’s important to think about the event and write it down clearly, because it will lead you to the right control. If you got hit by a bus because you didn’t look before crossing the road, then the control would be to look both ways before crossing the road.
If you don’t think about the event, you can end up creating a risk assessment which isn’t realistic and trying to put controls in place for something that’s not even going to happen. By writing the event that causes the problem, it makes you think practically, and you end up with a really focused risk assessment.
The control is what is going to stop the hazard from happening, or at least reduce it as much as possible. This links back to the purpose of doing the risk assessments. The control needs to answer directly to the purpose of why the risk assessment has been carried out in the first place. So, for the review frequency for statements of compliance, the control needs to be that a review would be carried out.
7. Control details
Once you’ve got your control, you need to build on it, as there needs to be a reason (purpose) for you doing the risk assessment. For the example above, for review frequency – you then need to go on to define how often the review will happen and this needs to be established, based on what you’ve found in your risk assessment. The higher the severity risk rating, the more thorough or frequent the control should be.
Because your risk assessments need to define what controls you need, you need to make sure you define them before you work out the likelihood of the event happening. Then, once you’ve got your control and defined your control details, you can then work out the likelihood of the event happening with the controls you’ve stated in place. This should mean that the likelihood result should be low risk, because you should have defined the controls needed to make it low risk.
Increased controls required
Once the risk assessments are done, that’s not the end. If any of the hazards that you’ve assessed then happen, you need to come back to your risk assessments, because essentially, it means that your controls were not thorough enough to stop the hazard from happening.
You then need to add this detail into your likelihood assessment and explain what has happened. For example, if you’ve had a complaint about a quality defect that you’ve covered in your risk assessment, you would then need to state that, and change the likelihood rating from low. Once you do that, it means you need to add in more controls, so you would state what those increased controls are.
If you follow these instructions you should be able to create a really good risk assessment, which is focused and defines all the controls you need for all the topics you need to cover.
We have also created you a severity risk assessment for the consumer hazards, which you can use. If you’d like a copy, please just let us know your email address and we’ll email it to you.