Supplier approval and monitoring for BRC Issue 8
The BRC have clarified and simplified the approval of suppliers in issue 8, which is great. They have also clarified that the process is split into two distinct parts – approval and monitoring. Monitoring tends to get forgotten, so it makes sense that they’ve split them out to help explain the differences. Let’s go through the approval processes and then we’ll look at monitoring.
So, how we approve a supplier is the same, for ingredients, packaging and also traded products. The approval of co-manufacturers is the same too – with one key difference, that an SAQ is not acceptable, as these suppliers are not deemed to be low risk. In the last article we looked at raw material risk assessment, so the output from this risk assessment, should then feed into your supplier risk assessment. If you’d like to read that article first, you can do here:
The aim of your supplier risk assessment is to determine if each supplier is – low risk or, not low risk. Now, if your risk assessment produces supplier risks as low, medium and high – that’s fine too. All the low ones would be low risk. And, all the medium and high risk ones would be – not low risk. Personally, I don’t like these terms, but it’s what BRC have decided, so that’s just the way it is.
Once we have our supplier risks, as low risk or not low risk, that defines how we can approve them. We have three options to choose from; a supplier questionnaire (SAQ), a GFSI certificate, or an audit.
- SAQ: You can only use this for low risk suppliers. You cannot use this for not low risk suppliers.
- GFSI certificate & Audit: You can use for both low risk and not low risk suppliers.
This is the easiest option to go for, if you can. All you need to do, is to check that the certificate is valid (it’s not fake) and that the scope of the certificate covers the products you’re buying from the supplier. If you can prove both those, you’re good to go.
If you can’t use a GFSI certificate, the best option you have is an audit. Now, this doesn’t mean you need to go and audit the supplier. You can use any third party audit, including non GFSI audits, such as Red Tractor, SALSA, ISO 22,000 etc. But if you use a third party audit, as your audit of the supplier, you need to prove a few things:
- That the audit has checked that the supplier has GMP, food safety, HACCP review and traceability in place.
- That any non-conformances to the audit have been closed out.
- That the scope of the audit covers the products you are buying from them.
How do I do this?
You need the supplier audit report and the evidence of close out of the non-conformances. Basically, you need to handle the third party audit of your supplier, as if you’d done the audit and make sure it’s closed out.
No third party audit or GFSI Certificate?
If they’re not low risk – then the only option left open to you, is to audit them. This means, you have to go and actually do the audit. If you have to go for this option, make sure that the auditor who does the audit is competent, so they’ll need to be able to prove that they are. The only real way of doing this is through a qualification. As a minimum they should have an internal auditing certificate, but ideally a lead assessor qualification.
If you need help with your supplier audits, we can help with this – we do supplier audits for quite a few of our clients. Just email Mel on firstname.lastname@example.org for more information. So, once you’ve approved your supplier, we then move into the monitoring phase…
This means that you monitor your supplier performance, use this information to re-assess them and then re-confirm the approval. Therefore, your supplier risk assessment needs to continue to assess their performance.
- Have any complaints been received, that were due to your suppliers?
- Have you had delivery issues with them?
- Have they created non-conformances?
You need to gather this information throughout the year and then review it each year. The information would need putting into the risk assessment, and where this changes the risk, the correct approval process would need applying.
If you have a low risk supplier, who is approved by an SAQ and because of their performance, the risk changes to not low risk, when the risk assessment is updated, then you wouldn’t be able to use an SAQ to approve them anymore. You would need to use a GFSI certificate, or an audit.
This is why the BRC say you can only use an SAQ for ‘initial’ approval. Because, the monitoring needs to prove on an ongoing basis, if they really are low risk, or not.
If you have any questions regarding this subject, or would like to share your thoughts, please do – by adding them to the reply box below. This article has been updated from the one we published for issue 7 above, so I’ve left the previous comments as they’re still valid and may be of use.
If you’d like to update your raw material and supplier approval and monitoring system, we have a pack for that!
We’ve created a really handy cheat sheet to help you approve suppliers that are sending you certificates for schemes that they are accredited by. This should make it easier for you to understand. It might brighten up your office space too and it’s a great way to see boring information you can digest more easily!
If you’d like one, just complete the form below and we’ll email it to you. You will then be added to our BRC Material & Supplier Approval list so we can update you about our solutions for this area of compliance with BRC Issue 8.