Supplier approval and monitoring for BRC Issue 8

The BRC have clarified and simplified the approval of suppliers in issue 8, which is great. They have also clarified that the process is split into two distinct parts – approval and monitoring. Monitoring tends to get forgotten, so it makes sense that they’ve split them out to help explain the differences. Let’s go through the approval processes and then we’ll look at monitoring.


So, how we approve a supplier is the same, for ingredients, packaging and also traded products. The approval of co-manufacturers is the same too – with one key difference, that an SAQ is not acceptable, as these suppliers are not deemed to be low risk. In the last article we looked at raw material risk assessment, so the output from this risk assessment, should then feed into your supplier risk assessment. If you’d like to read that article first, you can do here:

Raw material risk assessment article

The aim of your supplier risk assessment is to determine if each supplier is – low risk or, not low risk. Now, if your risk assessment produces supplier risks as low, medium and high – that’s fine too. All the low ones would be low risk. And, all the medium and high risk ones would be – not low risk. Personally, I don’t like these terms, but it’s what BRC have decided, so that’s just the way it is.

Once we have our supplier risks, as low risk or not low risk, that defines how we can approve them. We have three options to choose from; a supplier questionnaire (SAQ), a GFSI certificate, or an audit.

  • SAQ: You can only use this for low risk suppliers. You cannot use this for not low risk suppliers.
  • GFSI certificate & Audit: You can use for both low risk and not low risk suppliers.

GFSI Certificate

This is the easiest option to go for, if you can. All you need to do, is to check that the certificate is valid (it’s not fake) and that the scope of the certificate covers the products you’re buying from the supplier. If you can prove both those, you’re good to go.


If you can’t use a GFSI certificate, the best option you have is an audit. Now, this doesn’t mean you need to go and audit the supplier. You can use any third party audit, including non GFSI audits, such as Red Tractor, SALSA, ISO 22,000 etc. But if you use a third party audit, as your audit of the supplier, you need to prove a few things:

  1. That the audit has checked that the supplier has GMP, food safety, HACCP review and traceability in place.
  2. That any non-conformances to the audit have been closed out.
  3. That the scope of the audit covers the products you are buying from them.

How do I do this?

You need the supplier audit report and the evidence of close out of the non-conformances. Basically, you need to handle the third party audit of your supplier, as if you’d done the audit and make sure it’s closed out.

No third party audit or GFSI Certificate?

If they’re not low risk – then the only option left open to you, is to audit them. This means, you have to go and actually do the audit. If you have to go for this option, make sure that the auditor who does the audit is competent, so they’ll need to be able to prove that they are. The only real way of doing this is through a qualification.  As a minimum they should have an internal auditing certificate, but ideally a lead assessor qualification.

If you need help with your supplier audits, we can help with this – we do supplier audits for quite a few of our clients. Just email Mel on for more information. So, once you’ve approved your supplier, we then move into the monitoring phase…


This means that you monitor your supplier performance, use this information to re-assess them and then re-confirm the approval. Therefore, your supplier risk assessment needs to continue to assess their performance.

For example:

  • Have any complaints been received, that were due to your suppliers?
  • Have you had delivery issues with them?
  • Have they created non-conformances?

You need to gather this information throughout the year and then review it each year. The information would need putting into the risk assessment, and where this changes the risk, the correct approval process would need applying.

For example:
If you have a low risk supplier, who is approved by an SAQ and because of their performance, the risk changes to not low risk, when the risk assessment is updated, then you wouldn’t be able to use an SAQ to approve them anymore. You would need to use a GFSI certificate, or an audit.

This is why the BRC say you can only use an SAQ for ‘initial’ approval. Because, the monitoring needs to prove on an ongoing basis, if they really are low risk, or not.

If you have any questions regarding this subject, or would like to share your thoughts, please do – by adding them to the reply box below. This article has been updated from the one we published for issue 7 above, so I’ve left the previous comments as they’re still valid and may be of use.

If you’d like to update your raw material and supplier approval and monitoring system, we have a pack for that!

Raw Material Risk Assessment

Grab the cheat sheet…

We’ve created a really handy cheat sheet to help you approve suppliers that are sending you certificates for schemes that they are accredited by. This should make it easier for you to understand. It might brighten up your office space too and it’s a great way to see boring information you can digest more easily!

If you’d like one, just complete the form below and we’ll email it to you. You will then be added to our BRC Material  & Supplier Approval list so we can update you about our solutions for this area of compliance with BRC Issue 8.

Have your say…

17 thoughts on “Supplier approval and monitoring for Issue 8

  1. HI Kassy
    Would that mean that we would pick up a non conformance if we ranked our suppliers as low medium and high risk? Are we saying that low risk suppliers are our high & medium risk suppliers and low suppliers are non low risk? Or the other way round? How come BRC don’t state their expectations within in the interpretation guide? great article thanks for the explanation although more confused 😉
    Thank you

    1. Hi Karen,
      No I don’t think so – as long as you are defining which suppliers are low risk, the medium and high risk ones would be classed as ‘not low-risk’. I can only think it’s not covered in the interpretation guide because it was missed.
      Does that help?

  2. Thank you Kassy I have updated my approval risk assessment scoring and made it simpler to fit with BRC requirements. I guess they just want to see suppliers approved or not approved which makes sense as you can’t have half an approved supplier? But as you said you can almost approve everyone now. However in some ways having more flexibility on approval takes the pressure of smaller businesses as the one I work for would not be able to finance audits as most suppliers are in other countries. Plus just because they may not have certification in place doesn’t make them a bad supplier other factors can be taken into account such as supplier history quality of the product etc. Thanks for your help regards Karen

  3. Hi Kassy, regarding Supplier approval please comment on this scenario.
    • Supplier A, GFSI, Strong QA core competencies; manufacturer.
    • Supplier B, Non- GFSI, Non HACCP, poor QA core competency; distributor, blender.
    • Product: 6 spices inherent risks clearly defined.
    Risk Assessment Method:
    Combination of ingredient risk and Supplier core competency to provide a supplier classification score
    • Score X = High risk – Do not approve
    • Score Y = Medium Risk = Not low Risk – Approve and require GFSI cert ,etc
    • Score Z = Low risk – Approve and use questionnaire
    Supplier A = medium risk = Not low risk use GFSI cert
    Supplier B = Score X = High Risk – Find a replacement supplier or mitigate using 2’nd part audit to food safety scope and track corrective action against NCRs.
    Thanks for your time.

    1. Hi Clem,
      I totally agree with your scenario, it makes sense to me! I would also suggest that you would have a base line to mitigate against for supplier B. For example, if they don’t have a HACCP, then you can’t use them, even with an additional audit. Or that they have to correct the NCNs raised on the audit, prior to supply.

  4. Hi Kassy,

    With a supplier that we are approving using an SAQ, how do we verify the tractability of that supplier? As part of the SAQ I already ask if they carry out tractability tests. On your checklist for standard 8 you have “carried out a trace test on all suppliers who you have approved using an SAQ” – is this the same thing? And if so what should it involve? Going round in circles trying to get to the bottom of this one.

    1. Hi!
      To prove that a supplier approved using an SAQ, has the necessary trace systems in place, you need to carry out a trace test with them. You can do this remotely – ask them to do a trace on the product they supply you. They should send you copies of the paperwork and you’ll need to check it, sign if off and file it for audit.

  5. Hi Kassy,

    In terms of verifying supplier’s certification, I know the BRC Directory exists and it is very easy to use. Do you know if similar directories exist for FSSC 2200o or IFS, for example?

    Thank you,

  6. Dear Kassy,
    Above in the article it says”In the last article we looked at raw material risk assessment, so the output from this risk assessment, should then feed into your supplier risk assessment” but on your raw material risk assessment article it says ” A supplier risk assessment doesn’t assess the inherent risk of the raw materials.”. I am little bir confused can you please explain i? How are we supposed to combine the result of raw material risk assessment with supplier risk assessment?

    1. Hi
      The raw material risk assessment determines the inherent risk of the raw material. The result of this should then feed into the supplier risk assessment. A raw material with a high inherent risk, should increase the risk to the supplier that you buy it from. Does that make sense?

Share your thoughts…

Your email address will not be published. Required fields are marked *

We've tagged this article as: ,