This article walks you through the steps of supplier management. The following information complies with:

BRCGS Food Safety Issue 8

  • 3.5 Supplier and raw material approval and performance monitoring
  • 9.1 Approval and performance monitoring of manufacturers/packers of traded food products
  • 4.16.6 Transport supplier approval
  • 5.4.4 & 9.3.3 Verification of materials with claims

BRCGS Packaging Issue 6

  • 3.7 Supplier approval and performance monitoring
  • 7.1 Approval and performance monitoring of manufacturers/packers of traded packaging products
  • 5.10.6 Transport supplier approval
  • 3.10 Management of suppliers of services
  • 4.3.10 Security verification of service suppliers
  • 5.8 Incoming goods

BRCGS Agents & Brokers Issue 3

  • 4.1 Approval and performance monitoring of manufacturers/packers of traded products
  • 4.2 Management of suppliers of services
  • 3.7.4 Traceability of low risk suppliers
  • 4.4.3 Claims

Storage & Distribution Issue 4

  • 3.5 Purchasing
  • 10.2.1 Supplier approval and performance monitoring (traded products)
  • 10.3.1 Supplier approval and performance monitoring (traded products)
  • 7.1 Receipt of goods

FSSC22000 Version

  • Management of services and purchased materials
  • 7.1.6 ISO 22000:2018
  • 9.2 ISO/TS 22002-1:2009
  • 4.6 ISO/TS 22002-4:2013
  • 4 ISO/TS 22002-5:2019

IFS Food Version 7

  • 4.4 Purchasing

SQF Edition 9

  • 2.3.4 Approved Supplier Program

Suppliers that require management are:

  • Material suppliers, including traded products and outsourced products (copackers, subcontracted processes)
  • Services

Service suppliers you need to approve are:

  • Final mile delivery companies
  • Laundry
  • Maintenance of equipment
  • Pest control
  • Transport services
  • Third party ink kitchens
  • Staffing agencies
  • Contracted cleaning
  • Contracted servicing and maintenance of equipment
  • Equipment providers (e.g. pallets, racking)
  • Transport and distribution
  • Off-site storage or dispatch of materials or product
  • Laboratory services
  • Catering services
  • Calibration services
  • Product safety and quality consultants

The steps of supplier management are:

  • Risk assessment of the material or service
  • Risk assessment of the supplier
  • Determine the overall risk rating
  • Application of the relevant approval method
  • Monitoring of the supplier
  • Review of the risk assessments

Risk assessment of the material or service

The purpose of a material or service risk assessment is to assess the inherent risks associated with it. At this stage the supplier isn’t yet considered.

When the supplier risk assessment is completed, the output of the material or service risk assessment is included, which results in a combined and overall risk rating of that material/service from that supplier.

This is because the level of risk of the material or service can depend on which supplier you get it from.

For example:
The material risk assessment may determine that raw filleted fish is a high-risk ingredient, because of the micro risks from fish and also the possibility of left over bones from the filleting process.

The high-risk result would then be put into the supplier approval and monitoring risk assessment for each supplier who supplies the fish. One supplier may be great and would therefore come out with a low-risk result, and another supplier may not be so great so would therefore come out with a high-risk result.

The same theory works for suppliers of services. For example, you could have one logistics company who delivers a product for you who does it well, and another who delivers the same product for you and doesn’t do it quite so well. This would result in different risk ratings for each supplier.

Makes sense doesn’t it! You would want to put more of your time and attention onto the suppliers who were a higher risk.

What do you assess in the material/service risk assessment?

If you’re not risk assessing the supplier yet, then what do you risk assess? You’re looking specifically at the inherent risks associated with that material or service.

An inherent risk is something that is characteristic of that material/service. For example, it’s reasonable to expect that you’ll get a small amount of stones in raw cereals or dried fruit, or salmonella in raw egg. Or that a delivery service of chilled product would incur more risk than a delivery service of ambient product.

The risks you need to consider are:

  • Allergen contamination
  • Foreign-body contamination
  • Microbiological contamination
  • Chemical contamination
  • Radiological contamination
  • Variety or species cross-contamination
  • Legal requirements
  • Customer requirements
  • Geographical origins
  • Integrity and claims
  • Accuracy of printed packaging

The Standards also state that you need to take into account vulnerabilities from fraud and also threats from product defence. However, if you already have a vulnerability assessment and a threat assessment in place,  it doesn’t mean you have to repeat it. What it means, is that you must take into account the results of your vulnerability and threat assessments, where the supplier is the one that needs to apply the protection measures for you.

For example:
If your assessment identified that vehicles must be sealed, and you used a storage and distribution supplier to deliver your product for you, you would need to get the supplier to apply the seals for you.

So then, the outputs of your vulnerability and threat assessments become an input to your supplier management risk assessments.

One of the outputs of your materials risk assessment, is that you must identify any intake checks that are required. These should include those identified due to claims as well.

Risk assessment of the supplier

This means that the inputs into your supplier element of your risk assessment are:

  • Fraud protection measures (from your vulnerability assessment)
  • Product security measures (from your threat assessment)
  • Significant risks from the material/service (from your material/service risk assessment)
  • Purchasing information (about how much you buy etc)

Using all these measures you can then assess the risk of that supplier.

Determine the overall risk rating

The purpose of working out the overall risk rating is to determine which approval methods you can use.

For BRCGS this then results in the use of one of two risk ratings:

  • Low-risk
  • Not low-risk

The tools that you have available to you to approve a ‘Not low-risk’ supplier are fewer than the available tools for a ‘Low-risk’ supplier.

The terms low-risk and not low-risk can be confusing. We imagine BRCGS have used these terms because they don’t want to pin a tag on a supplier that implies a level of risk. If they’d gone with low-risk and high-risk instead, you can imagine there would be questions as to whether suppliers are so risky that they should be classed as high-risk, and whether a medium-risk category would be needed. So, we’ve ended up with low-risk and not low-risk.

What this means is that you can’t use a supplier questionnaire to approve a not low-risk supplier.

Application of the relevant approval method

As we’ve said you can use a supplier questionnaire, or an audit to approve a low-risk supplier.

For not low-risk suppliers, you can’t use a questionnaire, but instead you have to use an audit.

Low-risk supplier questionnaire

You can only use a supplier questionnaire to approve your low-risk suppliers. This means your supplier risk assessment must include a method which determines which of your suppliers are low-risk and which are not low-risk. If you do determine a supplier is low-risk, you must really be able to justify why this is the case – so make sure you can, if an auditor asks you to prove it.

A supplier questionnaire is basically a remote audit of your supplier – so it should be sufficiently detailed.

Once a supplier questionnaire is returned, it needs to be checked. This is to make sure that it’s been completed sufficiently and also to assess the information provided.

Remember, this is like doing an audit. So, the information should be assessed like an audit. For this to be completed thoroughly and consistently, a process is needed. For example, if a supplier states ‘No’ to a question, what does that mean? Is it acceptable or not?

The Standard states that the questionnaire must include enough information for you to be able to make a confident decision about the capability of the supplier. So, the way that the questionnaire is compiled and then assessed is key.

The Standard also states that you must assess product safety, traceability, HACCP review and GMP (for BRCGS) and also product quality, legality and authenticity (for IFS). So, you need to make sure this is included in the questionnaire.

When using a supplier questionnaire to approve a supplier, you have to carry out a trace test with them. This is to check that their traceability system is effective. Verification of their traceability system needs completing prior to approval and also every three years as a minimum. Make sure that where you’ve used just a supplier questionnaire to approve a supplier, you’ve got evidence of the verification of their traceability system too.

If you’re making a claim on pack and it relies on the compliance of a material, you need to ensure that the questionnaire is sufficiently detailed to prove that the claim will be met. For allergens, you’ll need enough information to carry out your allergen risk assessment.

The standard states that a supplier questionnaire must be re-issued every three years as a minimum. Plus, you need to get your suppliers to inform you if there are any significant changes to the information they’ve provided, during that three year period. Make sure that you have a statement explaining this on your supplier questionnaire, preferably just above the supplier sign off section. You don’t need to get your supplier to complete the questionnaire again, you can send them the one you have on file and ask them to check it.

Not low-risk supplier approval

For a not low-risk supplier, the only option you have to approve them is using an audit. And there are three types of audit you can use, which are:

  • A GFSI recognised audit
  • A non-GFSI recognised audit
  • A supplier audit

A GFSI recognised audit is the easier option to manage, because you only have to:

  1. Check that the GFSI certificate is valid (i.e. that it’s not falsified).
  2. Check that the scope of the certificate covers the product/service you are receiving.

The next option is a non-GFSI certificate, which requires more work:

  1. Check that the certificate is valid (i.e. that it’s not falsified).
  2. Check that the scope of the certificate covers the product/service you are receiving.
  3. Check that the scope of the audit covers traceability, product safety, product safety review and GMP (for BRCGS) and also product quality, legality and authenticity (for IFS).

The last option is to carry out an audit of the supplier:

  1. The scope of the audit must cover the processing of what you’re buying and its traceability, product safety, product safety review and GMP (for BRCGS) and also product quality, legality and authenticity (for IFS).
  2. You must use a competent auditor and be able to provide evidence for this.
  3. Complete an audit report as evidence.
  4. Where non-conformances are raised, manage the close out of these with the supplier.

Monitoring of the supplier

Once the supplier is approved, this isn’t the end. Supplier management is a continuous process, so the next step is to start monitoring the performance of the supplier.

The monitoring of the supplier is used in the risk assessment to re-assess the supplier and then re-confirm the approval. This may then change the supplier risk rating (up or down) meaning that the approval methods may change. That’s why the BRCGS Standard says that you can only use a supplier questionnaire for ‘initial’ approval of low-risk suppliers. Because, once the performance of the supplier is reviewed, this may change the risk rating to ‘not low-risk’.

For example:
If you have a low-risk supplier who is approved by a supplier questionnaire, and their performance changes the risk to ‘not low-risk’ when the risk assessment is updated, you wouldn’t be able to use a questionnaire to approve them anymore. You would need to use an audit.

What you assess the supplier on, will vary depending on the supplier and what they are providing, but it should include aspects such as:

  • Complaints that were due to the supplier
  • Delivery issues
  • Non-conformances


For material suppliers the performance monitoring review must be done at least once a year. For service suppliers you can do it less often, but at least once every three years.

Approval of suppliers must always be up-to-date, so make sure you track the expiry dates on certificates and request new ones before they expire.

Supplier questionnaires need to be reviewed no less than once every three years. Your supplier must make you aware of any changes within those three years as well, so you need this agreement with them in writing.

As well as planned reviews, you now need to apply horizon scanning to supplier management as well. This means, that you always need to be on the look out for new information which may impact the materials you buy and the suppliers you use. You have to take into account what’s happening in the industry and use it to pre-empt any issues that may be coming your way.

This means you need to have sources of information, including recall alerts, coming in to you, and a process for logging it, reviewing it and taking action if needed. This doesn’t need to be complicated; a couple of simple email folders called ‘action required’ and ‘no action required’ is sufficient. Just make sure the process, and who’s responsible for it, is captured in your procedure.

So, basically the rule for frequency of review is that it has to be done as often as is needed – so that the system is always up to date.

Specific information on approving consultants

Approving consultants is a requirement of BRCGS Packaging Issue 6 and BRCGS Storage & Distribution Issue 4. So, here’s what to look for when approving your consultant.


This seems obvious, but there are a few things you need to look for, that make all the difference. A consultant should be an expert in their field – this means they should have the very best qualifications in their field.

A food safety consultant should have HACCP Level 4 and also Food Safety Level 4 – Level 3 isn’t good enough. What’s particularly important is that they should have done this recently. Standards have changed massively in just the last few years, so doing a qualification in the 1990s doesn’t really cut it anymore.

Also, don’t accept certificates of attendance. You need a certificate that proves that they completed and passed a test – attending a course doesn’t make you qualified.

Those that are really good at what they do, won’t need to have a recent qualification, as they practise it every day, but the problem is – you won’t be able to assess their ability, so if you’re in any doubt about this – you really need to go with a qualification.

Consultants should also have a qualification in the standard that they are going to help you with. So, if you’re working to BRCGS, then they should have a BRCGS qualification, preferably the full 5-day course. If you’re working to food, then they must have the food BRCGS certificate. As the storage and distribution and packaging standards are food-related, they should either have the food certificate OR the specific BRCGS certificate.


Ask for references. Any good consultant will have lots of clients that are happy to give you a reference. If they don’t then there’s something wrong – don’t be afraid to ask for references and make sure you follow-up on them.


Beware if they’re readily available. When you need something, you tend to need it now – it’s normal. But be aware, if you call a consultant and they are free to see you straight away, this isn’t always a good sign. If they’re good, then they will be busy.

Too good to be true?

When it sounds too good to be true – it usually is! Employing the services of a food safety consultant is a two-way street. They bring their expertise, but you still need to get involved. You need to get involved in setting up the systems, because you need to make sure they happen every day, if they’re going to work properly.

If a consultant says, that they can do it all for you and get you through the audit (without you having to do much or even be there), then this is a big no-no. Your consultant needs someone to work with while they’re at site. Don’t leave them on their own, you need to be with them – to learn from them.


Ask for evidence by asking them to show you a piece of their work. A good consultant will write procedures which look professional, don’t contain spelling or grammar mistakes and – this is really important – you should be able to pick a procedure up, read it and understand it. If when you’ve read it, you still don’t know what you need to do, well – then it’s not that good, is it?


Ask for a contract or agreement in writing. You need to have a formal agreement with your consultant. It needs to detail what they’re going to do for you as a minimum.


If you carry out performance reviews with your full-time employees, why not do this with your consultant? It’s a great opportunity if you do it each year, to establish what you want to work on in the next year and review if you achieved what you set out to do last year.

Specific information on approving packaging

Up until the release of BRCGS Food Safety Issue 8, we all thought we knew what primary packaging was. The Standard said we only had to approve primary packaging, not secondary and tertiary.

Primary packaging was the packaging that came into contact with the food or drink. Secondary was the next layer of packaging, such as the label or retail carton. Tertiary was generally the palletisation packaging, that type of thing.

When Issue 8 was published, we were given a new definition of primary packaging:

“The packaging that constitutes the unit of sale to the consumer or customer (e.g. bottle, closure and label of a retail pack or a raw material bulk container).”

This means now, that the scope for approval of packaging has widened, because you now need to take consumer or customer packaging into account.

Consumer Packaging

If you’re producing product that’s packed ready for the consumer, i.e. in consumer packaging – now, primary packaging is anything that the consumer receives when they buy the product.

Customer Packaging

This is confusing. Where you’re making a product that is for further processing, i.e. you sell it to a customer, who then does something with it – all the packaging you send it in is called customer packaging and therefore primary packaging. However, BRCGS have stated that it doesn’t apply to the pallet and the shrink wrap. Just everything else.

To approve a packaging supplier

Approval of food packaging needs an understanding of what makes food packaging safe.

You need to know:

  • What certification packaging manufacturers should have.
  • What to look for on the specifications or certificates.
  • What testing is required.

Non-food contact packaging will still need approving, but you don’t need to worry so much about the level of detail you go to – as there’s less risk to the product.


There are four GFSI recognised certificates that food packaging manufacturers can go for:

  • IFS PACsecure
  • FSSC 22000
  • SQF Code for Packaging
  • BRCGS Packaging

ISO 9001:2008 is another certificate that is common with suppliers, however this isn’t GFSI recognised and it isn’t specific to food packaging, so it won’t comply with the requirements to cover traceability, product safety, review, and GMP. Therefore, it can’t be used to approve a supplier.

What you should be looking for on the specifications or certificates

There are two minimum elements that you need to check on your packaging specifications:

  1. That the manufacturer has designed the packaging for the application in which you are going to use it.
  2. That it conforms to legal requirements.


It’s important that the supplier provides you with information about what applications are suitable for the packaging to be used in. For example, would the plastic be suitable for freezing – this is clearly important if you’re going to be using it to pack frozen products. The supplier should have carried out checks on the packaging to establish what it’s suitable for, and provide you with this information.

In the EU, it’s packaging law that every delivery of food contact packaging is accompanied by a ‘Declaration of Compliance’ and it’s required by BRCGS. This document contains key information about the packaging to ensure that it’s safe for food use, such as:

  • Functions or known uses (acceptable applications of the packaging).
  • Storage conditions which are required to ensure that the packaging is not affected by temperature etc.
  • Migration (we’ll come on to this in testing below).
  • Composition (the ‘recipe’ to which the packaging is made).
  • Post-consumer recycling instructions.
  • A declaration of compliance to the legislation in the required country(s).

It’s the responsibility of the packaging manufacturer to provide the Declaration of Compliance. Therefore, it’s the supplier’s responsibility to establish all of the above information, and carry out the checks and tests to be able to prove it if required.

If you’re using a manufacturer who doesn’t understand how their product will perform when used in a food application (because they don’t typically make food contact packaging), and so can’t provide the information to complete the Declaration of Compliance – you’re essentially accepting the responsibility of their product for them. If something was to go wrong,  you need to ensure that you’ve covered all the checks and testing on their behalf, that they would normally provide. Remember though, even if you had proved that the packaging is acceptable for your food application, your supplier will not be producing the packaging under food conditions – therefore you can’t be assured that it will be safe. We would recommend strongly in all cases, if your supplier doesn’t understand the regulations around the production of food packaging, don’t use them – find another supplier.

If you’d like to find out more about the Declaration of Compliance in the EU, the FSA have created a guidance document which is really helpful, which we’ve provided below.

FSA Guidance Document

Legal Requirements

There are legal requirements that you must adhere to, depending on what country you’re going to sell your product to. Remember, it’s not the country that you’re manufacturing the product, but where you’re actually going to sell it.  So, if you export product you need to understand the legislation in the countries you export to.

In the EU there are a number of pieces of legislation:

What testing is required?

The main aim of all the regulations and requirements is to ensure that the packaging that you use, which comes into contact with the food, is safe and doesn’t contaminate the product.

The reason why there’s legislation around what materials can be used in food contact packaging, is because over time, we’ve come to realise that some chemicals used in the production of packaging can ‘leak’ out of the packaging and contaminate the food. Those chemicals that have been found to do this, which then pose a health risk to those that then consume the food, have been banned in some countries.

Most countries (EU, Australia and New Zealand etc.) have therefore stated that it’s law to carry out migration testing. Migration testing is a test to establish if the chemicals in the packaging, migrate (leak) into the food.

Your packaging supplier should have carried out this testing and should be able to provide you with the evidence that the packaging passed the migration tests.

They don’t need to carry out this test for every piece of packaging that they produce, but they should be able to provide you with the test information for:

  • Each type of material
  • In each type of application (e.g. stored at ambient conditions, stored at freezing conditions etc.)

The testing also needs repeating each time the material or the application changes – so ensure that the migration certificate or information is up-to-date for the materials and applications used.


11 thoughts on “How to risk assess and approve your material and service suppliers”

  1. Thanks for the article.
    Can you please elaborate regarding ‘Low-Risk’ and ‘Not-Low Risk’ Risk rating system for BRCGS as I found these Terms confusing?
    My understanding when I read first was Low Risk = ‘Low Risk’
    Not Low Risk = Risk less than ‘Low Risk’
    However, upon reading the article again I understood that ‘Not Low Risk’ = ‘High Risk’ or ‘Risk higher than Low’

    1. Hi Clavis
      You’re very welcome.
      Your second understanding is correct – ‘not low risk’ is a higher risk than low risk.

  2. Hi,

    When selling product in the UK what legislation should be on the Declaration of Compliance? Is the Regulation England 2012/2619 Materials and articles in contact with food suitable for whole UK?

  3. Hi Kassy,
    Since this article also covers service suppliers, may I ask a few questions:
    1. Do we need to define low risk and not low risk for service suppliers as well?
    2. If so, do we need to have different approval options? Low risk (questionnaire) and not low risk (audit or certificate)?
    3. Do we need to verify the traceability system on the initial of the approval and every 3 years as well?
    4. Do we need to re-issue the questionnaire every 3 years as well?


    1. Hi Leab,
      So yes and no. BRCGS put transport and storage suppliers in the ‘services’ pot, so you would need to define low risk and not low risk for these. Basically, anyone who handles the product must be risk assessed as low risk or not low risk and the typical approval options (GFSI cert, audit and SAQ for low risk only) must apply. Therefore, the trace for SAQ still applies. For other services you can come up with your own system, including approval and monitoring methods.
      I hope that helps.

  4. Hi Kassy,

    I am updating my QMs for BRCGS issue 4 and looking at vulnerability assessments. We are the hauler and are employed to transport goods on behalf of our customers.
    When it comes to vulnerability risk assessing, where do I have to start?
    1. Do I need to risk assess the goods we transport,
    2. the customers
    3. the suppliers?
    4. or the sub contractors that we hire?
    5. we are also based on a site that is controlled by a landlord – who are BRCGS Food safety – do they need to be included in my risk assessment as they are providing a service to us

    1. Hi
      You just need to focus on the area for which you’re directly responsible – so the transport side. This needs to include any sub contractors – so you either need to specify the requirements to them (following vulnerability assessment) or get them to do it and check it.
      For transport it’s all down to vehicle security – there’s hardly any distinction between vulnerability and threat assessment (for product defence). It’s just the reasons that are different.
      Fraudsters would steal the product to sell it and that could include stealing (for example) printed packaging so that they can put substandard product in it.
      Hope that helps.

  5. I’m getting myself in a bit of a twist with my raw material risk assessment – probably over complicating it!
    Can anyone guide me on how they score the severity? For example, getting beef from a BRC accredited butchers who handles no other allergens, so the likelihood of allergen contamination is low. However, if there were to be contamination, depending on the allergen it could be fatal, so would I still score the severity as high, e.g. 5 on a 5 x 5 matrix?
