Section 4.3 of Agents & Brokers is really more about the TACCP elements (i.e. malicious threats and security), but obviously there is potentially some overlap with section 4.8 (if you're also preparing for the new Issue 2 standard) that would be more of a VACCP approach.
We have both BRC Agents & Brokers and BRC Food certification, so are in the lucky position of already having confirmation that the systems meet BRC requirements thanks to several years of audits against issue 7 of the Food standard, and as the systems are shared between the two we don't need to write anything new.
Our approach has been to split this into two distinct parts: A TACCP study focussed solely on food (and to some extent broader business) security, and a VACCP approach where I wrote a system of my own to suit the particular activities of our business and the nature of the raw materials we source.
For the TACCP, I'd recommend looking at PAS96 as it's more widely recognised in the UK than e.g. Carver + SHOCK etc. It takes a little while to get your head around it, but work through it slowly and it'll start to make sense if you're familiar with other risk-based approaches like HACCP. Indeed you'll need to do some very similar things in terms of assembling a multi-disciplinary team etc, but you could do that once you've got a better understanding for yourself, as you'll probably need to explain it to the rest of the team!
For the VACCP, I completely agree with your approach - we get loads of VACCP questionnaires from customers and I confess I'm completely baffled by the concept of asking your supplier whether they are trustworthy. Has anyone’s supplier ever said “no, we’re really dodgy” in response to these questions?!
Nonetheless I'm guessing that certification bodies find this to be acceptable as it certainly seems to be quite prevalent!
Are you buying finished products each with multiple ingredients, or sourcing the separate component ingredients and then paying a separate entity to do the final manufacturing for you as a subcontracted process?
If it’s the latter I’d split the risk assessment into two parts – one for your ingredients and one for the processors to whom you’re subcontracting the work, although arguably they’d have very limited incentive to adulterate if they don’t own any of the materials.
For the former, my approach would be to list out your products and assess both in terms of the manufacturer and the product/components.
For the manufacturer, you’re looking at the usual areas:
Are they GFSI-certified?
Any other useful certification-based controls in place?
What is your supplier risk score for them?
Are they based in a region you’d consider higher or lower risk?
How well do you understand the supply chain prior to them, and what risk status would you assign to it?
Is there a (reliable!) testing regime in place to verify the authenticity of key ingredients?
This should give you an overall risk score for the manufacturer.
For the ingredients, again you’ll probably want to consider the usual categories that you’ll see in most training/information materials on VACCP:
Is there a history of adulteration?
Are there any current/emerging issues? (you’ll need to cite suitable sources of “horizon scanning” data)
Is it a high-value ingredient? (we also consider changes in price as well as absolute price - so for example if the market value shoots up we’d assign an increased risk as there is greater incentive to adulterate)
What testing or other controls are currently in place?
Are the ingredients from higher-risk origins?
How well do you understand the supply chain, how transparent is it and what risk status would you give it?
Is the raw material of a nature that can easily be adulterated? Powders, liquids etc typically far easier to hide adulterants in than would be the case for a solid – consider e.g. difference between apple juice and a whole apple.
We also have a category for “other” – basically just gives the option to add in any extra specific considerations on a case-by-case basis, although for most products it’s marked as “n/a”.
As you’re dealing with composite finished products, you could either consider them as a whole or do each component independently and then combine the results. I don’t know how large your product range is, as that will have an effect on how practical it is to do each component separately. I’d personally favour the latter as the more thorough approach, but either should probably be ok as long as you can justify what you’ve done.
At the end of this you should then have an overall risk score for the product/ingredients.
You can then combine the two parts (manufacturer risk score and product/ingredients risk score) to give a final overall risk status for the product that you purchase from each manufacturer, and can then move onto the question of what to do about those where the risk score is higher than you’d like…
First post (other than a brief one in the introductions section) on IFSQN and apologies that it’s quite so long, but it’s a topic that is quite sizeable and there are so many different takes on it!
Hope it helps in any case.