
Vulnerability Assessment Template

Started by , Oct 06 2015 11:21 AM
29 Replies

Hi,

 

My name is Ulrich Schraewer and I consult food manufacturers in achieving and/or maintaining the BRC Global Standard for Food Safety.

The new Issue 7 introduced a new type of assessment. Under Clause 5.4.2 a vulnerability assessment is required for raw materials.

 

I sat down and came up with one option how to do this assessment and to be compliant with the standard. Please find attached a short pdf file which shows my approach to do a vulnerability assessment. The excel template can be downloaded from my website.

 

Best Regards.

Ulrich


Thank you for sharing Ulrich, I am sure members will find it very useful in dealing with this new and sometimes confusing topic.

 

Regards,

Simon


Hi Ulrich,

 

Interesting contribution.  Thank you. I have a few comments/queries –

 

(1) Seems to me that the approach is (ultimately) more of a 2-way (Occurrence x Detection) than a 3-way “RPN”.

 

(2) afaik, the 2-way or RPN formats are attempts to simplify the Grand-scale FMEA layout into visually handleable chunks.

I’m no statistician so unsure as to the combinatorial rigor where the sub-rankings are added/multiplied respectively. Is this procedure(s) validated anywhere or just ad hoc? The manipulations are presumably related as to whether the subs are dependent/independent/inclusive/exclusive?

( I guess one could equally(?)  just calculate an average of the 4/2 subs respectively and  then use this pair of averages as multipliers. The latter route would have some analogy to methods available for CCP/OPRP determination.)

 

(3) The calculated “RPN” output levels as linked to specific courses of actions are unstated in attachment. Do they exist? (I vaguely recall there are some traditional RPN cut-off settings although these may be based on a 10-point scale).

 

Again, thanks for the input.

This got a thumbs up last week at an Issue 7 audit.


Hello Marshall, nice simple overview of a complex data set.  So you total up the row for overall risk.  What are your action levels?  For example I see Honey is highest score...what controls would be different for honey as compared with for example garlic bread.

Thanks for sharing.

Regards,
Simon

Simon,

 

See attached file.

 

I did some "real world" modeling and came up with some numbers in the 52-55 total score range.

I made the action level 50. The auditor was good with that.

 

It's important to remember that the Standard does not say HOW you have to do this vulnerability assessment, it just says that you HAVE to do it.

 

Marshall


Hi Marshall,

 

Thanks for the table. It looks nice.

 

Like Simon, I have similar queries to those of my previous post although will be no surprise if BRC are determinedly oblivious to such subtleties.

 

Interesting to see if SQF et al follow BRC's trailblazing. Somehow I doubt it. After all, that's what the FS in GFSI is for, I think?


Excellent Marshall.  You did it. :clap:



Hi Marshall,

 

Just saw the 2nd Post.

 

Thanks for the SOP and Congratulations on yr Modelling to validate yr vulnerability assessment.

As you say, all Risk Assessments are subjective, both in style, format and implementation.

I suspect you have confirmed the prediction in my previous post.

So presumably the version in OP should also fly well.

Thank you Marshall (and all IFSQN members), this is, like Simon said ( :giggle: ), a great looking approach to a seemingly large project. Keep up the support.

 

G


Simple Simon said. :ejut:

Sorry don't want to spoil this intelligent thread. :off_topic:


Thank you all for your feedback.

This is just my solution or one option for a vulnerability assessment, which I wanted to share.

 

Obviously the user(s) can use different risk levels. I found 5, 3 & 1 quite good as it really shows a difference in the final PRN.

In relation to Charles's comment: yes, you could specify a certain course of action in line with a certain PRN.

I choose not to and once the user(s) conducted the vulnerability assessment for all raw materials they will have a number of high PRNs. 

Those are the materials/suppliers which need to be addressed first.  Actions will vary depending on where e.g. a higher risk was identified. 

 

Filling the table with life/details still remains the biggest challenge.

Therefore I included some helpful links where comprehensive data can be retrieved from.

 

Best is to download the excel file and start experimenting and see how the PRN changes.

Enjoy.

Regards

Ulrich.

 

 

 

 Hi Ulrich, I think that 5, 3 and 1 is a good way (and not an easy cop out) to draw out different risk levels and thus priorities for action.

Regards,
Simon

Indeed, the Vulnerability bandwagon has some similarities to the early days of HACCP where CCPs were springing up from every speck of dust in the Factory. The current result is an encyclopedical list of possible causes of vulnerability. And considerable logistical pain for we-know-who.

 

One analysis concluded it was far more important to prioritize control of any Vulnerabilities  rated at achieving ranking scores of >=8/10 than to worry about an  overall vulnerability number. I guess this represents a preference towards development of VACCP rather than VA. Coming soon ?

 

UK fraud gurus seem to be more interested in focusing on Profit criteria rather than Likelihoods of Occurrence. Cultural influences perhaps.

mgourley & Ulrich Schraewer

Very Helpful Information and like Simon - this is very useful in dealing with this new and sometimes confusing topic - good on ya Mates!!

 

re


Hai Simon,
 
You mean, it's okay not to put so much detail about the assessment? The number would be okay to represent the whole thing? What if the auditor would ask the details?
 
thanks,
 
Joan

HAi guys,

 

I've got some questions:

 

BTW, since we directly purchased from the ingredient manufacturer, should I still need to consider where they got the ingredients they used for our ingredients? Hahaha... I'm confused.

 

How would I know that they're telling the truth? Could a piece of paper saying the origin be enough for this?

Based on risk you take it as far as you can and you get as much evidence as you feel is prudent.

 

You could ask your ingredients suppliers if they have a GFSI certification and also whether they have a vulnerability assessment of their own and perhaps get a copy of their procedure or at least the scope of their VA system.  And yes you can accept a piece of paper with country of origin.  You should build up a relationship with suppliers and know whether you can trust them or not.

 

Regards,

Simon


Hai simon,

 

Thanks a lot for the input. As of now, I just send them a questionnaire which I also based on the VA. And I'm just hoping that they will respond to it. :)

 

Regards,

 

Joan

That's a start Joan. :smile:


Depending on the questionnaire format and style, if they want your business they will endeavour to answer it. If they don't, well then as part of the risk assessment for that supplier they would rate as unusable in my opinion.


Hi David,

 

And the (I predict) likely supplier response is probably why BRC are dumping the diligence acquisition on the manufacturer. Means to an End.

 

For example see this post -

 

http://www.ifsqn.com...res/#entry91284


Hi Ulrich.  thank you for sharing your assessment.  Can you explain to me what PRN is?  Thank you.  Erin Mahr 


Hi Erin Mahr,

 

I think PRN = Priority Risk Number

 

It's more typically used to multiply 3 categories but here only two (Likelihood of Occurrence, Likelihood of Detection).

Hi Simon and all other contributors, I got much assistance on developing 5.4.2 version 7.0 standards.

Once again, thanks to all guys.
