17 replies to this topic

[rosanna060208]

Hi Guys,

 

Our company is BRC certified and want to use a supplier overseas who is ISO 22000 certified.

 

Would this be a problem for BRC. 

[BrummyJim]

Hi Rosanna,

 

BRC allows a lot of flexibility on this matter. 3.5.1.2 says that you can use GFSI, full audits or (for low risk) questionnaires. The implication here is that you risk assess your suppliers/raw materials so you know what matters.We're BRC and some of our suppliers only have HACCP, and one (very low risk) has nothing. We do have a rolling audit programme (risk based of course) where we audit our suppliers on a 3-4 year basis.

[nkonstas]

Hi,

how you assess your supplier as high/medium/low risk. Here is what I've done and please help me if I made sth wrong. If all my raw materials are low risk, my suppliers (either agents or manufacturers) are suppling our company for over 10 years and are big companies whith no ancidents or complaints from our side. Big trustworthy and competitive partners. So can I assess them as low risk. they have Iso22000 (agents) and the manufactures from the raw materials that they supplu to us have brc or ifs or fssc.

[Charles.C]

Hi,

how you assess your supplier as high/medium/low risk. Here is what I've done and please help me if I made sth wrong. If all my raw materials are low risk, my suppliers (either agents or manufacturers) are suppling our company for over 10 years and are big companies whith no ancidents or complaints from our side. Big trustworthy and competitive partners. So can I assess them as low risk. they have Iso22000 (agents) and the manufactures from the raw materials that they supplu to us have brc or ifs or fssc.

 

Hi nkonstas,

 

I assume yr query is oriented to your BRC.

I first assume yr supplier is the manufacturer.

 

IMO you are perhaps missing the (BRC) point regarding "H/M/L risk" suppliers. (IMO BRC should have glossary clarified their interpretation of "H/M/L Risk." They didn't.)

 

From BRC 3.5.1.2,  with a few red insertions as per my interpretation of BRC7

The [supplier] approval and monitoring procedure shall be based on [raw material] risk and include one or a combination of:

•  certification (e.g. to BRC Global Standards or other GFSI-recognised scheme)

•  supplier audits, with a scope to include product safety, traceability, HACCP review and good manufacturing practices, undertaken by an experienced and demonstrably competent product safety auditor

or, for suppliers assessed as [raw material] low risk only, supplier questionnaires.

 

 

I deduce that in a BRC context you have appropriately (ie as per 3.5.1.1) determined yr raw materials as (BRC "defined") low risk. And implemented a (BRC) appropriate supplier monitoring scheme.

 

Therefore, IMO, with respect to supplier "qualifications" -

 

(a) Minimally, for BRC, you only need supplier questionnaires.

(b) A GFSI recognised certification would (much) suffice.

(c) A BRC-appropriate supplier audit would also suffice.

 

For an Agent there are additional requirements as per 3.5.1.3.

 

I am unaware of any relevant BRC comments in their Interpretation Guidelines (IG) so these may disagree with my interpretation. (Then again, the IG contents are theoretically non-auditable. )

 

PS - iso22000 is not GFSI recognised. (I didn't even realise an Agent could be certified to iso22000 ?)

 

 

 
 

[JV.Legal.Alliance]

In appendix 9 ( Glossary ) of BRC Food 7 Requirement , there are no definition of i.e and e.g . Both terms are Latin pharase. That is the thing we should think about.    In clause No .3.5.1.2 is slightly different from 3.5.4.2.  In 3.5.1.2 mentioned that " one or a combination of  certification ( e.g. to xxxxxxxx ) "  I observed that in this clause standard use "e.g":  e.g. stand for exempli gratia  means just for example.  Eee-gee is not i.e ( i.e means that is ) .  If requirement intend to give specific issues , i.e will be used in the standard instead of e.g.    While clause NO .3.5.4.2 give us only two choices . 1 BRC , 2 GFSI scheme recognized.

 

In addition, in Interpretation Guideline of clause 3.5.1.2 ( page 36 ) mentioned that "   therefore include a range of

activities, such as the following:

• A third-party certification scheme incorporating product safety, such as the Global Standards for

food, packaging, storage and distribution, or agents and brokers. " 

[Tony-C]

To add to previous posts BRC Guidance states:

Approval must be based on a risk assessment of the supplier and could therefore include a range of activities, such as the following:
• A third-party certification scheme incorporating product safety, such as the Global Standards for food, packaging, storage and distribution, or agents and brokers.
• A successful site audit which as a minimum covers product safety, traceability, HACCP and good manufacturing processes. This audit must be completed by an appropriately experienced and competent auditor (i.e. someone who has completed training in auditing techniques and with experience of auditing, and knowledge of the product, ingredient or processes being audited). 
• Where risk assessment (completed as part of this clause) indicates that a supplier is low risk (e.g. due to history of trading with the site, the nature of the raw materials traded etc.) the completion of a supplier questionnaire may be sufficient. If a supplier questionnaire is the only mechanism used to assess a supplier (i.e. there are no additional activities such as supplier audits) then it is important that the questionnaire (and replies from the ingredient supplier) contains all the relevant information to allow the site to confidently make a decision on approval.

 

​Kind regards,

 

​Tony

[Charles.C]

Hi Guys,

 

Our company is BRC certified and want to use a supplier overseas who is ISO 22000 certified.

 

Would this be a problem for BRC. 

 

So what was the conclusion ? Yes or No ?

 

Seems to be a draw so far ?

 

@vipatikom - Sorry but I didn't quite understand the intended meaning of yr Post ?

 

@Tony - Thks for the quotation.

BRC seem to regard a  "X  risk" supplier as some kind of  hybrid entity. i suspect the "eg...etc" implies that they will go along with any plausibly logical  criterium(a)  provided there's a risk assessment somewhere in the deliberation. Sitting on the Fence as usual..

[JV.Legal.Alliance]

In my point of view, ISO 22000 Certified Supplier ( clause 3.5.1.2 ) is OK , but ISO 22000 certified outsourced processing ( clause 3.5.4.2 ) is not acceptable.

[Tony-C]

In my point of view, ISO 22000 Certified Supplier ( clause 3.5.1.2 ) is OK , but ISO 22000 certified outsourced processing ( clause 3.5.4.2 ) is not acceptable.

 

Both your statements could be right or wrong, as I have posted previously, more details are needed so that informed and relevant advice can be offered.

 

Kind regards,

 

Tony

[Koko LMQ]

Dear

 

you can see issue advised from BRC in FAQ, ISO 22000 is accepted if you ask the full audit report from your supplier and covering the 4 parts of traceability, GMP, HACCP,  and product safety and also request the Auditor Profile.

 

Cheer,

NY

 

[Charles.C]

Dear

 

you can see issue advised from BRC in FAQ, ISO 22000 is accepted if you ask the full audit report from your supplier and covering the 4 parts of traceability, GMP, HACCP,  and product safety and also request the Auditor Profile.

 

Cheer,

NY

 

 

Hi Koko,

 

Thks for the input but can you supply a link/ more detail regarding the "FAQ" to which you refer.

 

I remain amazed that, as per my Post 8 and considering the clausal relevance of the "Low/High Risk" terminologies as used, BRC afaik have never enlarged/exampled upon their preferred criterion(a). This is in contrast to their IG treatment of Vulnerability Assessment.

 

The IG one-line comment quoted in Post 6 is ambiguous IMO, eg how to prioritise Risk-related factors?. (eg the evaluated Raw Material "Risk" is a necessary and sufficient datum ?). (eg - Possibly for "High" it is but for "Low" it  isn't ?)

[Tony-C]

Hi Koko,

 

Thks for the input but can you supply a link/ more detail regarding the "FAQ" to which you refer.

 

 

Hi Charles,

 

See page 8 https://brcglobalsta...ue_7_faqs-1.pdf

 

Kind regards,

 

Tony

[Koko LMQ]

Hi Koko,

 

Thks for the input but can you supply a link/ more detail regarding the "FAQ" to which you refer.

 

I remain amazed that, as per my Post 8 and considering the clausal relevance of the "Low/High Risk" terminologies as used, BRC afaik have never enlarged/exampled upon their preferred criterion(a). This is in contrast to their IG treatment of Vulnerability Assessment.

 

The IG one-line comment quoted in Post 6 is ambiguous IMO, eg how to prioritise Risk-related factors?. (eg the evaluated Raw Material "Risk" is a necessary and sufficient datum ?). (eg - Possibly for "High" it is but for "Low" it  isn't ?)

Hi Charles C,

FAQ can be accessed via BRC Participate.
 

Koko

 

[Charles.C]

Hi Koko,

 

Thks for response.

I assume the (relevant) material you are referring to in Post 13  is identical to that given in Tony’s link in Post 12.

 

I like yr brief summary in Post 10 but i suspect that for some situations it may represent an over-simplification (eg maybe Post 9).

I might change my opinion when BRC’s Glossary offers a practical definition of a “Low Risk Supplier”.

 

@Tony

Thks for link. “Sort of”  reinforces (for manufacturing suppliers) this document previously discussed, i think, in early 2016 -

 

 BRC7- Clarification of an acceptable supplier audit.pdf   969.68KB   43 downloads

[Koko LMQ]

Hi Charles,

 

Yes, it is the same FAQ which Tony posted.

 

However, there are various thoughts about the term of Low Risk Suppliers, mostly in Thailand interprets this as Low Risk materials then try to use the Qnaire rather than the GFSI certificated suppliers. ISO 22000 is another choice when FAQ allowed.

 

Cheers,

 

Koko LMQ

[Tony-C]

Hi Charles,

 

Yes, it is the same FAQ which Tony posted.

 

However, there are various thoughts about the term of Low Risk Suppliers, mostly in Thailand interprets this as Low Risk materials then try to use the Qnaire rather than the GFSI certificated suppliers. ISO 22000 is another choice when FAQ allowed.

 

Cheers,

 

Koko LMQ

 

 

To add to previous posts BRC Guidance states:

• Where risk assessment (completed as part of this clause) indicates that a supplier is low risk (e.g. due to history of trading with the site, the nature of the raw materials traded etc.) the completion of a supplier questionnaire may be sufficient. If a supplier questionnaire is the only mechanism used to assess a supplier (i.e. there are no additional activities such as supplier audits) then it is important that the questionnaire (and replies from the ingredient supplier) contains all the relevant information to allow the site to confidently make a decision on approval.

 

As per my previous post that may be sufficient but, it would be better if you found even low risk suppliers certified to a GFSI benchmarked standard.

 

Kind regards,

 

Tony

[Charles.C]

Hi Charles,

 

Yes, it is the same FAQ which Tony posted.

 

However, there are various thoughts about the term of Low Risk Suppliers, mostly in Thailand interprets this as Low Risk materials then try to use the Qnaire rather than the GFSI certificated suppliers. ISO 22000 is another choice when FAQ allowed.

 

Cheers,

 

Koko LMQ

 

Hi Koko,

 

Thks for input.

 

Regarding the "Red" - this was my own assumption/approach when i earlier devised a response to the relevant BRC clauses.

 

May i ask whether, as far as you know, if auditorially the above assumption has been generally found acceptable ? (assuming that a satisfactory material Low Risk assessment was presented).

[JV.Legal.Alliance]

As we know that FAQ in BRC Food 7 become requirement in BRC Food 8.. "Where the supplier audit is completed by a second or third party, the company shall be able to:–– demonstrate the competency of the auditor

–– confirm that the scope of the audit includes product safety, traceability , HACCP review and good manufacturing practices

–– obtain and review a copy of the full audit report "  

 

I am thinking about general data protection regulation. Information in supplier site is very risky to be distributed as in full audit report may contain some confident commercial information. Confidential disclosure agreement between third party auditor are well aware, but full audit report is very risky to be spread out by customer site. In case of violence, it is not easy to prove that information was spread by customer or third party auditor. Information security policy between customer and supplier may need to be concerned. Third party auditor should think more on content in audit report preparation. 

 

In term of competency of auditor, CAB which accredited by IAF AB should be recognized. Assignment of competent auditor is the must for such CB.  Some personal information of auditor can be disclosed if CV or competency review information sent to customer without any control.

 

What do you think ?

Jack.

Principal Witness Assessor

Edited by Jakkrit Vipatikom, 08 August 2018 - 10:10 AM.