I've attached an example vulnerability assessment based on egg powder being the raw material. It pretty much boils down to applying 'low', 'medium', and 'high' risk ratings to each of the vulnerability parameters. Just sharing in case it's useful to you.
Hi Duncan,
Thanks for yr input. Nice compilation although this is a somewhat "simplistic" approach as compared to, say, HACCP where "Risk" is typically based on Likelihood and Severity. (BRC/IFS advocate a "vaguely" analogous methodology to HACCP but adapted for Vulnerability Assessments).
An additional difficulty with the Qualitative approach presented (and also for analogous Quantitative versions) is how to make a specific (ie combined) conclusion for the overall vulnerability when you have 6 components which, in the current case, respectively yield -
LOW V. =2 Occurrences
MEDIUM V. = 3 Occurrences
HIGH V. = 1 Occurrence
This is a well known "combination" problem occurring in many different fields and has generated some complex mathematical discussion (mostly over my head) however a number of "approximate" solutions have been proposed/published such as -
(1) Replace "Qualitative" by "Quantitative" values and take a straight average of the data. Then implement a Subjective Grading System. This is essentially as per earlier Posts in this thread.
(2) Use BRC's adapted 2-way matrix and ("somehow") make an intuitive average.
(3) As per (1) but introduce Subjective weighting coefficients for the respective inputs.
(4) IFS (and Codex/Micro-Risk Assessment) (conservatively) recommend/suggest to take the highest individual Risk component as decisive.
All the above options, just like HACCP, have their respective caveats however afaik all these methods (and many, sometimes IMO more questionable, others) have been accepted for auditorial purposes.