I work for a company that supplies ingredients to food manufacturers across numerous countries. These ingredients are sourced worldwide so this starts with a risk assessment per product type/country of origin/volume.
All new suppliers are assessed using this risk assessment model & dependent on identified risk they are either audited or are required to provide specific documents (eg. pesticide results/heavy metal/environmental pathogen monitoring results/TACCP/VACCP/HACCP etc.).
These records are stored in a cloud based system (with expiry dates so we’d know, for example, when a supplier’s BRC certification expired & they would be obliged to add the updated certificate when due) and documents are checked to approve a new supplier. This is linked to our specification system so that each delivery is recorded and assessed, allowing us to register any non-conformances and to monitor the supplier’s ongoing performance (reassessing the risk dependent on this).
There is also a separate quarterly risk assessment (survey of RASFF/FDA recalls & equivalent for other regions) linked to specific regions/product types and we also monitor country specific alert sites (eg. FSA) continually. Part of the T&C of trading is that a manufacturer is obliged to advise us if they lose certification or have a food safety incident – obviously this relies on self-declaration unless you have a huge team and/or the resource to monitor this continually?.
It’s early days for us but it seems to be working quite well so far & the benefit of the cloud based system is that quality/procurement contacts at all sites are advised immediately if there is an issue with a specific supplier.
Best of luck – supplier management is always a challenging area & I haven’t yet seen any system that is 100% foolproof.