Struggling with Supplier Approval Program

Hi guys, I am really stuck on this part of the program and the program I wrote seems to be conflicted and I have encountered many issues. For example, I calculate the overall supplier risk based on criteria-based risk assessment. Our main supplier is a distributor and almost all the products have different manufacturers. When I assign risks for each material (which comes from the same supplier), I then have too many different "overall supplier risks" (low/med/high) from literally the same supplier and my monitoring method & frequency are based on the supplier risk. It is impossible to have different monitoring procedure for each material which come from the same supplier but with different manufacturers which would lead to different risks and different monitoring frequency and requirements because that would make the whole receiving and monitoring way too complicated.

Also, once in a while, my company would buy new ingredient from the "approved supplier" using a form called "new inventory item policy" (written by someone else in the past) but it doesn't even includes any food safety screening of the distributor/manufacturer, they are only asking for documents like the specifications and kosher cert to be approved, I am thinking of making the approved supplier to do a self-assessment like completing the Supplier Questionnaire when buying and approving a new item. 

What should I do guys to fix this and make it all works and make sense as a program? I have spent way too much time on this part and my boss has been putting pressure on me but I am pretty much a one man army at this small company. I would appreciate if anyone could help me clear out this confusion. 

We're FSSC certified, I'm not familiar with Primus. Though, I'm pretty sure there's not much difference between 2 schemes requirements to evaluation of suppliers. What I've developed here (and I'm also 1-men army) is a simple program which is working fine through almost 10 years. I'm getting LOGs from distributor (or manufacturer) and GFSI cert's, halal/kosher/organic cert's from manufacturers. Those not GFSI certified are asked to complete Supplier Evaluation questionnaire (I have specific questionnaires for ingredient, packaging, chemical and service suppliers) to assess their food safety management programs and controls in place. Every new supplier is assessed based on the info they provide.  

What types of ingredients are you getting that they all have such different risks?

Maybe I skipped a step but this is how I managed our program: I created a spreadsheet with each of the suppliers' names, physical addresses of the manufacturing sites, and all certifications I needed, such as third party audit, kosher, etc. for that specific site. Contact information included the vendor, but the supplier is the company that actually manufactures the ingredients. Because this was Excel, I had the expiration dates in a column and they would highlight the cell different colors if I was getting near expiration and needed the certificates renewed. I sent an e-mail to all our vendors and asked them to have the address of manufacture on the CoA (this was a bit tedious at first). This was then checked with our database by a receiving clerk to make sure we were allowed to receive this material in the building. New materials had to be vetted, so they needed all their specs, certifications, etc. and sometimes it would even involve a test batch. We only had one item that was technically higher risk, liquid egg, but it was pasteurized so we decided that proper documentation would suffice. We did have an annual self assessment, which was sometimes a pain to get manufacturers or vendors to fill out. 

Risk for the individual ingredient was managed in the HACCP plan, independent of vendor or manufacturer so monitoring was dependent on whether the ingredient needed it or not and if it was manufactured at a location that is higher risk. 

I didn't consider a vendor low/medium/high risk. I made sure I had all appropriate documentation from each manufacturer, and risk was assigned to the individual ingredient. Though if a manufacturer can't provide a GFSI third party audit certificate or we would consider them high risk for any reason, we would not be dealing with them in the first place.

I don't know if this helps, depends on what you're making. 

Hi olenazh and ebb30, thanks for your responses, I really appreciate it.

We are getting flour, egg, butter, milk and etc. We are basically a bakery manufacturing company.

I am assessing risks for each material, service & approved supplier because thats what SQF required. 

I have attached my excel spreadsheet here which shows the whole process of approving and monitoring if you wanted to take a look at it. My main problem is having to deal with different 'supplier' risks since they're not from the same manufacturer, how do I rate my supplier with multiple items supplied? It would be too much if we had to have different monitoring based on the "manufacturer risk". I feel like there is a bug in my supplier program and I don't know how to fix them.

Here is my spreadsheet.

I think, you're combining too much data in 1 form (Supplier information + Product risk assessment + Supplier evaluation & approval) - that's why it seems confusing. Also, I wouldn't put so much info under each section: like, for instance, Cost or Product recall in Suppl. evaluation, or Volume of supply & Information level in Suppl. information. Also, some info is duplicated (e.g. GFSI, LOG, Kosher in both Supplier info and Material risk assessment) 

I agree with previous comments, that is a lot of information on one spreadsheet. I am only familiar with SQF but also have my program built on FSMA requirements. 

I recommend investing the time separate the ingredient risk assessment and the supplier approval. To better manage all the ingredients in our facility, I made categories on workbook so that everything is easier to find. On your supplier approval spreadsheet, I do recommend having all the ingredients and all the suppliers for them. It is a bit of a headache at first since you might have 5 types of flour and maybe 2 suppliers for each one with each supplier having 2 manufacturing sites. Once it is organized and you filter the columns, it's easier to manage. 

I also noticed on your post that you mentioned having 1 supplier but different manufacturers. I couldn't tell from the post if this means that it is 1 supplier with different manufacturing sites, or a supplier such as a distributor, that procures many items and keeps them at a warehouse until they receive a client's order. In any case you would still have to have each manufacturing site listed as the approval is for each site.

When a program was written by someone else and is from 'back in the day' it is most likely based on outdated information. I have found it better to just start from scratch and build the program based on my understanding of the process and the requirements.

Thanks for you guys' feedbacks. 

Do you think you can show me some example or template on how you did it?

Much appreciated.

Hi MMQA, to answer your question, the supplier is a distributor. In that case, you're saying we would have to approve each manufacturer site? What if our supplier/a distributor is GFSI certified, do I still have to approve each site for the material they supplied to us? I would understand if the supplier don't have any food safety program or 3rd party audit, but what about supplier that is GFSI or 3rd part certified?

Hi MMQA, to answer your question, the supplier is a distributor. In that case, you're saying we would have to approve each manufacturer site? What if our supplier/a distributor is GFSI certified, do I still have to approve each site for the material they supplied to us? I would understand if the supplier don't have any food safety program or 3rd party audit, but what about supplier that is GFSI or 3rd part certified?

Its best practice to keep your distributor's GFSI certificate on hand but the one you should be interested in is the one from the manufacturing site. They are the ones processing the ingredient, the distributor just houses it. If you are under FSMA you will need it for each manufacturing site.

Note: If your distributor keeps temperature controlled inventory then yes, definitively request and keep their certificate.  

Thanks MMQA, do you have an example on how you fulfill both SQF and FSMA requirements for the supplier approval program? Does it need to be separate or I can combine them together? It'd be great if you could guide me through this program, I feel like my mind is about to explode.

Hi avryl,

I suggest you browse the Primus threads here. IIRC yr query has come up previously.

Primus tend to have specific requirements as do BRC, SQF etc. There is not always a one- size- fits- all solution.

Dear @olenazh 

can you please give the idea what are the question you have asked in for ingredient, packaging, chemical and service suppliers 

Dear @olenazh 

 

can you please give the idea what are the question you have asked in for ingredient, packaging, chemical and service suppliers 

Please, see attached the samples of my questionnaires.

Hi guys, I am really stuck on this part of the program and the program I wrote seems to be conflicted and I have encountered many issues. For example, I calculate the overall supplier risk based on criteria-based risk assessment. Our main supplier is a distributor and almost all the products have different manufacturers. When I assign risks for each material (which comes from the same supplier), I then have too many different "overall supplier risks" (low/med/high) from literally the same supplier and my monitoring method & frequency are based on the supplier risk. It is impossible to have different monitoring procedure for each material which come from the same supplier but with different manufacturers which would lead to different risks and different monitoring frequency and requirements because that would make the whole receiving and monitoring way too complicated.

 

Also, once in a while, my company would buy new ingredient from the "approved supplier" using a form called "new inventory item policy" (written by someone else in the past) but it doesn't even includes any food safety screening of the distributor/manufacturer, they are only asking for documents like the specifications and kosher cert to be approved, I am thinking of making the approved supplier to do a self-assessment like completing the Supplier Questionnaire when buying and approving a new item. 

 

What should I do guys to fix this and make it all works and make sense as a program? I have spent way too much time on this part and my boss has been putting pressure on me but I am pretty much a one man army at this small company. I would appreciate if anyone could help me clear out this confusion. 

Hi Avryl,

Can you post the specific clause as required by Primus ?.

You are probably over-killing their expectations.

If risk assessment is specifically mentioned, this can often be interpreted as requiring some kind of a scoring system.

I enclose 2 risk-based procedures (ve2,ve3) for supplier approval + a 3rd (ve1)  illustrating the combination of material risk status and supplier evaluation rating.

These procedures involve significant data effort. Simpler scoring approaches exist but I'm not familiar with Primus.

 ve2 - Supplier Approval and Rating Program.pdf   286.99KB   546 downloads

 ve3 - vendor approval program.docx   49.65KB   482 downloads

 ve1 - Supplier Risk Assessment.pdf   37.1KB   524 downloads

Hi Avryl,

I presume you are referring to this  -

1.06.03: Is there a written procedure detailing how suppliers and service providers are evaluated, approved, and include the ongoing verification activities including monitoring? Note that supply chain preventive controls and supply-chain-applied controls are also mentioned in Module 7.

 

 As a minimum, the procedure should detail the following where relevant:
  •  Agreed specifications
  •  Letters of guarantee
  •  Methods of evaluating approved suppliers and service providers (including second or third party audits where relevant, at least for raw  materials and primary packaging)
  •  Methods of approving approved suppliers and service providers
  •  Methods and frequency of monitoring approved suppliers and service providers
  •  Methods of reviewing approved supplier and service providers performance and status (including removal of approved status)

 

I deduce the ^^^(red) is yr primary query.

Regarding yr previous attachment, IMO you have too many material risk levels for operational purposes. I suggest (low-medium)/high is enough.

i note that Primus make no specific mention of including Fraud Vulnerability in this section.

The attachment ve2 in previous post gives a "simple" (simplistic ?) answer based on a combined risk factor. The absolute numbers shown are obviously arbitrary unless you wish to involve  AQL type scenarios.

The initial monitoring frequency values should be as frequently as possible within logistic feasibility in order to generate performance data. The latter then enables feedback control to be applied such as reducing/increasing monitoring activity.

As previously noted, the data should be manufacturer-specific

Primus seems to make no specific mention of Risk-based so yr interpretive options are presumably flexible within the requirements tabulated above..

I have encountered one "minimal" approach where a standardised, routine, lot sampling frequency is designated for Low/High Risk Materials and this is then adjusted upwards/downwards based on (graded) Supplier Audit and (graded) on-going Performance (similar concept to the traditional AQL monitoring logic).

Although generic, this FDA document explains the above aspects quite well IMO.

 Draft-Guidance Supply Chain Program, Ch.15.pdf   490.04KB   386 downloads

(esp. 15.7.4, 15.11)

Please, see attached the samples of my questionnaires.

This is amazing, thank you for your contributions