How to Build a Risk-Based Supplier Verification Program

Supplier verification is one of the most important parts of a food safety management system. It determines how much oversight each supplier receives, how often documentation is reviewed, and how closely COAs or testing results are monitored. A good risk-based supplier program does not treat all suppliers the same. It gives more attention to high-risk materials and suppliers, while keeping oversight appropriate and manageable for lower-risk items. This structure helps FSQA teams stay focused on the areas that influence food safety most.

GFSI standards expect facilities to evaluate supplier risk and adjust verification accordingly. This guide explains how to build a practical, risk-based supplier verification system that fits the way food plants actually operate, not just what the standard requires on paper.

  1. Why Risk-Based Supplier Verification Matters

A risk-based system helps FSQA teams direct their time and resources where they have the greatest impact. Not all materials require the same level of oversight. A simple corrugated box supplier should not have the same requirements as a supplier of allergen-containing raw ingredients or RTE materials. Treating both with the same level of scrutiny leads to unnecessary work in some areas and not enough oversight in others.

A strong risk-based program provides:

  • Clear documentation expectations
  • Predictable review frequency
  • Better use of FSQA time
  • Stronger supplier accountability
  • Better alignment across purchasing and receiving
  • Improved audit readiness

Risk-based verification is not complicated to design. It requires structure, consistent application, and regular re-evaluation.

  2. Start With Supplier Risk Categorization

The foundation of the program is risk categorization. Many facilities use three or four tiers, but the key is defining risk clearly and consistently.

High Risk

Suppliers of materials that directly impact food safety, such as:

  • Raw agricultural ingredients
  • Allergen-containing ingredients
  • RTE products
  • Micro-sensitive materials
  • High-moisture ingredients
  • High-variability ingredients

These suppliers require the most rigorous documentation and ongoing oversight.

Medium Risk

Suppliers of:

  • Low-risk ingredients
  • Food-contact packaging
  • Dry, shelf-stable materials

These suppliers require structured documentation but fewer high-frequency checks.

Low Risk

Suppliers of:

  • Non-food chemicals
  • Non-contact packaging
  • Office supplies
  • Low-impact materials

Oversight focuses primarily on documentation completeness and occasional review.

Once risk levels are set, FSQA can define expectations for each category.

  3. Required Documents Based on Risk Level

The next step is defining which documents are required for each level.

High Risk Suppliers Should Provide:

  • GFSI certificate or third-party audit
  • Supplier questionnaire
  • Up-to-date specifications
  • Allergen and regulatory statements
  • COAs for each lot or defined testing frequency
  • HACCP or hazard analysis summary
  • Environmental or micro controls if applicable
  • Annual supplier evaluation

Medium Risk Suppliers Should Provide:

  • GFSI certificate or equivalent audit
  • Supplier questionnaire
  • Specifications
  • COAs for periodic lots
  • Allergen statements
  • Annual review

Low Risk Suppliers Should Provide:

  • Basic supplier information
  • Proof of legitimacy
  • Specifications when applicable
  • Annual review

A clear matrix helps FSQA onboard suppliers consistently.

  4. Defining Verification Activities by Risk

Verification includes all tasks FSQA performs to confirm suppliers are meeting requirements. Activities should be defined by risk.

High Risk Verification Activities

  • Review COAs for every lot or regularly based on material type
  • Review micro or chemical results closely
  • Conduct periodic supplier audits or request additional information
  • Perform incoming testing
  • Conduct ongoing review of performance and deviations
  • Verify allergen and regulatory statements regularly
  • Complete detailed annual evaluations

Medium Risk Verification Activities

  • Review COAs periodically
  • Monitor complaints and deviations
  • Validate changes in specs or documentation
  • Conduct standard annual evaluations

Low Risk Verification Activities

  • Confirm documentation completeness
  • Review performance annually
  • Update supplier information as needed

This structure ensures that high-impact materials receive the attention they require.

  5. Verification Frequency: How Often Should FSQA Review Suppliers?

Frequency should match risk level.

High Risk

  • COA review for every lot or defined testing schedule
  • Documentation review quarterly or semi-annually
  • Annual supplier performance review
  • Additional testing as needed

Medium Risk

  • COA review monthly or per shipment
  • Documentation review annually
  • Annual supplier review

Low Risk

  • Annual documentation check
  • Minimal COA review
  • Simplified annual review

These frequencies should be written into FSQA procedures so they can be applied consistently.

  6. Handling Supplier Changes in a Risk-Based System

Supplier changes influence verification requirements. High-risk suppliers require closer attention when changes occur.

Changes may include:

  • Formula updates
  • Allergen additions or removals
  • Packaging changes
  • Country-of-origin shifts
  • Process modifications
  • Label changes

For high-risk suppliers, FSQA should evaluate the change promptly and adjust verification if needed.

  7. Managing Supplier Performance Data

Tracking performance helps FSQA make decisions about approvals, probation, or disqualification.

Performance data may include:

  • COA accuracy
  • On-time delivery
  • Documentation completeness
  • Complaint frequency
  • Deviation severity
  • Supplier responsiveness
  • History of specification issues

High-performing suppliers can remain at their designated risk level. Poor-performing suppliers may require:

  • Temporary elevation to higher risk
  • Additional verification steps
  • Escalation for corrective action
  • Disqualification

A consistent performance review process helps FSQA make objective decisions.

  8. Designing the Annual Supplier Evaluation

Annual evaluations are required by GFSI standards and serve as the anchor of the risk-based program. A good evaluation includes:

  • Current risk level
  • Performance summary
  • Documentation completeness
  • Deviations and nonconformances
  • COA failures
  • Complaint trends
  • Changes in supplier operations
  • Approval status for the next year

Facilities should document a clear approval decision:

  • Approved
  • Approved with conditions
  • Probationary
  • Not approved

Evaluations should be simple enough to complete but detailed enough to support audit review.

  9. Avoiding Common Pitfalls in Risk-Based Supplier Programs

FSQA teams often encounter predictable challenges when implementing a risk-based system.

Common pitfalls include:

  • Risk categories defined but not followed
  • Suppliers not updated after changes
  • COA review inconsistent with risk
  • Performance data not trended
  • Annual evaluations incomplete
  • Purchasing using unapproved suppliers
  • Specs out of sync with COA expectations
  • Risk levels not reviewed annually

These issues create avoidable audit findings.

  10. Keeping the Program Manageable During High Volume

A risk-based system simplifies workload by focusing effort where it matters most. FSQA can maintain control by:

  • Using a structured verification matrix
  • Assigning clear ownership for COA review and file maintenance
  • Reviewing high-risk suppliers more frequently
  • Using templates for evaluations
  • Conducting quick monthly checks on high-risk documentation
  • Involving purchasing and receiving in verification steps

Operational rhythm matters more than complexity.

  11. Preparing the Risk-Based Program for a GFSI Audit

Before an external audit, FSQA should review:

  • Risk categories and definitions
  • Supplier list categorized by risk
  • Verification matrix
  • Completed annual evaluations
  • COA review logs
  • Supplier performance summaries
  • Corrective actions linked to suppliers

Auditors expect to see not only documentation but also clear evidence that the program operates consistently across the year.

How Certdox Supports Risk-Based Supplier Verification

Certdox helps FSQA teams categorize suppliers, store required documents, track verification activities, trend performance, and prepare annual evaluations. COAs, specs, questionnaires, complaints, and nonconformances can be linked directly to supplier profiles. FSQA teams can see upcoming expirations, monitor changes, and keep risk-based verification predictable throughout the year. Certdox supports a structured supplier verification system that stays audit-ready without adding complexity.

 
