Quantitative Risk Assessment in HACCP Plans – Decisions, Decisions…

By ETQ on March 14, 2011
Moldy fortune cookie. Fortune reads: "I should have been rejected but someone missed a critical control point.'

Last week, I spoke about how to set up a Risk Matrix and the considerations on how to determine risk scales. I mentioned how Risk methods provide the objectivity needed for many organizations, but a team is need to ultimately make the decision.

I was reviewing some material in the Food Safety industry, and once again Risk came up, specifically to HACCP. HACCP (Hazard Analysis Critical Control Points) in itself is a Risk Management Tool, and is adopted by many of the GFSI Compliance standards. It is concerned with looking at the various potential hazards within the food safety plan and assessing what types of controls need to be put in place. Controls like these come in many flavors (no pun intended), most notably Prerequisite Programs or Critical Control Points (CCP). What I was interested in was, “How do you accurately determine whether a step in the process is a CCP or not?”

I learned there are two schools of thought to this. One is the Decision Tree and another is Quantitative Risk Assessment.

Decision Trees seemed to be more common in HACCP Plans, maybe because most HACCP Plans haven’t automated to the point where Risk has become necessary. But as more Food Safety Management Systems become automated, new technologies are introduced that streamline the process. The trouble with decision trees, in my opinion, is that it lends itself to subjectivity. Depending on who is filling out the decision tree, the answer could change. That is not to say that there is a problem with decision trees OR the person filling them out – but the combination of the two can be problematic.

HACCP needs logical, systemic methods for determining the significance of a hazard in a repeatable way. Risk Assessment is the best method for this. It relies on a defined verbal scale, it uses a singular, common mathematic method for determining a hazard, and sets guidelines for actions based on the result. Furthermore, it is a repeatable mtehod – if done properly, the risk matrix will spit out the same result every time.

Let’s take an example. Here’s a hazard for a step that involves a potential CCP – Pathogens (lovely):

Food HazardsWe know the hazard and the severity/likelihood, but we still need to come up with a determination of whether a CCP is necessary. A decision tree would look something like this:

That's a crazy decision tree(My head hurts looking at this)

Or…we can try and put the hazard into a Risk Matrix, using the verbal scale and assigning a weight to each level on the scale:

verbal scale for riskriskmatrix food

Now, we have a repeatable and systemic matrix for looking at the risk. We can setup our risk thresholds (let’s say for this example 1-10 is a CCP), and then apply the verbal scale to the matrix:

riskmatrix food2And then we have a quantitative result to draw from. We can then enter it into the hazard analysis, and record the results:

Hazard withrisk

It’s not enough to just have a risk matrix, in food safety or any other compliance-related process. You need a team in place to analyze the risk and leverage the data to make the decisions. There is always “tweaking” based on other factors and human experience. HACCP is about common sense. Risk will help to automate it and give a consistent, auditable, and logical result. But experience is also important in determine hazards. So there is a marrying of the two methods that will ultimately make for a efficient Food safety system.