There has been confusion over use of the terms “risks” and “hazards,” which has caused issues in the certification audit process. Issues reported include International Organization for Standardization (ISO)-certified facilities failing the transition audits to revised ISO standards that contain requirements for risk-based thinking. This can lead to the food safety professional asking: Is risk something new or is risk a redefinition of existing practices?

When we look at food safety issues, we see the terms “risk” and “risk analysis” being used more often in the literature. In fact, terms like “risk” and “risk management” are increasingly used throughout many industry sectors. ISO has published a series of standards on risk management (Table 1). Furthermore, ISO is incorporating the concept of risk-based thinking into new revisions of the management systems standards including ISO 9001 (quality), ISO 14001 (environment) and ISO 22000 (food safety).

The U.S. Food and Drug Administration (FDA) incorporated the concepts of risk into Food Safety Modernization Act (FSMA) requirements for Hazard Analysis and Risk-Based Preventive Controls. Nongovernmental organizations such as the Food and Agriculture Organization of the United Nations, the World Health Organization and Codex Alimentarius Commission (Codex) have published numerous articles and standards on the applications of risk assessment in the production of safe food.

“Risk” as a Buzzword
Table 2 provides a series of definitions for “risk” and “hazard” as the terms are used in the food safety literature. Understanding the definitions is important, because they can reduce confusion in communicating about food safety, especially to external stakeholders such as regulatory authorities, external food safety auditors, customers and suppliers.

ISO 22000 has an interesting note associated with the definition of “food safety hazard”: The term “hazard” is not to be confused with the term “risk,” which, in the context of food safety, means a function of the probability of an adverse health effect...and the severity of that effect...when exposed to a specified hazard. Risk is defined in ISO/IEC Guide 51 as the combination of the probability of occurrence of harm and the severity of that harm.

Thus, in 2005, ISO 22000 separated the concepts of hazards and risks.

If we look at the definitions and new FSMA Preventive Controls for Human Food rule as well as the training material that supports the regulations, the emergence of risk appears to be inherent in the process of developing the food safety plan.

Short History of Risk Analysis in Food Safety
It is useful to understand the background of the incorporation of risk analysis into food safety systems. The concept started in the development of the Hazard Analysis and Critical Control Points (HACCP) process during the late 1950s and early 1960s. HACCP can be seen as the first step in significantly improving food safety by moving from a reactive/inspection approach to a preventive/process approach to ensuring the production of safe food. The HACCP process focuses on the following:

•    Determine how the system can fail. Failure can occur either with the ingredients and components used for the product or with all the activities that are associated with the manufacturing, packaging, storage and transportation of the food, including personnel practices.

•    Identify the potential causes of the failure.

•    Develop critical controls to validate, monitor and verify the parts of the food safety system.

•    Take appropriate action(s) to prevent the failure of the food safety system.

The concepts of risk analysis are not fully or formally developed and incorporated into the traditional HACCP literature. However, when a food safety professional identifies a hazard, that individual conducts some sort of risk analysis. The hazards are assessed for severity and likelihood of occurrence. Therefore, the concepts of risk analysis are incorporated into the Hazard Analysis process. Food hazards have been grouped into the classic three major categories—biological, chemical and physical hazards. FSMA has further identified two additional hazards—radiological hazards and allergens.

As HACCP evolved, the concept of prerequisite programs (PRPs) was added as part of the food safety system that incorporated HACCP. PRPs identified the necessary activities to minimize nonsignificant hazards that were not addressed by CCPs. This allowed the HACCP plan to focus on controlling significant food safety hazards. The PRPs keep the HACCP plan simple and make it function more effectively and more robustly; PRPs became the place where activities necessary for food safety were identified and categorized. Thus, very few changes were made to the 12 steps of Codex HACCP.

Next was the development of the Global Food Safety Initiative (GFSI)-recognized food safety standards. A major contribution of these standards was to divide the traditional PRPs into the following parts:

•    Activities that are part of a management system, such as training or internal audits

•    Activities that are part of the traditional Good Manufacturing Practices, such as sanitation and pest control

In addition, the GFSI standards required assessing the effectiveness of the PRPs and taking appropriate actions when there was a deviation from planned activities.

As HACCP was developing, the preventive/process control approach was also being applied to other industries around the world. All these activities led to the development of the ISO risk management standards (Table 1) and publication of books such as Principles of Risk Analysis.[5]

Incorporation of the Risk Concept into Food Regulations
With the success of HACCP, regulatory agencies started to move from an inspection/reactive-based regulatory system to a prevention/process control regulatory system. This was done by incorporating HACCP into regulatory requirements. In addition, organizations such as Codex published HACCP guidance as part of the Good Hygiene Practices standard and started to formally apply the concept of risk analysis. The Codex risk analysis approach is divided into the following activities:

•    Risk assessment
    •    Hazard identification
    •    Hazard characterization
    •    Exposure assessment
    •    Risk characterization

•    Risk management

•    Risk communication

Risk analysis can be used to develop guidance documents to address food safety hazards of public health concern. In general, these governmental activities can be thought of as developing a high-level strategy for food safety.

Industry uses high-level regulatory strategies and regulations to develop the operational strategies to control processes to minimize the risk of manufacturing food that may cause a food safety incident. This approach has led many food safety professionals to state that if a food contains a significant hazard, the hazard must be controlled before the food is consumed. Therefore, from a risk analysis perspective, a company may not actually conduct a complete risk analysis. The severity of the hazard usually does not enter into the analysis at the facility level. The only factor that enters into the analysis is the frequency or probability of occurrence of the hazard.

Risk and FSMA
Recently, with the implementation of FSMA requirements, risk has been formally incorporated into U.S. food regulations under FDA jurisdiction. This was codified in the Hazard Analysis and Risk-Based Preventive Controls for Human Food rule.

This rule is designed to take a proactive approach to ensure food safety. It builds on the HACCP regulations for juice and seafood and the HACCP-based regulations for low-acid canned foods. The regulations are designed to do the following:[1]

•    Minimize the risk of producing food products with food safety hazards

•    Take a preventive approach rather than a reactive approach to food safety

•    Allow process control regulations to work with other food safety regulations such as Current Good Manufacturing Practices

•    Allow the facility to focus on issues that present the greatest risk to food safety

Most facilities have a limited amount of resources to allocate for the food safety process. The risk approach allows the organization to focus resources on the most important controls to minimize the risk of shipping product that can cause a food safety incident.

The preventive controls requirements mandate the development of the food safety plan. This plan replaces the traditional HACCP plan. Risk is used as a tool to develop the plan. Going back to the definitions of risk (Table 2[1–4]), ISO defines risk as the effect of uncertainty (variation) on objectives. If one looks at risk from this perspective, one can relate the causes of risk to the sources of variation that are identified in fishbone or cause-and-effect diagrams. The major sources of risk are thus:

•    Materials (ingredients, packaging materials, work in process and finished products)

•    People

•    Environment

•    Machines

•    Methods

•    Measurements

As a result of these potential sources of uncertainty, an effective Hazard Analysis can be developed. The most effective food safety plan will be specific to the facility, product and process.

Risk-Based Auditing
Modern auditing principles are moving toward a risk-based approach to auditing food safety management systems. One place to start with understanding a risk-based audit is to review the ISO definition for risk: “Risk is the effect of uncertainty on objectives.” From a food safety perspective, the objectives are appropriate food safety objectives that become the starting point of the audit. The auditors can determine whether the facility has an effective food safety management system by determining whether the food safety objectives are met. The audit can then focus on issues that pose the greatest risk to food safety. The auditor incorporates the concept of severity of an issue and likelihood of occurrence into the audit plan. The objective of the risk-based audit is to provide a report that has maximum benefit and buy-in by management so that the food safety system can be improved and made more robust.

“Risk” and “risk analysis” are terms that are evolving in the food safety literature. The underlying question is whether this risk is something new or a redefinition of existing practices. The answer makes a difference for those who are responsible for food safety systems. As I have looked at the issue, food safety professionals have used risk principles in their work. Therefore, I tend to side with those who would say it is a redefinition of existing practices. We should change our approach to discussing risk in the context of food safety.

As Bob Dylan once sang, “The times they are a-changin’.” I heard a presentation by an ISO auditor who said he failed over 50 percent of the organizations that were making the transition from being certified under ISO 9001:2008 to being certified under ISO 9001:2015. One of the biggest causes of failure was not applying the concepts of risk-based thinking to the quality management system. I do not know whether these organizations failed to apply the concepts of risk-based thinking or used an informal risk-based thinking process that failed to meet the auditor’s expectations.

I find these actions disconcerting because we typically apply risk principles in our everyday activities, even though we may not use a formal process for risk analysis. A formal risk-based approach to food safety will address the following:

•    Determination of acceptable levels and unacceptable levels for food safety risks or hazards

•    Identification of mitigation strategies for the identified risks

•    Development of a food safety plan or HACCP plan to address the risk

•    Implementation of the food safety plan or HACCP plan

•    Determination of the effectiveness of the food safety plan or HACCP plan

•    Continuous improvement of the food safety system

Risk-based thinking will be formally part of the revision of ISO 22000. Therefore, organizations that are certified to FSSC 22000 will have to deal with this issue. In addition, “risk” is a term that is widely used in the Food Safety Preventive Controls Alliance training material for the Preventive Controls for Human Food rule. Therefore, to ensure accurate communications with customers, suppliers, regulatory authorities or external auditors, it is recommended that facilities adopt and use the term “risk” in their food safety vocabulary.

One excellent source of information on risk as applied to food can be found at the food risk website. This website is operated by the Joint Institute for Food Safety and Applied Nutrition in collaboration with FDA and the U.S. Department of Agriculture Food Safety and Inspection Service.

John G. Surak, Ph.D., is the principal of Surak and Associates. He is a member of the Editorial Advisory Board of Food Safety Magazine.

1. Food Safety Preventive Controls Alliance. Hazard Control and Preventive Control for Human Food Training, 1st ed. (Bedford Park, IL, 2016).
2. Codex. 1999. Principles and Guidelines for the Conduct of Microbiological Risk Assessment, CAC/GL-30 – 1999, Codex Alimentarius Commission, Geneva, Switzerland.
3. ISO. 2005. ISO 22000:2005 Food Safety Management Systems – Requirements for Any Organization in the Food Chain. ISO: Geneva, Switzerland.
4. ISO. 2009. ISO 31000:2009 Risk Management – Principles and Guidelines. ISO: Geneva, Switzerland.
5. Yoe, C. Principles of Risk Analysis (Boca Raton, FL: CRC Press, 2012).