A supplier approval program is the standing system a food company uses to decide which suppliers it is allowed to buy from: qualifying each supplier before the first purchase order, requiring the right documents, and monitoring performance so approval is maintained or withdrawn over time. It is the gate every ingredient and packaging supplier passes through, and the reason a buyer cannot simply order from whoever is cheapest.

Most food safety problems are bought, not made. The contaminated spice, the mislabeled allergen, the packaging that fails migration limits, they arrive at your dock from a supplier, and no amount of in-house control fully compensates for a supplier you never should have approved. A supplier approval program is how you manage that risk at the source. This post covers how to risk-rank suppliers, which documents approval requires, how ongoing monitoring works, and how the program relates to the narrower regulatory requirement of supply-chain preventive controls.

What is a supplier approval program?

A supplier approval program is a documented process for evaluating, approving, and re-evaluating the suppliers who provide your ingredients, packaging, and outsourced processing. It answers one question continuously: is this supplier fit to supply this material, and do we have the evidence to prove it? Approval is a status, not a one-time event, it is granted on evidence, maintained by monitoring, and revoked when performance or trust breaks down.

Every GFSI-benchmarked scheme requires one. Whether you certify to SQF BRCGS, or FSSC 22000, the code expects a documented program for approving suppliers and for the ongoing verification that they continue to meet your requirements. Auditors treat a missing or paper-thin approval program as a serious finding, because it is the control standing between your process and every hazard your suppliers could introduce. Our GFSI certification guide covers how the schemes frame it.

It helps to draw a clean line up front, because two related things get confused:

How do you risk-rank suppliers?

You risk-rank suppliers by the hazard the material carries and the confidence you have in the supplier, then let that ranking set how much evidence approval requires. A high-risk material from an unproven supplier earns an audit and lot testing; a low-risk material from a certified, long-trusted supplier earns a specification and a certificate. Matching effort to risk is what keeps the program both credible and affordable.

Two inputs drive the rank. First, the intrinsic risk of the material: does it carry a pathogen, an allergen, a mycotoxin, a chemical hazard, or a fraud incentive, and does your process include a step that controls that hazard downstream? A raw spice added to a ready-to-eat product is high risk; a corrugated shipper is low. Second, the confidence in the supplier: their food safety certification status, their history with you, their process maturity. Plot the two and the tier falls out.

Supplier approval risk matrix Approval effort follows material risk MATERIAL HAZARD → SUPPLIER CONFIDENCE → HIGH HAZARD, LOW CONFIDENCE audit + GFSI cert + COA/lot testing before first PO HIGH HAZARD, HIGH CONFIDENCE GFSI cert + spec + COA per lot, periodic audit, verify testing LOW HAZARD, LOW CONFIDENCE spec + questionnaire + sample approval, watch early lots LOW HAZARD, HIGH CONFIDENCE spec + certification review, annual re-approval glance Re-rank as evidence accumulates: a clean history lowers the bar, an escape raises it.
The approval risk matrix. The tier sets which documents and activities approval requires, so scrutiny lands where the hazard lives.

What documents does supplier approval require?

Supplier approval runs on a defined document set, and the tier decides which documents are mandatory. The point is not to collect paper for its own sake, each document answers a specific question about whether the supplier is fit to supply.

DocumentWhat it provesTypical requirement
SpecificationWhat you are actually buying: the agreed limits for the material, including food safety parametersRequired for every material, signed by both parties
Food safety certificationThat the supplier runs a benchmarked food safety system audited by a third partyGFSI certificate for higher-risk materials; verify it is current and covers the right scope
Certificate of analysis (COA)That a specific lot meets the specification on the parameters that matterPer lot for higher-risk materials; periodic for lower-risk
Supplier questionnaire / self-assessmentThe supplier's own programs where no third-party audit existsCommon for low-to-medium risk in place of an audit
Audit reportThat an independent party verified the supplier's system on siteSecond- or third-party audit for high-risk suppliers and hazards
Allergen and regulatory statementsAllergen status, country of origin, and applicable regulatory declarationsRequired where allergens or regulatory claims are in play
The core approval document set. Which are mandatory depends on the supplier's risk tier; a certificate on file must be current, in-scope, and actually verified.

The single most common weakness is treating a certificate as a filed artifact rather than a verified fact. A GFSI certificate in your folder means nothing if it expired last quarter, covers a different facility, or excludes the product you buy. Approval means someone checked, and set a reminder to check again before it lapses. The specification is the other frequent gap: buying to a purchase-order description rather than a signed specification leaves you with no agreed standard to hold the supplier to when a lot goes wrong. This is the same discipline your broader supplier quality management program applies across all purchased materials.

How do you approve and monitor suppliers?

You approve a supplier by gathering the tier-appropriate evidence and having a qualified person sign off, then you monitor performance so approval stays earned. Approval is the beginning of the relationship, not the end of the work, a supplier who was fit two years ago may not be fit today. Here is the program in seven steps.

  1. Define the material and its hazards. Before you can approve a supplier you have to know what the material carries. Run the hazard analysis for the ingredient, pathogen, allergen, chemical, physical, fraud, and note whether your process controls each hazard or the supplier must. This connects directly to your HACCP plan.
  2. Risk-rank the supplier-material pair. Combine material hazard and supplier confidence to set the tier. Rank the pair, not just the supplier: the same supplier may be low-risk for one item and high-risk for another.
  3. Collect the required documents. Gather the specification, certification, COA arrangement, questionnaire, and audit appropriate to the tier. Missing documents mean not-yet-approved, not approved-with-exceptions.
  4. Verify, do not just file. Confirm the certificate is current and in scope, the specification is signed, and the audit is recent and relevant. Verification is the step that separates a real program from a folder of PDFs.
  5. Approve with a signature and a status. A qualified person records the approval decision, the basis for it, and any conditions. Give each supplier-material a clear status: approved, conditionally approved, or not approved.
  6. Monitor performance continuously. Track incoming nonconformances, COA compliance, and delivery against each approved supplier. Feed it from receiving data and nonconformance records you already generate, not a once-a-year memory exercise.
  7. Re-approve on a schedule and on triggers. Re-evaluate on a defined cadence, annually for higher-risk, and off-cycle whenever a certificate lapses, an audit expires, ownership changes, or an escape occurs. Withdraw approval when the evidence no longer supports it.

How does the program satisfy FSMA and GFSI?

The approval program satisfies GFSI schemes directly and provides the foundation FSMA's supply-chain program builds on. For GFSI, the codes require a documented approach to approving suppliers and verifying they keep meeting requirements, exactly what the program above produces. For FSMA, the U.S. preventive-controls rule adds a specific layer: when your hazard analysis finds a hazard that is controlled by the supplier rather than by your process, you must have a supply-chain program with approved suppliers and defined verification for that hazard.

The relationship is nesting, not duplication. The supplier approval program is the wide gate every supplier passes through; supply-chain preventive controls are the extra, regulated scrutiny applied to the specific supplier-controlled hazards FSMA cares about. Build the approval program well and the FSMA piece becomes a documented subset of it rather than a separate system. The supply-chain preventive controls guide covers exactly when that regulated layer kicks in and what verification it demands.

The supplier approval program contains FSMA supply-chain preventive controls One nests inside the other, they do not compete SUPPLIER APPROVAL PROGRAM every supplier and material, governed by risk SUPPLY-CHAIN PREVENTIVE CONTROLS FSMA Subpart G: supplier-controlled hazards only, mandatory verification Build the outer program well and the FSMA layer becomes a documented subset of it.
How the two relate. Supply-chain preventive controls are the regulated core inside the broader approval program, not a separate system.

By the numbers. The regulatory and benchmark anchors for supplier approval:

Where does the program live?

An approval program is a document- and date-management problem as much as a food safety one: certificates that expire, audits that age out, COAs that must match specifications lot after lot, and nonconformances that need to roll up by supplier. On paper and in scattered folders, the expired certificate is discovered by the auditor, not by you, and the slipping supplier is spotted after the recall, not before. Capturing approval status, document expiries, and incoming performance as connected records turns the program into a live control with reminders and trends instead of a binder that is accurate only on the day it was assembled. That is the kind of plumbing Harmony's connected data model handles alongside the supplier quality and traceability records you already keep, so approval is something you can prove in minutes, on any supplier, on any day. No rip-and-replace.