Risk assessment is not to be confused with hazard analysis. They are related but different considerations. Whereas hazard analysis involves the identification of the types and sources of hazards, risk assessment is the determination of the actual harm that could be suffered due to the identified hazards. A detected hazard cannot be without the associated risk that must be assessed. On the other hand, a risk assessment may also be needed where a specific hazard has not been identified. For example, assessing the risks associated with buying ingredients from one supplier versus another. This may be done simply on the basis of projected vulnerabilities rather than due to any specific hazard that has been identified. The risk of using certain received materials may be assessed even when a specific hazard has not been identified. For example, if a company, with a preset meat cooking program for a particular size range for raw meat cuts, receives cuts of meat that fall outside of that range, a risk assessment is expected to be done. From that assessment, a decision to adjust the cooking program may be made to ensure the proper cooking of the received lot. Another decision may be to simply ship the meat to another operation with a system that is designed to properly cook any meat cut size. It is important to note with this example that raw meat or improperly cooked meat is not a hazard. The presence of pathogens in the meat is typically the likely hazard. This applies equally to raw, under-cooked and cross-contaminated cooked meat. Where the presence of pathogens is not confirmed, there is no pathogen hazard. Just as the presence of pathogens is possible, the raw meat or improperly cooked meat may also not have any pathogens present.
Where a hazard is not correctly identified and/or a risk assessment is not properly done, implemented risk mitigation measures are likely to be invalid, ineffective and inefficient. It is also worthy of note that a risk assessment that is based on commonsense is not sufficiently scientific and methodical. A risk assessment process must be methodical and must include the consideration of actual situations, circumstance and realities faced by an operation. Existing literature detailing the risks associated with similar operations are helpful. However, simply customizing such existing literature to suit your operation may not be sufficient. Each operation must also be independently examined. All identified risk mitigation measures must be properly challenged or tested and proven valid. The effectiveness of the mitigation measures must also be verified through actual utilization and evaluation in real operation situations before they are to be accepted as routine control measures.
A good risk assessment and control program must be supported with a good change management program.
Some of the material for this post was drawn from the SSQA Implementation Manual and some of the terms described such as "Difficult to Manage Situations (DMS)" as in DMS-HACCP are described in detail in this manual.