Why Your HACCP Risk Matrix Is the Most Important Document in Your Facility
If you’re running food production in the US, you already know that the FDA’s Food Safety Modernization Act (FSMA) and USDA FSIS regulations don’t give you much wiggle room. One undocumented hazard, one gap in your Hazard Analysis and Critical Control Points (HACCP) plan, and you’re looking at a Class I recall, an import alert, or worse. Yet a surprising number of food safety teams still treat the HACCP risk assessment matrix as a bureaucratic checkbox rather than the operational nerve center it should be.
This guide breaks down exactly how to build, read, and use a HACCP risk assessment matrix that actually works, complete with a downloadable template you can put to work today. Whether you’re a food safety manager at a mid-size processor, a quality director preparing for a BRCGS or SQF audit, or a consultant helping a client get their HACCP plan in order, this post is for you.
What Is a HACCP Risk Assessment Matrix?
A HACCP risk assessment matrix is a structured tool that combines two variables for every identified food safety hazard:
- Likelihood (or probability): How often could this hazard realistically occur given your current controls?
- Severity (or consequence): How serious would the health impact be if a consumer were exposed to this hazard?
You plot each hazard on the matrix, multiply the two scores, and get a Risk Priority Number (RPN). That number tells you whether the hazard is a Critical Control Point (CCP) requiring a formal critical limit and monitoring plan, a Control Point (CP) managed through prerequisite programs (PRPs), or a low-risk item documented and monitored but not requiring CCP-level intervention.
The methodology aligns directly with Codex Alimentarius HACCP principles (the international reference standard), as well as FDA FSMA’s Preventive Controls for Human Food rule (21 CFR Part 117) and USDA FSIS HACCP regulations (9 CFR Part 417).
The HACCP Risk Assessment Matrix (5 x 5 Grid)
Below is a standard 5×5 matrix calibrated for food safety contexts. Severity runs across the top (columns); Likelihood runs down the left (rows). Risk scores are the product of the two dimensions.
| Likelihood \ Severity | Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Critical (5) |
| Almost Certain (5) | 5 — Low | 10 — Medium | 15 — High | 20 — Critical | 25 — Critical |
| Likely (4) | 4 — Low | 8 — Medium | 12 — High | 16 — Critical | 20 — Critical |
| Possible (3) | 3 — Low | 6 — Low | 9 — Medium | 12 — High | 15 — High |
| Unlikely (2) | 2 — Low | 4 — Low | 6 — Low | 8 — Medium | 10 — Medium |
| Rare (1) | 1 — Low | 2 — Low | 3 — Low | 4 — Low | 5 — Low |
Table 1: HACCP 5×5 Risk Assessment Matrix. Green = Low (1-6), Yellow = Medium (7-10), Orange = High (11-15), Red = Critical (16-25).
How to Score Each Dimension
Severity Scale
Severity reflects the worst plausible health outcome for a sensitive consumer (think immunocompromised individuals, pregnant women, infants). Use Table 2 as your guide:
| Score | Severity Level | Health Impact | Regulatory / Business Impact |
| 1 | Negligible | No illness expected; cosmetic issue only | No regulatory concern |
| 2 | Minor | Mild, self-limiting illness; small population | Minor complaint; no recall |
| 3 | Moderate | Moderate illness; medical attention possible | Potential recall; FDA/USDA notification |
| 4 | Major | Severe illness; hospitalisation likely | Class II/III recall; enforcement action |
| 5 | Critical | Death or permanent disability possible | Class I recall; DOJ/criminal liability |
Table 2: Severity Scale for HACCP Hazard Analysis.
Likelihood Scale
Likelihood scores reflect the probability of a hazard occurring at a given process step given your current control environment. Score on a 1-5 scale:
- 1 — Rare: Occurs less than once every 5 years; strong preventive controls in place.
- 2 — Unlikely: Has occurred once in the past 2-5 years; controls generally effective.
- 3 — Possible: Has occurred in the past 12-24 months; controls partially effective.
- 4 — Likely: Occurs several times per year; controls inconsistently applied.
- 5 — Almost Certain: Occurs frequently or controls are absent/ineffective.
Important: Score likelihood BEFORE applying your current controls (inherent likelihood) and then rescore AFTER controls (residual likelihood). The gap tells you how much work your controls are doing. This mirrors the inherent-to-residual logic familiar from ISO 31000 risk management, applied to food safety contexts.
From Matrix Score to CCP Determination
Running a score through the matrix is only step one. The score then feeds into the CCP Decision Tree (Question 1 through Question 4 per Codex Alimentarius). Here’s a worked example across a typical processing line:
| Process Step | Hazard Identified | Control Measure | Risk Score | CCP / CP? |
| Receiving | Temperature abuse — Listeria in RTE dairy | Supplier CoA; temp log on delivery | 12 — High | CCP-1 |
| Cold Storage | Cross-contamination from allergen proximity | Segregated racks; colour-coded bins | 9 — Medium | CP |
| Cooking | Survival of Salmonella (insufficient heat) | Time/temp log; calibrated probe | 20 — Critical | CCP-2 |
| Packaging | Metal/glass contamination | In-line metal detector; glass audit | 8 — Medium | CCP-3 |
| Distribution | Cold chain break during transit | Refrigerated transport; GPS temp loggers | 6 — Low | CP |
Table 3: Example CCP/CP Determination for a Ready-to-Eat (RTE) Food Processor.
Notice how the cooking step scores 20 (Critical) despite having two robust control measures. That’s the point: it’s critical precisely because the hazard is so severe and likely if those controls fail. A Critical score should automatically trigger CCP designation and demand a documented critical limit, monitoring procedure, corrective action, verification, and record-keeping system.
Mapping All Three Hazard Types
HACCP requires you to assess biological, chemical, and physical hazards at every process step. A common mistake is over-indexing on biological hazards and treating chemical and physical hazards as afterthoughts. Your matrix must explicitly cover all three.
Biological hazards include pathogens like Salmonella, Listeria monocytogenes, E. coli O157:H7, and Cronobacter sakazakii. These typically score highest on severity. Temperature control, pathogen reduction steps, and sanitation programs are your primary mitigations.
Chemical hazards include allergens (a major source of Class I recalls in the US), cleaning chemical residues, mycotoxins, pesticide residues, and intentional food fraud adulteration. Allergen management alone warrants a dedicated risk assessment feeding into your matrix.
Physical hazards include metal, glass, bone, hard plastic, and extraneous material. In-line detection (metal detectors, X-ray systems) addresses these, and your matrix should reflect both the detection capability and the consequences of failure to detect.
Aligning Your Matrix with FSMA Preventive Controls
If you’re subject to FSMA’s Preventive Controls for Human Food rule, your Hazard Analysis is the regulatory equivalent of your HACCP hazard identification step. The rule requires you to identify hazards that are “known or reasonably foreseeable” and determine whether each is “significant” (i.e., requires a preventive control).
The FDA’s Hazards and Controls Guide provides commodity-specific hazard guidance that should inform your likelihood scoring. For example, if you process low-acid canned foods, Clostridium botulinum has a severity score of 5 almost by definition, and your matrix needs to reflect that regardless of how tight your retort controls are.
Key alignment points:
- Preventive Controls (Process, Allergen, Sanitation, Supply-Chain) map directly to your CCP and CP designations.
- Your Food Safety Plan (the FSMA equivalent of a HACCP plan) must include a hazard analysis, preventive controls, monitoring procedures, corrective actions, verification activities, and records.
- If you’re a Qualified Facility, your obligations are lighter, but you still need a hazard analysis on file.
Audit-Proofing: What BRCGS and SQF Auditors Actually Look For
Third-party certification audits under BRCGS Global Standard for Food Safety (Issue 9) or SQF Code (Edition 9) include a deep dive into your HACCP documentation. Here’s what auditors want to see in your risk assessment matrix:
- Evidence that all hazards were systematically identified — not just the obvious ones. Auditors will probe: did you consider intentional adulteration (Food Defense)? Environmental pathogens? Allergen cross-contact?
- Consistent, documented scoring rationale. If you score Listeria likelihood as 2 at cold storage, you need a documented reason — sanitation logs, environmental monitoring data, or supplier verification records that support that score.
- Residual risk scores that reflect actual control effectiveness — not wishful thinking. If your metal detector has a documented sensitivity gap at certain product densities, your residual risk for physical hazards needs to reflect that.
- Clear linkage from matrix score to CCP/CP designation and back to your monitoring plans. The paper trail needs to be airtight.
- Annual or event-triggered review records. Your matrix isn’t a one-and-done document. BRCGS Clause 2.8.1 requires annual review of the HACCP plan.
The 5 Most Common HACCP Matrix Mistakes (And How to Fix Them)
1. Scoring Severity at the Average, Not the Worst Case
Severity should always reflect the worst plausible outcome for a susceptible individual, not the average consumer. Scoring Salmonella as a 3 (Moderate) because most healthy adults recover misses the point: for immunocompromised individuals or infants, it can be fatal (score 5). Always anchor severity to the most vulnerable end-user.
2. Treating the Matrix as a One-Time Exercise
Your matrix must be a living document. Trigger a review any time you introduce a new ingredient, change a supplier, modify a process, receive a customer complaint related to a listed hazard, or get an adverse environmental monitoring result. Build this into your change management procedure.
3. Conflating CCPs and PRPs
A CCP requires a critical limit, continuous or frequent monitoring, defined corrective actions, verification, and records. A prerequisite program (PRP) manages hazards at a facility level without those formal requirements. Misclassifying a significant hazard as a PRP is one of the most common FDA warning letter triggers. When in doubt, default to CCP.
4. Missing Allergen Hazards
Undeclared allergens are the number one cause of Class I food recalls in the United States. Your HACCP matrix must explicitly address allergen cross-contact as a chemical hazard at every relevant process step, including receiving, storage, processing, packaging, and rework handling. Run a separate allergen risk assessment if your operation handles multiple allergenic ingredients.
5. No Validation Data Behind Your Scores
Saying cooking to 165°F reduces Salmonella by 7 log is standard microbiology. But can you document that your specific oven achieves that reduction under worst-case load and product thickness conditions? Validation data is what separates a defensible HACCP plan from one that collapses under regulatory scrutiny. Link your control measures to validated kill steps and supporting scientific literature.
Related Resources on riskpublishing.com
Looking to build out your full food safety risk framework? These related guides will help you connect the dots:
• Business Continuity Planning for Food Manufacturers — How to keep production running when a CCP failure forces a line shutdown.
• Key Risk Indicators for Third-Party Supplier Risk — Apply KRIs to your supply-chain control measures and monitor them proactively.
• ISO 31000 Risk Assessment Framework Explained — Understand how HACCP risk logic maps to the broader enterprise Monte Carlo Simulation for Risk Analysis: A Practical Tutorial — Advanced quantitative techniques for stress-testing your critical control points.
Getting the Most Out of This Template
The matrix above is designed to slot directly into your HACCP plan documentation. Here’s how to use it effectively:
- Assign ownership. Each CCP in your matrix should have a named responsible party. Who monitors, who records, who takes corrective action?
- Set KRI thresholds. Your monitoring data (temperature logs, metal detector checks, micro test results) are leading indicators of CCP performance. Define the early-warning threshold before you hit your critical limit.
- Run tabletop exercises. At least annually, walk your food safety team through a simulated CCP failure scenario using the matrix as the reference document. Who does what? Where are the gaps?
- Connect to your recall plan. If a hazard in your matrix reaches a critical score despite controls, your recall and withdrawal procedure should trigger automatically. Make that linkage explicit in both documents.
- Review with your PCQI. Under FSMA, your Preventive Controls Qualified Individual (PCQI) must oversee the preparation and review of your Food Safety Plan, which includes this analysis.
Download the Free HACCP Risk Assessment Matrix Template
The matrix tables above are available as a free downloadable Excel template at riskpublishing.com/haccp-risk-assessment-matrix-template. The template includes the 5×5 scoring grid, severity and likelihood scale definitions, a worked CCP determination example for an RTE food processor, and a blank hazard log you can populate for your own operation.
If you found this guide useful, share it with your food safety team, your PCQI, or your quality manager. And if you’re working through a specific challenge — an upcoming SQF audit, a new product line, or a post-recall HACCP redesign — feel free to reach out through the contact page. This is exactly what we’re here for.
Sources & Further Reading
1. FDA HACCP Principles and Application Guidelines — U.S. Food and Drug Administration
2. Codex Alimentarius: General Principles of Food Hygiene (CXC 1-1969, Rev. 2022) — FAO/WHO
3. 21 CFR Part 117 — Current Good Manufacturing Practice, Hazard Analysis, and Risk-Based Preventive Controls for Human Food — U.S. Government Publishing Office
4. 9 CFR Part 417 — Hazard Analysis and Critical Control Point (HACCP) Systems — USDA FSIS
5. BRCGS Global Standard for Food Safety Issue 9 — BRCGS
6. SQF Code Edition 9: Systems Elements — SQFI
7. ISO 31000:2018 Risk Management Guidelines — ISO
8. FDA Class I, II, and III Recalls — Overview — U.S. Food and Drug Administration
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.