In February 2024, Boar’s Head pulled 7 million pounds of deli meat after a Listeria monocytogenes outbreak linked to its Jarratt, Virginia plant killed ten people and hospitalized dozens more.
USDA investigators later described conditions they said should have been stopped by a working hazard analysis. The company’s HACCP plan existed. Its HACCP risk assessment matrix – the scoring engine that decides which hazards get a critical control point – did not do its job.
| What every food safety team should walk away with |
| A HACCP risk assessment matrix is the scoring engine that turns hazard analysis into defensible CCP decisions – not a stand-alone deliverable. |
| In the US, CDC estimates ~10 million illnesses, 53,300 hospitalizations and 900+ deaths a year from six priority pathogens – your matrix exists to attack that number. |
| FDA recalls over 2002-2023 show biological contamination and undeclared allergens drive roughly three-quarters of events – your severity scores should reflect that reality. |
| FSIS took 103 enforcement actions in early 2025, a 36% jump over 2024, and retrained 5,200+ inspectors on Listeria and public-health regulations – weak matrices are now audit magnets. |
| Direct recall costs average $10M per event, with large producers hitting $72.7M at the upper median. A mature HACCP risk assessment matrix pays for itself on the first near-miss it prevents. |
| Use a 5×5 (severity x likelihood) matrix with four action bands: Low, Medium, High, Extreme. Anything ‘High’ or above must land on a CCP, OPRP, or documented risk-acceptance with C-suite sign-off. |
| Tie the matrix to FSMA preventive controls, Codex CXC 1-1969 (2023), and ISO 22000:2018 so one score drives compliance across multiple frameworks. |
That is the gap this article closes. A HACCP risk assessment matrix is the quantitative bridge between hazard analysis and control decisions.
Done right, it takes a sprawling list of biological, chemical, physical, and allergen hazards and tells you, in one defensible number per hazard, where to place CCPs, where preventive controls are enough, and where you are accepting residual risk on purpose.
For a refresher on the underlying vocabulary, see our primer on the definition of hazard and risk assessment. Done wrong, the matrix becomes a colorful grid that passes audits and misses outbreaks.
We wrote this guide for food safety managers, QA directors, plant HACCP team leaders, and ERM professionals in the US food sector who need a HACCP risk assessment matrix that can stand up to FSIS verification, FDA FSMA inspection, GFSI audit, and – most importantly – a product liability deposition.
Every recommendation maps to Codex Alimentarius CXC 1-1969 (2023), NACMCF HACCP principles, FSMA preventive controls, and ISO 22000 food safety management. No fluff. No generic templates. Just the scoring logic we would use if our own family was on the consumer end of your supply chain.
The US Food Safety Reality Your HACCP Risk Assessment Matrix Must Confront
Before we talk scoring rules, let’s be clear about the problem we are trying to solve. A HACCP risk assessment matrix is not an academic exercise – it is a response to a measurable public health burden.
Teams migrating from a general-purpose risk assessment matrix into a food-specific one often understate severity until they see the numbers below.
CDC’s current burden estimate, corroborated by GAO-25-107606, puts the annual toll from six priority pathogens at about 10 million illnesses, 53,300 hospitalizations, and more than 900 deaths in the United States alone. Credible intervals stretch from 5.9 million to 15.4 million illnesses and up to 1,460 deaths per year. USDA Economic Research Service valuations translate that into roughly $75 billion in annual economic burden when lost productivity, medical costs, and premature mortality are priced in.
Figure 1. The US food safety burden a HACCP risk assessment matrix exists to reduce.
Now layer the recall data. A 20-year analysis of 35,000+ FDA recalls found that product contaminants drove 91% of events and processing issues the rest, with biological contamination and undeclared allergens together accounting for roughly three quarters of every recall.
Those are the two severity drivers your matrix must weight most aggressively. Any matrix that gives allergens a ‘minor’ severity score in the US market is wrong before you plug in a single likelihood value.
Figure 2. What drives US food recalls – biological contamination and allergens dominate.
What a HACCP Risk Assessment Matrix Actually Is (and What It Is Not)
With the stakes clear, let’s retire the textbook definition. A HACCP risk assessment matrix is the scoring tool you use during Principle 1 (hazard analysis) to multiply severity by likelihood and decide which hazards are significant enough to need a control measure, a preventive control, or a CCP.
It is not a HACCP plan. It is not a food safety management system. It is not a substitute for hazard identification. It is the quantification layer that makes every downstream decision defensible.
Pair it with a broader qualitative risk assessment for strategic hazards and with a foreign material risk assessment for physical contaminants that need their own treatment.
Three things a credible HACCP risk assessment matrix must deliver:
- A consistent numeric score for every identified hazard, reproducible across analysts and shifts.
- Clear action bands that trigger specific responses – CCP, OPRP, prerequisite program, or documented acceptance.
- An audit trail that ties each score back to evidence: CDC burden data, FDA recall history, process capability studies, supplier test results, or expert judgment.
The common failure mode we see on audit: teams build the matrix once, lock it in a binder, and never refresh it when recall data, regulatory guidance, or process conditions change.
The NACMCF HACCP Principles and Application Guidelines and Codex CXC 1-1969 (2023) both call for review at defined intervals and whenever changes occur. Treat the matrix as a living artifact, not a compliance ornament.
Severity: How to Score Consequences Without Lying to Yourself
Severity is where most matrices quietly collapse. Teams default to gut-feel scores, understate allergen and pathogen consequences, and end up with risk registers that make everything look ‘medium.’
The fix is a severity scale anchored to outcomes a regulator or plaintiff’s attorney would recognize. If you need the general theory behind anchoring qualitative scores to quantitative outcomes, our walkthrough on quantitative vs qualitative risk analysis is worth a detour.
A five-level severity scale for US food manufacturers
| Score | Level | Consumer outcome | Examples |
| 1 | Negligible | No illness; aesthetic or spec deviation only | Minor off-flavor, oversize tolerance breach |
| 2 | Minor | Short-term discomfort, no medical care | Low-level spoilage, benign foreign object |
| 3 | Moderate | Medical visit likely, full recovery | Non-invasive Salmonella strains, moderate chemical residue |
| 4 | Major | Hospitalization, long-term injury, vulnerable-population risk | STEC O157:H7, undeclared Top 9 allergen |
| 5 | Catastrophic | Death, permanent disability, multi-state outbreak | Listeria monocytogenes in RTE, Clostridium botulinum, mycotoxins at toxic levels |
Two non-negotiables. First, any Top 9 allergen failure in a product not declared as containing that allergen starts at Major (4) and moves to Catastrophic (5) when the target population includes children.
Second, Listeria monocytogenes in ready-to-eat products is automatically Catastrophic. The 2024 Boar’s Head outbreak is the case study.
Likelihood: Turning Frequency Data Into Honest Probability Scores
Likelihood is the other half of the HACCP risk assessment matrix equation, and the place where most food safety teams overweight their own experience and underweight external data.
The remedy is a five-level likelihood scale anchored to observable frequency, not to the phrase ‘it hasn’t happened here.’ When you need to model tail events under uncertainty, layer Monte Carlo risk analysis on top of the matrix for your highest-severity hazards.
| Score | Level | Expected frequency | Evidence base |
| 1 | Rare | <1 event per 10 years across comparable operations | Zero internal history plus peer-reviewed literature shows negligible rate |
| 2 | Unlikely | 1 event every 3-10 years | No internal incidents, but industry recall database shows occasional events |
| 3 | Possible | 1 event every 1-3 years | One near-miss in the last 3 years or moderate FDA recall frequency |
| 4 | Likely | 1+ events per year | Recurring deviations, process capability Cpk < 1.33, or active FDA warning letters to peers |
| 5 | Almost certain | Multiple events per year or continuous exposure | Ongoing deviations, recent own recall, or known uncontrolled process step |
Pull likelihood evidence from four sources, not one. Your own deviation logs and CAPA records are a start, but must be triangulated with the FDA Recalls, Market Withdrawals & Safety Alerts database, the USDA FSIS Recalls and Public Health Alerts page, and CDC’s FoodNet surveillance reports. Supplier SQF/BRCGS audit findings round out the picture for inbound materials.
Building Your 5×5 HACCP Risk Assessment Matrix Step by Step
Scoring anchors in place, we can assemble the matrix itself. The 5×5 risk matrix format – five severity levels against five likelihood levels – is the industry workhorse because it balances resolution against decision fatigue.
Below is the exact grid we recommend for US food manufacturers in 2026, with four action bands tuned to FSMA preventive-controls logic.
Figure 3. A 5×5 HACCP risk assessment matrix with four action bands.
Action bands that tie the score to a specific decision
| Score range | Band | Required action | Owner |
| 1-4 | Low | Manage through GMPs and prerequisite programs. Document rationale; no CCP required. | HACCP team lead |
| 5-9 | Medium | Operational prerequisite program (OPRP) or enhanced monitoring. Quarterly review. | QA manager |
| 10-16 | High | CCP or FSMA preventive control with critical limit, monitoring, verification, corrective action. Monthly KPI review. | Plant manager + QA director |
| 20-25 | Extreme | Reformulate, redesign, or halt. No production until residual risk returns to High or below with documented justification. | VP Operations + CEO sign-off |
A worked example. You’re manufacturing refrigerated ready-to-eat chicken salad. Hazard: Listeria monocytogenes post-cook contamination. Severity: 5 (catastrophic – RTE, no kill step). Likelihood: 4 (likely – based on FDA recall frequency for the category and a documented Listeria finding in environmental monitoring last year).
Score: 20. Band: Extreme. Action: Cannot ship until engineering controls (sanitary design review, hygienic zoning, Listeria-specific sanitation validation) move the likelihood score to 2 or lower, bringing the total to 10 (High).
A CCP then governs the residual risk through environmental monitoring with corrective actions defined under FSMA 21 CFR 117.135.
Mapping Your HACCP Risk Assessment Matrix to FSMA, FSIS, and Codex
The same matrix has to satisfy multiple regulators, and they don’t use identical vocabulary. The good news: once your severity and likelihood anchors are solid, mapping is mostly translation.
For the enterprise view that sits above all of these frameworks, see our guide to ISO 31000 risk management and how it interacts with the COSO ERM framework.
| Framework | What it calls the matrix output | Where the score lives | Key reference |
| FDA FSMA (21 CFR 117) | Hazard analysis with ‘known or reasonably foreseeable’ hazards | Food Safety Plan, Preventive Controls section | FSMA final rule, 2015 (updated 2024) |
| USDA FSIS (9 CFR 417) | Hazard analysis, reasonably likely to occur | HACCP Plan, CCP decision logic | FSIS HACCP guidance, 2025 update |
| Codex CXC 1-1969 (2023) | Hazard analysis, significant hazard | HACCP Plan Form 2 | FAO/WHO Codex General Principles of Food Hygiene |
| ISO 22000:2018 | Hazard assessment, significance | Clause 8.5.2 | ISO 22000:2018 standard |
| GFSI schemes (SQF, BRCGS, FSSC) | Hazard analysis and risk assessment | HACCP module of audit | GFSI benchmarking requirements v2024 |
One HACCP risk assessment matrix with four action bands is enough to feed all five frameworks if – and only if – your severity anchors cover the worst-case categories (Listeria, allergens, botulinum, heavy metals, mycotoxins) and your likelihood anchors pull from public recall and surveillance data, not just internal history.
The logic translates across industries as well – the same discipline underpins risk assessment in construction, where severity is measured in lives and likelihood in incident rates.
Why 2025 Was a Wake-Up Call for Weak Matrices
Regulators are not waiting for the next outbreak. Per the USDA FSIS Constituent Update of June 27, 2025, FSIS took 103 enforcement actions in the first part of 2025 – a 36% jump over 2024 – and retrained more than 5,200 inspection personnel on Public Health Regulations and Listeria control measures.
Two new generic egg-products HACCP models were published the same year. If your HACCP risk assessment matrix was last refreshed before that wave of verification, assume your next inspection will test it harder than the last one did.
Set a risk appetite statement at the board level that explicitly references ‘zero tolerance for RTE Listeria’ so plant-level decisions stay aligned.
Figure 4. FSIS tightened the screws in 2025 – weak HACCP matrices are now audit magnets.
The Cost of Getting It Wrong: Why the Matrix Pays for Itself
Skeptical executives want a dollar number. The Journal of Food Protection recall cost review (2024) puts median direct recall costs per firm at $3.0M to $72.7M for producers, $0.1M to $3.1M for non-restaurant retailers, and up to $2.3M for shippers and distributors. Indirect costs – lost shelf space, canceled contracts, litigation, brand erosion – typically run 5 to 10 times higher. Industry studies cluster the total average cost of a single US recall at around $10 million direct plus a 5-10x indirect multiplier.
Figure 5. Median direct recall cost ranges by firm type. Upper-median events alone can exceed annual food safety budgets by an order of magnitude.
Run the math against a mature HACCP risk assessment matrix program. Annual cost – including software, training, external validation, and extra lab work – rarely exceeds $250K for a mid-size plant.
A single prevented recall at the median direct cost delivers a 12x return before indirect costs. That return-on-control logic is the same argument we make for enterprise risk management investment at board level: you are not paying for the matrix; you are paying for the cost of your next recall, with or without one.
Where HACCP Risk Assessment Matrices Go Wrong – And the Fixes That Work
We’ve audited dozens of matrices across meat, poultry, dairy, produce, and ready-to-eat processors through our risk assessment consulting services. The same seven failure modes show up with uncomfortable frequency.
| Pitfall | Root cause | Remedy |
| Everything scores ‘Medium’ | Severity and likelihood scales not anchored to outcomes or data | Anchor each level with a numerical definition and an example from CDC/FDA data |
| Allergens treated as low severity | Team treats allergens as a labeling issue, not a safety hazard | Hard-code Top 9 allergens to a minimum Severity 4 for undeclared exposure |
| Matrix never refreshed | No trigger or owner for review | Codex CXC 1-1969 mandates review at defined intervals and on change; assign a named owner and a quarterly cadence |
| Likelihood based only on internal history | Small-N survivorship bias | Require triangulation with FDA/FSIS recall databases and FoodNet data |
| No action bands | Score is calculated but nothing happens below a threshold | Bind each band to a specific action, owner, and review cadence (see 5×5 table above) |
| CCPs and OPRPs not distinguished | Team conflates significant hazards with those controllable by prerequisites alone | Use the Codex decision tree plus your action bands to separate CCPs (High/Extreme) from OPRPs (Medium) |
| Matrix lives in one person’s head | Knowledge not institutionalized | Version-controlled spreadsheet or software, reviewed by multidisciplinary HACCP team, signed off by QA director |
Your First 90 Days: From Assessment to Activation
A credible HACCP risk assessment matrix does not need a 12-month consulting engagement.
You can have a defensible 5×5 live in 90 days with the following phased plan. If your team is new to structured risk scoring, walk through our general risk assessment process guide before Day 1.
| Phase | Days | Actions | Deliverables | Success metric |
| Phase 1: Assess | 1-30 | Gather hazards across process flow; pull CDC, FDA, FSIS, and own recall/deviation data; draft severity and likelihood anchors; benchmark peer matrices | Hazard inventory; anchor definitions; data pack | 100% of steps in process flow assessed; 4+ external data sources integrated |
| Phase 2: Build | 31-60 | Populate matrix with scores; validate with cross-functional team; map action bands; align with FSMA/FSIS/Codex | Completed 5×5 matrix; action-band register; regulatory crosswalk | Every hazard has a score, a band, and an owner; zero scores without evidence |
| Phase 3: Activate | 61-90 | Embed CCPs/OPRPs in HACCP plan; train line and QA staff; schedule reviews; wire KRIs to the board pack | Updated HACCP plan; training records; KRI dashboard | 100% of High/Extreme risks on a CCP/OPRP; board-level KRI dashboard live |
Figure 6. Residual risk declines fastest when the HACCP risk assessment matrix moves from Ad hoc to Managed within the first 6 months.
Turning the Matrix Into KRIs the Board Will Actually Read
A HACCP risk assessment matrix is only as useful as the signal it sends upward. Pair it with four key risk indicators and you’ve built the bridge from plant floor to board pack.
| KRI | Definition | Threshold (green / amber / red) | Owner |
| % hazards in High/Extreme band | Residual score >=10 after controls | <5% / 5-10% / >10% | QA director |
| CCP deviation rate | Deviations per 10,000 production units | <2 / 2-5 / >5 | Plant manager |
| Environmental monitoring positives (Listeria spp.) | % of Zone 2/3 swabs positive | <2% / 2-5% / >5% | QA manager |
| Open CAPAs >30 days | Count of overdue corrective actions tied to HACCP findings | 0 / 1-3 / >3 | HACCP team lead |
The Next Wave: Trends Your HACCP Risk Assessment Matrix Cannot Ignore
Three shifts are reshaping what a credible HACCP risk assessment matrix has to do between now and 2028. Ignore them and your 2026 matrix will be a 2020 matrix by the time the next FSIS visit arrives.
First, whole-genome sequencing and traceability are collapsing the gap between an outbreak and a plant-level attribution. CDC’s PulseNet and FDA’s GenomeTrakr have made it faster to trace a clinical isolate back to a specific line on a specific shift.
That changes your likelihood scoring – historical opacity is no longer a shield. Every positive environmental monitoring result needs to be treated as a near-miss that feeds the matrix.
Second, FSMA traceability for high-risk foods (21 CFR Part 204) comes into full enforcement in 2026, adding Key Data Elements and Critical Tracking Events for products on the Food Traceability List.
Your matrix needs a new column: traceability gap, scored on its own severity/likelihood basis, because a hazard you cannot trace is a recall you cannot contain.
Third, climate-driven hazards are pushing likelihood scores upward for categories most teams still treat as stable.
Mycotoxin occurrence in maize, Vibrio in shellfish, and heat-related pathogen growth in cold-chain breakdowns are all moving in the wrong direction. Refresh likelihood anchors annually against FAO, WHO, and NOAA climate-food-safety reports, not every five years.
The Bottom Line
A HACCP risk assessment matrix is not paperwork. It is the scoring engine that decides which hazards get a CCP, which get an OPRP, and which you are – on the record – willing to accept.
In a US food safety environment where CDC counts 10 million illnesses and FSIS enforcement is up 36% year over year, the matrix is the single most leveraged document in your food safety plan.
Build it against outcome-anchored severity and data-anchored likelihood. Bind every score to an action band with a named owner.
Refresh it quarterly and after every recall in your category. Wire its output into KRIs your board will read. Do that, and the next FSIS visit becomes a progress review, not an enforcement event.
What, So What, Now What
What: A 5×5 HACCP risk assessment matrix anchored to outcomes and data is the fastest way to bring a US food safety program into compliance with FSMA, FSIS, and Codex expectations.
So what: Weak matrices are now the single most common trigger for FSIS enforcement actions and GFSI major nonconformities, and the direct cost of a single preventable recall dwarfs the total program investment.
Now what: Run the 90-day roadmap above. Ask your QA director two questions by Friday: (1) when was the matrix last refreshed, and (2) how many hazards are scored High or Extreme without a CCP or OPRP behind them? If either answer is uncomfortable, you have your project charter.
Need a template, a second pair of eyes, or a full implementation partner? Talk to our food safety team or read our related pieces on foreign material risk assessment, hazard and risk assessment definitions, qualitative risk assessment methods, risk assessment matrix templates, 5×5 risk matrix, risk appetite and tolerance, key risk indicators, ISO 31000 overview, COSO ERM framework, ISO 22000 food safety management, enterprise risk management for food manufacturers, construction risk assessment parallels, our risk assessment consulting services, quantitative vs qualitative risk, and Monte Carlo in risk analysis.
References and Authority Sources
1. CDC Food Safety – Burden of Foodborne Illness in the US
2. US GAO – Food Safety: Status of Foodborne Illness in the US (GAO-25-107606)
3. FDA – HACCP Principles and Application Guidelines (NACMCF)
4. FDA – Food Safety Modernization Act (FSMA) Overview
5. FDA-TRACK – Preventive Controls and CGMP Measures
6. FDA – Recalls, Market Withdrawals & Safety Alerts database
8. USDA FSIS Constituent Update, June 27 2025
9. USDA FSIS – Recalls and Public Health Alerts
10. USDA ERS – Cost Estimates of Foodborne Illnesses
11. CDC FoodNet – Preliminary Surveillance Data
12. FAO/WHO Codex Alimentarius – General Principles of Food Hygiene, CXC 1-1969 (2023)
13. Journal of Food Protection – An Analysis of Food Recalls in the US, 2002-2023
14. Journal of Food Protection – Costs of Overly Broad Recalls (2025)
15. Food Safety Magazine – Recall: The Food Industry’s Biggest Threat to Profitability
16. ISO 22000:2018 – Food Safety Management Systems
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.