How-To Guide

How to Identify Food Safety Risks in Your Business

Step-by-step guide to identifying and assessing food safety risks in hospitality. Covers hazard categorisation, risk matrices, biological/chemical/physical/allergen hazards, and building a risk register.

Estimated time: 3 hours

Every food business operates with inherent risks. Raw meat carries Salmonella and Campylobacter. Cleaning chemicals can contaminate food surfaces. Broken glass can end up in a meal. Allergens can cause anaphylaxis within minutes. The difference between a business with a strong food safety record and one facing enforcement action often comes down to whether those risks were identified, assessed, and controlled before they caused harm, or only recognised after the damage was done.

Under EC Regulation 852/2004, food business operators must identify food safety hazards and implement controls proportionate to the risks. The HACCP principles (as defined by the Codex Alimentarius Commission) provide the internationally recognised framework for systematic hazard identification: categorising hazards as biological, chemical, physical, or allergenic, and assessing each in terms of likelihood and severity. The Food Safety Act 1990 further requires that food placed on the market is safe, and businesses that fail to identify foreseeable risks can face unlimited fines and criminal prosecution.

This guide takes you through a structured approach to identifying food safety risks specific to your operation, categorising them correctly, assessing their significance, and building a documented risk register that supports your HACCP plan and demonstrates due diligence to inspectors.

Step by Step

5 steps to complete

Map your entire food operation

Start by creating a process flow diagram that traces the journey of food through your business from delivery to service. Include every stage: goods receipt, dry storage, refrigerated storage, frozen storage, thawing, preparation, cooking, cooling, reheating, hot-holding, cold-holding, and service. Do not overlook support processes that affect food safety: cleaning, waste disposal, handwashing, equipment maintenance, and pest control. Walk through your premises physically and observe each process as it happens during a real service. What you observe in practice often differs from what you assume happens. Document the flow for each major category of food you handle: raw meat, raw fish, ready-to-eat foods, fresh produce, bakery items, and allergen-containing ingredients.

Categorise hazard types at each process step

At each step in your process flow, systematically identify the four categories of food safety hazard. Biological hazards include pathogenic bacteria (Salmonella, E. coli O157, Listeria monocytogenes, Campylobacter, Clostridium perfringens, Bacillus cereus, Staphylococcus aureus), viruses (norovirus, hepatitis A), parasites, and moulds that produce mycotoxins. Chemical hazards include cleaning product residues, pest control chemicals, naturally occurring toxins (such as solanine in potatoes or scombrotoxin in fish), heavy metals, and undeclared allergens resulting from cross-contamination. Physical hazards include glass, metal fragments, bone, stones, plastic, hair, plasters, staples, and pest droppings. Allergen hazards cover the 14 major allergens specified in UK law (Annex II of EU FIC Regulation 1169/2011): celery, cereals containing gluten, crustaceans, eggs, fish, lupin, milk, molluscs, mustard, nuts, peanuts, sesame, soya, and sulphur dioxide.

Assess the likelihood and severity of each hazard

For each identified hazard, evaluate two dimensions: how likely is it to occur (considering your current controls, premises, and practices), and how severe would the consequences be if it did occur. Use a simple scoring system. For likelihood: 1 (rare), 2 (unlikely), 3 (possible), 4 (likely), 5 (almost certain). For severity: 1 (negligible), 2 (minor illness), 3 (moderate illness requiring medical attention), 4 (serious illness or hospitalisation), 5 (life-threatening or fatal). Multiply likelihood by severity to get a risk score. A hazard with low likelihood but extremely high severity (such as an anaphylactic allergen reaction) still demands robust controls. Conversely, a high-likelihood but low-severity hazard (such as a minor quality defect) may require less intensive management.

Prioritise risks using a risk matrix

Plot your hazards on a risk matrix (likelihood on one axis, severity on the other) to visualise which risks demand the most attention. Risks scoring 15 to 25 are critical and require immediate, robust controls (these are likely your CCPs under HACCP). Risks scoring 8 to 14 are significant and need documented control measures and regular monitoring. Risks scoring 1 to 7 are lower priority but still need to be managed through prerequisite programmes (general hygiene practices). This prioritisation ensures you allocate your time, training, and monitoring effort where it makes the greatest difference to food safety, rather than spreading resources equally across all hazards regardless of their significance.

Document your risk register

Create a structured risk register that records every identified hazard, the process step where it occurs, its category (biological, chemical, physical, allergen), the likelihood and severity scores, the overall risk rating, the control measures in place to manage it, who is responsible for each control, and how often the control is monitored. Your risk register is a living document that feeds directly into your HACCP plan. Each high-priority risk should correspond to a CCP with defined critical limits, monitoring procedures, and corrective actions. The risk register also serves as evidence of due diligence for your local authority inspector and demonstrates that you have systematically considered the hazards in your operation rather than relying on general assumptions.

Expert Advice

Tips for success

Involve your kitchen team in the hazard identification process. The people who handle food every day are the most likely to spot risks that a desk-based analysis would miss, such as a prep surface where raw and cooked foods are routinely placed in quick succession.

Review your food safety incident records, customer complaints, and near-miss reports as part of the hazard identification process. Historical data from your own operation is the most relevant evidence of where your risks actually lie.

Pay special attention to the interfaces between process steps. The handover from one stage to another (for example, from cooking to cooling, or from preparation to service) is often where controls break down and hazards materialise.

Update your risk assessment whenever you change your menu, suppliers, equipment, premises layout, or staffing structure. A risk register that was accurate six months ago may not reflect your current operation.

Consider seasonal risks. Summer temperatures increase the likelihood of temperature abuse during deliveries and storage. Christmas party season increases volume and pressure, raising the risk of cross-contamination and allergen incidents.

Watch Out

Common mistakes to avoid

Focusing only on biological hazards and neglecting chemical, physical, and allergen risks

A comprehensive food safety risk assessment must cover all four hazard categories. Allergen incidents are one of the leading causes of food safety enforcement action in the UK, and physical contamination (glass, metal) can cause serious injury. Do not treat biological hazards as the only category worth assessing.

Assessing risks based on what should happen rather than what actually happens

Your risk assessment must reflect reality, not aspiration. If your procedure says raw and cooked foods are always stored separately but in practice the fridge is overloaded and separation is inconsistent, your risk assessment must account for the actual situation. Observe real practices during a busy service before scoring likelihood.

Creating a risk register once and filing it away

A risk register is only useful if it is reviewed and updated regularly. Schedule formal reviews at least every six months and after any significant change to your operation. An outdated risk register gives a false sense of security and will not impress an inspector.

FAQ

Frequently asked questions

What is the difference between a hazard and a risk in food safety?

A hazard is anything with the potential to cause harm to the consumer: a bacterium, a chemical, a physical contaminant, or an allergen. A risk is the likelihood of that hazard actually causing harm, combined with the severity of the consequences. For example, Salmonella in raw chicken is a hazard. The risk depends on your cooking controls: if you consistently cook chicken to 75°C core temperature, the risk is low. If your cooking process is unreliable, the risk is high. HACCP focuses on managing risks by controlling hazards at critical points in the process.

How many hazards should I identify for a small food business?

There is no target number, but a thorough assessment for a small restaurant typically identifies 15 to 30 specific hazards across all four categories and all process steps. If you have identified fewer than ten, you may not have been thorough enough. If you have identified more than 50, you may be listing every theoretical possibility rather than focusing on hazards that are realistically present in your operation. Focus on hazards that are relevant to your specific menu, processes, and premises.

Do I need a formal risk assessment if I already have a HACCP plan?

Hazard identification and risk assessment are integral parts of the HACCP process (Principle 1). If your HACCP plan includes a thorough hazard analysis with documented risk assessments for each identified hazard, you do not need a separate risk assessment for the same hazards. However, your HACCP plan may not cover all food safety risks in your business, such as structural hazards, pest-related risks, or risks from non-food operations that could affect food safety. A broader risk register can complement your HACCP plan by capturing these additional risks.

What are the 14 major allergens I must consider?

Under UK law (retained from EU Regulation 1169/2011), the 14 allergens that must be declared are: celery, cereals containing gluten (wheat, rye, barley, oats), crustaceans, eggs, fish, lupin, milk, molluscs, mustard, tree nuts (almonds, hazelnuts, walnuts, cashews, pecans, Brazil nuts, pistachios, macadamia nuts), peanuts, sesame, soya, and sulphur dioxide/sulphites (at concentrations above 10mg/kg or 10mg/litre). These must be identified in your risk assessment wherever they are present in your ingredients, recipes, or as potential cross-contaminants during preparation and storage.

Ready to simplify compliance?

Paddl automates the processes described in this guide. Digital records, automatic alerts, and complete audit trails for your hospitality business.

Start Free Trial View Features

Full access to all features · Dedicated onboarding support · Cancel anytime