How I Use the Food Safety Risks Template with Customers in Pilla

I'm Liam Jones, NEBOSH-qualified health and safety consultant, Level 3 Food Safety, and founder of Pilla. This is how I approach food safety risk identification in a food safety management system, based on close to twenty years in frontline operations and advising hundreds of businesses on compliance. You can email me directly; I read every email.

Most food safety management systems I review have a risk section. It's usually a page or two, copied from a template, listing the same five categories with the same generic wording. The business ticks the box, files it, and moves on. Then a new sous chef joins, starts prepping allergen-free meals at the same station as everything else, and nobody catches it because the risk policy was written for a different kitchen.

The document isn't the problem. The problem is that nobody sat down and asked what the actual risks are in this specific operation, with this layout, this menu, these customers, and this team. That's the part I focus on when I work with businesses, and it's what this article covers. I'll walk you through the five risk categories your policy needs to address, give you a template you can edit for your own setup, and flag the gaps I find most often.

Key Takeaways

  • What are food safety risks? Food safety risks are the specific hazards in your operation that could make a customer ill if not properly controlled. They fall into five categories: customer vulnerability, food types, untrained staff, visitors and contractors, and the operation itself
  • Why do you need a food safety risks policy? Regulation (EC) 852/2004 requires you to identify hazards and put controls in place. Your EHO expects to see that you've thought beyond the obvious risks and documented how you manage each one
  • How do you set it up in Pilla? Use the knowledge hub template below, edit it to match your operation, and share it with your team through the app so everyone has access and you can track who's read it
  • How do you automate the follow-up? Set up Poppi to chase staff who haven't acknowledged the policy and flag when it's due for review

Article Content

Understanding What's Required of You

Food safety risk identification is where your FSMS stops being a generic document and starts being yours. The law doesn't ask you to list every theoretical hazard in the food industry. It asks you to identify the hazards that exist in your operation and show that you've put controls in place for each one.

Regulation (EC) 852/2004 requires food business operators to identify any step in their activities that is critical to food safety and ensure adequate safety procedures are in place. In practice, that means working through five categories of risk: customer vulnerability, food types, untrained staff, visitors and contractors, and the operation itself. Your EHO will want to see that you've considered all five, not just the obvious ones.

The risks that catch businesses out are rarely the ones everyone knows about. Raw chicken cross-contamination gets talked about in every food hygiene course. But I've walked into kitchens where the chef had no idea that their cook-chill process created a separate set of risks, or that the elderly care home customers they were catering for changed their entire risk profile. One site I worked with had a vacuum packing operation running in a corner of the kitchen with no documented controls at all. The equipment was there, the staff knew how to use it, but nobody had assessed what could go wrong.

The five categories in the template cover the ground your EHO expects to see. Customer risks cover vulnerable groups: infants, the elderly, pregnant women, people with compromised immunity, and those with allergies or intolerances. Food risks cover everything from naturally high pathogen loads to spore-forming bacteria. Staff risks go beyond "lack of training" into lack of information, lack of supervision, and mismatches between someone's knowledge and their actual role. Visitor and contractor risks cover anyone entering your food environment without your training. And operational risks cover your layout, workflow, and catering techniques.

Senior managers, including executive chefs, head chefs, and food operations managers, are the ones responsible for working through these categories whenever any part of the FSMS is reviewed or changed. That includes identifying new controls, documenting everything, communicating changes to staff, and arranging extra training where needed.

Setting It Up as a Knowledge Hub Entry

I've built a food safety risks template in Pilla covering all five risk categories: customer vulnerability, food types, staff training gaps, visitors and contractors, and operational hazards. It gives your senior team a structured framework for identifying and recording the specific risks in your business.

In the knowledge hub, create a new entry and tag it with "Food Safety Management System". Use the same tag across all of your food safety policies so they are grouped together and Poppi can track them as a set. Assign the entry to all teams so that everyone in the business can access it.

The template is designed to be edited, not just filed. Each risk category needs to reflect your actual operation. If you cater for care homes, the customer vulnerability section should say so and explain how that shapes your controls. If you don't do vacuum packing or sous vide, remove those references from the operational risks section. If you've identified specific staff training gaps, name them. The EHO wants to see that someone has thought about this, not that you've pasted in a generic list.

Knowledge Hub Template·Specific Food Safety Risks

Specific food safety risks within the business

At our food businesses, the following food safety risks have been identified, senior food managers must consider these risks and apply appropriate controls to eliminate, control or mitigate these risks to ensure the safety of customers and clients.

  • Risks to different types of customer - these could be infants and young children, the elderly, pregnant ladies (and the unborn infant), people with low or compromised immunity and people who have food allergies and intolerances
  • Risks from different types of food - this could be because that particular type of food will have naturally occurring high levels of pathogenic bacteria, it could be that they are high protein, moist products and therefore will readily accept bacterial growth if contaminated, it could be the number of different stages that the food has undergone which could present a greater risk. Certain types of food are more vulnerable to other types of micro-organisms such as viruses, microscopic parasites, worms, mould, yeasts, natural toxins as well as toxins released by bacteria. Some bacteria can also form spores. Managers must understand these risks from different foods which may need some research as new foods are introduced into the offering
  • Risks from untrained staff - lack of information, lack of knowledge relative to their job role and lack of supervision, also not undertaking training commensurate with their work activities, not being trained in specifics such as allergen awareness, handwashing technique, correct cleaning and disinfection procedures, labelling procedures, how to use a probe correctly etc.
  • Risks from visitors, contractors, engineers, pest control etc. - and others who have not undertaken training and may be unaware of the good safety and hygiene procedures which are critical in a food environment
  • Risks from the food operation itself - and the type and style of catering employed by the business. Risks could come from a poor linear flow through the kitchen, ill-defined areas for unboxing, pot wash, storage, allergen free food preparation, risks of cross contamination. Some catering techniques will present further risks such as vacuum packing and sous vide, cook chill and cook freeze processes for example

Senior management including executive chefs, head chefs, food operations managers should identify all of these factors when reviewing, amending or editing any part of the FSMS, they must also identify any new control measures that will need to be implemented, everything must be documented and communicated to all staff, who may also require extra training and supervision.

This is a preview of the template. In Pilla, you can edit this to match your business.

What I'd want to see when reviewing this:

The most important thing is specificity. Each risk category in the template lists types of risk in general terms. Your job is to turn those into the actual risks present in your business. "Risks from different types of food" should become "we serve raw fish tartare, which carries parasite and bacterial risks, controlled by sourcing frozen-at-sea product and maintaining cold chain from delivery to plate." That level of detail is what separates a useful risk assessment from a filed-and-forgotten document.

The management responsibility section at the bottom ties everything together. Senior managers must review these risks whenever any part of the FSMS changes, whether that's a new menu item, a new supplier, a kitchen refurbishment, or a change in customer base. I'd want to see evidence that this actually happens: dated reviews, notes on what changed, records of staff communication.

Common mistakes I see:

The customer vulnerability section is usually too vague. Businesses write "we serve vulnerable customers" without specifying which vulnerable groups and what that means for their controls. If you cater for elderly residents, that's a different risk profile than a city centre bar. Name your customer groups and explain what extra controls you've put in place for each one.

The food risks section often lists the general categories but doesn't connect them to the actual menu. I want to see which specific foods on your menu fall into each risk category and what you do about it. "High-protein moist products" is a template phrase. "Our house-made mayonnaise uses raw egg and is stored at 3C with a 48-hour shelf life" is a risk assessment.

The staff training section rarely mentions the mismatch between someone's training level and their actual duties. A kitchen porter with Level 1 food hygiene covering a chef's prep station during a busy service is a risk. If that happens in your operation, it should be identified here with a control, whether that's additional training, restricted tasks, or closer supervision.

The visitor and contractor section is the one most often left generic. Businesses write "visitors must follow hygiene procedures" but don't say what those procedures are, who briefs visitors, or how contractors are supervised in food areas. If your pest control technician visits during prep, that's a specific risk that needs a specific control.

Automate the Follow-Up with Poppi

Writing the policy is one thing. Making sure your team has actually read it is another. Poppi can handle the chasing so you don't have to.

If you mark the knowledge hub entry as mandatory, Poppi will track who's read it and who hasn't. You can set up automations to chase staff who are behind, notify managers when someone completes the policy, and get a regular report showing where the gaps are.

Here are three automations I'd set up for any knowledge hub policy:

Overdue training reminders

Automatically chase team members who have mandatory policies they haven't read yet. Poppi sends the reminder so you don't have to.

Poppi
Poppi

Tom, you have 2 overdue policies to read and acknowledge

Video completion alerts

Get notified when a team member finishes reading or watching a policy, so you can track progress without chasing.

Poppi
Poppi

Emma has completed a mandatory policy

Training gap analysis

Get a regular AI report showing which team members are behind on mandatory policies and where the gaps are across your team.

Poppi
Poppi

Training Report: 87% team completion. Tom and Sarah behind on 2 mandatory policies, due 3 days ago.