Porticus AI

Food Safety

You've Written Your HACCP Plan. But Does It Actually Comply?

James Bayly
HACCP, RMP, Food Safety, Programme Alignment

Most food businesses assume their HACCP plan, RMP, or food safety programme meets the legislation and standards it needs to. Many are wrong, not because the plan is badly written, but because nobody has ever formally compared it against the parent requirements it is supposed to satisfy. Here is why that matters, and how to close the gap.


Writing a food safety plan is hard work. Whether it is a HACCP plan for a food manufacturer, a Risk Management Programme under the Food Act 2014, or a full food safety programme built to BRC or FSSC 22000, the process of documenting hazard analysis, critical control points, prerequisite programmes, and corrective action procedures takes months of careful effort from people who understand the operation intimately.

When that plan is finished and rolled out across the business, it represents a significant investment. The team knows it. The procedures are posted on the wall. The records are being kept. There is a reasonable confidence that the business is doing what it needs to do.

That confidence is often misplaced, not because the plan is wrong in an obvious way, but because writing a food safety plan and verifying that it satisfies the specific requirements of the legislation, certification standard, or export programme it needs to comply with are two different activities, and most businesses only do the first one.

The second activity, formally comparing a food safety programme against the parent requirements it is supposed to meet, rarely happens in a systematic way. It happens informally, through the experience of the person who wrote the plan. It happens reactively, when an auditor raises a nonconformance. It occasionally happens through an expensive consultant review. It almost never happens automatically, comprehensively, and in plain language that tells both the food safety manager and the operations director exactly where the programme stands.

A food safety plan that has never been formally compared against its parent legislation or certification standard is a plan with unknown compliance status. The team's confidence in it is based on effort. Auditors do not assess effort. They assess coverage.


The Gap Between Writing a Plan and Satisfying a Standard

A HACCP plan, an RMP, or a broader food safety programme is a document that describes how a specific business manages food safety risks in its specific operation. It is inherently particular: written for a specific site, specific products, specific processes, and specific hazards.

The legislation and standards it needs to comply with are general. The Food Act 2014 and its associated regulations set out principles and minimum requirements that apply across the entire food industry. ISO 22000 and FSSC 22000 define requirements that apply to any food business seeking certification, regardless of size, product type, or geography. BRC Issue 9 establishes criteria against which any food manufacturer can be assessed.

Translating general requirements into a specific programme, and then confirming that the specific programme actually satisfies the general requirements, requires a formal mapping exercise. Every clause of the parent standard needs to be traced to a specific element of the business's programme. Every element of the programme needs to be assessed against the clauses it is intended to satisfy.

This is not something that happens automatically when a plan is written. It is a separate analytical task, and it is the task that most food businesses skip.


What Gets Missed

The gaps and misalignments that a formal comparison reveals tend to fall into recognisable patterns.

Genuine gaps are the most straightforward: requirements in the parent standard that the business's programme simply does not address. This can happen because the person writing the plan was not aware of a specific clause, because the clause was added in a recent revision of the standard, or because the clause applies to a part of the operation that was not considered during the plan development process.

A common example in RMP development is the requirement for documented supplier approval processes. The Food Act regulations require that food businesses manage risks associated with incoming materials. Many RMPs address hazards at the point of receipt but do not include a formal documented process for assessing and approving suppliers.

Conflicts are less common but more serious. A conflict occurs when something in the business's programme actively contradicts a requirement in the parent standard. A critical limit that is less stringent than the minimum required by the applicable standard is a conflict. A training requirement in the plan that falls short of the competency standard required by the certification scheme is a conflict.

Conflicts at high severity - a CCP critical limit below the regulatory minimum, for example - represent genuine food safety risk, not just audit risk. They are the category of misalignment that matters most to fix before product moves rather than after an auditor visits.

Partial coverage is the most pervasive category, and the hardest to identify without formal mapping. Partial coverage occurs when the business's programme addresses a requirement but not completely. The clause is touched, but not fully satisfied. The procedure exists, but it does not cover all the scenarios the standard requires. The record is kept, but it does not capture all the information the certification scheme needs to see.

Partial coverage is particularly common at the interface between a business's own food safety programme and the export requirements or customer certification schemes layered on top of it. A HACCP plan that satisfies the Food Act requirements may only partially satisfy FSSC 22000 clause 8.5.2, which has more specific requirements for hazard analysis methodology. The plan covers the territory but not to the depth the certification standard requires.

Exceeded requirements are worth knowing about too. When a business's programme goes beyond what the parent standard requires (more frequent monitoring than the standard mandates, more detailed records than the certification scheme requires), it represents extra cost to the business.


How Programme Alignment Works

Porticus Programme Alignment is built specifically for this comparison. It takes a food safety programme (a HACCP plan, an RMP, or a broader food safety management system) and formally maps it against one or more parent standards, producing a structured alignment report that covers the four categories of finding described above: genuine gaps, conflicts, partial coverage, and exceeded requirements.

The output is not a pass or fail. It is a detailed, structured map of the relationship between the business's programme and the standards it needs to satisfy - something that previously required either a highly experienced auditor to produce manually or an expensive consultant engagement to commission.


The Difference Between a Good Plan and a Compliant One

A well-written food safety plan reflects genuine expertise about a specific operation. The person who wrote it knows the product, the process, the hazards, and the controls. The plan is operationally sound.

But operational soundness and regulatory compliance are not the same thing. A plan can be operationally excellent and still have gaps against the specific clause requirements of the certification scheme or legislation it needs to satisfy. It can be comprehensive in its coverage of genuine food safety risks and still fail to address a procedural requirement that the standard mandates. It can be technically correct and still use wording or documentation formats that an auditor assessing against the standard's specific requirements would find insufficient.

The gap between a good plan and a compliant one is not always large. In many cases it is a handful of specific items that need to be added, clarified, or strengthened. But it is almost always present when a formal comparison has never been done, because writing a plan to satisfy an operation and writing a plan to satisfy a standard are slightly different tasks that require slightly different thinking.

Knowing exactly where that gap is, in specific terms, before the auditor arrives is the difference between an audit that confirms what you already knew and an audit that surfaces what you did not.

Porticus helps close these gaps.

About Porticus AI

Porticus AI is a universal compliance platform built for the compliance and operations leaders managing multiple frameworks at once. Our cross-domain intelligence engine identifies where your compliance obligations overlap and eliminates 40-60% of redundant work. One platform for workplace safety, food safety, environmental, quality management, cybersecurity, and employment law.
