ISO 9001:2015 formally adopts a more risk-based approach to quality management. This 3rd installment of Karen MacKenzie's 'The thing about auditing...' series looks at 7 ways in which risk-based audits can provide a good return on your investment of time and wages.
The thing about auditing is that it is risk-based. We audit what is important – what poses the greatest risk to the organisation. Just as you would at home in carrying out checks last thing at night, you check the most important areas – the areas of highest risk: the front door, the back door, the windows, that the electrics are switched off.
In the same way, we audit the key risks. If they haven’t been identified then it’s an excellent opportunity to do so, and determine some preventive action for them. Remember that corrective action fixes what has gone awry and prevents recurrence; but preventive action prevents occurrence in the first place.
So back to our auditor’s skilful questioning:
The essence of risk-based audit is therefore customer-focused, starting with the objectives of the activity being audited, moving on to the risks posed to the achievement of those objectives, and then to the procedures and processes in place to mitigate the risks. Risk-based audit is therefore an evolution rather than a revolution, although the results obtained can be revolutionary.
This is the approach adopted by more modern auditing, and it is based on evaluating systems and processes rather than departments or functions. The Systems-Based Audit (SBA) is a horizontal rather than vertical approach, auditing across the organisation and looking for the areas where there are inconsistencies, or interfaces where issues arise. Systems-based audit is therefore much less transaction-based than compliance audit; indeed the phrase ‘cradle to the grave’ is often used to describe it. To try it out, follow a small number of transactions through the system from start to finish and see if you can determine its effectiveness, for example its conformance with objectives and its ability to meet customer requirements.
Risk-based audit builds on this SBA approach, focusing on the areas of the highest risk to the organisation, and uses a different starting point: business objectives rather than controls. Of course, the audit itself is a risk-based activity – the auditor is risk assessing when sampling. If I examine 10% of a given set of records to obtain sufficient, valid, reliable evidence of conformance, my risk assessment as an auditor is that I am prepared to ‘risk’ that the other 90% unseen by me are likely conforming. ISO 19011:2011 provides very good information on sampling for new and/or aspiring auditors, and is never wasted on experienced auditors!
At the end of the day we are dealing with quality assurance, and an audit decision provides assurance on the degree of conformance with a set of audit criteria. When an organisation holds up its ISO 9001 certificate to the world, it hopes it is providing assurance of its ability to operate in accordance with the requirements of ISO 9001, and the audit tool is one of those used to provide that assurance. It’s so ‘value-adding’ because it can evaluate if the processes within the system are operating efficiently and effectively. It can show:
The identification of these things in itself leads to the solution to the problems. You can’t fix what you don’t know is broken and you can’t improve what you can’t measure. Moreover, you can’t decide what the most important priority is without identifying the consequences of not doing it – i.e. the risk!
The auditor as risk assessor definitely features heavily in the modern audit role. An independent assessment of how well the organisation is managing its threats is clearly a very significant and important role, and plays a significant part as a value-adding activity. Auditing is too much of an investment not to expect to get value added benefits back from it. It must:
To be a good risk-based auditor takes many attributes, not least confidence… The thing about auditing is the ability to manage other people’s insecurities, with confidence.
If you missed Karen's earlier articles in this series, you can view them here:
The Thing About Auditing - Communicating
4 Reasons why Auditor Standardisation Meetings are a 'No-Brainer'
2023 Update: SQMC continue to provide opportunities for individuals and private groups to update their Quality Auditor qualifications to the 2015 version of ISO 9001. Click here to view details of the course content, and book your place on the next dates while they're still available.