
Why Auditing by Risk is the Most Meaningful Approach

Tim Keane

When we consider any process, it will contain risks of various kinds. They can be risks of a quality, safety, environmental, or financial nature, each type affecting a different stakeholder. However, for many, the audit approach does not reflect this fact.

Yet the operational standards we tend to be most familiar with (namely ISO 9001 for Quality, ISO 14001 for Environment and AS 4801 for Safety) are each actually risk-based!

For Quality, ISO 9001 is basically a list of all the kinds of risk controls that might be relevant in any organisation. It is up to us to work out where those controls should be applied, and to what extent, based on understanding the risks in the process.

For Environment, ISO 14001 tells us to first identify all the kinds of environmental risks that might exist, and then to rate them according to the impact they actually have, or are likely to have. Based on this ranking, an environmental plan can be established to control the risks and improve environmental outcomes.

For Safety, AS 4801 tells us to identify the hazards that exist in the workplace, then to evaluate the risks and, from this, apply a series of controls (the “Hierarchy of Controls”) to mitigate them.

Of course, risk is measured in terms of probability (likelihood) and consequence: how likely is the event to occur, and what would happen if it did occur?

So, taking a simple example, say goods falling off the back of a truck, we can assess the consequences for each stakeholder.

  • The quality consequence is that goods are damaged and will not be delivered on time.
  • The safety consequence is that a person may be injured.
  • The environmental consequence may be that dangerous goods are spilled and not contained.
  • The financial consequence will be the loss of value of the goods.

Depending on the situation, the location and the nature of the goods themselves, the level of risk across the financial, quality, safety and environment spectrum will differ.

Using the Risk Continuum, a special diagnostic tool used by Quality Award Partners®, we are able to show that because risks are embedded within the processes, the controls must be embedded within the Management Systems that control those processes. By doing so we typically reduce the likelihood, and also control the consequence, of the event occurring.

So it makes sense that when we audit, we shouldn’t focus on auditing to comply with the Standards without thinking of what the Standards are trying to guide us to achieve. We should be thinking of the risks and how the system works to control the risks – reducing both the likelihood and the consequences.

The definition of risk in AS 4360 is “anything that can have an impact upon objectives”. All processes have a purpose or objective. Risks within the processes can have an impact on our ability to achieve the process outcome or objective, such as in the example of goods falling off the back of the truck.

Therefore, when we conduct process audits we need to think about each of the process risks. First, consider how likely each is to happen, and what the consequences would be if it did. Then seek to confirm that appropriate control measures are in place to ensure that risk intensity is minimised.

Typically, control measures are embedded in the documented procedures. They can also include other aspects of a well-functioning organisation. In the context of audit we need to confirm that:

  • trained and competent people are operating the process,
  • there is adequate supervision within the process,
  • any automated controls within the IT system are effective,
  • the nature of measurement, testing, inspection and cross-checking is appropriate,
  • the levels of organisational knowledge brought to bear within the process are maintained, and
  • the kinds of reviews that happen are effective in assuring due diligence.

That is why the definition of audit (in ISO 9000:2000) was changed from “obtaining objective evidence and evaluating it”, to “obtaining evidence and evaluating it effectively”: we need to consider the system and its interactions as a whole in order to make effective judgements.

There are many kinds of objective and subjective evidence that need to be reviewed. When auditing by risk we therefore need to identify what the risks are and how the system controls reduce the likelihood. If the likelihood is still unacceptably high, we need to confirm that the system reduces the consequences by placing controls in other areas of the risk continuum. These can include warnings, immediate actions for containment, and planned recovery approaches. This, for example, is the basis of disaster and contingency planning, which is actually part of the TS 16949 specification for automotive, and is implied in the preventive action approach of ISO 9001.

The challenge for auditors, of course, is to make sure that there is actually a real risk, and to correctly evaluate its magnitude. To do this it is important to engage the auditee in discussing and reporting in terms of the system and its control of risk. This helps greatly with their engagement and their perception of the value of the audit.

Sometimes we encounter activities which don’t contain risks. Over time they may have been risk-proofed by the development of automated controls; an example is the many purchasing systems that have moved from manual to computer-based approaches over the years. On the other hand, the activity may be redundant, unnecessary or wasteful. The risk-based audit approach is very effective in highlighting this.

Finally, in our audit planning we should be informed and guided by the risk profile of the organisation. Processes which are inherently more risk-intensive typically require more frequent audit. That is what the standards want us to do. And after all, it makes sense to do it this way, doesn’t it?

Quality Award Partners® Positive Audit® technique provides a robust, risk based behavioural approach to audit, based on proven theories of human behaviour. Call us to find out how this can revolutionise your approach to audit.


©2006 Quality Award Partners® Pty Ltd. All rights reserved
