Adapt to Today’s Risk Based Environment
by Hank Lindborg
Not long ago, during a discussion about innovation, a nontraditional student of mine told me that if my ideas were more than 18 months old, they were probably out of date.
Her successful experience in mining innovation and applying lessons learned in new situations—sometimes for new employers—prepared her for continual change in her profession. She’s what I call an “adaptive professional,” one whose practices include understanding an established body of knowledge, membership in professional associations and gaining professional certifications.
Rather than becoming disoriented in new environments, adaptive professionals develop a career path of deepening engagement.
Professions themselves often evolve, spiraling in new directions that require vision grounded in clearly defined frameworks and competencies. The intersections of auditing and areas such as risk management, social responsibility and education are examples.
The most dramatic example is risk, the topic of this column, for which I interviewed Greg Hutchins, another regular “Career Corner” columnist. In future QP “Career Corner” columns, I plan to report conversations with thought leaders on values, ethics and education.
Risk Based Assessments
Hutchins, a consultant with Quality Plus Engineering in Portland, OR, is also the author of many books and articles on quality, including the Standard Manual of Quality Auditing [1]. As the developer of risk based Value Added Auditing, a term which he has registered as a service mark, he offers insight into how new challenges require both adaptation and rigorous preparation.
“Value Added Auditing is a risk control method for managing, planning, conducting and reporting performance, operational, homeland security and forensics audits,” Hutchins says. “More clients want higher levels of operational assurance and attestation than provided by an ISO 9001 systems audit.”
Hutchins notes that the Sarbanes-Oxley (SOX) Act of 2002, which requires the CEO and CFO to personally certify their responsibility for internal controls and for disclosure to mitigate financial risk, has migrated to information systems so that adequate security controls exist to prevent the theft or corruption of data.
“Overall, after the 9-11 attacks, companies have required higher levels of assurance, assessment and reporting using technology subject matter experts.”
Hutchins points out that companies are looking for the same level of due diligence for operational, IT, and security assessments as they get from CPAs during financial audits.
What’s in it for You?
How relevant is such an approach to quality professionals today? Hutchins notes that as companies demand more than checklists, the International Organization for Standardization (ISO) has developed new security standards, such as the ISO 28000 series (supply chain security) and the ISO 27000 series (information security).
“Quality auditors and operational auditors need to understand how to conduct these assessments if they want to expand their career opportunities,” says Hutchins. SOX is a statutory requirement, he adds, while an ISO 9001 audit might be contractual or voluntary.
“For this reason, ISO auditors have to pay attention,” Hutchins says. “ISO 9001 audits may go to a first, second or third level manager. SOX internal and operational audits go to the board of directors.”
So, Hutchins explains, as the level of risk to corporations and governments increases, audits become central to survival. More is required of auditors, who must be prepared technically and interpersonally to deal with top management and boards.
Hutchins lists five advantages of audits that add value:
- The approach complies with many federal and state assurance and auditing statutes and standards.
- They can be used for in-depth forensics analysis.
- They follow a risk based and process approach.
- They can be used for a high level of operational assurance and investigation, if required.
- They can be used for homeland security and other high level due care and due proficiency assessments.
Who now performs such audits? Hutchins says his consultancy employs engineers and scientists to conduct operational assessments for a range of clients, but he expects his framework to have broad influence.
“All quality organizations and auditors must demonstrate value,” he says. “Audits that add value are a natural extension of quality and ISO 9001 auditing. You can see that more ISO standards are moving in this direction. Quality departments and organizations will soon be moving to risk management and risk assessments.”
Lessons for Adaptive Individuals
To prepare yourself to take advantage of this change in quality and quality auditing, here are some tips:
- Focus on company or client needs during times of change. Hutchins took his knowledge of audit systems and harmonized it with growing demands for risk control.
- Learn to provide greater assurance through rigorous competencies. In his final active years in quality, Joseph Juran encouraged quality professionals to “look to finance” for performance models. Hutchins likens the due diligence of Value Added Auditing to that of financial audits conducted by CPAs.
- Develop a value proposition. Philip Crosby measured the importance of quality in an organization by the management level attained by quality professionals. More recently, ASQ has focused on engaging top management in quality. Hutchins’ approach to risk gets the attention of CEOs and boards.
1. Greg Hutchins, Standard Manual of Quality Auditing, Prentice Hall, 1992.
HENRY J. LINDBORG is executive director and CEO of the National Institute for Quality Improvement, which provides consulting in strategic planning, organizational development and assessment. He holds a doctorate from the University of Wisconsin-Madison and teaches in a leadership and quality graduate program. Lindborg is past chair of ASQ’s Education Division and of the Education and Training Board.