On the Lookout
Watching for risk is a growing part of an auditor’s duties
by J.P. Russell
Audit program managers have always dealt with risk in some manner. They’ve analyzed and evaluated risk, as well as monitored and reported it. Now, all of those activities are becoming a formal part of an audit program manager’s duties.
Risk has been integrated throughout the audit program management section of the ISO 19011 standard. The 2012 certified quality auditor body of knowledge (CQA BoK) includes guidance for managing risk, as well as the introduction of risk management tools.
It’s important to separate the job responsibilities into monitoring and reporting, and analyzing and evaluating. The two are performed using different cognitive levels, and require different knowledge and skills. Keeping them separate can help you better understand the job duties regarding risk management.
For the 2012 CQA BoK, the audit program should be evaluated relative to its performance regarding risk to the organization. For example, has the audit program contributed to lowering or maintaining risk levels? Does the audit program help ensure risk treatments are effective and that management controls are maintained to avoid unnecessary risks? The audit organization should determine metrics for monitoring and reporting its performance relative to risk.
The 2012 CQA BoK also states that an organization should analyze how the audit program affects its risk level and how the risk level can influence the scheduling of audits. If an organization has identified risks, there are levels of risk that can be described in financial and nonfinancial terms.
One of the most obvious risks is that an organization could lose its certification or license. Loss of license or certification could result in loss of revenue or shutting down operations. Processes more exposed to risk are more likely to be dangerous, hazardous, unsafe, costly or noncompliant, and thus should be audited more frequently than less-risky operations.
Clause 5.1 of ISO 19011 states that priority should be given to allocating the audit program resources to audit matters of significance within the management system. Matters of significance are high-level risks that need to be treated, including known hazards or costly consequences. This could be a type of risk-based auditing.
What you’re working toward
An audit organization must establish audit program objectives or goals. Whoever is responsible for managing the audit program should identify and evaluate the risks for the audit program. Clause 5.3.4 of ISO 19011 has identified specific risks that need to be managed. The risk aspects are:
- Failing to set relevant audit program objectives and determining the extent of the audit program (planning).
- Allowing insufficient time for developing the audit program or conducting an audit (resources).
- Having a team without the collective competence to conduct audits effectively (selection of the audit team).
- Ineffectively communicating the audit program (implementation).
- Failing to adequately protect audit records to demonstrate audit program effectiveness (records and their controls).
- Ineffective monitoring of audit program outcomes (monitoring, reviewing and improving the audit program).
ISO 31000 states that the risk management process involves establishing context and identifying, analyzing, evaluating and treating risk.1 In this case, the audit program manager is responsible for analyzing and evaluating risk, and must follow the risk management process steps or a similar model.
What’s your type?
The audit program schedule procedure should include considerations for risks when planning and scheduling audits for the organization.
There are audit program risks, such as those from clause 5.3.4 of ISO 19011 mentioned earlier. But there are many other risks that should be considered based on the type of the audit, audit history and nature of the organization being audited. Four audit process aspects to consider are:
- Criticality of the processes to be audited.
- Past audit performance.
- Changes in the processes or personnel.
- Maturity of the system.
ISO 19011 also requires that procedures include monitoring and reviewing audit program risks. The standard defines risk as the effect of uncertainty on objectives.2 The audit program has objectives, and any risks to the objectives should be identified, and significant risks should be treated or avoided. Monitoring might include a risk-based audit or periodic reassessments.
Managing audit program resources should include consideration for audit program risks. Because aspects of the audit program that represent a significant risk should have been identified, it should be easy to line up resources. For example, if you need to audit critical processes at a remote location, you will need a travel budget. If the objective is to initiate remote audits or e-audits, capital equipment and IT expertise may be necessary.
Clause 5.4.4 of ISO 19011 states that when an audit team leader is assigned to an individual audit, he or she should be given the information needed for evaluating and addressing identified risks to the achievement of the audit’s objectives or purpose.
What to watch for
It’s easy to come up with two or three dozen risks that could influence the achievement of individual audit objects. You need to know the activities that could make a significant impact on the achievement of the audit objectives. This can be done intuitively or by using a matrix that lists the potentially impactful activities and their estimated probabilities.
Risks may include getting a sufficient sample, completing the audit in a specified time frame and the availability of competent auditors. In this case, the audit team leader is expected to manage risk by analyzing and evaluating the impact of risks on the audit process.
The ISO 19011 standard mentions risk two more times in clause 5. It states that audit program records should include those addressing audit program risks. The records should include the risks discussed earlier as part of clause 5.3.4, as well as any other risks identified.
The last mention of risk in this section of ISO 19011 is that the audit program review should include an evaluation of the effectiveness of the measures used to address the risks associated with the audit program. It’s important to identify measures that are appropriate for the situation. Risk management includes prevention and appraisal costs.
The 2012 CQA BoK also has added a section on risk management tools. When risks need to be managed, certain tools can be used to identify, analyze and evaluate risks.
Methods for managing risk may include risk avoidance, mitigation or tradeoffs. Risk management tools can include failure mode and effects analysis, hazard analysis and critical control points, critical to quality analysis, health hazard analysis, error proofing and brainstorming. Auditors must know the methods and techniques for identifying and assessing risk so they can audit systems that require risks to be controlled.
Wrapping it up
In lieu of a standard or procedure requiring management of certain risks, the key to a risk management program is identifying and assessing risks. This is where risk management tools can be helpful.
There are many aspects of a process or organization that represent a risk. The organization’s personnel must determine which aspects are significant and must be treated. The decision to treat or mitigate risk aspects depends on the level of risk the organization is willing to accept.
When there is a risk management program, auditors may be asked to verify that risk treatments are maintained and effective, and to identify potential risks that must be assessed. The audit program interacts with almost all other functions of an organization and can be a key component in any risk management program.
As I mentioned in last month’s column,3 risk is the bull in the china shop. It affects the environment, occupational safety, food safety and many other areas. It covers all sectors. Risk management is a proactive approach to avoid surprises that could affect an organization’s sustainability and survival. And it won’t be long before organizations will have a vice president of risk instead of a vice president of quality, systems or compliance.
- International Organization for Standardization, ISO 31000:2009—Risk management—Principles and guidelines, clause 5.1, Figure 3: Risk Management Process, p. 14.
- International Organization for Standardization, ISO Guide 73:2009—Risk management—Vocabulary, clause 1.1, p. 1.
- J.P. Russell, "Game of Chance," Quality Progress, August 2012, pp. 52-54.
- International Organization for Standardization, ISO 19011:2011—Guidelines for auditing management systems.
J.P. Russell is president of J.P. Russell & Associates in Gulf Breeze, FL. He also is managing director of and provides training for QualityWBT Center for Education. Russell is an ASQ fellow, ASQ-certified quality auditor, voting member of the American National Standards Institute/ASQ Z1 committee and member of the U.S. technical advisory group for International Organization for Standardization technical committee 176. He is the editor of The ASQ Auditing Handbook, third edition, and author of several ASQ Quality Press books, including The Process Auditing and Techniques Guide, second edition.