In June 2018, the International Organization for Standards (ISO) is expected to release a revision of ISO 19011, its Guide to Auditing Management Systems.  The final draft is out.  Based on it, a sea change is coming for all ISO certifications.  However, the impact is not fully understood.  This piece discusses some of the implications.

Moving to Risk Based Assessment

While at the American Society of Quality (ASQ) World Conference, I had a discussion on ISO 19011.  It was with an individual who had attended all the ISO 19011 meetings.  It was indicated that ISO was moving to a risk base approach.  There were two reasons for this.  The first was to bring all the standards in line with ISO 9001:2015 which requires Risk Based Thinking.  The second was the rest of the world is risk-based thinking oriented.

These are important points.  In 2015, ISO 14001 was revised and became more risk based.  In 2018, ISO issued 45001, a new standard for Occupation Health and Safety (OH&S).  While the emphasis on risk for such a system is not new, the standard is more risk based. The same can be said for the ISO 19011 final draft.

ISO 19011

ISO revised the audit guide for two reasons.  First, there was a need for a broader approach to auditing management systems.  Second, to provide more generic guidance. There are three key process changes.  These are:

1. The expansion of the audit planning guidance
2. The addition of the risk-based approach to the principles of auditing.
3. The inclusion of guidance for risk auditing.

There are also changes in terminology to reflect an emphasis on process, as opposed to the object or thing being audited.

The guide is to be used by First, Second and Third-party auditors.  First party auditors are the organization’s internal auditors.  Second party auditors are external auditors.  Third party auditors are those conducting certification/accreditation, statutory, regulatory or similar audits. The ISO 19001 revision specifically affects first and third party (certification) audits.

With respect to risk being added to the principles of auditing, it appears in several aspects.  Risk is to be considered in the preparation of the audit plan. Further, any adverse risk event, which could disrupt the execution of the audit and make inaccurate its assessment, must be discussed with the client.  In most cases, this is standard practice. Thus, the change merely codifies existing practice.

The auditing of risk signals that all ISO certifications are going to be risk based.  The final draft states determination of the organization’s risks and how they are being managed can be included in the audit.  This makes it permissive.  However, the auditing of risk is not a standalone.  It should be “implicit in the entire audit of a management system”.  With ISO’s movement to risk-based standards, can will eventually mean must.

The objective of the risk management audit is to:

1. Give assurance on the credibility of the risk and opportunity management process;
2. Give assurance that the risks and opportunities are accurately determined;
3. Review how the organization addresses it determined risks and opportunities.

This assurance is to be based on examination of documents and discussions with management.  The auditor is to use professional judgement to assess management’s consideration of the potential sources of risk, such as environment and safety hazards.  The risks must be assessed within the organization’s context.  This guide to auditing risk, however, poses several challenges.

Challenges

The first challenge is the scope of the audit.  Risk is defined as the “effect of uncertainty.” The risks are associated with environmental aspects and safety hazards. The risks are to be placed within “changes to the auditee’s context”.   While this sounds good, it is all general.  The context might narrow the risks, except “context” is not defined.  ISO 31000:2018 defines context and assists with risk identification.  But, ISO 31000:2018 is not referenced.

Another problem is process versus object/thing.  In the past, the audit, of say ISO 9001:2015, was of the actions management took regarding quality related activities.  The revision requires that the risks to the audited system must now be identified and the adequacy of management’s actions determined. Yet, there is almost no guidance as to what a good or effective risk management system looks like.  If an audit is to determine the adequacy of risk management efforts, it should be done consistent with a recognized risk management standard, such as ISO 3100:2018.

The last challenge is the lack of risk management knowledge.  My ASQ Chapter has struggled with 9001:2015’s Risk Based Thinking.  Even the ISO certified auditors have struggled to explain it.   The audit guide does not assist in this respect.  Further, since it is relatively silent on a standard risk management process and company internal auditors tend to rely on COSO’s risk management guide, then baring any other guidance, it should suffice for certification purposes.  If that is the case, why have ISO 31000:2018?

Conclusions

With the publication of the ISO 19011 revision, ISO takes a major step.  Its publication signals that all ISO certifications will be risk based.  This means that the risks associated with conducting an audit must be identified and communicated to the auditee.  Further, risks to the system being audited, will have to be identified and management’s risk management evaluated for adequacy.

This poses several challenges for the auditor.  First, neither the risks or the risk management system are well defined.  This is unfortunate since ISO has such definitions in ISO 31000:2018.  Second, since the risk management process is ill defined, and most company internal auditors tend to relay on COSO’s risk management process, its use should suffice for certification purposes.  If that is the case, what good is ISO 31000:2018?

Bio:

James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager.  He has over ten year’s supervisory and managerial experience in both the public and private sector.  He has consulted on economic, quality and workforce development issues for state and local governments.  He has authored numerous articles on quality in government and risk analysis. jeffreyk12011@live.com