#22 – RISK BASED AUDITING REDUX – UMBERTO TUNESI

Posted on by

Umberto Tunesi pixI would fool myself if I had to admit that in a more than forty years career in laboratory, sales & technical support, quality inspection, quality, environment, safety audits in fields varying from any kind of chemicals to automotive components, I have not learned at least something on risk-based audit and risk management.

There is one major lesson I learned, that is, any investigation’s results depending on one’s own input, or – in other words – one will only find what he or she is looking for.

This is a tremendous bias, especially when risk auditing.

When auditing management systems – quality, environment, safety, etc. – for conformity to Standards, auditors – be they third, second or first party auditors – have to, almost blindly, fill check lists.

It is like as we, on Saturdays’ morning, together with our wife, go shopping in a mall and strictly  follow the shopping list we have drafted in the week before, and don’t look to what is on the shelves or to the best price offers.

If we were engineers and calculated the capability indexes of this process, we would be astonished at its inefficiency.

We have the Treasure Island map in our hands, but the trees that were put down as reference points are not there anymore, rocks have moved because of waves, and so on.

We must not forget that charted and analyzed records of process capability versus process risk is still an experimental science: for example, FMEA uses subjective attributes to classify Severity, Occurrence and Detection, and FMEA is probably one of the most widely used approach to risk prediction and risk prevention.

Risk auditors must therefore not be like bible-thumpers: they have to keep their mind open and their eyes and ears wide open.

Risk auditing is going to be a real tough job, especially when risk auditors will have to tell the audit’s client, that is the company manager, that everything is not really well, let alone perfect.

So, there are two basic lines of responsibility:

One: the auditors to look for, detect, risk-assess anomalies;

Two: the management to listen to and address the auditors’ findings.

Much is being said – and sold – on auditors’ and managers’ training to risk-oriented corrections, but, if we look at the publicly available figures, there is just one that keeps figuring in the top ten parade: the errors rate.

Leave a Reply

Your email address will not be published. Required fields are marked *