With the release of the Final Draft of ISO9001:2015 this week and its focus on risk-based Compliance Management, I thought I would share our approach to Risk-Based Auditing from our experience with the likes of Defence Aviation and the Australian Quarantine Inspection Service, both leaders in the field.
As parents we all agonise of the decisions of our children’s future. Friendships, University and career decisions invariable suck us into the minefield of “assisting” them in making the “right” decision. My son is just finishing Uni, and is looking to pursue a career in the secure profession of Acting. My original “advice” was to do a Business degree first. When I pointed out that there are only 30 places for 1800 applicants at the Queensland Conservatorium of Music (“The Con”), he replied he only wanted 1. I put my foot down but he went to The Con.
So why did he standout from the other 1800? Focus. A researched, planned, and committed approach, as opposed to going thru the motions and hope for success. Sound familiar? And that focus has paid-off. This year so far, he’s performed as a soloist at Queensland Performing Arts Centre’s 50 year concert, been a guest artist at the Pacific Government Ministers dinner, and has a lead in a new production of “Blood Brothers”.
So how do we apply “focus” to Audit & Inspection planning? Here is my 9 point plan for implementing a targeted Risk-based Audit & Inspection program.
1. Preparation
First you need to itemise the specific Framework requirements, whether they’re airworthiness regulations, food safety standards, or ISO9001:2015, and map them against specific tasks in your processes and procedures. If starting out just use the standards’ table of contents for the mapping. A Framework is a systematic and comprehensive breakdown of a discipline so use it not for compliance but for coverage.
Apply a weighting factor against each mapping as to its importance in affecting the outcome of that process or procedure. I prefer a 1-5 scale.
2. Planning
Planning is more than scheduling every 12 months. It’s about understanding your targets and having outcome objectives. Have a goal for your annual program (it will get the board’s attention), work out what affects it, and identify their criticalities. These are your targets.
You then need to set surveillance levels against each target by assess their impact. Yes, a risk assessment. Whether they be departments, locations, processes, or companies. Your paper clip supplier doesn’t need a 3 day onsite audit. Have a range of compliance surveillance techniques including self-assessment questionnaires, desk audits, statistical reporting, 3rd party certification, on-site reviews, etc.
3. Scheduling
Taking available resources into account, identify which targets to audit when. Your surveillance levels gives you you’re your frequency per target, then order by priority of effect on program goals.
Effectiveness of the system as a whole is conditional on full coverage of the Audit program so you need to ensure the entire Framework is covered over the long term, so you need to track when specific requirements were last checked against which targets and take this into account also.
4. Preparation
There is a balance between copying last year’s checklist and using a comprehensive system analysis. The key is to have a series of goal or target templates. Start with previous checklists by breaking up by outcome. For each audit select the relevant templates (multiple) and tailor to the audits goals. These questions/inspection items need to be linked back to the Framework for reporting & tracking coverage.
5. Assessing
Assessing is more than a tick or even a score 1-5/10. It needs to evaluate conformance, performance, and contribution i.e. multiple ratings. It is imperative to garner target input to performance, contribution and risk levels from a practical operational perspective. The board will rate the audit program on its contribution to the business objectives not the number of nonconformances identified.
Controls are there to PREVENT (future) problems and therefore their adequacy has to be measured against perceived threats i.e. a Threat & Vulnerability Analysis
6. Rating
Operational understanding of a system by those who run it is the key to managing uncertainty in the current disruptive business environment. It is close to impossible for an outsider to assess this. The best approach is to have operational management self-assess and include a predictive call on the future movement of ratings. When predictions prove to be out have them analyse why (a self-learning exercise).
7. Reporting
Obviously reporting must now include performance, contribution and risk in addition to traditional compliance and nonconformance. Also if must not only be outcome focused but also future focused as risk (uncertainty) relates to the future.
8. Close Out
The close-out stage of an audit/inspection is where there is the biggest deviation from the traditional audit. In risk based auditing the focus is more on the audit process itself than the follow-up on findings. Risk by definition is not static and in fact has probably moved between the original plan and the actual assessment. It is imperative that as much effort is put into ascertaining the risk profile, status, and contribution of the audit target as with is assessment of compliance & performance. The audit process and future surveillance plan needs to be developed at this stage, not leaving it to the next planning session.
9. Analysis
Unless you are running a FastTrack style proactive ERM, the Audit is the driver for Enterprise Risk Management reporting. In this case it needs to turn findings into control reviews ending in a re-rating of related risk profiles and exposures. This is why the review of performance and contribution is so critical in the Close-Out phase.
Trend is primary tool for analysis in risk based auditing as it drives the future surveillance programs. Trend Analysis in performance, contribution and risk has to be over the product/service lifetime cycle. Don’t overdo it.
In my last article The 4 Biggest Mistakes in Compliance Management I said being timely is critical to be relevant, and even more so with Risk Based Auditing. The real purpose of Audit is to give the board and executives an objective analysis of the organisations ability to achieve its strategic goals. Reporting must reflect this.
Bio:
Greg Carroll - Founder & Technical Director, Fast Track Australia Pty Ltd. Greg Carroll has 30 years’ experience addressing risk management systems in life-and-death environments like the Australian Department of Defence and the Victorian Infectious Diseases Laboratories among others. He has also worked for decades with top tier multinationals like Motorola, Fosters and Serco.
In 1981 he founded Fast Track (www.fasttrack365.com) which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier, and Innovation Management.
Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks. Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.