How to Implement Risk Based Audits & Inspections

  • by gcarroll@fasttrackaust.com (Greg Carroll)
  • 18 Jul, 2015
With the release of the Final Draft of ISO9001:2015 this week and its focus on risk-based Compliance Management, I thought I would share our approach to Risk-Based Auditing from our experience with the likes of Defence Aviation and the Australian Quarantine Inspection Service, both leaders in the field.
[Image: Defence risk-based auditing]

As parents we all agonise over the decisions about our children's future.  Friendships, university and career decisions invariably suck us into the minefield of "assisting" them in making the "right" decision.  My son is just finishing uni, and is looking to pursue a career in the secure profession of acting.  My original "advice" was to do a Business degree first. When I pointed out that there are only 30 places for 1800 applicants at the Queensland Conservatorium of Music ("The Con"), he replied he only wanted one. I put my foot down, but he went to The Con.

So why did he stand out from the other 1800?  Focus.  A researched, planned and committed approach, as opposed to going through the motions and hoping for success.  Sound familiar?  And that focus has paid off.  This year so far he has performed as a soloist at the Queensland Performing Arts Centre's 50 year concert, been a guest artist at the Pacific Government Ministers dinner, and has a lead in a new production of "Blood Brothers".

So how do we apply "focus" to Audit & Inspection planning? Here is my nine-point plan for implementing a targeted risk-based Audit & Inspection program.

1. Set Context

First, itemise the specific Framework requirements, whether they are airworthiness regulations, food safety standards or ISO9001:2015, and map them against specific tasks in your processes and procedures.  If you are starting out, just use the standard's table of contents as the mapping.  A Framework is a systematic and comprehensive breakdown of a discipline, so use it for coverage, not merely for compliance.

Apply a weighting factor to each mapping for how much it affects the outcome of that process or procedure.  I prefer a 1-5 scale.

2. Planning

Planning is more than scheduling an audit every 12 months. It is about understanding your targets and having outcome objectives. Have a goal for your annual program (it will get the board's attention), work out what affects it, and identify how critical each of those things is. These are your targets.

You then need to set surveillance levels against each target, whether departments, locations, processes or companies, by assessing their impact.  Yes, a risk assessment.  Your paper clip supplier does not need a three-day on-site audit.  Have a range of compliance surveillance techniques available, including self-assessment questionnaires, desk audits, statistical reporting, third-party certification and on-site reviews, and match the technique to the surveillance level.

3. Scheduling

Taking available resources into account, identify which targets to audit and when.  Your surveillance levels give you a frequency per target; then order the targets by the priority of their effect on program goals.

The effectiveness of the system as a whole is conditional on full coverage by the Audit program, so you need to ensure the entire Framework is covered over the long term.  That means tracking when each specific requirement was last checked against which targets, and factoring that into the schedule alongside priority.
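To make steps 1 to 3 concrete, here is an added worked example (not the author's FastTrack software or any code from the original article) of a small risk-based audit scheduler. It maps framework clauses to targets with a 1-5 weighting, derives a surveillance technique and check interval from each target's impact rating, orders targets by priority, and runs the long-term coverage check that flags clauses never examined against a target. The target names, clause mappings, weightings, impact ratings, dates, the surveillance table and the rule that low-weight mappings may be checked at twice the interval are all assumptions made for the example.

```python
"""Risk-based audit scheduler.

Added illustration of steps 1-3 (Set Context, Planning, Scheduling); this is
not the author's FastTrack software. All targets, clause mappings, weightings,
impact ratings and dates are constructed sample data, and the surveillance
table and interval rules are assumptions chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Step 2: surveillance level (taken directly from the target's impact rating)
# -> (technique, maximum days between checks). Assumed thresholds.
SURVEILLANCE = {
    5: ("on-site review", 90),
    4: ("desk audit", 180),
    3: ("statistical reporting", 365),
    2: ("self-assessment questionnaire", 365),
    1: ("3rd-party certification", 730),
}


@dataclass
class Target:
    name: str
    impact: int                          # 1-5 from the risk assessment
    mappings: dict[str, int]             # step 1: framework clause -> weighting 1-5
    last_checked: dict[str, date] = field(default_factory=dict)  # clause -> date

    def __post_init__(self) -> None:
        if self.impact not in SURVEILLANCE:
            raise ValueError(f"{self.name}: impact must be 1-5")
        bad = [c for c, w in self.mappings.items() if not 1 <= w <= 5]
        if bad:
            raise ValueError(f"{self.name}: weightings must be 1-5: {bad}")


def check_interval(target: Target, clause: str) -> int:
    """Days allowed between checks of `clause` against `target`: the surveillance
    interval for the target's impact, doubled for low-weight (1-2) mappings so
    effort concentrates on what actually drives the outcome (assumed rule)."""
    _, interval = SURVEILLANCE[target.impact]
    return interval if target.mappings[clause] >= 3 else 2 * interval


def next_due(target: Target, today: date) -> date:
    """Earliest date any mapped clause falls due; a never-checked clause is due now."""
    dues = []
    for clause in target.mappings:
        last = target.last_checked.get(clause)
        dues.append(today if last is None else last + timedelta(days=check_interval(target, clause)))
    return min(dues)


def priority(target: Target, today: date) -> float:
    """Priority of effect on program goals: impact x sum(weight x overdue factor).
    The overdue factor is elapsed/allowed, capped at 2 so one ancient check
    cannot swamp everything else; a never-checked clause counts as fully overdue."""
    score = 0.0
    for clause, weight in target.mappings.items():
        allowed = check_interval(target, clause)
        last = target.last_checked.get(clause)
        elapsed = 2 * allowed if last is None else (today - last).days
        score += weight * min(elapsed / allowed, 2.0)
    return target.impact * score


def build_schedule(targets: list[Target], today: date) -> list[dict]:
    """Step 3: one row per target, ordered by priority, with the surveillance
    technique its level calls for and the date it next falls due."""
    rows = []
    for t in targets:
        technique, _ = SURVEILLANCE[t.impact]
        rows.append({"target": t.name, "technique": technique,
                     "due": next_due(t, today), "priority": round(priority(t, today), 2)})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


def coverage_gaps(targets: list[Target], today: date, horizon_days: int = 730) -> list[tuple[str, str]]:
    """Long-term coverage check: (target, clause) pairs never checked, or not
    checked within the horizon, regardless of where they sit in the priority order."""
    gaps = []
    for t in targets:
        for clause in t.mappings:
            last = t.last_checked.get(clause)
            if last is None or (today - last).days > horizon_days:
                gaps.append((t.name, clause))
    return gaps


# Constructed sample: clause numbers follow ISO 9001:2015 but the mappings are invented.
TODAY = date(2015, 7, 18)
SAMPLE_TARGETS = [
    Target("Engine maintenance line", impact=5,
           mappings={"8.5.1": 5, "7.1.5": 4, "8.4": 3},
           last_checked={"8.5.1": TODAY - timedelta(days=100),
                         "7.1.5": TODAY - timedelta(days=400)}),   # 8.4 never checked
    Target("Calibration lab", impact=3, mappings={"7.1.5": 5},
           last_checked={"7.1.5": TODAY - timedelta(days=30)}),
    Target("Paper clip supplier", impact=1, mappings={"8.4": 2},
           last_checked={"8.4": TODAY - timedelta(days=200)}),
]

if __name__ == "__main__":
    for row in build_schedule(SAMPLE_TARGETS, TODAY):
        print(f"{row['priority']:7.2f}  {row['due']}  {row['technique']:30}  {row['target']}")
    print("coverage gaps:", coverage_gaps(SAMPLE_TARGETS, TODAY))
```

Run stand-alone, the engine maintenance line comes out on top (high impact, two overdue clauses and one never checked), the paper clip supplier sits at the bottom on third-party certification with a check not due for years, and the coverage check still flags clause 8.4 against the engine line because it has never been examined, which is the point of tracking coverage separately from priority.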

 

4. Preparation

There is a balance between copying last year's checklist and doing a comprehensive system analysis from scratch.  The key is to have a series of goal or target templates.  Start from previous checklists, broken up by outcome.  For each audit, select the relevant templates (usually several) and tailor them to the audit's goals.  These questions and inspection items need to be linked back to the Framework for reporting and for tracking coverage.

5. Assessing

Assessing is more than a tick, or even a score out of 5 or 10.  It needs to evaluate conformance, performance and contribution, i.e. multiple ratings.  It is imperative to get the audit target's own input on performance, contribution and risk levels from a practical operational perspective.  The board will rate the audit program on its contribution to the business objectives, not on the number of nonconformances identified.

Controls are there to PREVENT (future) problems, so their adequacy has to be measured against the perceived threats, i.e. a Threat & Vulnerability Analysis.

6. Rating

Operational understanding of a system by those who run it is the key to managing uncertainty in the current disruptive business environment.  It is close to impossible for an outsider to assess this.  The best approach is to have operational management self-assess and include a predictive call on the future movement of their ratings.  When predictions prove wrong, have them analyse why (a self-learning exercise).

7. Reporting

Reporting must now include performance, contribution and risk in addition to traditional compliance and nonconformance.  It must also be not only outcome focused but future focused, since risk (uncertainty) relates to the future.

8. Close Out

The close-out stage of an audit or inspection is where risk-based auditing deviates most from the traditional audit.  The focus is more on the audit process itself than on following up findings.  Risk by definition is not static and has probably moved between the original plan and the actual assessment.  It is imperative that as much effort goes into ascertaining the risk profile, status and contribution of the audit target as into its assessment of compliance and performance.  The audit process and the future surveillance plan need to be developed at this stage, not left to the next planning session.

9. Analysis

Unless you are running a FastTrack-style proactive ERM, the Audit is the driver for Enterprise Risk Management reporting.  In that case it needs to turn findings into control reviews that end in a re-rating of the related risk profiles and exposures.  This is why the review of performance and contribution in the Close-Out phase is so critical.

Trend is the primary analysis tool in risk-based auditing, as it drives the future surveillance programs.  Trend analysis of performance, contribution and risk has to span the product or service lifecycle.  Don't overdo it.

In my last article, The 4 Biggest Mistakes in Compliance Management, I said being timely is critical to being relevant, and that is even more so with Risk-Based Auditing.  The real purpose of Audit is to give the board and executives an objective analysis of the organisation's ability to achieve its strategic goals.  Reporting must reflect this.

 
