by Eugene A. Razzetti
At some point during my 40-plus years of conducting audits under a variety of titles, I concluded that audits can have tremendous value for organizations, especially those that learn to effectively audit themselves. I also concluded that much of this value remains unrealized and uncollected. We all understand the value of audits with regard to the identification of nonconformities. But what happens then? Or is uncovering the nonconformity the end of the story? Worse yet, is apparent “conformity” the end of the story? It’s only when audits go beyond stated requirements and become value-added audits that the organization is supercharged, and a “deliverable” becomes an “enhancement.”
Here are ten ways in which value-added audits—especially to a standard such as ISO 9001, ISO 14001, or ISO 28000—not only benefit, but can also supercharge an organization.
Value-added audits: Training internal auditors to do value-added audits
We all know that ISO 9001 certification requires organizations to have qualified internal auditors. Often, these well-intentioned folks come in from another department, count somebody else’s beans, write a report, and that’s that. Very few internal auditors, in my experience, really know when they are on to something. Once, during an ISO 9001 recertification audit, the management representative/internal auditor in an aircraft repair parts distribution center proudly told me that a recent audit of deliveries revealed that on-time deliveries had increased “10.73 percent.” The objective of the strategic plan had been a 10 percent increase by the end of the year, and they had made it. “That’s great,” I said with genuine gladness. “How did you do it?” No answer. Together, we made a simple search of the last year’s shipping data and confirmed that on-time deliveries had indeed increased. However, they had done so because early deliveries had decreased. Late deliveries were unchanged.
The internal auditor had completed the audit as scheduled. The quality manager had met his goal. The president was satisfied with the report, and all was right with the world. Value-added audits would have looked deeper and would have found potential problems where the actual audit did not. The moral of this story is that:
- Verifying conformity isn’t enough, especially when there is no apparent reason for improved performance.
- Train internal auditors to add value, investigating the inexplicable good news as well as the observable bad.
Value-added audits: Give the client an effective risk management program
International Organization for Standardization (ISO) standards, stakeholders, and good management practices expect organizations to develop meaningful risk assessment programs. These programs should identify threats, criticalities, and vulnerabilities to the organization’s missions and operations. However, identifying and assessing risks isn’t enough. Risks must be managed after they’ve been identified. I provide my clients with a tailored risk management program that not only identifies threats, criticalities, and vulnerabilities and assigns them uniform numerical values, but also considers external factors such as outsourcing and host-nation support. When the assessment is complete, I show clients how to project the effect of potential corrective actions. It’s in the modeling of potential corrective actions that, in my opinion, risk assessment becomes risk management. This is a good way to “game” potential courses of action before limited time and research-and-development funds are depleted. See figure 1 for an illustration of this kind of assessment.
Figure 1: Value-added audits: Risk management total picture
Value-added audits: Examine safety and security
After the pleasantries at the beginning of an audit, I take a tour of the facilities with the quality manager/management representative, and, ideally, the organization’s president. In addition to looking at the processes, I also look at the safety and security of issues such as:
- Safety equipment and features, such as emergency eyewash stations, fire extinguishers, sprinkler system coverage, and exit signage
- Stowage and whether emergency equipment or exits are blocked by pallets, raw materials, or finished goods
- Safety interlocks and remote shutdowns
- General cleanliness, hazardous materials storage, trip/fall hazards, and the need for hearing or eye protection
- Unsafe practices, such as servicing rotating machinery while it is running
There is nothing wrong with doing a “safety walk through.” You just might prevent environmental fines or loss of life or property. I do, in fact, get a true feeling for how management treats its people by the way it maintains the facilities and the speed with which it fixes potential problems. I have never toured a facility where I did not find something unsafe and worthy of mention during these tours. Most unsafe conditions hide in plain sight.
I know several auditors that will walk out of a facility if they feel that it’s unsafe. Walking out is an embarrassment, but pointing out unsafe conditions is value-added enhancement.
Value-added audits: Feedback, follow-up, and accountability: Three Musketeers or Three Stooges?
ISO standards require customer feedback, but leave internal feedback largely to the organization’s corrective and preventive action processes. Internal feedback should be considered communication that management receives regarding its actions or potential actions. Meaningful feedback requires effective communication, freely flowing in both directions. Meaningless or unsupported feedback (“I don’t like it because it’s all messed up.”) wastes time and depletes enthusiasm. For feedback to be meaningful, the original message must be clear. Value-added audits can identify all feedback mechanisms and evaluate those mechanisms according to the following criteria:
- Can feedback be obtained from multiple sources, through multiple channels?
- Does management routinely approach employees directly to assess whether the message was received as sent?
- Are employee sensitivities considered (e.g., do they feel their jobs are in jeopardy)?
- Is the message reinforced through actions, training, or presentations?
Follow-up means actively checking on the success or failure of an implemented decision or action (e.g., a process modification). Follow-up should confirm one of the following:
- No measurable improvement or degradation of the process. That is, it was not worth the effort and/or expense.
- A measurable degradation of the process. (“You made it worse, Dummy!”)
- A measurable improvement in accordance with the modification strategy; worth the effort and expense.
Follow-up is essential to the decision-making process and value-added audits can evaluate follow-up as an integral part of the processes being audited.
Accountability means having to report to, explain, justify, and be responsible or answerable to a higher authority; or the acceptance of the success or failure to achieve the stated objectives. It often carries with it positive (e.g., promotion) or negative (e.g., termination) recognition. Value-added audits evaluating decision-making processes should be able to confirm that the organization’s structure has accountability lines fully established and operational. The sometimes trendy establishment of “teams” confounds and may even eradicate clear lines of accountability. It’s easy to make a decision if the decision maker feels no accountability.
Value-added audits can confirm whether feedback, follow-up, and accountability profitably coexist, such as with the Three Musketeers (“All for one and one for all!”) or the Three Stooges (“Spread out!”).
Value-added audits: Metrics and measures of effectiveness—the CEO’s dashboard
It has been wisely said that what can’t be measured can’t be managed. CEOs need the ability to subjectively and objectively quantify the success or failure of operations, products, or services; measure components of those operations; and compare their findings with established standards.
With the right mindset and the right metrics, CEOs and managers can:
- Optimally plan entire processes based on missions, load locations, and available resources
- Establish completion goals (pieces/day, number of days required, required deadlines)
- Monitor and evaluate operations in progress, and assess the ability of assigned resources to meet the established goals and objectives
The metrics and measures of effectiveness on a CEO’s dashboard of decision-making tools must deliver credible, useful information, almost as immediately as would be expected in a car’s dashboard controls. Audits often confirm that decision-making models are in place and being used. Value-added audits, however, can confirm not only the existence of the models but also their strategic applicability—their currency, accuracy, and usefulness, as well as the data and logic from which they were developed.
Value-added audits: Training, competence, and awareness—focus on “qualification” and work your way backward
Compliance with ISO 9001:2008 clause 6.2.2 requires organizations to determine the competence required of personnel to create conforming products, provide training, and evaluate the effectiveness of the action taken. This is often easier said than done. Process audits reflect one of the following with regard to training, competence, and awareness in accordance with an approved standard:
- No documented standard exists
- A verbal standard exists, but there is no written/approved documentation
- Process documentation is in place, but not followed
- Process documentation does exist, and the process is performed in accordance with the approved documentation.
Even in organizations that have been certified to a standard for many years, training often takes place without the goal of qualification in sight. Value-added audits can confirm that organizations have fully defined the qualifications that their personnel are expected to achieve, determine what training is required toward that achievement, and if it’s being conducted effectively—or not.
Value-added audits: Strategic planning—converting lofty ideas into actionable milestones
There are many excellent books on strategic planning and just as many that are simply trendy. Many consultants have gotten rich by covering conference room walls with butcher paper and ink from magic markers. CEOs, not consultants, must decide the best approach to strategic planning, ensuring that:
- They have a clearly defined mission for the organization.
- They have a vision of how they want the organization to look to the outside world in general and to stakeholders in particular.
- They have identified all the gaps in the performance of those missions.
Then, after identifying the gaps, they must develop:
- Goals for the organization that address all pertinent areas of the mission and all areas in which gaps have been identified
- Objectives, in which each of the identified goals is quantified in accordance with established metrics
- A plan of action and milestones from the objectives, assigning personnel/divisions by name and tracking progress
Many strategic plans exist in name only, and line workers and managers often don’t even know of their existence. This only wastes time and discourages stakeholders. Value-added audits can optimize their contribution by starting with mission and vision statements and drilling down to the milestones—how they are developed, bracketed, assigned, and monitored, pointing out where planning may be deficient.
Value-added audits: Benchmarking and gap analysis—asking good questions and acting on the answers
Benchmarking and gap analysis can be described as seeking out, identifying, and attempting to emulate and improve on established standards, contract requirements, or other best practices. Auditors use them to compare actual organizational performance with established standards.
Internal benchmarking examines activities taking place inside the client’s walls, such as manufacturing, training, waste, or work in progress. External benchmarking can include customer satisfaction (on-time delivery, reliability/defect reports, etc.); competitors’ products; ISO 9001, ISO 14001, and other structured certification standards; and tradeshows, seminars, and workshops.
CEOs won’t know the results of their decisions or changes without an effective benchmarking strategy. Value-added audits can help determine how an organization is performing relative to how it should be performing. Then, state the reasons for the gaps and the required corrective actions, as suggested in figure 2.
Figure 2: Value-added audits: Performance gaps
Value-added audits: Turning recurring reports into management tools
An admiral I once served under told his staff that a new reporting requirement couldn’t be imposed without removing an existing reporting requirement. That helped to limit the quantity of reports required by operating forces, which had better things to do. Next, he tasked staff members to find redundant reporting requirements and eliminate or consolidate them. The next challenge should have been to determine what intelligence the reports actually contained, and whether anybody really needed them. They never addressed the quality or usefulness of the reports.
Reports cannot be useful management tools unless they can measurably contribute to:
- Making decisions
- Information collection and management
- Risk and vulnerability analysis, and the allocation of limited resources
- Plotting and prediction procedures
- Planning alternative courses of action
Value-add audits of an organization’s reporting requirements should:
- Ensure that the reports contain important information, reflect a genuine need, and contain measurable assessment and analysis useful for decision making.
- Determine whether separate but similar reports are being sent to different organizations, and, if so, create one report covering all the submission requirements.
Value-added audits: Continuous improvement—tying it all together in an effective organization
Auditors know that even the most robust management systems are short lived if they don’t support and encourage continuous improvement. Without the enduring cycle of plan-do-check-act (PDCA), neither the auditor nor the CEO can quantify the initial and long-term effect of decisions and changes on the organization.
Continuous improvement upholds and sustains not only ISO standards, but all demonstrations of enlightened, effective management. Value-added audits confirm that something can always be done better.
In summary, when organizations adopt the strategy and mindset of value-added audits and audit beyond stated requirements, excellence is achieved. I believe that if a client organization cannot successfully conduct its own value-added audits by the time I finish my audit, I didn’t finish the job.
About the author
Eugene A. Razzetti retired from the U.S. Navy as a captain in 1992. He is a Vietnam veteran and had two at-sea and two major shore commands. Since then, he has been an independent management consultant, project manager, and ISO auditor. He became an adjunct military analyst with the Center for Naval Analyses after September 11, 2001. He has authored two management books and co-authored MVO 8000, a corporate responsibility management standard. He is a certified management consultant with the Institute of Management Consultants and has served on boards and committees dealing with ethics and professionalism in the practice of management consulting. He is a senior member of the American Society for Quality and most recently assisted the government of Guatemala with the ISO 28000 certification of its two principal commercial port facilities. He can be reached at www.corprespmgmt.com or generazz@aol.com.
Tags: value-added audits.