by Lance Coleman
Risk elimination. Risk management. Risk mitigation. This is the language of upper management that we as auditors, in any industry, must learn if we truly want to effect positive change throughout our environment and conduct effective risk-based audits.
This is a challenge that was put forth by Allan Sayle, one of the keynote speakers at the 20th annual American Society for Quality (ASQ) Audit Division conference in Reno, Nevada, last year. He stated that if quality auditors want to remain relevant and keep from becoming marginalized, they need to learn new skills and earn new credentials. More important, auditors need to move beyond compliance monitoring to determine how their work affects the corporate bottom line. This can be achieved in two ways: by driving continuous improvement (part two of this article series) or by managing risk—the subject of this article. I would further state that a truly robust audit program is a three-legged stool, with the program platform resting on the three “legs” of compliance, risk management, and continuous improvement.
The first questions to ask about risk management and auditing are: Exactly what is meant by risk in a manufacturing environment, how is it assessed, and what does it have to (potentially) do with auditing? ISO 14971, used in the medical devices industry, defines risk as the combination of the probability of occurrence of harm and the severity of that harm. ISO 31000 defines risk more broadly as the effect of uncertainty on objectives. In your risk planning, you have to consider the producer’s risk—the risk of rejecting a good part as bad, along with consumer risk, which is the risk of accepting a bad part as good.
One commonly used metric for assessing risk is the risk priority number (RPN). This number is calculated by ranking each of the following on a scale of one to 10, with one being the best case and 10 the worst case:
- Likelihood of occurrence
- Severity of occurrence
- Likelihood of detection
The figures are multiplied as:
RPN = likelihood × severity × detection
What does all this have to do with auditing? Actually, quite a bit. The four phases of auditing are planning, execution, closure, and reporting. (There are five phases if you decide to include follow-up as a part of the original audit, instead of its own separate event.) During each phase of the auditing process there is a risk assessment and risk management component, even when they are not recognized as such. Let’s take a look at how risk assessment and management naturally occurs within the audit program.
First, let’s discuss the hierarchy of risk. Every company must establish one as part of its risk management program. The prioritization below is common but by no means absolute or 100 percent consistent from company to company. How this risk is assessed may also vary from company to company or even from site to site within an organization.
- Safety
- Functionality/intended use suitability
- Out of specification—variable
- Out of specification—attribute
- Out-of-control process
- Documentation issues
- Reject good parts as bad
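As an added example (not from the original article), the following Python ranks a set of audit findings by the RPN defined above and uses the risk hierarchy just listed as the tie-breaker when two findings carry the same RPN. The category names, the `Finding` class, and the sample findings are constructed for illustration; the scoring validation enforces the one-to-10 scale the article describes.

```python
# Added example, not the article's own material: rank audit findings by RPN,
# then by the article's risk hierarchy when RPNs tie. Category names and the
# sample findings below are constructed for illustration.
from dataclasses import dataclass

# Risk hierarchy from the article, highest priority first (index 0 = most severe).
RISK_HIERARCHY = [
    "safety",
    "functionality",
    "out_of_spec_variable",
    "out_of_spec_attribute",
    "out_of_control_process",
    "documentation",
    "reject_good_parts",
]


@dataclass
class Finding:
    title: str
    category: str    # one of RISK_HIERARCHY
    likelihood: int  # 1 (best case) .. 10 (worst case)
    severity: int    # 1 (best case) .. 10 (worst case)
    detection: int   # 1 = almost certain to be detected .. 10 = unlikely to be detected


def _check_score(name, value):
    """Each factor must be an integer on the article's 1-to-10 scale."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    return value


def rpn(finding):
    """RPN = likelihood x severity x detection (each 1..10, so RPN is 1..1000)."""
    if finding.category not in RISK_HIERARCHY:
        raise ValueError(f"unknown risk category {finding.category!r}")
    return (_check_score("likelihood", finding.likelihood)
            * _check_score("severity", finding.severity)
            * _check_score("detection", finding.detection))


def rank_findings(findings):
    """Highest RPN first; equal RPNs are ordered by the risk hierarchy (safety first)."""
    return sorted(findings, key=lambda f: (-rpn(f), RISK_HIERARCHY.index(f.category)))


# Constructed sample findings for a hypothetical internal audit.
SAMPLE_FINDINGS = [
    Finding("Torque record missing on work order", "documentation", 5, 3, 2),
    Finding("Guard interlock bypassed on press", "safety", 3, 10, 4),
    Finding("Bore diameter trending toward upper limit", "out_of_spec_variable", 6, 5, 4),
    Finding("Inspection rejects conforming parts", "reject_good_parts", 6, 5, 4),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{rpn(f):4d}  {f.category:24s} {f.title}")
```

Three of the sample findings tie at an RPN of 120; the hierarchy puts the safety finding first, then the variable out-of-specification, then the rejection of good parts, with the documentation finding (RPN 30) last. Using the hierarchy only as a tie-breaker keeps RPN as the primary measure while still reflecting the company's stated priorities.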
During the planning phase of the audit program, decisions must be made as to what to audit, when to audit, and at what frequency to audit. Once you get beyond regulatory, standard, and customer requirements, company exposure to risk is the driving factor in making these determinations. When planning an individual audit, audit focus and sampling level are determined by both historical data (when applicable) and risk exposure.
During the execution phase of an audit, determinations must sometimes be made on whether to stick with the original audit schedule or veer off to pursue an area of concern that comes up during the audit. First, determine whether there is an immediate safety concern; if so, that dictates how to proceed. Second, decide whether the issue or concern falls under the scope of the audit. Third, determine what level of risk would exist if the concern were not explored further. Another risk-based decision is made when determining whether to increase the sample size based on what the auditor sees in an initial sample.
Classification of findings, determination of acceptable corrective actions, effectiveness verification, and time frames for subsequent actions all have an element of risk assessment. Determining whether to schedule a follow-up audit upon audit closure is one more decision made based on risk to the company, customer, or public.
If an auditor is already doing all of this risk assessing and managing as part of a robust audit program, what is the point of this article? Well, we as quality professionals know that having method and structure to a process is a better way to achieve consistently positive results than letting things happen organically. Accordingly, we will talk about how to more formally integrate risk management into an audit program.
Let’s look at three concrete things that can be done to formally integrate risk management into the internal audit process.
- Changes to the baseline annual audit plan should be made based on areas of concern or opportunity identified in the annual senior management meeting.
- Definitions and methodology for classifying audit findings should reflect a previously determined risk assessment matrix.
- Reporting results and recommending action based on audit findings should reflect the assessment of risk as determined during the audit process.
These three suggestions will give you a good foundation for integrating risk management into your internal audit program.
If you have any comments or experiences (positive or negative) you would like to share or any questions on this article, please feel free to send me an e-mail.