Missing image

Internal Audits Using Risk Assessment

Posted by on in | 1,201 Views | Leave a response
Reduce risks using failure mode and effects analysis.
Reduce risks using failure mode and effects analysis.

by Roderick A. Munro, Ph.D.

The failure mode and effects analysis (FMEA) tool within the risk assessment methodology is used extensively in the automotive industry, as well as many other industries. The first question for the internal auditor is just how effectively is your organization applying the tool? Second, is there anything in this tool that we can use ourselves to make our internal audits more relevant and effective?

The basic purpose of FMEA is to evaluate the various risks associated with the process that is being reviewed. Even if you don’t currently use FMEA, you’re probably still concerned with how risk is managed in your organization. Many ISO standards (including the next revision of the ISO 9001) are starting to ask this basic question of management. How does this relate to auditing? Ask yourself just how good are the internal audits you are conducting. What risk is posed to your organization if the internal audit program is not as robust or effective as it needs to be? What is the cost to the organization? Is your organization using the internal audit program just as a task to be completed (only doing compliance audits is the most common failure that I see when evaluating organizations), or as a management tool to evaluate the organization, thus reducing the risks associated with running a company?

What is meant by the word “risk” as it relates to internal auditing? Traditionally, FMEA was an engineering technique used to identify and eliminate either known or potential issues from products before they reached the customer. This was achieved by evaluating the likelihood (risk) that some problem might occur in the design or manufacture of something. This risk analysis has been expanded and applied to many areas. (For example, I even used FMEA in my farming process.) More recently, many of the ISO standards (ISO 9001:2015, ISO 13485, ISO 14001, ISO 27000, ISO 31000, and others) are including discussions around the understanding and mitigation (methods of reducing the severity, occurrence or improving detection) of potential risks.

As the internal auditor conducts an audit within your organization, you should be asking the question of all processes, “What could go wrong?” and then start investigating how the process would handle those situations that are the most likely to occur. This could involve asking an operator why he or she is doing some task that may not be called out in the standard operating procedure (e.g., grinding paint from a hole in a metal part). Depending upon the answer (e.g., there is too much paint and it needs to be removed to allow the pin to be inserted), the internal auditor might find an audit trail that goes in an unexpected direction (e.g., a supplier or internal group is not processing the part through paint in a way the makes the part useful). This is beyond a compliance audit and is the foundation of what we call a process audit.

In the classical process FMEA, the scope of the tool is to evaluate the elements of a process on the basis of severity, occurrence, and the detection (when combined called the risk priority number [RPN]) of potential risks or nonconformities in the process. Many organizations artificially lower the reported RPN to satisfy internal management or customers without looking at the true effect(s) upon the organization or the long-term usage by the ultimate customer. Thus when an internal audit looks at the FMEA for the process being investigated, particular attention should be paid to what has gone wrong in the past and whether that item is identified in the FMEA. I will typically ask the design or process engineers what controls they have or use in determining the RPN and match that to the reality of the production or assembly lines.

As a form of benchmarking the internal audit process itself, the FMEA methodology can be used to ask the questions of how relevant and/or effective the internal audit program is. How effective has the internal audit program been at finding issues or concerns in the past? If external customers or the registrar are finding nonconformances in their audits (severity), has the internal audit found those items and if not, why not? In one case I encountered an internal audit finding that alerting management to a deficiency in their export license process led to a large governmental fine because the company did not respond to the internal audit. If the internal audit is finding a series of similar issues (occurrence), has the frequency of audit been increased to cover that particular topic? Are the external audits finding problems that the internal audits are missing (detection), and how could this occur if the internal audit process is robust?

A key component in my audits is to ask how management is using the internal audit program and results to better manage the organization. The internal audit program should be a tool of management to help ensure that processes are continually improving and not just compliant to the standards. With the ISO and business communities moving more toward the social responsibility approach, evaluating the business/organization to prevent risk whenever possible is becoming more and more a requirement of the various standards. This may require internal auditors to achieve new or improved skills and questioning techniques to better understand how well the organization is doing. And when we focus on continual improvement, we should also be reducing risk to our organizations.

So the answers to our first two questions should be a resounding yes; however, in many applications we see many opportunities for improvements in both how the FMEA is being used in organizations that require them as well as applications to help improve the internal audit process. When you become part of your organization’s internal audit program, your goal should be to continually improve your skills of questioning the system and using the process approach to reduce risks for your company.

About the author

Roderick A. Munro is a business improvement coach with RAM Q Universe Inc. He has more than 30 years of experience in the service and manufacturing industries. He is an ASQ Fellow, Certified Manager Quality and Organizational Excellence (CMQ/OE), Certified Quality Engineer (CQE), and Certified Quality Auditor (CQA). Munro is also a Fellow of the Charter Quality Institute (CQI) of England and has been a lead auditor under the International Registrar of Certified Auditors (IRCA) for nine years. He is the co-author of  The ISO/TS 16949 Answer Book published by Paton Professional.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.