by Peter Holtmann
How many standards do you really know well? I mean inside out and back to front. Now, how many standards are you being asked to audit? This is either in a single audit or across the scope of offerings to a client.
If your answer were the same to both questions, I would rate you a hardcore, consummate professional auditor. Kudos to you! If the answers don’t match, then I would say this is a perfectly normal situation.
More new standards are being introduced into the workplace. This is good for world trade, for business, and for industry. This is worrying for the auditor and the registrar: Just how are they to keep up?
I see auditors routinely being asked to cover content for multiple standards during a single audit. This may be because they are auditing private standards as an inclusion to core programs, they are trying to broach multiple standards as part of a process-based audit, or they think they are adding value.
I’m not sure that this approach is adding value to the act of auditing. I hear the anecdotal evidence of “cut and paste” reporting to cover the needs and to reduce the amount of hours spent on a job. I hear of auditor burnout as auditors try to be competent across all programs and give ever more audit dollars/hours to the client.
I’m also not sure that clients are getting value from this approach. They may be trying to achieve compliance for reasons that do not align with business outcomes. For example, complying with 15 different food safety standards (yes, there are this many and more!) to try and capture the largest number of retailers is not an example of good business outcomes.
The logical approach in this process would be to manage risk with the client. The term “risk management” appears in many standards these days. The auditor must now be prepared to perform a risk assessment before and during an audit. So what role does this play in assisting the customer through selection and use of emergent standards? Should the auditor be doing this? Yes: Assessing risk means assessing what risks are involved in undertaking a process of risk management that includes correct selection of standards.
When confronted with a client’s system, a common process is to identify what practices are being performed on site. This establishes process-based auditing flow. So when undertaking this, seek out how a particular standard or series of standards can address the risk.
If a single standard can cover the range of identified risks, that single standard should be sufficient. Most standards have enough elasticity to permit prevention or control to key processes experienced on site.
Where multiple standards are selected, determine how they relate to one another. How much overlap is there, does the suite address all risks, is there another approach, or do all risks even need to be controlled by a standard?
When standards are already implemented, or if it is a mature system, determine the value the standard is bringing to the business outcomes. Ask yourself if the standard has served its purpose and whether it should still be utilized.
What’s the risk in not taking this approach? Risk lies with the auditor: Staying current and competent is a challenge. When being asked to perform audits in new standards that are recent entrants to the international stage, it’s often inconvenient as well as a significant investment in time to stop and get the training required to achieve the necessary competence to conduct audits.
Most auditors I meet are time-poor. They are either on audits, on their way to audits, or writing audit reports on their way to other audits. Finding the time to learn about another standard can be a low-order priority.
What I anecdotally experienced from standards owners—usually a leading industry body or organizations within an industry—is that the intent of the standard is being lost as the auditor tries to impose current audit thinking onto it. The result is that key elements are not being given focus and outcomes for standards users can be overlooked.
Case-in-point: The recently launched standard for sustainable event management. ISO 20121 was provided to registrars to begin creating audit frameworks. The end product was an experience by some event planning bodies that the audit focused almost explicitly on ISO 14001, with very little focus on community engagement, financial management, control of welfare and safety of event-goers, access to events for people with limited mobility, etc.
Best laid plans and all… I’m sure there was no direct intention to provide an audit outcome that bypassed industry expectations. I’m sure the industry may have missed an opportunity to engage the registrar and the auditors before and during audit framework preparations. I’m sure that the experience for industry changed their perception of the conformity assessment fraternity.
This experience points to the need for auditors to be engaged in the process of determining how or even if a standard has value and relevance to an industry and how they can best serve the auditee by delivering competent outcomes.
Auditors in the field have tremendous experience in liaising with auditees, imparting knowledge of applications of standards against processes, and offering a record of compliance to the intentions of the standard. I would say, therefore, that auditors have a role to play in advising how and when new standards should be implemented.
About the author
Peter Holtmann is president and CEO of Exemplar Global (formerly RABQSA International Inc.) and has more than 10 years of experience in the service and manufacturing industries. He received his bachelor’s degree in chemistry from the University of Western Sydney in Australia and has worked in industrial chemicals, surface products, environmental testing, pharmaceutical, and nutritional products. Holtmann has served on various international committees for the National Food Processors Association in the United States and on the Safe Quality Foods auditor certification review board.