
by Peter Holtmann
Auditing is risky business. The choice of becoming an auditor, choosing your field of expertise, gaining an understanding of the standards, and applying to technical areas all rely on a professional’s competence. What underlies this competence is the confidence to complete the task. This confidence is achieved through the ability to resolve the risk inherent in the process. Let’s talk risk.
Compliance auditing, surveillance and inspection audits, internal audits, and reviews all operate on the same premise—review past performance against current practice to predict future compliance. This is very similar to risk analysis. The auditor is looking for risks and assessing their likelihood of occurrence and the severity of the risk in the event the risk is realized. If the risk is high, a corrective action is issued; if it is low, an observation; if the risk is managed, the organization is in compliance.
However, risk is subjective and depends on an individual’s assessment of likelihood and severity, which, in turn, is determined by an individual’s appetite for risk. Let me expand on this topic: risk is usually equated with finances or health and safety. Gambling or investment is something we attribute to risk. Would you leverage your life savings on an investment? Some of you would have immediately yelled, “Are you crazy?!” Others may have said, “Depends on the odds.” In health and safety if I had said to you, “Let’s go cave diving this weekend,” some of you would have said, “Never in a million years!” while others may have said, “Sounds like fun!”
This concept of risk is emerging in the auditing profession as an attribute that is to be considered. Currently, ISO/TC 176 is developing a new ISO 19011, which integrates risk. Clauses 5.2.3, 7.3.1(e), 7.3.3(b), 7.6.2, A.2–A.4, and B.2–B.5 speak of knowing how to identify and assess risk as an audit outcome.
Clearly, an auditor needs to perform risk assessments before, during, and as part of making findings after an audit, but where is the training coming from, and more important, how do we understand the risk appetite for the auditor/team leader? From my experience, risk management training is not a part of any auditor training courses. I also have not yet seen an agreed-upon international standard for risk management. So how do we determine auditors’ competence in risk management knowledge? In this instance, there is no ability to rely on industry experience, as risk hasn’t yet become part of the language of “doing business.” Environmental impact studies and workplace safety assessments are prevalent but not commonplace, and they don’t translate into a risk assessment methodology.
Next, there is the question of risk assessment methodology. Are we talking Monte Carlo analysis, Pareto, causal analysis, or a combination of these? How should the audit professional determine when to deploy various tools or understand their appropriateness?
Now onto my subject of choice: the individual. An individual’s risk appetite must be considered. To become an auditor is to understand the risks involved. In some fields, audit/inspectorate outcomes carry a legal responsibility for the lifetime of the product or service inspected, such as in electrical inspections. After an electrical installation is completed it falls upon an individual to inspect for compliance to rules and safety of use. Should the inspector sign off on the work, he or she is as liable as the installer for the lifetime of the installment. Death, injury, or damage caused by faulty installation is as much the responsibility of the inspector as the installer.
In the conformity assessment field, an auditor makes claims that the outcomes are only as good as the evidence presented at the time of audit. Let’s take food safety (FS) for instance. An auditor can inspect a food product manufacturer and make the assessment that based on the evidence presented, the organization is following FS practices and that the food is safe to eat. In the following week, the factory undergoes a major product recall based on FS risks. Where is the auditor in this chain of events? He or she is somewhat protected by the disclaimer of “audit,” and yet the risk assessment the auditor performed is an outcome of his or her “satisfaction” with what he or she observed, discussed, and reviewed during the audit. There is a disconnect.
Understanding the knowledge competence for risk is as important as understanding the personal risk attributes of the auditor. In the financial sector, assessments of risk attributes of financial planners and their clients are already occurring. In the United Kingdom, the Financial Services Reform Act says that risk must be addressed before providing service. So it is possible to assess personal risk behaviors as a quotient of providing a competent, managed (risk) service.
Can the risk behavior assessment be adapted to the conformity assessment sector? Yes. We are in the process of breaking ground in this area. Behavior or personal inventory has been a consideration of auditor competence since 2004 and has been deployed through psychometric tools.
The term psychometrics was first used early in the 20th century and is defined by Merriam-Webster as “the psychological theory or technique of mental measurement.” Although the term is somewhat new, measuring the mind is an age-old technique, dating back to the Han Dynasty in China. Great strides have been made over the last century in the science of measuring mental processes. It is easiest to think of “mental measurement” in three primary areas: measurement of knowledge, measurement of skill (or performance), and measurement of psychological attributes.
The declaration that an individual is competent can be made based on measurements of these three areas. Using risk management as an example, the knowledge of risk and the means by which it’s identified and assessed, the skills involved in responding to the risk, and lastly the individual’s tendency toward (or aversion to) risk can be measured. If we begin our argument with the premise that all individuals engage in some sort of risk-taking, we must clarify in what environment that individual is taking risks and why. The individual who said, “Depends on the odds” when investing his life savings may say, “Never in a million years!” about cave diving because he’s an investment banker and not a strong swimmer.
Why this difference and why would it vary among individuals? Although it is relatively easy to measure one’s knowledge and skill, it becomes more difficult to measure how an individual may behave because to do so requires a measurement of personality. Measuring an individual’s knowledge of risk and the means to identify and assess it can be easily quantified by developing and administering a multiple choice test from which we receive a specific range of scores that can be interpreted as pass/fail. Measuring an individual’s skill at responding to the risk can also be quantified either by developing and administering a writing assessment or by using a scoring rubric and assessing the individual as he or she responds to a risk. These assessments can also yield a very specific range of scores that are interpreted against pass/fail standards.
Measuring an individual’s risk aversion or tendency becomes more difficult because one’s own risk type may depend on his or her knowledge level and skills, as well as aspects of his or her psychological attributes, such as personality. Consider, for example, the linking of the type A personality with the increase in heart problems. Dr. Meyer Friedman linked the highly competitive, high-strung personality to a higher probability of heart problems based on his observations and study. Although many of us might conclude that we cannot change our personality, we can change our behaviors that are correlated with those personalities. One Friedman study found that those who received counseling had a marked decrease in behaviors that are typical of type A personalities. We might conclude that as patients became increasingly self-aware of their behaviors, they could decrease their heart risk.
The same could be true for an individual’s risk type. One might argue that if individuals have adequate knowledge and skills within an industry, their risk tendencies will mirror those of their peers.
With this information at hand, personality risk assessment can be used to gain a better understanding of risk-based audit outcomes. The theory of identifying auditor risk is to allow an examination of the likelihood of a mistake or an incorrect or incomplete audit. It’s likely that those working in audit roles may tend toward a specific personality profile and furthermore that high-performing auditors may have an even more distinct profile.
The Risk-Type Compass, developed by Matt Trickey and Geoff Stewart, is a psychometric tool that can be used to measure an individual’s predisposition to risk and capacity to manage it. The two main personality scales that underpin risk predisposition are estimated to be Calm: Emotional, which concerns the more emotional side of risk taking, from fearful or anxious to composed and optimistic; and Daring: Measured, which indicates an individual’s preference for a methodical approach or, conversely, a spontaneous and adventurous approach to risk.
Auditors are likely to need to be prudent, thorough, organized, and compliant. These are characteristics associated with a Measured rather than Daring disposition, or a lower score on the Daring: Measured scale. This leads to the hypothesis that auditors will have lower levels of Daring: Measured compared to the general population.
Calm: Emotional concerns emotional stability. High scorers on this scale are likely to be cool-headed, calm, and optimistic, but at the extreme seem almost oblivious to risk. Those with lower scores are likely to be apprehensive and pessimistic about risk taking and alert to any threats in their environment. They will put security at the top of their agenda. This could be linked to an ability to spot the risks associated with products assessed by auditors. This leads to a second hypothesis: that auditors will have lower levels of Calm: Emotional compared to the general population.
These personality scales are used to place individuals into risk types determined by the Risk-Type Compass, ranging from the most risk averse (the wary type), to the most risk tolerant (the adventurous type). It’s likely that certain risk types will be more prevalent; specifically, there will be a greater prevalence of risk types associated with a more apprehensive, careful, and cautious approach to risk taking, i.e., wary, intense, and prudent types.
Furthering the concepts of personal risk, the theory can predict patterns of work. It may be the case that teams with a balanced distribution of risk types perform better than those with concentrations of certain types. Conversely, it could also be the case that teams with high numbers of certain types (such as those likely to be associated with higher auditor performance) will perform better than those with a balanced mix.
There are those among us that are regarded as good auditors for one of many reasons. One reason is how we conduct ourselves on-site. The professionals in our field may owe their performance to the way that they manage themselves, i.e., they are strategically self-aware. Such people would be aware of their strengths and limitations and understand how they may affect others. They may know how to compensate for weaknesses, rein in excesses, maximize their assets, or improve their performance.
“Strategic self-awareness” or “political awareness” are ideas that crop up in discussion or as a focus of coaching, but I am not aware that such an assessment exists as a formal psychometric. RABQSA International Inc. is working on this now with Psychological Consultancy Ltd. and will have a research project for risk types among auditors operating shortly.
Using this theory, we could predict if an auditor is placing himself or herself and the client at risk using psychometric analysis. These data would be used to influence choice of auditor for standard, technical area, and risk level of process. It can even be used to determine certification type, length, and continuing professional development activities.
When planning, undertaking, or reporting on audit outcomes, risk management is an emerging area which requires research and analysis. The results of assessing risk in personnel and the process will further advance the industry and the auditing professional. While ISO/TC 176 has begun to frame the premise of risk and how it should be demonstrated, the market must be given time to define, examine, and record the risk of the auditing professional.
The risk of managing risk is not yet managed and remains good intent without direction. I am hoping to provide some direction by conducting this study of risk of personnel and applying it to the process of certification. I like to think that this is an exciting and important service being offered back to the industry. Should you be interested in becoming a part of the research work and survey group, please contact me.
About the author
Peter Holtmann is president and CEO of RABQSA International Inc. and has more than 10 years of experience in the service and manufacturing industries. He received his bachelor’s degree in chemistry from the University of Western Sydney in Australia and has worked in industrial chemicals, surface products, environmental testing, pharmaceutical, and nutritional products. Holtmann has served on various international committees for the National Food Processors Association in the United States and on the Safe Quality Foods auditor certification review board.