By Mike Richman
This regular column in The Auditor is intended to shine a light on the people, standards, and events that mean the most to auditors and registered organizations.
In this segment, we chat with Greg Hutchins, the founder of the Certified Enterprise Risk Manager (CERM) Academy and author of the books, Value Added Auditing, Risk Based Auditing, Supply Chain Risk Management, and ISO 31000:2018. He is offering a presentation titled, “The Future of (Quality) Auditing” during Exemplar Global’s forthcoming Future of Auditing Expo.
Mike Richman: What, in your opinion, does the future of the industry look like from the perspective of auditors’ careers?
Greg Hutchins: Great question. ISO recently announced the number of companies that are ISO 9001/ISO 14001 registered. The numbers were interesting for one big reason: Overall registrations dropped in one year by 20 percent. I haven’t seen that since 2000, and that was a concern to me. Why? Because something is changing in the life cycle of ISO registrations. I think what’s changing is the fact that companies now have a higher requirement for auditing and the certification bodies aren’t pushing it as much as they used to, perhaps because of [lower] profit margins. What does that mean for auditors? I think there are going to be fewer management system auditors, but they are going to be making a lot more money, because according to ISO 19011:2018, all management system audits are going to be risk-based audits. They are going to provide a higher level of assurance to the customer, they are going to require more knowledge from the auditors, and the auditors that remain will be more highly trained and better compensated.
MR: What is risk, why is it called out in ISO 9001:2015, and how does it play into the broader themes of organizational competitiveness in the global economy?
GH: We’re living in the age of VUCA, which is an acronym for volatility, uncertainty, complexity, and ambiguity. And in this age of VUCA, companies want a higher level of risk assurance. ISO saw that and they modified ISO 19011:2018 to have the requirement for risk-based audits. And just to be clear: ISO 9001 is a “what is” document; ISO 19011:2018 is a “how to” document. Let me explain that for a second. ISO 9001 has requirements—adherence requirements, audit requirements. This the “what is” language that an auditor looks at. ISO 19011:2018 is the “how to” document, meaning how to audit against these requirements and how to plan, conduct, and report a risk-based audit. Those two documents go hand-in-hand—the “what is” document, ISO 9001, and the “how to” audit document, ISO 19011. In terms of competitiveness, companies want a higher level of assurance that the right controls are in place, that risk is being mitigated, and that the company is basically monitoring what it has to so it can meet its objectives, which is a new and fundamental element of ISO 9001. Now, companies have objectives that they have to meet, and any risks that hurt the company or stop the company from meeting its objectives must be mitigated.
MR: Who should “own” risk-based thinking within an organization, and how can auditors verify that such thinking exists during an audit?
GH: Let’s first define risk-based thinking. A common misconception is that you can audit somebody’s thinking. False. All you can audit are the artifacts, the evidence, and the information that comes out of the thinking. What we’ve done for many years at my organization is to operationalize RBT, risk-based thinking, in terms of two criteria. We defined RBT as risk-based problem solving and risk-based decision making. If a company does those two things and has artifacts to demonstrate it, then you can audit against that. Bottom line, you can’t audit somebody’s thinking, but you can verify adherence against evidence, information, and the audit trail on problem solving and decision making. Who owns it? I think the organization owns RBT, and everybody in the organization is responsible for their risk-based problem solving and risk-based decision making. Auditors verify that against data, artifacts, process flow charts, or other evidence, but it has to be demonstrable, and it’s got to be relevant and sufficient to the auditor.
Exemplar Global’s Future of Auditing Expo will take place October 14–31. Click here to register.
About the author
Mike Richman is the principal of Richman Business Media Consulting, a marketing and public relations company working with clients in the worlds of manufacturing, consumer products, politics, and education. Richman also hosts the web television program NorCal News Now, which focuses on social, economic, and political issues in California. He is a contributor to (and former publisher of) Quality Digest.