Risk Based Internal Audit Schedule
The past two “Toolsdays” have explored various options for generating an internal audit schedule. This week, I wanted to spend a little dedicated time on what is called a “Risk Based Audit Schedule”. There are versions of this found out in the Interwebs, and frankly – I think most of them are just too complicated for most companies. If you’re a multinational aerospace company or deal with medical device directives then yes, by all means, investigate and ensure you’re doing all you can to mitigate risk by every means necessary.
But for most of us, simply adding the concept of risk to our management systems is a huge gain for very little effort. This is especially true for those who are ISO 9001 registered. Starting with the audit schedule, going through the process of determining risk is a stepping stone to finding opportunities for improvement in every area.
While the concept of Risk has been in place for some of the other ISO standards, notably ISO 13485 for Medical and in the Aerospace standards (AS9100 et al), it is new to ISO 9001 – or will be, when the next version arrives in 2015.
Companies will likely be searching for ways to incorporate risk awareness into their management systems. The Internal Audit Schedule is a common-sense early target.
What is Risk?
Risk-based Internal Auditing is a method that considers the intersection of Likelihood and Consequence to help determine where – and sometimes how – audit resources are put into play: resources in terms of time, frequency and auditor expertise.
Basically, if in a given process something catastrophic could result and it is likely to occur, then it will be given a higher priority and prime resources over a process where catastrophe is unlikely.
Consider the process of welding support structures compared to stenciling the company logos on them.
The welding operation should receive more detailed, deep and frequent audits versus the logo-application process.
Sometimes, however, there may be a seemingly benign consequence – say a missing manual – but it is quite likely to occur. This should be given added attention (and a good investigation for process capability, as an aside).
Similarly, there may be an unlikely event with tragic consequences. Even though tight process controls and inspection steps nearly ensure detection of a weld error, because the consequence may be dire and tragic, this too is worthy of heightened attention.
Scoring Risk
Part of the process in creating a Risk Based Audit Schedule is generating a relative score for risk. This can be calculated based on likelihood and consequence.
If you’re familiar with FMEAs then this concept is familiar as well, but it can be simplified for our purposes. If you aren’t familiar with FMEA then – well, another day, my friend – another [Tues]day (okay, I made you a link to the Wikipedia entry – just make sure you come back!).
Basically we need a few pieces of information – or, technically, data:
- Function or Process
- What could go wrong
- A rating (L) from 1-10 of our confidence in the controls in place to identify or prevent the occurrence (10 being no confidence in detection or prevention)
- What will happen if that went wrong
- A rating (C) from 1-10 of that Consequence (10 being tragic)
This may take some doing and require a knowledgeable cross-functional team, but it is a worthy exercise for creating an audit schedule – and quite useful beyond that.
For each auditable area simply take the L and multiply it by the C to get a number – let’s call it “Ra”.
The Risk Based Schedule
With each process and its Ra score identified, we can lay down our risk-based audit schedule. It should look something like this:
The higher the Ra score, the stronger the team and the more frequently it will be audited.
Naturally, yours will be fleshed out more, and you’ll define somewhere the compositions of the audit teams. “A” in this example would be your more experienced day shift auditors, “C” possibly an experienced night shift auditor, and “B” is a team with some trainees.
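As an added worked example (my own code, not from the post), here is a small Python script that scores each process with Ra = L x C, assigns an audit frequency and team, and flags the two edge cases discussed under “What is Risk?”. The process names, ratings, tier floors and team thresholds are constructed for illustration; the post defines the scoring but sets no cut-offs.

```python
# Added example (not from the post): score processes with Ra = L x C and
# lay out a risk-based audit schedule. Process names, ratings, tier floors
# and team letters are assumed for illustration; the post gives no cut-offs.
from dataclasses import dataclass

@dataclass
class Process:
    name: str
    failure: str      # what could go wrong
    likelihood: int   # L, 1-10: 10 = no confidence controls detect/prevent it
    consequence: int  # C, 1-10: 10 = tragic

def risk_score(p):
    """Ra = L x C, after checking both ratings sit on the 1-10 scale."""
    for v in (p.likelihood, p.consequence):
        if not 1 <= v <= 10:
            raise ValueError(f"{p.name}: ratings must be 1-10, got {v}")
    return p.likelihood * p.consequence

# Assumed tiers: (minimum Ra, frequency, team); A is the strongest team.
TIERS = [(50, "quarterly", "A"), (20, "semi-annual", "B"), (0, "annual", "C")]

def tier(ra):
    for floor, freq, team in TIERS:
        if ra >= floor:
            return freq, team

def flags(p):
    """The post's two edge cases: benign-but-likely and unlikely-but-dire.
    Both deserve attention even when Ra is modest (cut-offs assumed)."""
    out = []
    if p.likelihood >= 8 and p.consequence <= 3:
        out.append("likely: review process capability")
    if p.consequence >= 8 and p.likelihood <= 3:
        out.append("dire: verify detection controls")
    return out

def build_schedule(processes):
    """Score every process; return schedule rows from highest Ra down."""
    rows = [{"process": p.name, "Ra": risk_score(p), "flags": flags(p)}
            for p in processes]
    for r in rows:
        r["frequency"], r["team"] = tier(r["Ra"])
    return sorted(rows, key=lambda r: r["Ra"], reverse=True)
# Constructed sample processes echoing the post's welding and logo examples.
SAMPLE = [
    Process("Welding support structures", "defective load-bearing weld", 6, 9),
    Process("Stenciling company logos", "smudged or misplaced logo", 4, 1),
    Process("Packing user manuals", "manual missing from the box", 9, 2),
    Process("Critical weld with 100% inspection", "bad weld passes", 2, 10),
]
```

Running `build_schedule(SAMPLE)` puts the structural welding first (Ra 54, quarterly, team A) and leaves the missing-manual and inspected-weld cases in lower tiers but flagged, which is the added attention the post asks for.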
Those are the basics of creating a risk based internal audit schedule, and I hope it’s enough for you to sink your teeth into and run with it. Feel free to message me with questions, or leave a comment below.
Thanks again for listening, and now – please – go forth, and calibrate thyself.
Sal
