ISO General Assembly

The ISO General Assembly is a Big Deal in the world of standardization (our world, as luck would have it) and it is being held this week. This year's meeting, the 36th anniversary, is hosted by the Russian Federal Agency on Technical Regulating and Metrology (GOST R) in St. Petersburg, Russia, and will run until 21 September. This is not the first time the meeting has been held in Russia, by the way; the members met in Moscow back in 1967.

The General Assembly is an opportunity for ISO members to meet and exchange ideas, eat food and dance. Well, I made up the dancing part to see if anyone was paying attention. Come to think of it, maybe there is some dancing – who knows? Representatives from over 130 countries will be there – maybe some of us can attend next year? Anyone??

There are two good places to get information on it at the moment:

  • Twitter, under the hashtag #ISOGA, and
  • on ISO.org – they have a dedicated page for it (of course) – it updates frequently.

I’ve posted a variety of YouTube videos, as a playlist, below. If your Spanish is rusty you may want to skip ahead on the first one, though there are subtitles. It is, after all, an international organization….

Enjoy – thanks!

(and keep up that whole self-calibration thing)

Sal

Internal Audit Schedule Part 3 – How To’sday!

Risk Based Internal Audit Schedule

The past two “Toolsdays” have explored various options for generating an internal audit schedule. This week, I wanted to spend a little dedicated time on what is called a “Risk Based Audit Schedule”. There are versions of this found out in the Interwebs, and frankly – I think most of them are just too complicated for most companies. If you’re a multinational aerospace company or deal with medical device directives then yes, by all means, investigate and ensure you’re doing all you can to mitigate risk by every means necessary.

But for most of us, simply adding the concept of risk to our management system is a huge gain for very little effort. This is especially true for those who are ISO 9001 registered. Starting with the audit schedule and going through the process of determining risk is a stepping stone to finding opportunities for improvement in every area.

While the concept of Risk has been in place for some of the other ISO standards, notably ISO 13485 for Medical and the Aerospace standards (AS9100 et al.), it is new to ISO 9001 – or will be, when the next version arrives in 2015.

Companies will likely be searching for ways to incorporate risk awareness into their management systems. The Internal Audit Schedule is a common-sense early target.

What is Risk?

Risk-based Internal Auditing is a method that considers the intersection of Likelihood and Consequence to help determine where, and sometimes how, audit resources are put into play: resources in terms of time, frequency and auditor expertise.

Risk Determination

Basically, if something catastrophic could result in a given process and it is likely to occur, then that process will be given a higher priority and prime resources over a process where catastrophe is unlikely.

Consider the process of welding support structures compared to stenciling the company logos on them.

The welding operation should receive more detailed, deep and frequent audits versus the logo-application process.

Sometimes, however, there may be a seemingly benign consequence – say a missing manual, but it is quite likely to occur. This should be given added attention (and a good investigation for process capability, as an aside).

Similarly, there may be an unlikely event with tragic consequences. Even though tight process controls and inspection steps nearly ensure detection of a weld error, because the consequence may be dire and tragic, then this too is worthy of heightened attention.

Scoring Risk

Part of the process in creating a Risk Based Audit Schedule is generating a relative score for risk. This can be calculated based on likelihood and consequence.

If you’re familiar with FMEAs then this concept is familiar as well, but it can be simplified for our purposes. If you aren’t familiar with FMEA then – well, another day, my friend – another [Tues]day (okay, I made you a link to the Wikipedia entry – just make sure you come back!).

Basically we need a few pieces of information – or, technically, data:

  1. Function or Process
  2. What could go wrong
  3. A rating (L) from 1-10 of our confidence in the controls in place to identify or prevent the occurrence (10 being no confidence in detection or prevention)
  4. What will happen if that went wrong
  5. A rating (C) from 1-10 of that Consequence (10 being tragic)

This may take some doing and require a knowledgeable cross-functional team, but it is a worthy exercise for creating an audit schedule – and quite useful beyond that.

For each auditable area simply take the L and multiply it by the C to get a number – let’s call it “Ra”.

The Risk Based Schedule

With each process identified, along with its Ra score, we can lay down our risk based audit schedule. It should look something like this:

RBA basic sched

The higher the Ra score, the stronger the team and the more frequently it will be audited.

Naturally, yours will be fleshed out more, and you’ll define somewhere the compositions of the audit teams. “A” in this example would be your more experienced day shift auditors, “C” possibly an experienced night shift auditor, and “B” is a team with some trainees.
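The scoring and scheduling steps above as a small Python sketch; this is an added example, not the author's own schedule or spreadsheet. The band cut-offs, the escalation rule for a single extreme rating, the A > C > B team order, the audit frequencies and the sample ratings are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed cut-offs, not from the article: tune them to your own risk appetite.
HIGH_RA, MID_RA = 50, 20   # bands on the 1-100 Ra scale
EXTREME = 9                # one factor this high forces extra attention
TEAM_RANK = {"A": 0, "C": 1, "B": 2}  # assumed strength order of the teams

@dataclass
class Area:
    process: str
    L: int  # 1-10, 10 = no confidence in detection or prevention
    C: int  # 1-10, 10 = tragic consequence

def ra(area):
    """Ra = L x C, rejecting ratings outside the 1-10 scale."""
    for name, value in (("L", area.L), ("C", area.C)):
        if not 1 <= value <= 10:
            raise ValueError(f"{area.process}: {name}={value} is outside 1-10")
    return area.L * area.C

def plan(area):
    score = ra(area)
    # A modest product can hide one extreme factor (the "unlikely but tragic"
    # weld error, the "benign but likely" missing manual), so escalate those.
    escalated = score < HIGH_RA and max(area.L, area.C) >= EXTREME
    if score >= HIGH_RA or escalated:
        team, frequency = "A", "quarterly"
    elif score >= MID_RA:
        team, frequency = "C", "semi-annual"
    else:
        team, frequency = "B", "annual"
    return {"process": area.process, "Ra": score, "team": team,
            "frequency": frequency, "escalated": escalated}

def schedule(areas):
    # Strongest team first, then highest Ra first.
    return sorted(map(plan, areas), key=lambda r: (TEAM_RANK[r["team"]], -r["Ra"]))

# Constructed sample ratings, for illustration only.
SAMPLE = [
    Area("Logo stenciling", L=3, C=2),
    Area("Structural welding", L=2, C=10),
    Area("Manual packing", L=9, C=2),
    Area("Incoming inspection", L=5, C=6),
    Area("Preventive maintenance", L=8, C=7),
]
if __name__ == "__main__":
    for row in schedule(SAMPLE):
        print(row)
```

Sorting by Ra alone would place the tightly controlled weld (Ra 20) below incoming inspection (Ra 30); the escalation flag is what keeps it with the strongest team.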

Those are the basics of creating a risk based internal audit schedule, and I hope it’s enough for you to sink your teeth into and run with it. Feel free to message me with questions, or leave a comment below.

Thanks again for listening, and now – please – go forth, and calibrate thyself.

Sal

Internal Audit Schedule Part 2 – How To’sday!

The internal audit schedule, covered partially in last week’s Toolsday, is something with which many companies struggle. We’ve covered how the various standards state the requirement and what is expected, along with some other considerations, such as whether audits should be done by an outside party, how they can be used to help prepare for formal auditor credentials and what parts of the business should be included.

There are many styles and formats used in the wild to accomplish the task. Regardless of the format, the internal audit schedule will involve, primarily, some event occurring at some point in time.

Audit Schedule Event vs Time
Fig. 1

The events will be related to the requirements against which we are auditing; expressed perhaps as locations or documents or processes or some combination of these.

The time can be expressed as any calendar date, in any granularity that is consistent with the culture of the company. If I’m asked which time-frame resolution is best, and not given any other considerations, I will always say quarterly. Some corporate cultures dictate the schedules be defined down to the day – whatever works.

And while you’ll not find any specific requirement for the time period in which a “full cycle” (that is, the entire scope of registration) is covered, the correct answer is “within a calendar year”.

Options to consider

Process-based

Typically, the best audit schedules are process-based. What is a process? The fairly common definition says it is something that has inputs and outputs.

ISO 9001 defines it as “set of interrelated or interacting activities which transforms inputs into outputs”.

Audit Schedule - Process vs Time
Fig. 2

Some processes are documented, some are not – the different standards each have requirements for what is to be formally documented and what need not be.

The standard schedule looks pretty much like Figure 2.

Floor plan

This choice is an interesting one, and I like it. What it entails, simply, is to take a floor plan of the organization and section it off in slices of time. And this covers, in most implementations, about 80 percent of what needs to be covered – the rest earns an honorary position in the schedule (I will explain).

It is important to include all areas of the company; all buildings, including outbuildings and designated outdoor functional areas (storage, for example).

It is essentially a process-based audit, with a different way of illustrating it. So in this way, interrelated processes could easily be grouped together, especially if they are physically proximate.

This method makes it easy to see logistical inefficiencies as well, which is a nice bonus. While it makes sense to group Receiving, Incoming Inspection, and Stock Room, for example, if these blocks are scattered at the four corners of the map then a potential inefficiency becomes obvious.

Floor plan-based audits work best when there is a good balance between complexity and compartmentalization. If the processes are very complex, then they should be compartmentalized (there should be an inverse relationship between complexity and compartmentalization).

There are some areas, however, that need to be artificially, or “virtually”, added to the Floor Plan schedule, and these are processes which are not contained within a physical boundary. These would typically be support functions, such as preventive maintenance (in the case where there isn’t a dedicated department), or occasionally Information System support which is either performed by an outside provider or through a corporate office. Improvement activities, such as Continuous Improvement, Corrective Action, and Preventive Action, as well as the Internal Audit function itself, are also not typically located in a physical area. These are simply added to the schedule as a separate, virtual area.

Depending on the standard, other areas will need to be considered virtual as well.

How to ensure the full standard is covered in a Floor Plan-based Schedule

Once you’ve created your floor plan, take the standard; each clause and subclause, and make sure it has a counterpart on the layout. You should have to do this once, before you start using the system – and again each time the Internal Audit function is audited.

Document-based

What is meant by a document-based audit? Well, using the documents that have been created within the Management System as a basis for the audit. This would be distinct from using your ISO standard of choice (I’m going to leave that to third-party audits). Let’s discount this one out-of-hand.

Audit Schedule Document-based
Fig. 3

Almost – barring two considerations. The first thing needed to do this is to include the Quality Manual as one of the documents used, with the caveat that the manual is of the sort that mirrors each requirement of the standard. I say this because some quality manuals are quite short (I know of one that is three pages long) – and as it stands now, ISO 9001:2015 won’t even require the use of a Quality Manual (though it will still be a convenient container for several sub-component requirements). Short manuals like the one mentioned above are difficult to audit from without referencing the standard unless – and here’s the second consideration – the management system has chosen to document every process. Not all standards require this (do any?), so this can be problematic.

If this is attempted then the schedule must include a provision to track the revisions of the documents over time, so nothing is missed (as I’ve shown in Figure 3).

Where this becomes problematic is when forms and other documents are involved. Should forms be included on the list? Or should there be an audit policy directing that whenever a document references another, then that document gets audited (and recorded) as well? It’s a bit of a logistical annoyance if you ask me. A document-based audit schedule is not my weapon of choice.

There is a hybrid of this and a process-based schedule that can work quite well, and that’s shown below (Figure 4).

Internal Audit Schedule - Process Document Hybrid
Fig. 4

Risk-based

Definitely something to consider as risk management, or at least risk consideration, becomes a familiar part of every ISO Management System standard.

The details of how this is done, along with a few other tidbits – will be covered in the next installment.

Next Time – Risk Based Audit Schedules

See you next week! And thanks!

Until then – go forth, and calibrate thyself.

Sal