This week, Greenlight Guru is hosting a series of webinars called the "Risk Management True Quality Summit Series." The talks cover a whole range of topics related to risk management. As this post goes live, the series has a couple hours yet to run. You might be able still to catch the last talks live. Recordings will be made available through the Greenlight Guru Academy, though I'm not quite sure on what terms. Check it out.
The last webinar on Tuesday was by John Thompson of Emergo by UL, on the application of risk management in audits. I've done quite a few audits over the years, and we've talked about them at some length in this blog before, so I was interested to see what he had to say. And while his examples were naturally chosen from the medical device industry, much of what he had to say was applicable to anyone.
He started by reminding us that ISO 19011:2018, clause 4(g), encourages the use of a "risk-based approach": "The risk-based approach should substantively influence the planning, conducting and reporting of audits in order to ensure that audits are focused on matters that are significant for the audit client, and for achieving the audit programme objectives." And then he talked through what this means in practice. If the standard asks us to apply a risk-based approach to the planning, conducting, and reporting of audits, this entails several things.
Scheduling audits
- Are there areas of the organization with an unusually high number of complaints, or corrective actions?
- Are there areas where the process KPIs are bad?
- Are there areas where external bodies (such as your registrar, or some public authority like the FDA) have found nonconformities?
- Are there areas which have implemented new processes?
- Have there been recent corporate acquisitions?
All of these areas should get special attention when you schedule your next audit. (At the same time, don't get so carried away that you forget to carry out routine audits in the other areas often enough to meet your basic requirements.)
Selecting auditors
- Do all of your auditors know how to audit?
- Can they show you documented evidence?
- Do they all understand sampling techniques?
- Do you have enough auditors?
Also, have external bodies found nonconformities that your internal audits missed? This is a red flag 🚩🚩 that something is wrong. If this happens, investigate whether your regular internal auditors are going too easy on the organization. Maybe you can invite someone from the other plant in the next state to come audit you, while you go audit them. Sometimes a fresh pair of eyes can see things that you no longer see because they are too familiar.
Conducting audits
When you start asking questions, check if the people you audit are aware of risk as well.
- Is this task controlled using risk?
- Do you inspect the incoming goods from our high-risk suppliers any differently from the ones from our low-risk suppliers?
- What risks are there in the process you are carrying out right now?
- How do you control them?
- Have you ever discovered a risk that no-one knew before? What did you do about it?
Reporting audits
When it's time to write the report, remember that you aren't the last person who is going to care about risks in this organization. Present your results in such a way that the next person can see what risks you discovered this time around.
One way is to highlight trending data across functions. An Opportunity for Improvement may look trivial by itself; but if there is a stream of nonconformities on exactly the same topic across half a dozen other organizations, it may be part of a bigger picture.
Or you can collect the results by function, to highlight which functions need the most ongoing attention. Thompson suggested a table like this to aggregate the overall risk in each area:
Notice that in this example, Purchasing actually has the fewest findings of any function listed. But since three of them are Major nonconformities, they still show the highest overall risk rating.
It was a good talk. If you missed it, check out the Greenlight Guru Academy to see if the recording is still available.
Very thought-provoking post. Thank you for summarizing Mr. Thompson's presentation here. I found this via your myASQ post this morning and it is timely for me, having been through a detailed audit this week as auditee, and soon preparing for our organization's next internal audit in a couple of months. I will share with the members of our internal audit team.
ReplyDeleteI am delighted to hear that the post was helpful. Thank you for letting me know, and by all means please feel free to forward it to anyone else that can use it!
Delete