12/26/2017 How to Audit "Risk-Based Thinking" | Oxebridge Quality Resources
How to Audit “Risk-Based Thinking”
by Christopher Paris | Apr 14, 2015 | Guidance Document |
The future of how certification bodies (CBs) will audit the new ISO 9001:2015 "risk-based thinking" language is already setting, like a wet clay in the oven. In short, they are going to default to traditional risk management techniques and impose FMEA on their clients. It won't matter if you are making tanks for the military or muffins in a bakery, you are going to be doing FMEA because the auditors don't know any other way. That contradicts what ISO 9001's authors intended, but it's what is going to happen.

But if the CBs are wrong, then what is the right way to audit something like RBT, which doesn't actually have any requirements? How do you audit "thinking"? Some have argued it's impossible, but it's not; it's just challenging. Let's take a look.
The Audit Process

First, let's understand what auditors are supposed to do. They are supposed to gather objective evidence to assess the conformity of a company against ISO 9001 requirements. That means there need to be two inputs into the audit process: requirements and evidence.

Let's take that in reverse order and understand what "objective evidence" is. In short, objective evidence is evidence that is gathered independent of the auditor's opinions and biases, and which can be confirmed at a later date by any third party. For decades, auditors have been trained to believe that the only acceptable forms of evidence are documents and records. This is not true. Other forms of objective evidence include:
- Direct observation of work by multiple parties
- Direct observation of work by a single party (when a job is only performed by one person)
- Gathering of intellectual evidence (i.e., conversations)
- Sounds, smells, tactile evidence
- ...and so on.
When auditing RBT it will be imperative for CB auditors to avoid the reliance on documents, records and procedures, since the standard specifically does NOT require them. Auditors who demand to see such documentation because "I can't audit otherwise" should be shown the door. And I mean that in the Old Western saloon bar fight way.

So the second input is the requirement itself. For RBT, as I said, there are no firm requirements for documents, records, processes or resources. One need merely "think" about risk when crafting and managing a QMS. The idea behind this approach was to, according to one TC 176 representative, "address risk according to the context of the organization."
"Some organizations might be required to take a heavy, formal approach in order to provide the necessary level of confidence in their ability to provide consistent conforming product. In the automotive context, design and process FMEA would be expected, and possibly other risk-based things like sampling criteria etc. In the food context we have HACCP; and so on. Clearly though, it wouldn't be appropriate for a small mom & pop store selling innocuous hardware products to have to go through a full FMEA. So we came up with the "risk-based thinking" phrase as a way of diluting the push for out-and-out risk management."
Ok, that's simple enough. But what does ISO 9001 actually require? From this standpoint, the 9001:2015 DIS calls out the need to assess risks in the following areas:
- Determining the context of the organization
- Determining the processes needed for the QMS
- Risks associated with assuring product or service conformity
- Post-delivery risks
There's also a general theme running that risks should be considered throughout the QMS, regardless of whether it's specifically called out in a clause or not. It appears, then, that we have very loose, vague language defining how RBT is to be implemented, and (again) that's by TC 176's design. The intent was for the company to determine the level of rigor to be used.

So that leaves us with the need to find "hard" evidence of a "soft" intangible. Impossible? Only if you are one of those badly trained auditors who probably should have retired 10 years ago.

The Good

Instead, this is a situation that requires gathering of intellectual evidence, typically through conversations. Auditors, we find, actually don't know how to document a conversation, so here is what an audit report might look like:
"Re: risk-based thinking, held interviews with Bob J., the VP Engineering, and Jim S., the President. Management indicated that during the development of the QMS, risks specific to customer product requirements, labor force availability and previous issues with utilities were taken into account. This, they reported, resulted in the current process set and related objectives. For example, the "Maintenance" process was formerly embedded in production, but now is a standalone process in order to better manage utilities."
In that example, the names of the people interviewed ("Bob J." and "Jim S.") are the objective evidence, since they can be confirmed later by a third party. The rest of the notes are the supporting evidence to show what they said, and to give some idea that it was acted upon. There's no risk registry, no procedure, no records to prove it. Nothing that approaches any common approach to "risk management." And none would be required, yet the company complies with risk-based thinking just fine.
The Bad
So what might a nonconformance look like in such a scenario? In real life we can expect to see all sorts of nightmarish NCs written up, as auditors go nuts trying to invent risks from thin air and then play "gotcha" with the client by writing them up for not thinking of them; or worse, for not completing an FMEA on each risk. None of that is required, but some evidence of risk-based thinking must be present, or a nonconformity can be issued. Here's an example:
"Re: risk-based thinking, held interviews with Jon D., the CEO, and Peter B., the President. There was little understanding of risk, and management admitted it did not consider risk when developing the QMS. The management could not name any risk it might face, nor any actions it took to address those risks."
What we see is that you have to be pretty ignorant of risk to get such a finding. Which is also by TC 176's design; they didn't intend for companies to be written up for having a different view of risk than their auditors, but they did intend a complete absence of any risk-based thinking to be noncompliant. That's good news for users, since you don't have to do too much to comply with RBT, especially since TC 176 says it's been "implicit in ISO 9001" all along. But for companies that ignore it entirely, blow it off, or fail to execute something, it will be a nonconformity. And it should be.

The Ugly
So, to recap, here's how it should work:
1. Determine how the company has interpreted the requirements for risk-based thinking.
2. Determine how the company has implemented risk-based thinking.
3. Conduct interviews with key management to confirm; capture names and discussions as evidence.
4. If available, capture documents and records to support. If not, stop at #3.
This idea of auditing intangibles may be frustrating, and yes, ISO 9001's risk-based thinking is a mess. But it's not unauditable, and auditing it doesn't require imposing specific solutions on clients simply because an auditor lacks the imagination to audit something other than a document or record.

And the thing is, auditors have already been doing this, without a peep. In the 2000/2008 versions of 9001, the standard required the management to show "commitment" and "a customer focus," neither of which are tangible things. Auditors typically relied on documentation to check these off, and if the words were on paper, that satisfied them. They were idiots of course, and should instead have done the same thing I am suggesting here: have conversations with management and key staff, and document that as the evidence.

So we find that auditing RBT isn't the great mystery that many are claiming. If auditors can stop trying to be consultants, stick to the rules, and understand that they should stop their fixation on auditing documents, we might see some benefit from this after all.

At least when RBT hits the fan, we know who to blame.
About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015, which can be purchased here.