How to Audit “Risk-Based Thinking”
by Christopher Paris | Apr 14, 2015 | Guidance Document

The future of how certification bodies (CBs) will audit the new ISO 9001:2015 “risk-based thinking” language is already setting, like wet clay in the oven. In short, they are going to default to traditional risk management techniques and impose FMEA on their clients. It won't matter if you are making tanks for the military or muffins in a bakery, you are going to be doing FMEA because the auditors don't know any other way. That contradicts what ISO 9001's authors intended, but it's what is going to happen.

But if the CBs are wrong, then what is the right way to audit something like RBT, which doesn't actually have any requirements? How do you audit “thinking”? Some have argued it's impossible, but it's not; it's just challenging. Let's take a look.

The Audit Process

First, let's understand what auditors are supposed to do. They are supposed to gather objective evidence to assess the conformity of a company against ISO 9001 requirements. That means there need to be two inputs into the audit process: requirements and evidence.

Let's take that in reverse order and understand what “objective evidence” is. In short, objective evidence is evidence that is gathered independent of the auditor's opinions and biases, and which can be confirmed at a later date by any third party. For decades, auditors have been trained to believe that the only acceptable forms of evidence are documents and records. This is not true. Other forms of objective evidence include:

- Direct observation of work by multiple parties
- Direct observation of work by a single party (when a job is only performed by one person)
- Gathering of intellectual evidence (i.e., conversations)
- Sounds, smells, tactile evidence
- ... and so on.

When auditing RBT it will be imperative for CB auditors to avoid the reliance on documents, records and procedures, since the standard specifically does NOT require them. Auditors who demand to see such documentation because “I can't audit otherwise” should be shown the door. And I mean that in the Old Western saloon bar fight way.

So the second input is the requirement itself. For RBT, as I said, there are no firm requirements for documents, records, processes or resources. One need merely “think” about risk when crafting and managing a QMS. The idea behind this approach was, according to one TC 176 representative, to “address risk according to the context of the organization.” Some organizations might be required to take a heavy, formal approach in order to provide the necessary level of confidence in their ability to provide consistent conforming product. In the automotive context, design and process FMEA would be expected, and possibly other risk-based things like sampling criteria, etc. In the food context we have HACCP; and so on. Clearly though, it wouldn't be appropriate for a small mom & pop store selling innocuous hardware products to have to go through a full FMEA. So we came up with the “risk-based thinking” phrase as a way of diluting the push for out-and-out risk management.

Ok, that's simple enough. But what does ISO 9001 actually require?
From this standpoint, the 9001:2015 DIS calls out the need to assess risks in the following areas:

- Determining the context of the organization
- Determining the processes needed for the QMS
- Risks associated with assuring product or service conformity
- Post-delivery risks

There's also a general theme running that risks should be considered throughout the QMS regardless of whether it's specifically called out in a clause or not. It appears, then, that we have very loose, vague language defining how RBT is to be implemented, and (again) that's by TC 176's design. The intent was for the company to determine the level of rigor to be used.

So that leaves us with the need to find “hard” evidence of a “soft” intangible. Impossible? Only if you are one of those badly trained auditors who probably should have retired 10 years ago.

The Good

Instead, this is a situation that requires gathering of intellectual evidence, typically through conversations. Auditors, we find, actually don't know how to document a conversation, so here is what an audit report might look like:

    Re: risk-based thinking, held interviews with Bob J., the VP Engineering, and Jim S., the President. Management indicated that during the development of the QMS, risks specific to customer product returns, calibration, [illegible in source], and previous issues with utilities were taken into account. This, they reported, resulted in the current process set and related objectives. For example, the “Maintenance” process was formerly embedded in production, but now is a standalone process in order to better manage utilities.

In that example, the names of the people interviewed (“Bob J. and Jim S.”) are the objective evidence, since they can be confirmed later by a third party. The rest of the notes are the supporting evidence to show what they said, and to give some idea that it was acted upon. There's no risk registry, no procedure, no records to prove it.
Nothing that approaches any common approach to “risk management.” And none would be required, yet the company complies with risk-based thinking just fine.

The Bad

So what might a nonconformance look like in such a scenario? In real life we can expect to see all sorts of nightmarish NCs written up, as auditors go nuts trying to invent risks from thin air and then play “gotcha” with the client by writing them up for not thinking of them; or worse, for not completing an FMEA on each risk. None of that is required, but some evidence of risk-based thinking must be present, or a nonconformity can be issued. Here's an example:

    Re: risk-based thinking, held interviews with John D., the CEO, and Esther B., the President. There was little understanding of risk, and management admitted it did not consider risk when developing the QMS. The management could not name any risk it might face, nor any actions it took to address those risks.

What we see is that you have to be pretty ignorant of risk to get such a finding. Which is also by TC 176's design; they didn't intend for companies to be written up for having a different view of risk than their auditors, but they did intend a complete absence of any risk-based thinking to be noncompliant. That's good news for users, since you don't have to do too much to comply with RBT, especially since TC 176 says it's been “implicit in ISO 9001” all along. But for companies that ignore it entirely, blow it off, or fail to execute something, it will be a nonconformity. And it should be.

The Ugly

So, to recap, here's how it should work:

1. Determine how the company has interpreted the requirements for risk-based thinking.
2. Determine how the company has implemented risk-based thinking.
3. Conduct interviews with key management to confirm; capture names and discussions as evidence.
4. If available, capture documents and records to support. If not, stop at #3.

This idea of auditing intangibles may be frustrating, and yes, ISO 9001's risk-based thinking is a mess. But it's not unauditable, and auditing it doesn't require imposing specific solutions on clients simply because an auditor lacks the imagination to audit something other than a document or record.

And the thing is, auditors have already been doing this, without a peep. In the 2000/2008 versions of 9001, the standard required the management to show “commitment” and “a customer focus,” neither of which are tangible things. Auditors typically relied on documentation to check these off, and if the words were on paper, that satisfied them. They were idiots of course, and should instead have done the same thing I am suggesting here: have conversations with management and key staff, and document that as the evidence.

So we find that auditing RBT isn't the great mystery that many are claiming. If auditors can stop trying to be consultants, stick to the rules, and understand that they should stop their fixation on auditing documents, we might see some benefit from this after all.

At least when RBT hits the fan, we know who to blame.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge.
He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015, which can be purchased here.