Source: ISO 9001 Li group
Sarah Banks, Group Quality Systems Manager at Volac International Ltd.
I would like to change the Internal Audit Documentation that our company uses to include a planned approach to risk assessment and then management and ranking of the risks identified. Can anyone in the group recommend a good reference source?
Elements to consider as part of a robust risk management program include:
1. A list of risk categories relevant to your business
2. An inventory of your business processes
3. Defined criteria for both severity and probability
4. Tools for risk screening and assessment
5. Well-defined management review and approval requirements
6. Appropriately trained staff
Documenting the above will help ensure consistency / sustainment over time and helps provide 'evidence' of a planned approach.
Feel free to send me a message if you're interested in suggestions regarding execution of risk management programs.
From the ISO 2015 manual. Don't overdo this clause for ISO. If it is value added for you, then by all means proceed.
"Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards."
As indicated above BOWTIE is a great resource to 'show' that there's been logical thought about risk. Pre-Emptive Six Sigma© is a collection of tools which can be used to identify, rate, rank and...again... 'show' that a company's tolerance for risk and their ID of risk has been well thought out. www.bit.ly/2eJmc01
I agree with Dr Ali Al-Zubaidi. We need to understand the organization's risk profile and appetite.
Hugo Alejandro Garza Michel
Why change that documentation if you only want to identify and evaluate the risk? I think that you should only implement tools that can help you, like Qualitative Risk Analysis, which is a method that helps you to prioritize the risks; but first you must identify the risks with other tools like FODA (SWOT) analysis (strengths, weaknesses), brainstorming, the Delphi technique, etc. And document it all.
Rajendran Arun Kumar
I would suggest it is better to go with 9001:2015 and follow the QMS.
Prof. Dr. Mohamed Alaalam
I would suggest first studying risk assessment. That would help you very much.
Since this concerns the documented information relating to internal audit, what you should anticipate are the risks of the audit itself, such as: planning (failure to achieve the objectives and scope of the audit programme); resources (insufficient time); team selection (competence); ineffective communication; records and their controls; inattention (auditor and auditees); ineffectiveness of results; accidents; contamination in clean rooms.
You can create an FMEA to identify, rate and evaluate how your plan has impacted the identified risk.
Since when was risk assessment ever an internal audit activity? IA happens so late in the piece as to be almost irrelevant for RM purposes... get real.. understand the issue here.
ISO 9001:2015, clause 9.2.2 (audit program) does not specify the requirement for a planned approach to risk assessment.
Rajendran Arun Kumar
Follow the complete clause of 9001-2015 to identify the risk in internal audit
Hello Sarah, you should include in the risk assessment process at 6.1 the key processes of the QMS, including the internal audit. After that, you should evaluate whether the internal audit process represents a high risk rate to ensure the application of the QMS. If yes, KPIs should be in place to measure the performance of the internal audit process, to be able to evaluate the criticality of this risk.
The internal audit shall require some changes in the audit report to include, for each key process audited, the KPI objectives, the results and the risks associated.
Once again.. Risk assessment is a management responsibility for inclusion in system and product/service design processes. It has almost nothing to do with internal audit... not least because the expectation that internal auditors will know more about system and product/service risk than those responsible for identifying and managing the resources to control them is completely ridiculous.
First, you do not need to change the standard internal audit documentation, but you could add, through the checklists, the points which check the application of the risk notes of the clauses and processes which are affected by the risk assessment.