The Risk Organization
A holistic approach to management reconfigures the traditional silo organization by addressing the organization's risk appetite to meet its objectives (ISO Guide 73:2009). Organizations adopt a holistic approach to risk by combining strategic planning with operations and by integrating Management Systems Standards into a single management system. Sarbanes-Oxley and the Food Safety Modernization Act are regulations that also impose management risk-driven legal requirements on organizations.
A clause-based audit approach sufficed for a silo or department management Standard, when the Management clause was matched to the activity within the department. However, within a process, whether recognized or not, more than one discipline exists; at a minimum, occupational safety. Consequently, more than one discipline is associated with a process, and the risk across the process should be considered. As such, a risk assessment of discipline standards should not be completed independently for each discipline silo or department. All the potential risks should be assessed simultaneously because an unassessed risk can affect the operations of the process.
An overarching risk strategy across the integrated disciplines is the more acceptable management practice. Consequently, risk-based auditing is more suited to risk-managed, process-driven organizations.
The qualified processes are those called out in 8.1 in ISO 9001, which states that 6.1 and 4.4 apply. Other ‘processes’, such as those called out in 9.2.2, do not qualify because 6.1 and 4.4 are not called out.
Until 19011:2018, no internationally recognized guidelines for risk auditing had been advanced. This web site is an online facility for risk-based auditing training.
The Reconfigured Organization
19011:2018 does not provide clear guidelines on what the organization should look like to accommodate risk-based auditing. In 2007, the alternative structure and format to support integrated management disciplines for organizations proved to be an award-winning concept. The Quality Assurance Institute made the award. The mechanics of the concept resulted in technology and led to the Fellow’s designation by the Chartered Quality Institute. The 2015 Management Standards aligned the requirements for the respective disciplines.
The configuration of integrated disciplines enabled the risk requirements to be seamlessly added as a management tool to holistically deliver preventive controls over a process, which is an ISO best practice (re: Introduction, ISO 9001:2015).
Patent 6994258 is the genesis of integrated operational disciplines.
Our award-winning reconfigured organizational format forms the foundation of the risk-based organization for conducting risk-based audits.
The risk-based auditor requirements
Although 19011:2018 speaks to the risk-based audit, it does not guide ‘how to’ conduct the risk-based audit, except to state: ‘An audit of an organization’s approach to determining risks and opportunities should not be performed as a standalone activity.’ The auditor’s training will satisfy the full definition of an audit per 19011:2018: ‘the systematic, independent and documented process for obtaining objective evidence (3.8) and evaluating it objectively to determine the extent to which the audit criteria (3.7) are fulfilled’.
The classroom student is limited by a single pass of materials to gain knowledge. In our program, the student must review the information repeatedly until the pass threshold is reached. The student is told only when the pass mark has been reached, not which questions were answered correctly. Rote learning is an effective method. The online information is repeated until the pass mark is reached to provide confidence that the student is trained.
The organization is reconfigured away from silo management to become a risk-based process operation. The student is trained on the reconfiguration and becomes aware of the interface between 19011:2018 and the ‘process’.
The auditor conducts the risk-based audit to determine the extent to which the risk has been managed and has allowed the organization to meet its intended outcome. The training also identifies the required reports to be completed by the auditor. Management also assesses the auditor to determine whether certification is deserved.
Take a look at our program and sign up to manage your organization’s risk of not meeting the objectives determined by its strategic direction.