Sooner or later an auditor will come to evaluate your organization. Continuous improvement and compliance help on their own, but there are specific things you can do to make the audit go much more smoothly (this applies to internal audits as well). Preparation does not start the week before; it starts the minute you implement a quality management system or begin preparing for ISO 9001 certification. You need a systematic approach to audit preparation and reporting that is built on core management principles, training, traceability, and credibility.
Because risk-based thinking is more prominent in ISO 9001:2015 than in previous versions of the standard, many organizations are wondering how to demonstrate how they do it to auditors. Fortunately, most activities in the domain of quality management, if successful, serve to reduce risks. The key is to keep track of how your efforts relate to risk.
Here are five actionable recommendations for demonstrating risk-based thinking to auditors:
- Train your staff about risk. Use the training management module of your QMS software to ensure that everyone in your organization knows the foundational information about risk, such as:
  - what risks are, and the risk profile of your organization based on stakeholder needs and the organizational context
  - the relationship between hazards, threats and risks
  - how (and how often) your organization assesses and monitors risks, and
  - how lessons learned are integrated into processes and the QMS.
- Prioritize activities with risks in mind. Determining which corrective action, improvement project or audit finding you work next often includes looking at the benefits you expect to realize. Incorporating expected reduction in risk can add to the prioritization decision.
- Show progress on Action Plans that emerge from quality events like nonconformances, audits and management reviews. In ISO 9001:2015, Clause 6.1 requires you to plan actions to address risks and opportunities, and the management review inputs in Clause 9.3.2 include examining “the effectiveness of actions taken to address risks and opportunities.” Auditors will expect to see the two tied together: the actions you planned, and evidence that management reviewed whether they worked.
- Keep records of how risks change after you implement corrective actions or improvement projects. Not only will this provide information about the effectiveness of your efforts, but it will also demonstrate that you are incorporating risk into decision making and evaluation of results.
- Demonstrate how your organization is continuously improving its physical, knowledge and social infrastructures. Improved physical infrastructure enhances reliability and performance while reducing costs over the long term. Building knowledge infrastructure improves communication and institutional memory, which reduces the risks associated with incomplete or outdated information. Improving the social infrastructure builds resilience, helping your organization recover from risks if they lead to incidents.
Risk-based thinking is not just “watered down” risk management; it is the basis for managing risk in any organization. Formal risk management is systematic and institutional, and is sometimes only performed periodically. Risk-based thinking, by contrast, is continuous, proactive, engaged and personal.