Taking Internal Audits to the Next Level: Process Improvement and Business Risk Mitigation
Monroe J. Ratchford, MBB, President, LEAPS Consulting, Dumfries, VA, USA
Co-Speaker: Derick Carter
Keywords: Auditing, Risk, Maturity
The initial purpose of all internal audits should be to reduce the risk of governance noncompliance and certification. The standard subtle gives us the authority to get off calendar based audits and into risk based audits. Too many times, organizations get stuck in the calendar based, compliance based audits. By the third surveillance audit, even the registrars tend to fall in the trap of only finding trivial issues. It is important for a compliance disciple to be developed. Habits must be formed to drive compliance and the culture of compliance. Most companies achieve victory; they achieve compliance relatively soon. It is the organization freezing their maturity at this level that short changes organizations of the potential benefits of the standard. This presentation addresses this simple compliance concern and offers an alternative that involves building the maturity of the auditing discussion. Audits simply focused on compliance, after a while, tend to be less effective, and if artificially continued, tend to lower the respect for ISO 9001 quality principles.
But how do you actually conduct an audit whose goal is process improvement? This may cause us to expand our traditional definition of audit. The proposed maturing level audits still have the goal of providing senior management with insight into operations. It still has the goal of bringing to the process owner s attention, risks worthy of addressing. Consider using a process improvement audit that follows this kind of sequence:
- Review, the flow chart, procedure, past CARs and metrics. Highlight areas of concern and discuss with process owner. Determine which sub-process will provide the best ROI for these concern areas.
- Take this sub process and considering capturing the details enough to do unit costs, cycle time and defects levels. This may require writing a flow chart. Frequently, in ISO implementation, we tend to map a process minimally to order to reduce the need for displays of evidence. We probably need to get beyond this fear and map processes to capture the critical nuances for process execution where appropriate.
- Depending on the urgency, consider doing a value stream type map of the sub-process. Value stream mapping is another tool useful to address process improvements so that the data can be collected on each process, in specific the C&A (Correct and Accurate first time right), costs, process time and touch time.
-Consider now doing a Gemba walk. That is, go see. Go touch. Go feel. Go be the process. Seek ground truth. Gemba walks would include actually walking the process to observe and ask questions about the process instead of looking for evidence on just a flow chart. During the process understanding effort (flow charting a Gemba walk), the auditor will have a chance to see where compliance with statues and regulations come into play; see if compliance is real.
- Consider doing some root cause analysis and validation where appropriate.
- Once captured, one can make the concerns visual and then translate into process steps, transform into lessons learned, improvements, and potentially a better way of doing work.
- The auditor would summarize the findings affecting cost, cycle time and defect rate.- The auditor and process owner would meet to discuss the findings. As a team they would develop a way ahead. This plan could run the gambit from a blown DMAIC project to a just do it.
- The auditor would then write a CAR that summarized the findings and the way ahead that the process owner and the auditor agreed to do. These CARS (summary) would be presented just as a normal CAR would be presented and tracked in a Management Review.
At the very least, there will be a substantive conversation about the music of the process flow. Conversations about the subtleties that only someone working in the process can share. Conversations about the pain points, the emotions, incongruences, frustrations, the vision, etc., can now be captured.
The final level of audit maturity is the business risk audit. This is where we deliberately use auditors to address business risks. Once again while there is a departure from our normal concept of auditing, but the change still fits in the basic foundations of audits: audits provide for leadership s eyes and ears, seekers of ground truth, risk mitigators, etc.
So how do you conduct a business risk audit? Here is one approach to addressing this effort:
- Review the SWOT, Interested Party, Master Requirements List, new delivery order/project or like documents. Determine appropriate risks for these documents. One approach might be to use the auditors to charter and address the risks from your SWOT. They could spend significant time working the mitigation plans on each projects risks and sharing those lessons learned for other projects.
-Determine the appropriate risk analysis/management tool (FMEA, UML Diagramming, etc.)
-Discuss with the risk owner, business leader, project manager or team leader. Develop potential mitigation approaches. This can cover the gambit from just do it to complete mitigation project plans.
-Convert discussion notes into a CAR.
-Continue tracking the CAR in the normal Management Reviews.
So this is an approach to business risk audits. This too requires a higher level of sophistication for your auditors. They would be more useful in this effort if they had insight into the challenges senior management has in running the organization. They would have to be cognizant of the strategic issues to prioritize their efforts.
So overall, we are talking about building in maturity levels for internal audits. The basic starting level is compliance auditing. At the some frequency, compliance audits are still useful forever. But a diet of only compliance audits deprives the organization of the other benefits the ISO 9000 framework can provide. I am proposing that internal auditing programs adopt a maturity level system. We should always start with compliance as an initial purpose of audits, but as our organization matures, they move up the ladder from compliance to process improvement to strategic business risks. We can still sprinkle in compliance checks, but as compliance become a habit, the auditing program can still add value by moving up the maturing ladder. Using the Management Review system and the sunk cost for auditors, organizations can expand the repertoire of auditors to address, fund and get visibility of the risks associated with process improvements as well as the risks associated with business risks.