Value Added Auditing is a Q+E process and risk based manual for conducting operational, IT, cyber, and supply management assessments. The objective of the manual is to enhance 1. Risk-based problem solving and 2. Risk-based decision making. Value Added Auditing can be used as a ‘how to’ primer or reference for the following assessments:
- ISO 9001, ISO 14001, and other ISO management system assessments that focus on continual improvement and achieving business objectives. The book is harmonized to ISO 19011:2011.
- Critical Infrastructure Protection (CIP) assessments including risk assessments, vulnerability, NERC CIP compliance, cyber security, resilience and CIP assessments addressing Presidential Policy Directive (PPD-21) – Critical Infrastructure Security and Resilience.
- Business assurance assessments including compliance, maturity, capability, and benchmarking.
- Internal auditing (Yellow Book/Red Book/Quality) providing independent and objective assurance that an organization can accomplish its business objectives.
- Supplier auditing that may involve forensics, assurance, and analytics.
- Risk based Information Technology (IT) audits including ISO 27001, COBIT, ITIL, HIPAA, PCI, FISMA, and SOX assessments.
- Assurance and opinion audits based on international standards.
- Risk assurance assessments ensuring an organization can meet its governance, risk, and compliance (GRC) objectives.
- Agreed Upon Procedure (AUP) engagements including reporting findings based on reviewing specific procedures.
Value Added Auditing is the primary text for the Risk Assurance element of the Certified Enterprise Risk Manager® certificate program. Visit www.CERMAcademy.com.
US Department of Homeland Security (DHS) certified Value Added Auditing as a ‘Qualified Anti-Terrorist Technology’ under the Safety Act as critical elements of Critical Infrastructure Protection: Forensics, Assurance, Analytics®.
By the late 80s, it became apparent that Japanese cars were in many ways superior to their American counterparts. They were often more reliable and durable and they got better gas mileage. They were of superior quality. They often still are.
To what do the Japanese attribute their success? The teachings of W. Edwards Deming. The Japanese listened to Deming when Americans would not.
The words “risk” or “risks” have been sprinkled throughout the 2015 revision of the ISO 9000 standard. Although some “requirements” will be easy to satisfy using well-established process monitoring or capability techniques, other references to risk are so vaguely stated as to be open to a myriad of interpretations and thus become meaningless. Having read and re-read the current references to risk spread over several paragraphs, I wonder if it would not have been better to address risk in one paragraph at the beginning of the standard. I have “cut and pasted” all of the current references to risk and included brief comments. BTW: This isn’t the complete list of uncertainties (also called risks) in the standard.
4.4.2 Process approach
The organization shall: d) Determine the risks to conformity of goods and services and customer satisfaction if unintended outputs are delivered or process interaction is ineffective;

What is the meaning of “unintended output”? Nonconforming product? Unintended output from a process can either be reprocessed (chemical industry), scrapped, or sold at a discount. The risk of producing unintended output should theoretically be set at zero or near zero but is rarely achieved (the analogy would be a process operating at 4.5 sigma vs. 5 or higher). The lower the ppm, the lower the risk of producing “unintended output,” but one must not forget that depending on the industry (airline, nuclear, medical vs. pencil manufacturers or other similar industries), these risks have different end-user impact and/or costs. Fortunately this is recognized in the last line of 6.1.

5.1.2 Leadership and commitment with respect to the needs and expectations of customers
Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that a) the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;

This can be achieved by establishing process capabilities for each process from manufacturing and/or assembly to packaging and product delivery and/or installation. The computation of a simple Cp or Cpk index would help management quantify their process risk. The objective would be to achieve the highest economically feasible capability for each process, thus minimizing the risk of producing so-called “unintended output.”

6.1 Actions to address risks and opportunities
When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 (4.2 Understanding the needs and expectations of interested parties) and determine the risks and opportunities that need to be addressed to a) assure the quality management system can achieve its intended outcome(s), b) assure that the organization can consistently achieve conformity of goods and services and customer satisfaction, c) prevent, or reduce, undesired effects, and d) achieve continual improvement.

The word “risks” in the above context is at best difficult to interpret given the requirements stated in a) – d). For example, how does one determine the risks and opportunities to assure the quality management system can achieve its intended outcomes? The intent has always been to ensure that the quality management system is effective, and this is verified via the audit process; the insertion of the word “risk” does not help any and confuses things. Nevertheless these risks can be quantified by simply looking at nonconformance percentages (per process and at final output), but this is already established via the use of process capability measures!

The organization shall plan: a) actions to address these risks and opportunities, and b) how to 1) integrate and implement the actions into its quality management system processes (see 4.4), and 2) evaluate the effectiveness of these actions. Any actions taken to address risks and opportunities shall be proportionate to the potential effects on conformity of goods and services and customer satisfaction.

Good to know and a wise decision, but this could well be seen as an escape clause by many companies.
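The commentary on 5.1.2 suggests quantifying process risk with a Cp or Cpk index, and the commentary on 6.1 notes that the same risk shows up as a nonconformance percentage. The Python below is an added worked example, not code from the article or from CERM Academy, that ties the two together: it computes Cp and Cpk for a constructed sample of 20 diameter measurements against hypothetical specification limits, then converts capability into the expected out-of-specification ppm under a normal-distribution assumption, so that a Cpk of 1.5 can be read as the “4.5 sigma” process mentioned above. The sample values, the 9.90/10.10 mm limits and the function names are all assumptions made for this example.

```python
import math
from statistics import mean, stdev

# Constructed sample: 20 shaft diameters in mm from a hypothetical turning
# process. These values are made up for this example, not data from the article.
SAMPLE_MM = [
    10.02, 9.98, 10.01, 10.03, 9.99, 10.00, 10.04, 9.97, 10.02, 10.01,
    9.99, 10.03, 10.00, 9.98, 10.02, 10.01, 9.96, 10.03, 10.00, 10.02,
]
# Hypothetical two-sided specification limits (lower, upper) in mm.
LSL_MM, USL_MM = 9.90, 10.10


def process_capability(values, lsl, usl):
    """Return (Cp, Cpk) for a sample against two-sided specification limits.

    Cp  = (USL - LSL) / (6 * sigma)             spread only, ignores centring
    Cpk = min(USL - mu, mu - LSL) / (3 * sigma)  penalises an off-centre mean
    The sample mean and sample standard deviation are used as estimates.
    """
    mu = mean(values)
    sigma = stdev(values)
    cp = (usl - lsl) / (6 * sigma)
    cpk = min(usl - mu, mu - lsl) / (3 * sigma)
    return cp, cpk


def _upper_tail(z):
    """P(Z > z) for a standard normal variable, via the complementary error function."""
    return 0.5 * math.erfc(z / math.sqrt(2))


def expected_ppm(values, lsl, usl):
    """Expected out-of-specification parts per million, assuming the process
    stays normally distributed with the sample's mean and standard deviation.

    This is the nonconformance percentage (scaled to ppm) that the 6.1 commentary
    says is "already established" once capability is known.
    """
    mu = mean(values)
    sigma = stdev(values)
    p_low = _upper_tail((mu - lsl) / sigma)    # tail below the lower limit
    p_high = _upper_tail((usl - mu) / sigma)   # tail above the upper limit
    return (p_low + p_high) * 1_000_000


def sigma_level(cpk):
    """Sigma level implied by Cpk: each limit sits 3 * Cpk standard deviations
    from the mean, so Cpk 1.5 is the "4.5 sigma" process of the commentary."""
    return 3 * cpk


def ppm_for_cpk(cpk):
    """Expected out-of-spec ppm for a *centred* normal process with the given Cpk
    (two tails, no mean shift assumed). Useful as a lookup when deciding what
    capability is economically feasible for a given industry's tolerance for risk."""
    return 2 * _upper_tail(sigma_level(cpk)) * 1_000_000


if __name__ == "__main__":
    cp, cpk = process_capability(SAMPLE_MM, LSL_MM, USL_MM)
    print(f"Cp = {cp:.2f}, Cpk = {cpk:.2f} (Cpk < Cp because the mean is off-centre)")
    print(f"expected out-of-spec: {expected_ppm(SAMPLE_MM, LSL_MM, USL_MM):.1f} ppm")
    for k in (1.0, 1.33, 1.5, 1.67, 2.0):
        print(f"Cpk {k:.2f} = {sigma_level(k):.2f} sigma -> {ppm_for_cpk(k):.3f} ppm")
```

The ppm figures are only as good as the normality and stability assumptions behind them: a process whose mean drifts or whose distribution has heavy tails will produce far more nonconforming output than the index predicts, which is exactly the “Black Swan” objection the article raises against treating a capability number as proof that risk has been controlled.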
8.3 Operational planning process
In preparing for the realization of goods and services, the organization shall implement a process to determine the following, as appropriate, b) actions to identify and address risks related to achieving conformity of goods and services to requirements;

This seems to be nothing more than a repeat of what has already been stated!

8.5.1 Development processes
In determining the stages and controls for the development processes, the organization shall take account of: e) the determined risks and opportunities associated with the development activities with respect to 1) the nature of the goods and services to be developed and potential consequences of failure, 2) the level of control expected of the development process by customers and other relevant interested parties, and 3) the potential impact on the organization’s ability to consistently meet customer requirements and enhance customer satisfaction.

This is already done in some industries (automotive and avionics) but is not likely to be documented for all to see. Who will document these risks for future lawyers to see? If a company acknowledges that there is a small risk (let’s say a one in a million chance) that something wrong COULD happen, lawyers would say that the company knew that there was a risk and is therefore liable. You can’t have zero risk, and no one will want to pay the cost of developing a product with zero risk. This idea to either quantify and/or document risk for all to see is unrealistic from a legal point of view; of course lawyers will love it.

8.6.5 Post delivery activities
The extent of post delivery activities that are required shall take account of a) the risks associated with the goods and services,

This sounds like a rephrasing of warranty cost analysis; major companies have done this for a long time, but I don’t know about small to medium size companies.
9.1 Monitoring, measurement, analysis and evaluation
The organization shall take into consideration the determined risks and opportunities and shall:

This is vague, but there are important issues to address relating to inaccurate measurements or insufficient measurements. Gage R&R addresses many if not most of these issues, and I don’t see how adding the word risk brings any value to this paragraph except that now one must think of the missed “opportunities” for measuring (or rather, not measuring) and the associated risk.

9.2 Internal Audit
The organization shall: a) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the quality objectives, the importance of the processes concerned, the related risks, and the results of previous audits;

Internal auditors would now have to assess the risk of failing to do something or the risk of not following a procedure; this would be challenging to quantify and assess. Potential risks would also have to be assessed! Even more challenging.

10.2 Improvement
The organization shall improve the quality management system, processes and goods and services, as appropriate, through responding to: c) changes in identified risk (see 6.1);

One could do FMEAs to show that the RPN (Risk Priority Number) has decreased as a result of a process change; not difficult to do, but full of uncertainties since FMEAs are based on subjective assessment. All of this work can give the illusion that all is well or that things are getting better until the famous Black Swan (unforeseen outlier) shows its ugly head, thereby demonstrating that risk analysis is by definition a risky business!

Note: Referenced italicized clauses of ISO 9001 (2015) are (C) ISO and are used within the context of “Fair Use” for public review of the standard.