
View Full Version : Using Risk Communication Strategies to leverage Audit Reporting


qualityboi
28th December 2005, 05:49 PM
Does anyone have any information on how to use risk communication to leverage the format and language of audit reports? I have taken a look at financial and governmental risk management and they do parallel but do not quite marry up. I was hoping to find some guidelines on using the strengths of both types of risk management techniques to get the attention and appropriate reaction of the readers of my audit reports. Comments and suggestions? :)

Sidney Vianna
28th December 2005, 06:04 PM
In my opinion, you are definitely on the right track. But reporting is just a component of the risk-based approach to auditing. So, keep in mind that planning and conducting of the audit activity should ALSO consider risks. Not only the reporting phase.

The registrar I work for released the Risk Based Certification(TM) protocol last year and we have a Risk Based Assessment Methodology too. But I can not share the reporting templates with you because they are proprietary.

Marc
28th December 2005, 11:23 PM
I'd be interested in anyone with comments on this topic. But to clarify:

1. I assume you're referring to ISO 9001 or TS 16949 or other ISO audit(s) {or possibly OHSAS 18001} - Is that correct?

2. Are you asking for 'content' in an audit report to protect yourself from liability? Or, are you looking at "...risk communication..." in the sense of assigning a risk element {or level} to nonconformances?

And... How is Risk Based Auditing defined?

Sidney Vianna
29th December 2005, 11:20 AM
And... How is Risk Based Auditing defined?

Marc, if you google Risk Based Auditing (http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2004-36,GGLD:en&q=%22Risk+Based+Auditing%22), you will find a lot of hits. For the Risk Based Certification™ protocol (very brief summary), browse here. (http://www.dnvcert.com/DNV/Certification1/AboutDNV/ClientList1/RiskBasedCertification/)

Marc
29th December 2005, 12:58 PM
Most of the Google links are financial audit related.

I did find some stuff like this:

* Understand the importance of corporate governance and enterprise risk management
* Identify risks to strategy
* Define key business processes and objectives
* Perform a risk assessment
* Develop a risk-based assurance plan
* Understand entity-wide controls and their relevance in the audit plan
* Plan a risk-based engagement

I sure would like to see more details and info related to other than financial auditing.

Here's another 'general' description I found:

Services -- Risk-based Auditing

Risk Auditing is the current version of the traditional audit. Topics to be reviewed are determined through a continuous risk assessment process that assesses emerging risks on a participative, continuous, qualitative, real-time basis rather than on an annual basis.

Once a topic is identified, the related business objectives are identified and associated key processes are reviewed based upon identified risks. Assessment is made as to the adequacy of the controls in place to mitigate those risks, and recommendations are made to strengthen controls where appropriate.

The audit product is a formal audit report identifying the issues and concerns, audit recommendations, and management responses indicating planned management action plans. A Recommendation Follow-up Matrix is provided to assist management in reporting status of the action plan activities.

Is anyone here actually personally doing risk based audits? What risk factors are considered and how are they determined?

Randy
29th December 2005, 01:54 PM
Essentially all risks whether they be health & safety, quality, environmental or whatever boil down to financial risk. The trick is in the development of an equation, the identification of them and then the communication of relevant information in an understandable format to the real decision makers.

Marc
29th December 2005, 07:47 PM
Anyone have any example(s) to share?

qualityboi
30th December 2005, 11:30 AM
I haven't found much; here is one link: http://www.hse.gov.uk/pubns/indg163.pdf . I think risk based auditing could enhance the process audit approach. Although two different fields, financial and medical risk assessments are not necessarily apples and oranges. http://www.ffiec.gov/ffiecinfobase/booklets/audit/audit_toc.htm
Many thanks to all that have added to the thread. :)

RCBeyette
3rd January 2006, 09:49 AM
I maintain the statement of "I look horrible in jumpsuit orange!" Unfortunately, as my professional development continues to...well...develop and our BMS continues to integrate on a deeper level, I find myself participating in combined audits and analysis and process approvals in areas such as environment and safety (beyond my comfort zone of quality).

While I appreciate the exposure to new territory, it has caused me to slow my usual charge through life as I contemplate what I am approving, what I am saying we comply with and what my name will be associated with (potentially after I leave the organization, too).

As we are now compliant with the Sarbanes-Oxley requirements or guidelines or ultimatums (or whatever they're called :) ), that too may come under my umbrella at some point...and orange really isn't my colour.

So, to help me in this area, I've just started reading up on risk assessments and risk management (granted the topic is more from a project management standpoint)...hoping this will help me with not only audits but the ongoing evolution of our BMS.

Jim Wynne
3rd January 2006, 11:30 AM
Essentially all risks whether they be health & safety, quality, environmental or whatever boil down to financial risk. The trick is in the development of an equation, the identification of them and then the communication of relevant information in an understandable format to the real decision makers.

:agree1: That's it in a nutshell. Sometimes I think we tend to overcomplicate things, and in so doing look past the actual reasons for doing what we do. Why audit at all if risk management isn't the object? Isn't all auditing a form of risk management? Simply reporting the findings is tantamount to telling management what they already know, even if they don't know the exact details. What they need to know is why the results indicate risk that needs to be mitigated, and what can be done to change things, and as Randy suggests, the risk has to be expressed in terms of improved fiscal performance. For most managers who have the authority to make a difference, anything else is annoying white noise.

Bulksupplier
3rd January 2006, 12:15 PM
I was involved in helping the EFQM and DNV develop a framework on risk management. This is now published and available from EFQM. Here are links to more information:
http://www.efqm.org/Default.aspx?tabid=83
http://www.dnv.com/consulting/enterpriseriskmanagement/

We are adding identified Risks and Controls to our quality procedures, so that one internal audit can cover all aspects. Sarbanes Oxley was our driver to do this.

qualityboi
12th January 2006, 12:37 PM
I was involved in helping the EFQM and DNV develop a framework on risk management. This is now published and available from EFQM. Here are links to more information:
http://www.efqm.org/Default.aspx?tabid=83
http://www.dnv.com/consulting/enterpriseriskmanagement/

We are adding identified Risks and Controls to our quality procedures, so that one internal audit can cover all aspects. Sarbanes Oxley was our driver to do this.

I am toying with the idea of creating a hybrid business improvement system (whatever you want to call it) by leveraging the process audit strengths of quality, the business analysis of risk management and top it off with the powerful reporting mechanism of risk communication. The links provided indicate that you're going that way. This is probably the closest example of what I am looking for.
Thanks!