Audit Focus Area: Tribal Knowledge

E

EEJen

Our auditor started off this years audit stating that in their audit they had a finding in not identifying Focus Areas. This was all that I am aware of he mentioning during our 2nd Surveillance audit.

Our 1st Surveillance Report indicates "No Focus Areas were identified" with no rating.

Our 2nd Surveillance Report indicates "Focus Area - Tribal knowledge" and rates it a 2 out of 5 for Degree of Control. This years audit was to ISO 9001:2008

1) Are CB auditors suppose to be evaluating "control"? I thought the audits were to be evaluating effectiveness.

2) Next years focus area is "Reduce tribal Knowledge" - Do you think this might fall under the Organizational Knowledge?

3) Our company does not plan to reduce tribal knowledge because we are a small company. Any suggestions on how to steer the auditor away from "Tribal Knowledge" and focus on something in the standard.
 
Sidney Vianna

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Principles of Auditing ISO 9001:2015 - Focus Area - Tribal Knowledge

EEJen said:
Any suggestions on how to steer the auditor away from "Tribal Knowledge" and focus on something in the standard.
Click to expand...
Was this audit done by a CB under the Risk Based Certification methodology?
 
howste

howste

Thaumaturge
Trusted Information Resource
Re: Principles of Auditing ISO 9001:2015 - Focus Area - Tribal Knowledge

EEJen said:
1) Are CB auditors suppose to be evaluating "control"? I thought the audits were to be evaluating effectiveness.

2) Next years focus area is "Reduce tribal Knowledge" - Do you think this might fall under the Organizational Knowledge?

3) Our company does not plan to reduce tribal knowledge because we are a small company. Any suggestions on how to steer the auditor away from "Tribal Knowledge" and focus on something in the standard.
Click to expand...

1) Yes. Audits include verification of conformity and verification of effectiveness. Anywhere a control is supposed to be in place, the auditor should verify that the control is in place AND effective.

2) Yes. Whenever someone with "Tribal Knowledge" leaves the company the organization loses knowledge. How do you make sure that losing people doesn't lead to lost organizational knowledge is what this requirement is all about.

3) See #2. Don't steer them away from it. It's a problem (with requirements in the new standard) that needs to be addressed. A plan to rely on tribal knowledge is a plan to fail, regardless of the size of the company.
 
Sidney Vianna

Sidney Vianna

Post Responsibly
Leader
Admin
Re: Principles of Auditing ISO 9001:2015 - Focus Area - Tribal Knowledge

howste said:
A plan to rely on tribal knowledge is a plan to fail, regardless of the size of the company.
Click to expand...
Fully agree with Howste. If you want to maintain and promote "tribal knowledge" you are not risk based thinking. One of the biggest risks for any organization is for corporate knowledge being mismanaged.

That's not to promote over documenting your organization, but reliance on "tribal knowledge" is risky for you and your customers.
 
E

EEJen

Re: Principles of Auditing ISO 9001:2015 - Focus Area - Tribal Knowledge

howste said:
1) Yes. Audits include verification of conformity and verification of effectiveness. Anywhere a control is supposed to be in place, the auditor should verify that the control is in place AND effective.

2) Yes. Whenever someone with "Tribal Knowledge" leaves the company the organization loses knowledge. How do you make sure that losing people doesn't lead to lost organizational knowledge is what this requirement is all about.

3) See #2. Don't steer them away from it. It's a problem (with requirements in the new standard) that needs to be addressed. A plan to rely on tribal knowledge is a plan to fail, regardless of the size of the company.
Click to expand...
1) The control rating of 2 out of 5 does not have any support evidence except we don't have a documented procedure for inventory control. I am familiar with the PEAR Levels ratings. Is anyone familiar with what the DNV control ratings are in relations to the PEAR levels?
PEAR - Process Effectiveness Assessment Report

2) I have been reading more on how Tribal Knowledge fits into the "Organizational Knowledge". I am just more frustrated that the Auditor did not even discuss this during our audit. It showed up in the report. Organizational Knowledge is a 2015 requirement and not a 2008 requirement. There is lack of evidence to support the rating negative or positive. His one area for improvement comment "The QMS documentation does not address the physical inventory process in (city)."

3) Tribal Knowledge is a management risk decision. This company is new (early 2015) to ISO but with lots of knowledge from document, tacit, and tribal. I am going to move the the Organizational Knowledge to that thread for more suggestions on how to implement for a small company (48 people.)
In my opinion if the Registrars are suppose to be doing Process audits - The focus area should be on a process. The other option is possibly focus on Organizational Knowledge which is in the standard instead of trying to confuse the auditee with the auditors definition of tribal knowledge is.
 
Sidney Vianna

Sidney Vianna

Post Responsibly
Leader
Admin
I am very familiar with the Next Generation Risk Based Certification methodology and:

1) the focus area(s) should be agreed upon between the lead auditor and the registrant before the audit commences.
2) the degree of control determination has to be based on evidence.
3) the focus area(s) have to be connected to the standard(s) which are in the audit criteria.
4) if you think tribal knowledge is not part of 9001:2008, just substitute the term for undocumented processes and, voilá, it is.
 
Last edited:
howste

howste

Thaumaturge
Trusted Information Resource
Re: Principles of Auditing ISO 9001:2015 - Focus Area - Tribal Knowledge

EEJen said:
1) The control rating of 2 out of 5 does not have any support evidence except we don't have a documented procedure for inventory control. I am familiar with the PEAR Levels ratings. Is anyone familiar with what the DNV control ratings are in relations to the PEAR levels?
PEAR - Process Effectiveness Assessment Report

2) I have been reading more on how Tribal Knowledge fits into the "Organizational Knowledge". I am just more frustrated that the Auditor did not even discuss this during our audit. It showed up in the report. Organizational Knowledge is a 2015 requirement and not a 2008 requirement. There is lack of evidence to support the rating negative or positive. His one area for improvement comment "The QMS documentation does not address the physical inventory process in (city)."

3) Tribal Knowledge is a management risk decision. This company is new (early 2015) to ISO but with lots of knowledge from document, tacit, and tribal. I am going to move the the Organizational Knowledge to that thread for more suggestions on how to implement for a small company (48 people.)
In my opinion if the Registrars are suppose to be doing Process audits - The focus area should be on a process. The other option is possibly focus on Organizational Knowledge which is in the standard instead of trying to confuse the auditee with the auditors definition of tribal knowledge is.
Click to expand...

All CBs should use the same rankings for the PEAR forms, including DNV-GL. All of the IAQG AS9101 forms can be found here. The criteria are in the form instructions. The 2014 PEAR form has a scale of 1 to 4. The 2016 PEAR form has a scale of 1 to 5. They should have left you a copy of the PEAR showing which box they checked.
 
D

dsanabria

Quite Involved in Discussions
EEJen said:
Our auditor started off this years audit stating that in their audit they had a finding in not identifying Focus Areas. This was all that I am aware of he mentioning during our 2nd Surveillance audit.

Our 1st Surveillance Report indicates "No Focus Areas were identified" with no rating.

Our 2nd Surveillance Report indicates "Focus Area - Tribal knowledge" and rates it a 2 out of 5 for Degree of Control. This years audit was to ISO 9001:2008

1) Are CB auditors suppose to be evaluating "control"? I thought the audits were to be evaluating effectiveness.

2) Next years focus area is "Reduce tribal Knowledge" - Do you think this might fall under the Organizational Knowledge?

3) Our company does not plan to reduce tribal knowledge because we are a small company. Any suggestions on how to steer the auditor away from "Tribal Knowledge" and focus on something in the standard.
Click to expand...

It looks like your CB auditor has a poor way of communicating. Ask the registrar for qualification or for another auditor.

The auditor should be looking for objective evidence to established goals / objectives. If the auditor can not point in the standard what the issue is then the auditor has an agenda - time to switch.

Your point # 3 is disturbing that you have chosen not to collect valuable knowledge and experience from people performing the task so when they leave the company - there goes your information and you are back to the very beginning - a long and steep learning curve. No one is suggesting a procedure and large format - keep it simple, effective and easy to understand for the next individual to keep your process running.
 
D

Duke Okes

One of the options for dealing with risk is to accept it. If management:

- is aware of the risk
- believes it to be insufficient to require action
- and has evidence/rationale for why it is unlikely to affect product conformity or customer satisfaction

Then they should tell the auditor to bug off.

I remember an instructor in an audit class saying that a 20% turnover of employees would automatically be a NC. Oh yeah?

Run the criteria above against it. Supposed the organizational context is a call center that hires primarily students from a local college/university. Every year you could expect the seniors to graduate and go on to other jobs, and be replaced by incoming freshmen. About a 20% turnover woud not be abnormal.
 
You must log in or register to reply here.

Similar threads

K
ISO 14001 - Suppliers and Contractors
Replies
0
Views
94
Kasem
K
T
ISO 13485:2016 Internal Audits method
2
Replies
18
Views
1K
QCBOB
QCBOB
iMPact Business Group
  • Locked
Hiring: Sr. Supplier Quality Engineer (Fully Remote)
Replies
1
Views
698
Jim Wynne
Jim Wynne
C
Resume Feedback - Medical Device (SaMD) Regulatory Affairs, 5 YOE
Replies
5
Views
864
EmiliaBedelia
E
D
What are the rules regarding coverage in internal audits?
Replies
5
Views
613
malasuerte
malasuerte
Top Bottom