Risk Management Audit Pointers for AS9100 Rev C

Gul_Dukat

Dear All, I am hoping you can give me some pointers for a good process effectivity approach to systems audit.

I am currently preparing to carry out a systems audit on our Risk Management approach, ultimately against the requirements of AS9100 Revision C but also against our umbrella company's own risk management model. The aim of the audit is to clearly show the senior management board where we need to improve and give some idea of the standard and maturity of risk management approach, planning, realisation that we should be aiming for.

Having written previous versions of our QMS (I have now moved to lead the audit team rather than writing QMS) I am reasonably aware of what sort of risk management approach we currently have, what is good about it, how contiguous it is and where the gaps are, but I need help on the best way to present it.

I have looked at a turtle diagram approach but I don't think this could constitute the whole audit: after all, I will need to write a report to management, and surely the turtle diagram would only be a part of that? Should I create an "ideal turtle" and then compare the evidence I find to this, or should I create an "actual turtle" and compare that to ideal requirements? In your experience, does completing the turtle diagram itself clearly identify gaps and (non-)compliance?

Any experience you can share would be very helpful. Thanks
 

dsanabria

There is great information here at the cove but you need to go read it.

After reading it, let us know if it helped.
 
Gul_Dukat

Well, in my defence I only posted this thread after doing a reasonably thorough search on the subject and not being able to find the answers I needed. Of course, this could be because I didn't do a very intelligent search.

I have read the PEAR thread and that seems to be more a debate on whether you should use them for internal audit. I also searched on Turtle diagrams, and found some nice examples, but this still didn't tell me how someone with a reasonably intimate knowledge of the QMS would be able to "step outside" their own QMS enough to objectively identify gaps in the system using the turtle diagram (or similar) approach.

Maybe you could point me in the direction of a suitable thread? It would be appreciated.
 
prototyper

I would start by determining what are the major types of risk associated with a new product/order, such as:
Can you make the part to the drawing requirements/specifications?
Do you have the required approvals?
Is it a sensitive part?
Does it involve new technology/processes to your organisation?
Are the necessary skills available in your organisation?
Is material available from an approved source?
Are lead times acceptable?
Do you have capacity?
Do you have approved subcontractors and how will you manage them?
Can you comply with regulations/legislation?
Etc., etc., etc.

Next, perform a gap analysis on your systems. Is there a mechanism to identify and act on these risks?
Then write up your procedures and/or your turtle diagrams to reflect what you do.

You may also want to consider contingency planning for major operational risks such as fire, floods, earthquakes, etc.
 
Gul_Dukat

Thanks very much for replying. :)

I think you have pointed me in the direction I was (slowly, hesitantly) going towards myself, i.e. to find out what risk management aspects our company does employ, and work out where they would fit in an overall risk management "process". As you say, I can then complete the turtle from a more informed point of view.

Yes, we do have business continuity and disaster recovery plans in place, as well as many risk mitigation activities. The bit missing with us, I think, is that there is not one coherent risk management process, but lots of bits tagged on to other processes, which can obviously cause ownership issues etc.

I will let you know how I get on :) Regards Amy
 
prototyper

The product related aspects of risk management within my company are mainly dealt with at the quotation stage. It seems logical that we assess the risks and if found unacceptable, decline to quote at this point.

Contract review (on receipt of an order) covers aspects such as are approvals up to date and are delivery expectations realistic.

We have a separate procedure covering disaster recovery, etc.
 
Gul_Dukat

Yes, we also address risk at bid/contract stage but I feel that without a coherent, contiguous process, ownership can get muddled. So I'd like to understand how risks at bid stage get passed through to contract, setup and requirements capture, design, analysis, report writing, lessons learned etc.
 

dsanabria

OK, so you completed the reading assignment previously mentioned. Now go to section 11.2 of the following link (Supply Chain Management Handbook on the IAQG website).

https://www.sae.org/servlets/regist...BJECT_TYPE=SCMHGeneral&PAGE=getSCMHBOOK