Internal Auditing related to RISK

Shannon

Hi guys :bigwave:, I have a question about questions.....

When conducting audits/assessments, what questions would need to be asked during an audit/assessment (related to possible risk) of the organisation?

I have listed a couple of questions I would ask, but as I am a novice at the moment some help would be appreciated.

Q) What controls are in place to accurately identify risks associated with the organisation's management system?

Q) Does your risk management plan have controls to determine the impact of the risk or associated hazard?


I work for an organisation complying with ISO 17025 (2005), if this helps.

Cheers
Chance

Follow what ISO 17025 requires. If there is an internal procedure that was developed as an element to comply with the ISO 17025 standard, then base your audit on the procedure, if it exists.
dickgent

In my experience with A2LA and laboratory accreditation, when they talk about risk they are referring to the risk of measurement systems being out of calibration. Is this what you are referring to? :confused:
Shannon

Thanks for the comments,

RISK as referred to in ISO 31000 (the effect of uncertainty on objectives).

I should have clarified this earlier.

Regards,
Shannon
John Broomfield

Shannon,

Before auditing for effective risk management (ISO 31000) you should first ensure this is a requirement from top management, customers or regulators. Auditors cannot impose requirements or their will beyond the audit criteria sufficient to fulfill the audit objective.

If left with ISO 17025 alone, instead of auditing broadly as implied by your two questions, why not ask more specific RM questions when you are auditing the various planning processes, such as may be sampled when investigating conformity to these clauses:

4.2.7
4.11.3
4.11.5
4.12.2
4.14.1
4.15.1
5.4.3
5.4.5.3
5.5.6
5.7
5.9.1

You could apply your FMEA knowledge and ask questions to obtain evidence of plans taking account of what could go wrong, with regard for its effect (magnitude) and frequency (probability). Failure to address risks in the plan will probably yield evidence of ineffective planning.

You may well find that planning inherently addresses risks even if they are not mentioned specifically, so give the auditee a chance to demonstrate effective planning.

John
Penny Riordan

Hi Shannon.

Maybe by changing the verbiage a bit:

1. How have you identified the risks associated with this particular procedure/process?

2. What controls have you implemented to reduce the likelihood, or impact, of those risks?

These would be my starting questions around the topic of risk management/reduction in an area.

Hope this helps.
Shannon

Andy, thanks heaps for the article you provided. I thought of risk management as a whole (organisation), where in reality, to determine the risks of the organisation, I should determine the risks associated with the processes/procedures within the organisation. And a way of doing this during an internal audit would be to follow what John has described. Thanks heaps John, it is good to have people willing to teach others.

Penny, thank you for your input. As my questions were based on my idea of risk management, the questions I will provide would be based on the area at hand, not as broad a question as I stated.


Regards,
Shannon