Risk Approach doesn't address External Issues (Auditor's Comment)

[tony s]

Yes, I agree to this point. I think your point is best described in the standard ISO31000/ IEC31010 5.3.2

Most organizations who would try to "integrate" the statements in the ISO 31000 or even in the ISO 9001 into their tools or forms to analyze risks and opportunities will result to complicating the approach. Even ISO/TS 9002 mentioned this:

Clause 6.1.1 of ISO/TS 9002:2016:​

There is no requirement in ISO 9001 to use formal risk management (in accordance with ISO 31000​

in determining and addressing risks and opportunities. An organization can choose the methods​

that suit its needs.​

There's no need to have subsequent columns to indicate who will be affected (IP) or what is the context for each risk/opportunity that you have identified. It should be the other way around. To better identify risks/opportunities, the needs/expectations of IPs and the issues should be understood first. Example: waking up late will only be considered risk if I clearly understand that my boss expects me to come early in the office (i.e. 4.2) and I know that there is heavy traffic along the way to the office (i.e. 4.1).

 

[qualprod]

Most organizations who would try to "integrate" the statements in the ISO 31000 or even in the ISO 9001 into their tools or forms to analyze risks and opportunities will result to complicating the approach. Even ISO/TS 9002 mentioned this:

Clause 6.1.1 of ISO/TS 9002:2016:​

There is no requirement in ISO 9001 to use formal risk management (in accordance with ISO 31000​

in determining and addressing risks and opportunities. An organization can choose the methods​

that suit its needs.​

There's no need to have subsequent columns to indicate who will be affected (IP) or what is the context for each risk/opportunity that you have identified. It should be the other way around. To better identify risks/opportunities, the needs/expectations of IPs and the issues should be understood first. Example: waking up late will only be considered risk if I clearly understand that my boss expects me to come early in the office (i.e. 4.2) and I know that there is heavy traffic along the way to the office (i.e. 4.1).

Tonys and Sílex 7
I have seen companies that need to write down documents, (columns) in order for the people these issues be understood, one think is what is kept in the mind, and other is that Information be easy to be read and people can find on one paper, this is when companies take an approach of the risk more deeply.

 

[dhakadmilind]

I think, we can consider 4.1 and 4.2 seperatey but finally when we go for 6.1 then we have to consider Risk planning for 4.1,4.2both.That's why auditor showed the combined sheet so that both clauses will get address in one sheet in 6.1

 

[John Broomfield]

I’m shocked to read of an auditor sharing intellectual property that possibly belongs to another client.

If auditors cannot be trusted with your property why would you allow them access to your business?

Better to have such auditors disbarred by their certifying body.

 

[AndyN]

I’m shocked to read of an auditor sharing intellectual property that possibly belongs to another client

Don't be John. Lower your standards, it happens so often it's the new norm...

 

[John Broomfield]

Don't be John. Lower your standards, it happens so often it's the new norm...

Yes, the idea that “auditors can provide examples instead of providing advice” was rotten at its core.

With norms like that our days are numbered.

 

[AndyN]

Yes, the idea that “auditors can provide examples instead of providing advice” was rotten at its core

When consultants can do CB audits, there's part of the problem...(plus it's easy to get paid that way than to find consulting gigs...)

 

[John Broomfield]

As a consultant I never worked for any registrar as an auditor. Neither did my colleagues. As consultants (and as second party auditors) we wanted to preserve our independence.

 

[AndyN]

Indeed, John. I could/may write a book based on my experiences doing triage at many clients, after audits left more damage than good. Many audits are modeled after the CB process - even in the name of "internal audits" - and, of course, the auditor doesn't see the aftermath of their 76 page reports of nit-picky stuff which doesn't amount to a hill of beans. Being told that one caliper in 400 not being in the cal system is a "major" because last year a "similar" finding happened, doesn't meet with managements' reality. Or that a certificate of training for auditors didn't mention "ISO 9001:2015" as well as IATF 16949... In text-speak: FFS!

 

[Eredhel]

I've heard many a horror story, including from people I know very well with direct experiences. But I can see I've been very fortunate with the registrar I've used over the last 5 or so years. Nothing like any of this.