Changing the Audit Focus to a Performance Based System where the audits are driven by needs related to both System Performance and Management Objectives rather than by simple schedule.
For maximum benefit, the internal management systems audits should connect with an overarching objective to evaluate “risk.”
ISO 31000 defines risk as: “An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence” or the “effect of uncertainty on objectives.”
It is increasingly understood that the explicit and structured management of risk brings benefits.
It is common for internal audit programs to be developed on an annual calendar that predicts which aspects of the Quality Management System are going to be audited.
The existing objective of developing an audit schedule focuses on the need to ensure all the system elements are audited each year; however, it is possible to miss exposure to critical processes when they become an issue.
It is important to ensure that the risk management process fully aligns with the need to integrate into existing management activities to ensure the visibility of risk data throughout the management system.
By taking a proactive approach to risk and risk management, organisations will be able to achieve the following four areas of improvement:
Strategic
Because the risks associated with different strategic options will be fully analysed and better strategic decisions will be reached.
Tactical
Because consideration will have been given to a selection of the tactics and the risks involved in the alternatives that are available.
Operational
Because events that can cause disruption will be identified and actions taken to reduce the likelihood of these events, limit the damage and contain the cost.
Compliance
To ensure risks associated with failure to achieve compliance with statutory and customer obligations will be visible within the system.
Organisations should understand the risks that may cause non-compliance with statutory obligations. Management holds overall responsibility for managing risks to the organisation, but it is important for senior management to go further and ensure that full considerations are given at the highest level.
Organisations need to manage risks associated with changes to the external operating environment and supply chain obligations, as well as increasing regulatory pressures and legislative requirements.
ISO 31000 provides guidance so that organisations can define and fulfil their risk oversight responsibilities.
These considerations include such elements as:
a) good governance;
b) managing organisational culture;
c) strategy and objective-setting;
d) performance;
e) data management;
f) communications and reporting;
g) review and revision of practices to enhance the performance of the organisation.
Sofema Aviation Services www.sassofia.com and SofemaOnline www.sofemaonline.com offer classroom and online training related to EASA & ISO 19011 Compliant Aviation Quality Assurance (QA) & Root Cause Assessment (RCA). Please see the websites or email office@sassofia.com or online@sassofia.com