How to Audit Risk Management

Registration Management Committee (RMC)
Atlanta, GA
July 22 & 23, 2010
Kimberly Maggie
Ron Tarach
QUAL-TECH, INC.
Company Confidential
Auditor Workshop
Atlanta, GA
July 22-23, 2010
Agenda
• What is Risk?
• Risk Management Process
• Examples of Risk Management Criteria
• Auditor perceptions of Risk Management
• Risk Management Tools
– Auditor knowledge of tools and actions
Agenda (continued)
• Audit Planning
– Audit Planning Tools
• Activity 1 - Brainstorming session using Audit Planning Tool
• Conducting the Audit of Risk Management Process
– Examples of areas to evaluate
• Activity 2 - Brainstorming session using Case Study and Failure Modes and Effects Analysis (FMEA)
Ice Breaker!
What is Risk?
An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.
AS9100:2009, clause 3.1
“Risk is inherent in all processes. Unfortunately, we don’t see the results of ineffective risk management methods until later”.
Risk Management Process
– Most organizations spend a great deal of time and manpower trying to document “Risks”, but many times this data is decentralized and not easily accessible to the functions that need this information.
– Process manufacturing can be so complex that “Risks” can be very subtle, and if there is not a structured “Risk Management Process” that takes advantage of corporate knowledge and lessons learned, an organization’s exposure to “Risk” can remain high.
Examples of Risk Management Criteria
» Understanding the types of risk that could come into a company. They could be related to:
• Employees
• Process
• Design
• Manufacturing
• Equipment
• Environment
• Project
• Security
• External
• Contractor
Examples of Risk Management Criteria (continued)
– Employees – the organization needs to ensure the safety, training, and qualifications of employees.
– Process – managing process variation.
– Design – building quality into the product design from the start, including its effect on planning.
– Manufacturing – ensuring that manufacturing is more efficient with streamlined quality planning.
Criteria for Risk Management Process (continued)
– Equipment – ensuring that equipment can meet the required capabilities, current and future.
– Environment – ensuring that the operations are not compromising the working environment (adequate lighting, temperature control, noise, cleanliness, etc.).
– Security – managing the security needed by the facility.
– Project – ensuring project risks are evaluated before beginning.
Criteria for Risk Management Process (continued)
– External – developing plans to address the potential impact of weather, issues with transportation companies, and city infrastructure (relating to construction, road closures).
– Contractor – ensuring the impact is considered for contractors working on the building or equipment, or with employees.
Auditor Perceptions of Risk Management
• That’s the way we identified and handled risk when I worked at Aviation Anywhere, Inc.
• When I audited an Original Equipment Manufacturer (OEM) last month they were using FMEAs.
• This little company only uses tool XYZ – they can’t be managing risk properly.
Auditor Perceptions of Risk Management
(continued)
“Remember, the design and implementation of an organization’s aerospace quality management system is influenced by varying needs, particular objectives, the products provided, the processes employed and the size and structure of the organization.”
AS9100:2009, General
Auditor Perceptions of Risk Management
(continued)
• Organizational application of Risk can vary based on situation, customer, and product line.
• Audit approach & interviewing will need to be appropriate to the organization.
• Remember what is “Appropriate” to the organization.
Risk Management Tools
– FMEAs, e.g. dFMEA, pFMEA, etc.
– Fault Tree Analysis (FTA)
– Probabilistic Risk Assessment (PRA)
– Event Tree Analysis (ETA)
– Event Sequence Diagram (ESD)
– Master Logic Diagrams (MLD)
– Reliability Block Diagram (RBD)
Risk Management Tools (continued)
– Risk Assessment Matrix
– Likeliness/Consequence Table
– SWOT (Strength, Weakness, Opportunity, Threat)
– Business Continuity/Current Capability Matrix
– Risk Map and Control Scale
Risk Management Tools (continued)
– Auditor knowledge of tools and actions
» No one auditor has experience with all the tools available in the industry and how they are used.
» Familiarize yourself with the various Risk Management Tools (self study).
Risk controlled – or “Oh No”?
Risk Management Tools (FMEA)
Risk Management Tools (Influencer Analysis)
Risk Management Tools (Risk Consequence)
Audit Planning
– Selecting the right audit tool.
– Identifying your audit criteria and any reference documents.
– Identifying your audit scope, including identification of the organizational and functional units and processes to be audited.
– Identifying an appropriate audit scope.
Audit Planning Tools
– Process (Turtle) Tool
– Process Map Tool
– Supplier Input Process Output Customer (SIPOC) Form
– Process Based Management (PBM) Process Flow
Process (Turtle) Tool
With What? (Materials, Equipment, Facilities)
With Who? (Comp./Skills/Training)
Inputs (information and material from other processes) → Process → Outputs (information and material to other processes)
How? (Methods/Procedures/Techniques)
How Effective/Efficient? (Measurable Objective)
Process Map
Supplier Input Process Output Customer (SIPOC) Form
Process Based Management (PBM) Process Flow
Activity 1 - Brainstorming session using Audit Planning Tool
Process (Turtle) Tool (Design)
With What: Risk Management Software, Forms, Documents
With Who: Sales, Engineering, Production, Quality
Inputs: Customer, Internal Organization, Regulatory, Statutory; Special Requirements (e.g. product or process complexity)
Process: Contract Review, Design, Planning (Risk Management), Production, Purchasing, Suppliers, Shipping
Outputs: Drawing/Spec, Travelers, Routers, Work Orders, Inspection Reports, Critical Items (functions, parts, software, characteristics, processes)
How: AS9100, AS9110 and AS9120 Standards; Quality Manual; Standard Operating Procedure for Contracts; FMEA; Risk Assessment Matrix
How Effective/Efficient: Customer complaints; In process/final rejection; Design verification/validation
Process (Turtle) Tool (Design Excluded)
With What: Risk Management Software, Forms, Documents
With Who: Sales, Engineering, Production, Quality
Inputs: Customer, Internal Organization, Regulatory, Statutory; Special Requirements (e.g. product or process complexity)
Process: Contract Review, Planning (Risk Management), Production, Purchasing, Suppliers, Shipping
Outputs: Travelers, Routers, Work Orders, Inspection Reports, Critical Items (functions, parts, software, characteristics, processes)
How: AS9100, AS9110 and AS9120 Standards; Quality Manual; Standard Operating Procedure for Contracts; FMEA; Risk Assessment Matrix
How Effective/Efficient: Customer complaints; In process rejection; Final rejection
Conducting the Audit of Risk Management Process
– Examples of areas to evaluate
» Are all “Risks” identified during the RFQ and Contract Review Process, e.g. special requirements, critical requirements?
» Ensure Top management clearly understands what “Risks” they have and what they are doing to ensure those “Risks” are mitigated.
» Evaluate the selected Risk Management Tool for effectiveness.
» How are “Risks” communicated and managed throughout the organization, e.g. Design, Planning, Purchasing, Suppliers, Manufacturing, Inspection, Delivery and Post Delivery?
» Design inputs, Design FMEAs, Design Verification and Validation.
Conducting the Audit of Risk Management Process
– Examples of areas to evaluate (continued)
» Critical characteristics across the quality lifecycle, ensuring the Process FMEAs and Control Plans are linked.
» Processes in place for capturing leading and lagging indicators related to Design Quality Performance.
» Evaluate whether the organization has closed-loop Continual Improvement Processes that capture and sustain Product and Process Quality.
» Whether the organization is using Lessons Learned and Best Practices.
Conducting the Audit of Risk Management Process
– Examples of areas to evaluate (continued)
» Ensure the organization’s Change Management Process involves the right people at the right time with the right process.
» Ensure integration of Change Management with assessments to ensure correct consideration of “Risk”.
» Ensure the “Risk Assessment” tracked recommended controls to completion and confirmed that “Risks” were mitigated as prescribed.
» Ensure controls are in place for “Risks” that still remain after mitigation actions.
Activity 2 - Brainstorming session using Case Study and FMEA
Closing!
Questions!
References
1. AS9100:2009
2. ISO 19011
3. FAA Risk Management Handbook 2009
4. NASA