THE COMPETENT AUDITOR
Risky Business
by Peter Holtmann
Risk appetite and aversion make excellent inputs into determining an organization’s audit program.
THE AUDITOR • MAY–JUNE 2011

Auditing is risky business. The choice of becoming an auditor, choosing your field of expertise, gaining an understanding of the standards, and applying to technical areas all rely on a professional’s competence. What underlies this competence is the confidence to complete the task. This confidence is achieved through the ability to resolve the risk inherent in the process.

Let’s talk risk. Compliance auditing, surveillance and inspection audits, internal audits, and reviews all operate on the same premise—review past performance against current practice to predict future compliance. This is very similar to risk analysis. The auditor is looking for risks and assessing their likelihood of occurrence and the severity of the risk in the event the risk is realized. If the risk is high, a corrective action is issued; if it is low, an observation; if the risk is managed, the organization is in compliance. However, risk is subjective and depends on an individual’s assessment of likelihood and severity, which, in turn, is determined by an individual’s appetite for risk.

Let me expand on this topic: risk is usually equated with finances or health and safety. Gambling or investment is something we attribute to risk. Would you leverage your life savings on an investment? Some of you would have immediately yelled, “Are you crazy?!” Others may have said, “Depends on the odds.” In health and safety if I had said to you, “Let’s go cave diving this weekend,” some of you would have said, “Never in a million years!” while others may have said, “Sounds like fun!”

This concept of risk is emerging in the auditing profession as an attribute that is to be considered. Currently, ISO/TC 176 is developing a new ISO 19011, which integrates risk. Sections 5.2.3, 7.3.1(e), 7.3.3(b), 7.6.2, A.2–A.4, and B.2–B.5 speak of knowing how to identify and assess risk as an audit outcome.

Clearly, an auditor needs to perform risk assessments before, during, and as part of making findings after an audit, but where is the training coming from, and more important, how do we understand the risk appetite for the auditor/team leader? From my experience, risk management training is not a part of any auditor training courses. I also have not yet seen an agreed upon international standard for risk management. So how do we determine auditors’ competence in risk management knowledge? In this instance, there is no ability to rely on industry experience, as risk hasn’t yet become part of the language of “doing business.” Environmental impact studies and workplace safety assessments are prevalent but not commonplace and they don’t translate into a risk assessment methodology.

Next, there is the question of risk assessment methodology. Are we talking Monte Carlo analysis, Pareto, causal analysis, or a combination of these? How should the audit professional determine when to deploy various tools or understand their appropriateness?

Now onto my subject of choice: the individual. An individual’s risk appetite must be considered. To become an auditor is to understand the risks involved. In some fields, audit/inspectorate outcomes carry a legal responsibility for the lifetime of the product or service inspected, such as in electrical inspections. After an electrical installation is completed, it falls upon an individual to inspect for compliance to rules and safety of use. Should the inspector sign off on the work, he or she is as liable as the installer for the lifetime of the installment. Death, injury, or damage caused by faulty installation is as much the responsibility of the inspector as the installer.

In the conformity assessment field, an auditor makes claims that the outcomes are only as good as the evidence presented at the time of audit. Let’s take food safety (FS) for instance. An auditor can inspect a food product manufacturer and make the assessment that based on the evidence presented, the organization is following FS practices and that the food is safe to eat. In the following week, the factory undergoes a major product recall based on FS risks. Where is the auditor in this chain of events? He or she is somewhat protected by the disclaimer of “audit,” and yet the
risk assessment the auditor performed is an outcome of his or her “satisfaction” with what he or she observed, discussed, and reviewed during the audit. There is a disconnect.

Understanding the knowledge competence for risk is equally as important as understanding the personal risk attributes of the auditor. In the financial sector, assessments of risk attributes of financial planners and their clients are already occurring. In the United Kingdom, the Financial Services Reform Act says that risk must be addressed before providing service. So it is possible to assess personal risk behaviors as a quotient of providing a competent, managed (risk) service.

Can the risk behavior assessment be adapted to the conformity assessment sector? Yes. We are in the process of breaking ground in this area. Behavior or personal inventory has been a consideration of auditor competence since 2004 and has been deployed through psychometric tools.

The term psychometrics was first used early in the 20th century and is defined by Merriam-Webster as “the psychological theory or technique of mental measurement.” Although the term is somewhat new, measuring the mind is an age old technique, dating back to the Han Dynasty in China. Great strides have been made over the last century in the science of measuring mental processes. It is easiest to think of “mental measurement” in three primary areas: measurement of knowledge, measurement of skill (or performance), and measurement of psychological attributes. The declaration that an individual is competent can be made based on measurements of these three areas.

Using risk management as an example, the knowledge of risk and the means in which it’s identified and assessed,
the skills involved in responding to the risk, and the individual’s tendency toward (or aversion of) risk can be measured. If we begin our argument that all individuals engage in some sort of risk-taking, we must clarify in what environment that individual is taking risks and why. The individual who said, “Depends on the odds” when investing his life savings may say, “Never in a million years!” about cave diving because he’s an investment banker and not a strong swimmer. Why this difference and why would it vary among individuals?

Although it is relatively easy to measure one’s knowledge and skill, it becomes more difficult to measure how an individual may behave because to do so requires a measurement of personality. Measuring an individual’s knowledge of risk and the means to identify and assess it can be easily quantified by developing and administering a multiple choice test from which we receive a specific range of scores that can be interpreted as pass/fail. Measuring an individual’s skill at responding to the risk can also be quantified either by developing and administering a writing assessment or by using a scoring rubric and assessing the individual as he or she responds to a risk. These results can also result in a very specific range of scores that are interpreted against pass/fail standards.

Measuring an individual’s risk aversion or tendency becomes more difficult because one’s own risk type may depend on his or her knowledge level and skills, as well as aspects of his or her psychological attributes, such as personality. For example, the linking of the type A personality with the increase in heart problems. Dr. Meyer Friedman linked the highly competitive, high-strung personality to a higher probability of heart problems based on his observations and study. Although many of us might conclude that we cannot change our personality, we can change our behaviors that are correlated with those personalities. One Friedman study found that those who received counseling had a marked decrease in behaviors that are typical of type A personalities. We might conclude that as patients became increasingly self-aware of their behaviors, they could decrease their heart risk.

The same could be true for an individual’s risk type. One might argue that if individuals have adequate knowledge and skills within an industry, their risk tendencies will mirror those of their peers.

With this information at hand, personality risk assessment can be used to gain a better understanding of risk-based audit outcomes. The theory of identifying auditor risk is to allow an examination of the likelihood of a mistake or an incorrect or incomplete audit. It’s likely that those working in audit roles may tend toward a specific personality profile and furthermore that high-performing auditors may have an even more distinct profile.

The Risk-Type Compass, developed by Matt Trickey and Geoff Stewart, is a psychometric tool that can be used to measure an individual’s predisposition to risk and capacity to manage it. The two main personality scales that underpin risk predisposition are estimated to be Calm: Emotional, which concerns the more emotional side of risk taking, from fearful or anxious to composed and optimistic; and Daring: Measured, which indicates an individual’s preference for a methodical approach or, conversely, for a spontaneous and adventurous approach to risk.

Auditors are likely to need to be prudent, thorough, organized, and compliant. These are characteristics associated with a Measured rather than Daring disposition, or a lower score on the Daring: Measured scale. This leads to the hypothesis that auditors will have lower levels of Daring: Measured compared to the general population.

Calm: Emotional concerns emotional stability. High scorers on this scale are likely to be cool-headed, calm, and optimistic, but at the extreme seem almost oblivious to risk. Those with lower scores are likely to be apprehensive and pessimistic about risk taking and alert to any threats in their environment. They will put security at the top of their agenda. This could be linked to an ability to spot the risks associated with products assessed by auditors. This leads to a second hypothesis: that auditors will have lower levels of Calm: Emotional compared to the general population.

These personality scales are used to place individuals into risk types determined by the Risk-Type Compass, ranging from the most risk averse (the wary type), to the most risk tolerant (the adventurous type).

It’s likely that certain risk types will be more prevalent; specifically, there will be a greater prevalence of risk types associated with a more apprehensive, careful, and cautious approach to risk taking, i.e., wary, intense, and prudent types.

Furthering the concepts of personal risk, the theory can predict patterns of work. It may be the case that teams with a balanced distribution of risk types perform better than those with concentrations of certain types. Conversely, it could also be the case that teams with high numbers of certain types (such as those likely to be associated with higher auditor performance) will perform better than those with a balanced mix.

There are those among us that are regarded as good auditors for one of many reasons. One reason is how we conduct ourselves on-site. The professionals in our field may owe their performance to the way that they manage themselves, i.e., they are strategically self aware. Such people would be aware of their strengths and limitations and understand how they may affect others. They may know how to compensate for weaknesses, rein in excesses, maximize their assets, or improve their performance.

“Strategic self awareness” or “political awareness” are ideas that crop up in discussion or as a focus of coaching, but I am not aware that such an assessment exists as a formal psychometric. RABQSA International Inc. is working on this now with Psychological Consultancy Ltd. and will have a research project for risk types among auditors operating shortly.
Using this theory, we could predict if an auditor is placing him or herself and client at risk using psychometric analysis. These data would be used to influence choice of auditor for standard, technical area, and risk level of process. It can even be used to determine certification type, length, and CPD activities.

When planning, undertaking, or reporting on audit outcomes, risk management is an emerging area that requires research and analysis. The results of assessing risk in personnel and the process will further advance the industry and the auditing professional.

While ISO/TC 176 has begun to frame the premise of risk and how it should be demonstrated, the market must be given time to define, examine, and record the risk of the auditing professional. I am hoping to provide some direction by conducting this study of risk of personnel and applying it to the process of certification. I like to think that this is an exciting and important service being offered back to the industry. Should you be interested in becoming a part of the research work and survey group, please contact me.
About the author
Peter Holtmann is president and CEO of RABQSA International Inc. and has more than 10 years of experience in the service and manufacturing industries. He received his bachelor’s degree in chemistry from the University of Western Sydney in Australia and has worked in industrial chemicals, surface products, environmental testing, pharmaceutical, and nutritional products. Holtmann has served on various international committees for the National Food Processors Association in the United States and on the Safe Quality Foods auditor certification review board.
COMMENTS? • feedback@theauditoronline.com