Featured Product
This Week in Quality Digest Live
Standards Features
Harish Jose
Using OC curves to generate reliability/confidence values
Phanish Puranam
Instead of blindly adopting industry best practice, companies can pilot new organizational designs
William A. Levinson
All is not gold that glitters
Grant Ramaley
IAF CertSearch now mandatory for accredited certification bodies
Megan Wallin-Kerth
MasterControl’s Matt Lowe talks competition, data, and what quality does for a company

More Features

Standards News
Ensuring product consistency, quality, and adherence to federal and state standards
Omnex webinar on May 11, 2023
Digital Twin Consortium’s white paper guides strategies for building owners and stakeholders
Copper, titanium, and 304L stainless-steel powders from Desktop Metal have qualified for production
Webinars cover Automotive SPICE and carbon neutrality standards
Creates one of the most comprehensive regulatory SaaS platforms for the industry

More News

Denise Robitaille


Risky Business

Providing direction without offering solutions

Published: Tuesday, October 9, 2007 - 22:00

Last month’s column dealt with how to effectively communicate a finding of nonconformity in an audit report. It’s pretty straightforward: Here’s the requirement; there’s the evidence. They don’t match.

Observations, which are now often called opportunities for improvement (OFIs), aren’t so cut and dried. There’s no definite determination that a requirement hasn’t been fulfilled. There’s either inadequate evidence to conclude something is wrong or there’s a perception that something could easily go wrong. The first suggests the possibility that things may not be OK, but the situation has yet to come to light. The second intimates that the practices in place are implemented in such a way that there’s a risk of a breakdown.

In either case, the tacit message that the auditor is sending to the auditee is that this requires attention. Despite the ongoing debate as to whether or not auditors should make recommendations, I continue to adopt the philosophy that saying “should” to an auditee is outside the accepted purview of our responsibility. We can have enormous influence without taking inappropriate ownership of the organization’s problem-solving prerogative.

There are four constituent parts to each OFI:
1) Description of what might be wrong
2) Reference to the applicable requirement
3) Evidence to substantiate the observation
4) Statement of risk

Say what could be wrong.
This is a statement of concern. “It is unclear if the sampling plan utilized for XYZ parts is adequate to ensure that defective parts are not installed into customer subassemblies.” It’s not a matter of whether they have a sampling plan or if they’re using it. This asks if the use of the sampling plan fulfills the requirement in such a way as to get the desired result—the detection of bad parts.

Refer to the specific requirement.
Even though you aren’t issuing a nonconformance report (NCR), you still have to tie the observation to a requirement. Otherwise, you can easily fall into the consulting trap. (“No, it’s not a requirement, but I think it’s a good idea.”). Auditors who conduct lots of assessments sometimes blur the line between actual requirements and good practices they’ve seen employed by a large majority of organizations in a particular industry. While their insight helps to articulate risk clearly, it doesn’t obviate staying within the scope of the requirements.

The same rules apply as for an NCR: Be accurate and specific. Make sure to include numbers, revision levels, and dates, as appropriate.

You might tell the client: “The ISO 9001 requirement relating to this OFI is found in subclause 7.4.3. ‘The organization shall establish and implement the inspection or other activities necessary for ensuring that purchased product meets specified purchase requirements.’” In this case, the auditor is saying that the practice, as documented and implemented, makes it difficult to fulfill the intent of ensuring that purchased product is acceptable.

Provide the evidence.
The requirement for evidence is no less important as for an NCR. Without proof, it’s almost impossible not to come off sounding like a consultant, instead of an auditor.

You might express this proof like this: “Work instruction WI 4.10.1 for incoming inspection directs the receiver to always use the ‘relaxed’ recommended sample size and skip down one row. It was explained that this decision was made to decrease processing time of incoming goods in an effort to improve overall cycle time and, ultimately, delivery performance. The plan doesn’t take into account the data uncovered when auditing other processes that reveal a steadily increasing number of in-process defects traced back to bad parts and the increase in the number of supplier corrective actions.”

This provides fairly substantial evidence that the implemented practice isn’t working.

Make a statement concerning the perception of risk.
This isn’t a hysterical prophecy. It’s a reasonable conclusion based upon the requirements and the evidence. In this case it would say something like: “Continued use of the sampling, as directed in the work instruction, could result in numerous reworks delaying delivery to the customer and negating the objective of improving cycle time.”

What the auditor has provided is a clear statement of the risk, based upon requirements as assessed against evidence. The auditor has been able to illustrate the cost associated with the risk, which is the goal of what is often referred to as “value-added” auditing.

However, the auditor has done so without providing the solution. If the auditor makes a statement recommending that the auditee consider changing how they use the sampling plan, all that will probably occur is that they’ll change the practice to make the auditor happy. They’ll be stuck with the old problem of inspection taking too long.

If, on the other hand, an auditor makes a statement that basically says, “The evidence isn’t showing that you’re getting the results you want from this practice,” then the auditee has more freedom to decide what to do next. The auditor provides direction but the organization retains ownership of the problem-solving process.


About The Author

Denise Robitaille’s picture

Denise Robitaille

Denise Robitaille is the author of thirteen books, including: ISO 9001:2015 Handbook for Small and Medium-Sized Businesses.

She is chair of PC302, the project committee responsible for the revision to ISO 19011, an active member of USTAG to ISO/TC 176 and technical expert on the working group that developed the current version of ISO 9004:2018. She has participated internationally in standards development for over 15 years. She is a globally recognized speaker and trainer. Denise is a Fellow of the American Society for Quality and an Exemplar Global certified lead assessor and an ASQ certified quality auditor.

As principal of Robitaille Associates, she has helped many companies achieve ISO 9001 registration and to improve their quality management systems. She has conducted training courses for thousands of individuals on such topics as auditing, corrective action, document control, root cause analysis, and implementing ISO 9001. Among Denise’s books are: 9 Keys to Successful Audits, The (Almost) Painless ISO 9001:2015 Transition and The Corrective Action Handbook. She is a frequent contributor to several quality periodicals.