This article is for: Auditors, Quality Assessors or Operations Analysts
5 Minute Read
As an Auditor, Quality Assessor or Operations Analyst your priority is to uncover risks and raise awareness of these risks, perhaps even to offer support to overcome those risks.
Some Executives see audits as an enabler, some Executives teams see audits as a threat to their work. For the purposes of this article, we will focus on the latter.
As a Senior Executive, their priority will usually be perhaps sales, product development or launch targets.
They see audits as an unnecessary process which adds burdensome bureaucracy to their already stretched timelines. They perceive it as something which only weighs them down, stopping them from hitting their targets on the possibility this risk “might” happen.
Given my perspective above as an Executive, when you tell me you “did an assessment on my department and several risks need management attention” or when you say “this is against our company’s process” and you “have to raise it as a gap and it will be recorded as a requirement for corrective action” I get defensive because I don’t see why I have to do all this recording and risk assessing.
As a Senior Executive I see these risk assessment tools unfit for purpose as they don’t reflect the reality I experience when I have to deliver my targets and these tools don’t fit with how we operate. They just cause us additional work and I can’t see any real or immediate payoff.
As a Senior Executive being audited, what I would ideally like to hear is a simple explanation as to what I have to do or what you can do to help me make all of this bureaucracy go away.
The key to avoiding the meeting from becoming confrontational to show the Senior Executive that you understand this is a burden on them and you want to help them make it go away as soon as possible.
Here is a formula for starting the meeting and breaking the bad news about the results of the audit:
When you notice gaps in information (risks), ask collaborative questions like:
A. Things that could be resolved within a few days (e.g. by taking on an example from another department). Say things like: “This risk is high but it can be resolved quickly with X type document. I can help with this by giving you a document from A Department which would cover this risk. All your team would need to do is replace XYZ parts to make it specific for your department.”
B. Things that could take weeks/months and the risk is low. You can use sentences such as:
“This one would take longer to solve because it needs a deep customised analysis of X, but the risk of this is fairly low. Here is something you can do / use which would cover this risk up to about 90%. The one I would recommend you prioritise is point C.”
C. Things that could take weeks / months and the risk is high. You can use sentences such as:
“This is a high risk and it will would take you a minimum of 3 months to do because it needs XYZ . I am sure you have other priorities and you want this to go away as soon as possible, so I thought about what options you have to make this one go away ASAP:
As far as I can see, you have 3 options (start with the hardest one for them):
1. You can tackle point C fully and spend 3-6 months to do XYZ and put DEF procedures in place. This would be time consuming, but it would mean the risk is eliminated and you’d save time on next audits and your department would be fully covered legally.
2. If you think this is a medium risk (despite the high risk warning in my assessment), you could do only parts 1-3 of point C to satisfy the key requirements, this could cover point C to 70% and would only possibly take your team a couple of weeks. Then we could ask the General Manager to sign off the rest if the rest feels too much time and resource investment for little risk.
3. If you think it’s unlikely for this risk to occur (despite the high risk warning in my assessment) and from your perspective this is actually low risk, I can escalate it for you and ask the General Manager to sign it off. If they are happy to accept this risk, then that’s it. You don’t have to do anything further. Do keep in mind this keeps our company open to X risk and Y potential penalty.