One of the benefits of the risk-based audits introduced in 2011 is that they uncover hidden risks the organization could not identify on its own and check whether the current risk treatments are actually working.
But the auditor may fail to identify a significant risk, or may flag a risk that is not important, because the auditor's evaluation relies mainly on samples; this is sampling risk.
The new ISO 9001:2015 incorporates Risk Based Thinking into the quality management system from the very beginning, during the planning stage, so that all risks and opportunities associated with the organization's context and objectives are identified, analyzed, treated and monitored ahead of time.
The internal or external auditor is no longer solely responsible for this; the organization's leadership and every process owner share that responsibility.
This is how Risk Based Auditing and Risk Based Thinking go hand in hand, and I've devoted the rest of the article to showing how to do this without being overwhelmed by risk management jargon.