Internal audit risk assessment
We carried out an audit on each individual clause in 2015 with the result of 1 audit having 1 major & 2 minor ncrs, 2 audits having 2 minors each and 2 audits having 1 minor. With the exception of the one where a major was raised, there's no logic to auditing any more than annually (IMHO).
How do other packaging companies (high hygiene) approach 3.5 section?
Hi, I'm really struggling to know how to present a chart to the BRC auditor showing how 'the frequency of the audits shall be established in relation to the risks associated with the activity and previous audit performance.'
We carried out an audit on each individual clause in 2015 with the result of 1 audit having 1 major & 2 minor ncrs, 2 audits having 2 minors each and 2 audits having 1 minor. With the exception of the one where a major was raised, there's no logic to auditing any more than annually (IMHO).
How do other packaging companies (high hygiene) approach 3.5 section?
Hi Rosemary,
You might usefully have a look at the analogous charts for food. i suspect the (risk) concepts will be not so different for the high hygiene situation. (Low maybe less so).
"Risk-based" is BRC's "ants in the pants". They just can't resist putting it in, like the Scarlet Pimpernel. :smile:
Hello Rosemary,
Your IA freq must be based on the out put of your risk assessment. Your risk assessment will be based on the history of previous audits. If that division has always had NC and involve safety and legality of the product, your audit freq must be shorter that those division that has lesser NC. But it should be put in writing e.g. Risk Assessment. The common mantra or cliche in food safety is "If you did not write it, you did not do it".
regards,
redfox
Hi Charles & Redfox, thanks for your responses.
I have attached my starting point but not sure whether this will pass muster with our external auditor. I'm really not sure how to make a risk assessment out of this.
Any thoughts would be gratefully received.
Attached Files
Dear Rosemary,
In making risk assessment, you can make a scoring system where you can based your freq from previous audits. I'll give you example but it is an Approved Supplier Performance Monitoring but you can still make it as an example. The matrix is your guide to determine risk level and from there you can determine your freq and you can justify to auditor where you based your IA freq.
regards,
redfox
3.5.1.2 Approved Suppliers Performance Monitoring Form_ifsqn.xlsx 22.9KB 588 downloads
Rosemary,
A score system will work. You can score the nonconformities by area/issue of previous period to establish the frequency on the upcoming period. More nonconformities per area/issue, more the time spent in the audit or more frequent audits. If you grade the nonconformities by major/minor you can use this as well.
Regards,
Martina
I'm a little confused. If you open the document I published on this thread, I have listed the ncrs we had which are very small. As a result of that I have suggested that most of them are low risk (0 - 2 ncrs) and one audit per year or medium (2 audits for traceability and the audit which had a major). How do you suggest I improve on that to make the auditor happy?
Dear Rosemary,
In making risk assessment, you can make a scoring system where you can based your freq from previous audits. I'll give you example but it is an Approved Supplier Performance Monitoring but you can still make it as an example. The matrix is your guide to determine risk level and from there you can determine your freq and you can justify to auditor where you based your IA freq.
regards,
redfox
3.5.1.2 Approved Suppliers Performance Monitoring Form_ifsqn.xlsx
Hi redfox,
Thks for the example. Very generous.
The basic methodology is fine IMO (and in use elsewhere) but it seems questionable to use the same scoring contributions for both safety-related and "quality" defects (I assume there is no subsequent "correction" factors applied).
Dear Charles,
What posted is a monthly Approved Suppliers Performance Monitoring. I have a daily monitoring which have all the same criteria as monthly to detect non-conformities for every suppliers and make necessary actions. If safety and legality issue is concern, like metal, and reject (due to spoilage) as correction we immediately conduct an audit to the said supplier. But as of this time we dont encounter as such.
regards,
redfox
(ahem, slightly OT, sorry Rosemary)
Hi redfox,
Sorry, I probably phrased my previous post poorly.
Your risk assessment (RA) is being basically assessed for defects in 2 categories - safety and non-safety (“quality”).
IMO, ignoring legality aspects, from a FS POV, risks relating to safety factors are relatively of more importance than those relating to quality. (I hope BRC will agree despite their due diligence side-additions).
Accordingly, if one wishes to directly combine (ie add together) the risks from these 2 different categories so as to obtain a single score, it is statistically questionable whether an identical scoring scale is appropriate for both categories of defect.
In practice, the use of 2 identical scales can be applied but is then typically “adjusted” in more sophisticated RAs by using a “correction factor”. For example, in a simple format, if S is the required combined score of defects in the 2 categories –
S = (sum of scores of individual safety factors).(a1) + (sum of scores of individual non-safety factors).(a2)
Where a1, a2 are the “correction factors”.
Regardless, I daresay most (all?) FS auditors will be unaware (or uninterested) in such distinctions.
@Rosemary - IMO yr basic approach (Post 4) is not unreasonable but I do suggest you hv a look at some almost equally simple but perhaps slightly more elegant (no offence intended) BRC7 equivalents, eg this thread maybe posts 8,35 inter alia -