Photo credit: Erikona

Published: 6 Aug 2020

Luis Alberto Palacios Vásquez, Technical Director at Integral Consulting Group, Guatemala, South America, explains the importance of risk-based thinking during the audit process.

Many companies have several different management systems, each focusing on a different area, such as food safety, quality and environmental management. ISO 19011:2018, Guidelines for Auditing Management Systems, helps with the effective audit of those management systems to ensure continuous improvement.

The launch of ISO 19011:2018 saw the concept of a risk-based approach added as one of the audit principles, in addition to integrity, confidentiality and others.

As always, risk is one side of the coin; the other side is opportunity.


The standard mentions that the risk-based approach must be present throughout the plan, do, check, act (PDCA) cycle of the audit process. At the planning stage, for example, risk must be considered in several ways.

I remember a set of audits I conducted at a hospital, in a Latin American country, where during the first audit the doctor responsible for the health and safety programme at the site commented that half of the staff had chikungunya (a disease caused by a tropical mosquito). This disease infected a total of 500 people at the hospital in question.

The audit should have been scheduled for another time as there was a clear risk here, not only to the auditor, but also of the audit not being properly conducted with so many people infected and unable to work.


Risk-based thinking during an audit also means focusing on issues that are relevant to the performance of the system. I once audited a food factory, where I discovered allergens present in one of their products.

The company had not realised that a raw material contained an allergenic ingredient. Therefore, although the allergenic ingredient was present in the product, it was not declared on the product’s label. This meant consumers were not aware of the full list of ingredients.

When asked how important this product was to the business, the quality manager said it accounted for 70 per cent of the company’s overall sales.

On average, one million boxes a month of this product were sold to customers. I was shocked at this declaration by the company regarding the product’s popularity with consumers as the findings required the product to be recalled.

This situation made me realise that the most popular product should be the first product to be inspected and audited.

Quality objectives

We always need to keep the quality objectives in mind and analyse them against the findings of the audit. One example of an objective for auditors is to challenge the whole system to prove it is effective.

As auditors, we need to go deeper to ask for more evidence, until we are certain about the evidence we have collected.

During one audit, it was required of me to prove that the employees performing tests for food safety had been evaluated against a proficiency assessment.

The issue was finding the right way to carry out the assessment, for example through an interview or on-the-job observations.

I needed to visit the lab, interview the technicians and the supervisors to offer a solution for this requirement.

By challenging how the technicians and supervisors carry out their jobs, I was able to better see the changes that needed to be implemented.

When we discover something that is an obstacle to meeting quality objectives, we must stop and determine if we need to challenge the system to resolve the problem.