ISO Auditing: How can you take your business to the ‘Next Level’?


Organisations that use ISO Management Systems enjoy many advantages. Even if you don’t plan to go for ISO certification, your business can extract great value from an internal audit and it can provide top management a realistic view of how likely they are to meet objectives.

There are so many reasons to think about audit as a partner in your management operations, so let’s dive into the world of ISO audits and discover the benefits.

Learn more about the Risk-based Auditing Approach! Download our FREE guide Risk-Based Approach to Auditing an ISO Management System.


An ISO audit can apply to an entire organisation or it may be applied to a specific function, process or production step. Some audits serve an administrative purpose, such as auditing documents, risk or performance or following up on completed corrective actions.

The formal definition of an audit is found in ISO 19011:2018 – Guidelines for auditing management systems, which describes it as:

“the systematic, independent and documented process for obtaining audit evidence (records, statements of fact or other information which are relevant and verifiable) and evaluating it objectively to determine the extent to which the audit criteria (a set of policies, procedures or requirements) are fulfilled.” (ISO 19011:2018 – Guidelines for auditing management systems)


There are three main types of ISO audits, classified by who performs them; the surveillance and recertification audits described further below are both third-party audits that form part of the certification cycle:

  • First-party (internal)
  • Second-party (external / supplier)
  • Third-party (certification)

First-party Audit

An Internal Audit is conducted on a process or set of processes to ensure they meet the organisation’s internal requirements and is used for evaluating the effectiveness of the Management System. The value of the Internal Audit is that it takes a critical look at your company and how it operates and improves the effectiveness of risk management, control and governance processes.

Second-party Audit

A Second-party or Supplier Audit is valuable for strengthening a company’s supply chain and verifying that suppliers meet or exceed predetermined requirements. A Supplier Audit can prevent quality, environmental or health and safety issues from reaching your customers.

Third-party Audit

A Third-party or Compliance audit is carried out by a Certification Body (CB) and evaluates whether the Management System meets the requirements of a specific ISO standard. If successful, the Third-party Audit will provide the organisation with a certificate of conformity with the given standard.

ISO 19011:2018 gives guidance on the knowledge and skills an auditor is expected to have and on the principles of auditing, including integrity and ethical conduct in the performance of an audit; a CB will expect its auditors to demonstrate that competence. ISO certification confers numerous benefits such as increasing your organisation’s credibility and enabling you to secure business.

Surveillance Audit

These audits are held in years one and two after initial certification and in years one and two following each recertification. The audit is conducted by the Certification Body and checks that the certified Management System is being maintained and continues to conform to the standard.

Recertification Audit

These audits are held every three years, with the Certification Body performing the audit. The goal is to continue to demonstrate management’s commitment to, and ongoing improvement of, the Management System to ensure its effectiveness.


Knowledge of the ISO standard(s) and conducting effective interviews are essential parts of the Internal Auditor’s job. Unskilled auditors will collect little useful information and their interview questions are likely to elicit predictable answers which are of no value. So ensure that your Internal Auditors are properly trained.

Our ISO Auditor Training courses are an efficient way of doing this: View our public Auditor Training courses here or Sign Up for an Online Learning Course here.


Audits are aimed at enhancing productivity, detecting problems at an early stage and ensuring that policy and objectives are being followed by everyone in the organisation. Below is a roundup of the benefits offered by auditing your ISO Management System:

  • Audits help you to analyse the compliance of your processes with the relevant ISO standards.
  • Audits help you to identify your strengths and weaknesses, which you need to know in order to tackle the opportunities and threats in your industry.
  • Audits let you assess and identify the areas where your efficiency can be improved.
  • Audits help you to identify deviations from your objectives and goals and provide you with the opportunity to correct them.
  • Above all, audits help to bring about positive changes in departments by correcting the nonconformities observed and preventing them from recurring.


Are your Internal Auditors adequately trained to sufficiently audit ISO Management Systems?

Risk ZA’s focus is to conduct audits according to the new ISO 19011:2018 standard’s requirements which focus on a Risk-based Approach during the audit process.



Risk ZA assists businesses in Southern Africa to make excellence a habit. We are experts in delivering a cost-effective route to ISO certification and make sure that ISO Management Systems work for you through our ISO Training, Auditing of Management Systems and our Consulting Services.

For more information about our wide range of training and consulting services, please contact our expert team on +27 (0) 31 569 5900, email info@riskza.com.


Risk Management: Improving Business Performance with Proactive Risk Reduction


Business leaders navigate a complex environment in which the pace of change is rapidly accelerating and this has put pressure on companies to focus on risk management. The risk environment is equally challenging. Organisations are juggling a multitude of risks and it is becoming extremely difficult for enterprises to identify and reduce the impact of risk on their organisations. While managing the failure of critical assets is the top pressure, executives should not forget the risks associated with non-compliance, environmental, financial, logistical and supplier issues.

As such, Enterprise Risk Management (ERM) and Enterprise Resilience have become hot topics. But what are they and are they the same concept?

Enterprise resilience and ERM are related concepts that are associated with risk, but they are different. Enterprise Risk Management is a process that organisations use to rigorously identify, assess, manage and monitor risks that may affect their operations and objectives.

Enterprise resilience, on the other hand, is a capability. It describes an organisation’s capacity to anticipate and react to change that could represent opportunities and threats. Resilience includes two important components: organisational capacity and the ability to adapt and grow from a disruptive experience.


There are four stages to achieving enterprise resilience:

  • Stage 1 – prepare and plan for the risk event
  • Stage 2 – absorb the consequences of the risk event
  • Stage 3 – recover from the risk event
  • Stage 4 – successfully adapt to the risk event

ERM is the mainstay of Stage 1 and assists with the other three stages as it cuts across organisational silos and considers internal and external risks, such as cyber-attacks and natural disasters. In this way, ERM allows management to identify risks and absorb the negative impact and assists with recovery by allowing organisations to assess and mitigate risks and plan for adverse events.


A healthy corporate culture promotes long-term resilience. The opposite may also be true. If the board and senior leadership are too focused on containing incidents and minimising bad press to preserve reputation and share value, this may lead to inappropriate responses in crises, and to inappropriate strategies to prepare the company to bounce back better.

Your governance, your values and your stakeholder relationships all determine your resilience. So do your processes.


Good governance comprises four essential elements:

Transparency – being clear and unambiguous about the company’s structure, operations and performance, both externally and internally; and, maintaining a genuine dialogue with and providing insights to stakeholders and the market.

Accountability – ensuring that there is clarity of decision-making within the company; with processes in place to ensure that the right people have the right authority to make effective and efficient decisions; with appropriate consequences delivered for failures to follow those processes.

Stewardship – developing and maintaining a company-wide recognition that the organisation is managed for the benefit of its shareholders, taking into account the interests of other stakeholders.

Integrity – developing and maintaining a corporate culture committed to ethical behaviour and compliance with the law.


Almost all organisations have faced adversity at some point in their history. Those that prosper over long periods of time display a remarkable ability to bounce back from adversity time and time again and to create value in changing circumstances.

Business turbulence and disruptions need to be addressed in the same manner as any other material business risk. Directors have a duty to ensure that the organisations which they govern are sustainable through disruptive events and create a culture in which business opportunities are chosen wisely.

A sustainable organisation is able to quickly adapt and align its strategy, operations, management systems, governance structure, and supply chain to meet the challenges of significantly changing environments. It is also able to create competitive advantage by maximising opportunities in an informed manner.

Sustainability is not only about being able to respond to a single crisis or setback but about continuously anticipating and adjusting to trends that can permanently alter the viability of a business. Traits of sustainable organisations include:

A culture of sustainability – a clear purpose and a core set of values which are more than just platitudes. Leaders of sustainable organisations strive to make the purpose and value a compelling reality at all levels of the organisations. The measure of success of a culture of sustainability is the degree to which the organisation’s people, from the board down, are active participants in understanding and addressing the opportunities and risks associated with the achievement of the organisation’s objectives.

A strong understanding of risks aligned to business strategy – all strategies and all opportunities worth pursuing involve risks that must be monitored and managed. Risk management is about both protecting value and creating value.

Accurate monitoring and detection with relevant reporting to management and the board – reporting mechanisms to raise alerts about risks may also be used to identify opportunities.

Reliable and sustainable processes and infrastructure which balance efficiency with flexibility – contingency and recovery planning and competitive advantage are founded on risk-based analysis and are embedded in operational plans encompassing people, processes, systems and data.


The ISO 31000:2018 Risk Management standard provides principles and generic guidelines on risk management. It seeks to harmonise the myriad of existing standards, methodologies and paradigms that differ between industries, subject matters and regions, and it assists organisations to gain better control of and visibility into the risks within their operations.

Cross-functional involvement and collaboration are the keys to a successful risk management and risk mitigation program and these are focus areas in the latest version of the ISO 31000:2018 Risk Management standard.

In a risk environment that is growing more perilous and costly, boards and business owners need to help steer their enterprises toward resilience and value by embedding strategic risk capabilities throughout the organisation. But how do you achieve this? Learn more! Download our FREE guide on How to Achieve A Best-In-Class Risk Management System.


Risks ZA works with organisations in numerous ways to help you understand and manage your risks.

Don’t miss our ISO 31000:2018 Introduction to Risk Management Public Training Event which aims to deliver better solutions for managing complex risks and identifying competitive advantages in an ever-changing business environment.

Gain invaluable insights into Risk Management principles and be in a position to establish best-in-class Risk Management practices. Visit our Training Schedule page to view when the next course is running in your area!

To book your seat, call our team on +27 (0) 31 569 5900, email info@riskza.com or complete our Online Booking Form.


Are You A Risk Ready Organisation?


As the speed of change increases, organisations need to adapt quickly. The age that we are living in will show no mercy for the risk-averse. From cyber risk to terrorism, climate change, and reputation risk, mounting a credible defence against these risks will depend very much on our ability to harness them and improve overall organisational resilience.

Organisations that embrace risk agility will be able to quickly reinvent themselves and establish a company culture that recognises when the enterprise is in danger by either an internal course of action or an external threat.

Based on our research and experience, almost all organisations in South Africa have been hit by a major operational ‘surprise’ in the past two years. The disastrous consequences of the recent rolling blackouts on businesses are all too fresh in our memories, as are the severe water restrictions imposed in the Western Cape.

Yet, we see few organisations that have a ‘complete’ Enterprise Risk Management (ERM) framework in place. Many do not maintain a Risk Register, and formal Risk Management training for executives and business owners is something that is often overlooked.

On the upside, the speed of change presents a myriad of opportunities. By embracing the reality that risk and return are related, and investing in enterprise risk oversight, there is plenty of evidence to support the fact that an organisation’s resilience and agility will strengthen.

Risk management can be a valuable aid to help people in organisations think through ‘what might happen’. Some of the benefits that good risk management can provide include:

  • Helping to set a successful strategy and governance
  • Helping to foster a good culture
  • Helping to achieve good, risk-informed decision-making
  • Assisting with new innovation and technological change
  • Ensuring there is an appropriate level of organisational resilience
  • Helping operations and projects to achieve successful outcomes


Top performing organisations view risk management as a strategic asset, which can sustain value over the long term. Ideally, risk management and compliance are addressed as strategic priorities by leadership and day-to-day management.

In the ISO 31000:2018 Risk Management Standard, risk oversight is presented as a process that is underpinned by a set of 8 principles, with value creation and protection at their centre. These principles are supported by a structure or framework that is appropriate to the organisation and its external environment. This is key in our view.

Your Risk Management framework should be fit for purpose and integrated into how your organisation works. ISO 31000:2018 doesn’t provide details about different organisational processes because you know what yours are. So ISO 31000:2018 gives you the freedom to stitch ‘risk-thinking’ into your core processes in a simple and effective manner.

You may also want to read our blog post “ISO 31000:2018 Risk Management – Accelerate Business Performance”.

ISO 31000:2018 recommends that a successful Risk Management initiative should be:

  • Proportionate to the level of risk in the organisation
  • Aligned with other corporate / business activities
  • Comprehensive
  • Embedded into routine activities
  • Dynamic by being responsive to changing circumstances

This approach enables a Risk Management program to deliver outputs, such as compliance with applicable governance legal requirements, assurance to stakeholders regarding the management of risk and improved decision-making.

The benefits associated with these outputs, which need to be sustainable and measurable, include more efficient operations and a more effective business strategy.

In summary, you can use the guidance in ISO 31000:2018 to help people in your organisation think through what might happen and work collaboratively to achieve your business goals and objectives in a fast-changing world.


Megan Cunningham, MD of Risk ZA, shares her insights into the benefits that an ERM System can bring to your organisation.

Could you talk about your perceptions of the benefits that an ERM program can bring to an organisation?

From my perspective, ERM positions an organisation to better manage uncertainties, reduce volatility and add measurable value if integrated correctly. ERM also positions organisations to communicate with internal and external stakeholders on what they are doing to address risk.

ERM promotes risk awareness throughout the organisation. It provides an avenue for risk discussions and assists business owners to know what they are doing to address risk and what is being done to address risk so that the business owner or top management is not left wondering: “Okay, we have this big risk out there, what are we doing about it?”

Risk Management provides that avenue and that structure so that everybody in an organisation is informed about what is being done to assess risk.

Have you any advice for an organisation that is getting started with ERM?

Yes. Enterprise Risk Management is not a race. It’s a journey. It’s also not a check-the-box approach to Risk Management.

For ERM to be sustainable, it’s very important to get buy-in from Top Management and to make sure that it becomes part of the organisational culture.


Risk ZA has a collective experience of over 30 years in training, consulting and implementing ISO related solutions for organisations of all types and sizes in the Southern African region.

We are leading experts in the field of Enterprise Risk Management and Corporate Sustainability. We are well-positioned to assist your organisation build a solid foundation for growth.

If you want to learn more about adopting the principles of Risk Management, or want to implement ISO 31000:2018 in your organisation, give us a call on +27 (0) 31 569 5900 – we would be happy to walk you through the process!


Manage Your Risks Better: It’s About Survival


The Great Recession is the name given to the 2008 – 2009 financial crisis. A perfect storm had been brewing for years and finally, it was unleashed in 2008. But what caused it? Let’s take a look at the events leading up to the crisis.

The credit crisis brought two groups of people together – homeowners and investors. These two groups were brought together by the financial system – banks and brokers, commonly known as Wall Street.

Years ago, investors were sitting on piles of money looking for ways to make more money. Traditionally, they purchased US Treasury bills. But in the wake of the 2001 dot-com bubble, Alan Greenspan lowered the Fed’s interest rate to 1%. Investors said “no thanks” to the low return. Banks on Wall Street, on the other hand, could borrow from the Fed at the low rate of 1%. Add to that surpluses (excess savings) from Japan, China and the Middle East and there was an abundance of cheap credit.

Wall Street banks took out a lot of credit, made great deals, grew tremendously rich and paid back the Fed. Investors saw this and wanted a piece of the action. This gave Wall Street an idea. They could connect investors with homeowners through mortgages. The banks started selling mortgages to investment bankers, who then borrowed millions of dollars, purchased thousands more mortgages and put them into a ‘box’. They received payments from the homeowners, and then decided to cut the ‘box’ into three investment slices: Safe, Okay and Risky.

The debt was repackaged and called Collateralised Debt Obligation or a CDO. Finally, the investors had found a safe investment for their money. They were so pleased, they wanted more CDO slices. So the investment banker called up the bank for more homeowners. But everyone who qualified for a home loan already had one. The banks came up with another idea. They started adding risk to new mortgages by not requiring deposits and proof of income. These were called Sub-prime Mortgages. This was the turning point.

Not surprisingly, homeowners defaulted on payments and banks foreclosed. Soon there were more houses than people could buy and prices plummeted. Investment bankers were left holding a box full of worthless houses. Bankers had a glut of houses nobody wanted to buy, and investors were saddled with thousands of CDOs they couldn’t shift.

The whole financial system froze and things got very dark.

Download your FREE Guide on How to Unlock the Potential of Risk-based Thinking in the New ISO Management Standards and gain an excellent understanding of Risk-based Thinking!


What went wrong with leadership and how did they aid and abet the 2008-2009 financial crisis? Surely banking executives must have known what was going on? A team from the Ivey Business School asked these questions to more than 300 senior business leaders from across Canada, New York, London, England and Hong Kong. They found that a failure in leadership was a root cause of the crisis.

While banking executives were aware of what was going on, they had blinded themselves to the inevitable consequences as they were reaping the rewards. Good leadership and sound risk management practices, on the other hand, had protected organisations that emerged from the crisis unscathed.

So how does a business effectively manage its risks?


“… You can’t control people through policies, procedures and policing. You can only do it through a strong risk management culture and absolute integrity in all leaders.” – Ivey Business School.

A company’s culture is set from the top, so it makes sense that senior leaders need to establish the tone for the risk management culture. As a company’s success and survival can depend on the proper implementation of risk management, it’s important that senior leaders assume overall responsibility for it. Enterprise Risk Management (ERM) has been seen as a hindrance rather than a necessity in the past, but many businesses are realising its importance today.


The internationally recognised ISO 31000:2018 Risk Management Standard focuses on the importance of implementing a coherent risk culture within a business. It defines risk management as “coordinated activities to direct and control an organisation with regard to risk”.

It also provides a definition of the risk management framework as a “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization”. The ISO 31000:2018 Standard is practical and business oriented and consists of three components: the principles of managing risks, the framework for managing risk, and the process for managing risks.

The Standard captures ERM as an integrated way of managing risk across an enterprise at all levels of an organisation. Due to the complex nature of risk, market volatility, the changing global risk landscape, and the speed at which risks can now materialise, organisations need to think beyond risk compliance and towards a holistic approach.

This is where ERM comes into its own. Effective ERM will, for example, encourage proactive risk management and a deeper and more meaningful insight into the threats you face and the opportunities for growth.


ERM programmes should be tailored to the needs of the organisation. Broadly speaking, the practice of ERM incorporates the process of risk management, the people who are involved in risk management and the information system used to facilitate the process.

1. Process

Risk should be embedded in management activities. Describe the process in a procedure document so that employees understand the risk management process and how to consistently perform their activities. The risk management activities for the ERM programme should span all areas and functions and cross internal boundaries. Adopting an interlocking or joined-up approach to risk management helps to allocate resources efficiently and to solve the risk more effectively.

2. People

Senior executives set the tone for the organisation’s risk management culture and need to live and breathe the culture, as well as talk to staff about the reasons why the organisation is engaging in ERM. Ensure that responsibilities and accountabilities are clearly communicated and followed through.

3. Information Systems

Using a well-designed information system to record, report and monitor risk performance across your organisation will improve management insight, speed up response times and assist with knowledge-based decision-making.

Safeguarding your brand and reputation – your two most valuable assets – and protecting shareholder value requires an active, well-managed risk management programme.

Why not opt for the internationally acclaimed ISO 31000:2018 Risk Management Standard for your ERM programme?


Do you need help managing your risk holistically? Contact us today to find out about our range of services! Visit www.riskza.com/training-schedule-booking to find an upcoming ERM training event closest to you.

Contact Risk ZA on +27 (0) 31 569 5900, email info@riskza.com or using our contact form.



ISO 31000:2018 Risk Management – Accelerate Business Performance


The World Economic Forum describes the current competitive business landscape in a word: disruptive. How well an organisation approaches risk management in a climate of volatility can affect its ability to make robust and informed strategic decisions and achieve its objectives.

Download our FREE GUIDE ISO 31000:2018 How do I get started? where we investigate the 8 Principles that set out the requirements for a risk management initiative.

Traditionally, risk management played a supporting role at board level. However, over the past decade, organisations have adopted the view that risk management must be embedded in the general management of an organisation, and fully integrated across an enterprise with functions such as finance, strategy, internal control, procurement, continuity planning, human resources, and compliance.

Voices of stakeholders have become louder in their demand for transparency and accountability in managing the impact of risk, and evaluating the ability of leadership to embrace opportunities. The use of technology and economic globalisation have made risks increasingly entwined, placing even more emphasis on sound risk management within any organisation.

To keep pace with a rapidly evolving world and future threats, the International Organization for Standardization published a revised version of its Risk Management Standard in February 2018. Essentially, ISO 31000:2018 reflects the evolution of risk management thinking from a separate ‘siloed’ activity to an integrated management function. The overarching strategy of the standard is to embed risk management best practices on a micro-level within organisations so as to manage threats that stand in the way of enterprises achieving their objectives, and create value by finding and exploiting opportunity. This should grab the attention of anyone looking to gain competitive advantage, improve operations, or reduce costs within their organisation.

ISO 31000:2018 - Five Things to Know

1. It is clear and concise

The standard delivers a clear and concise guide to help all organisations manage risks. Risk management concepts are simply explained, giving diverse organisations and people the ability to access the tools that can drive change in order to protect and create value. ISO 31000:2018 is supplemented by ISO Guide 73:2009, the risk management vocabulary that supports ISO 31000, and by IEC 31010 (Risk assessment techniques), which focuses on risk assessment concepts, processes and the selection of risk assessment techniques. ISO 31000:2018 has been trimmed down to just 15 pages, and the risk management principles reduced from 11 to 8, which streamlines implementation.

2. It is easy to implement

All organisations make decisions that shape their future every day. ISO 31000:2018 provides guidance on how to manage uncertainty to meet objectives, and how to implement risk management to support strategic decision making. This promotes intelligent risk taking at all levels of a business. Risk management best practices promote critical thinking about the role of uncertainty in decision making, and encourage the identification, assessment, and treatment of uncertainty that can impact daily business activities. Small organisations with limited room for exposure to adverse internal and external risks now have the ability to access invaluable tools to create a tolerable risk environment and protect value.

3. It creates and protects value

Creating and protecting value is the central tenet of ISO 31000:2018. If processes are not adding value, they are simply adding costs. The standard helps enterprises improve performance by embedding risk management into all business decision-making processes and making risk-based thinking a daily activity.

4. It reinforces integration

Integration is mentioned throughout the standard. Here are a few examples:

  • Risk management should be part of the organisational purpose, governance, leadership and commitment, strategy, objectives and operations.
  • Properly designed and implemented, the risk management framework ensures that the risk management process is a part of all activities throughout the organisation.
  • The organisation should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.
  • The risk management process should be an integral part of management and decision-making and should be integrated into the structure, operations and processes of the organisation.

5. It focuses on leadership

Support from top management is essential for successful implementation of the risk management framework and processes. Leadership support for risk management becoming a strategic planning and decision-making tool creates a risk aware culture at all levels of the organisation.


ISO 31000:2018 can help create and protect value for any organisation by providing a flexible framework. If individuals are given the tools to promote critical thinking on how uncertainty can impact meeting objectives then the organisation should see an increase in value from an integrated risk management framework.

Ready to get started?

Risk ZA is a leading provider of enterprise risk management training programmes, which aim to improve your business performance. Contact us on +27 (0) 31 569 5900, email info@riskza.com or visit www.riskza.com.


For more information or guidance on which ISO standard(s) and services would best suit the needs of your organisation, please email Risk ZA at info@riskza.com or contact us on 0861 Risk ZA / +27 (0) 31 569 5900.
