Greetings! Just last week, we underwent the first stage audit with our CB. To determine the actions to address risks and opportunities, we used a matrix that lists down all the steps of a procedure, its requirement/s, the corresponding risks and opportunities of these requirements and the actions to address them. We also indicated what the planned result should be for these steps. IMHO, doing this would help us make sure that our procedures would be effective. Here's the thing though, one of the auditors from our CB indicated that one of the risks I should have explicitly stated is that our process (which is about providing info to clients through various means) may not be effective. It seems the auditor wants me to identify a single major risk. I can't buy into this idea because when we were indicating the actions in this matrix, the main goal is for our process to be effective by addressing risks/opportunities. Thus addressing risks, effectiveness and achieving intended results are 'peppered' throughout this matrix. I would like to hear everyone's thoughts on this. Thank you.