The seven steps to a successful fire risk management audit

Following two recent articles on fire policy and developing fire risk management strategy, Ben Bradford offers 7 steps to a successful fire risk management audit.

In an ever changing world, there’s an increasing focus on the total contribution from businesses to their customers, people, suppliers, community and the wider economy. These stakeholders can demand a high level of confidence that the organisation is capable of operating in a way that is defined, consistent, under control, effective and efficient. Put simply, the leadership, management and wider stakeholders want assurance.

There is of course a legal requirement contained within Article 11 of the Regulatory Reform (Fire Safety) Order 2005 that imposes a responsibility on the Responsible Person (usually the body corporate) to make and give effect to such arrangements as are appropriate, having regard to the size of his undertaking and the nature of its activities, for the effective planning, organisation, control, monitoring and review of the preventive and protective fire safety measures.

Interestingly that’s never the primary reason we are commissioned to undertake an audit. There are usually a number of reasons beyond minimum compliance with legislation that spur an organisation to commission a fire risk management audit. Providing evidence and confirmation for enhanced confidence and increased assurance is the primary positive role for auditing. This is achieved by looking for evidence to the contrary, for weaknesses, faults and failures in order to prove confidence.

However, we need to understand more clearly what is meant by the term ‘audit’. The term audit is defined in PAS 7: 2013 as a ‘systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the specified criteria are fulfilled’. The specified criteria would be the PAS 7: 2013 – fire risk management system specification standard from the British Standards Institution.

On appointment, the auditor will prepare an audit plan with dates, times and locations for the following seven steps to take place. This will be discussed and agreed with the client to ensure it is mutually convenient. The following seven steps provide a methodology with which to approach a fire risk management audit:

Step One

This process will start with a desk top review of the organisations documented information. In an ideal world this will be the organisations fire risk management policy, strategy and procedures. However there may be other fire safety information that is required to be controlled and maintained by an organisation. This could be information at an organisational or strategic level or premises specific. We recently published a BB7 White paper entitled ‘A Guide to fire safety information for occupiers and end users of premises’ which provides further clarification on the different forms of fire safety information.

Step Two

The audit team will conduct interviews with key staff (duty holders). A duty holder is a person on whom there is a duty to comply with fire safety legislation. A selection of key duty holders can be identified from a review of organisational charts obtained in step one. However, it is prudent to begin gathering information on key people as early as possible and usually during initial meetings with the client.

In our experience, within a large organisation there are usually 10–15 key stakeholders linked to the fire risk management system across departments. It is useful for the organisation to identify the key individuals by title and schedule appointments. This way you are less likely to get to the end of the audit and someone to come forward and ask “Why did you not speak to me?”

Fire safety is not like health and safety and it rarely sits neatly in one department. The fire risk management function often straddles a number of departments but the role of the fire safety manager often creates a misconception among other functions within an organisation that fire safety is nothing to do with them. On occasions we find that the expectations on the fire safety manager are unrealistic.

Examples of this can be when they are leaned on for fire safety design and engineering advice during a refurbishment or new build project. Alternatively, they may be responsible for the governance of fire risk but also be contracted to look after health, safety and environment issues or security. In this scenario organisations can sometimes expect them to be a technical expert in all these disciplines. This is an unrealistic expectation.

Step Three

It is important to review the premises lists of those premises that require fire risk assessments and perform a desk top audit of a random sample of fire risk assessments. Following this initial desk top review the auditor can undertake site visits on a smaller sample in order to assess the standard of fire risk assessment review being undertaken.

BB7 have developed and documented a methodology specifically for desk top review and site based inspection of fire risk assessments and this is essential in ensuring consistency among auditors about what is deemed suitable and sufficient and what is not and also in providing constructive feedback to those who prepared the fire risk assessments.

Step Four

The auditor will then need to prepare a documented report in order to communicate the results of a fire risk management audit. This is, in itself, fire safety information however it is worth recognising that the words ‘information’ and ‘communication’ are used interchangeably but there is a difference. Information is giving out and communication is imparting the information and knowledge. A good auditor will use both written and verbal communication to communicate the results of the audit.

When drafting the fire risk management audit report the auditor will need to separate recommendations and key messages. Recommendations are areas where the organisation will need to complete some improvements much like an action plan in a fire risk assessment. Key messages are significant findings that might be found throughout the entirety of the report but not necessarily require the organisation to act upon them.

Step Five

The auditor may provide a close-out presentation if required, articulating and summarising the information contained in the report. This presentation is usually to senior management within the organisation, and is an opportunity to communicate the information verbally and answer any questions they may have on the content of the report. If a close out presentation is not required by the client the key stakeholders of the organisation will review the report in house before discussing with the auditor any questions they may have.

Step Six

Once the report has been discussed with the auditee in step five the auditor will then review the report in light of comments received and may alter or make changes before the final report is issued.

Step Seven

The auditor will revise and re-issue the final fire risk management audit report.


An auditor is defined as a ‘person with the demonstrated personal attributes and competence to conduct a fire risk management system audit’. Competence is a key word in the definition and relates to one’s ability to apply knowledge and skills to achieve intended results. The value of an audit is dependent on the competency of those auditing. It requires an in-depth knowledge of fire risk management and also management systems awareness.

Fire safety has been in the news a lot recently and for all the wrong reasons. Organisations need assurance. A fire risk management audit is a systematic and structured assessment of the set of interrelated or interacting elements of an organisation to establish policies and objectives and processes to achieve those objectives and manage fire risk.

BB7 are offering a free GAP analysis against PAS 7 to any medium / large organisation considering formalising their fire risk management system organisation wide.