What is risk-based thinking?

 - One of the main changes in the 2015 revision of ISO 9001 is to establish a systematic approach by considering risk, rather than treating “prevention” as a separate component of a quality management system.

 - Risk is present in all aspects of a quality management system i.e. in all systems, processes and functions. Risk-based thinking ensures these risks are identified, considered and controlled throughout the design and use of the system.

 - In previous editions of ISO 9001, preventive action was covered by a separate clause. With risk-based thinking, the consideration of risk is integral. It becomes proactive rather than reactive in preventing or reducing undesired effects through early identification and action. Preventive action is present when a management system is risk-based.

 - Risk-based thinking is something we all do in everyday life.

Example: If I wish to cross a road I look for traffic before moving. I will not step in front of a moving car.

 - Not all the processes of a QMS represent the same level of risk in terms of the organization’s ability to meet its objectives. Some need more careful and formal planning & controls than others.

Example: To cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risk factors.

 - Risk is commonly understood to have only negative effects; however, the effects of risk can be either negative or positive.

 - In ISO 9001:2015 risks and opportunities are often mentioned together. Opportunity is not always the positive side of risk. An opportunity is a set of circumstances which makes it possible to do something. Taking or not taking an opportunity then has an effect on risk.

Crossing the road directly gives me an opportunity to reach the other side in quick time, but if I take that opportunity there is high risk of injury from moving cars.

 - Risk-based thinking considers both the current situation and the possibilities for change.


Where is risk addressed in ISO 9001:2015?

The concept of risk-based thinking is explained in the introduction of ISO 9001:2015 as an essential part of the process approach.

ISO 9001:2015 uses risk-based thinking in the following way:

1. Introduction

 - The concept of risk-based thinking is explained

2. Clause 4

 - The organization is required to determine its QMS processes and to address its risks and opportunities process by process.

3. Clause 5

Top management is required to

 - Promote awareness of risk-based thinking

 - Determine and address risks and opportunities that can affect product/service conformity

4. Clause 6

 - The organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them

5. Clause 7

 - The organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned)

6. Clause 8

 - The organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned)

7. Clause 9

 - The organization is required to monitor, measure, analyze and evaluate effectiveness of actions taken to address the risks and opportunities

8. Clause 10

 - The organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities

Why use risk-based thinking?

 - By considering risk throughout the system and all processes, the probability of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive a good product or service.

 - Risk-based thinking:

• improves governance

• establishes a proactive culture of improvement

• assists with statutory and regulatory compliance

• assures consistency of quality of products and services

• improves customer confidence and satisfaction

Risk associated with internal factors

 - Supplier

 - Input

 - Process

 - Output

 - Customer

 - 6M

Risk associated with external factors

 - Economic

 - Social

 - Political

 - Environmental

 - Legal

External and Internal Factors

How do I do it?

 - Use risk-based thinking in building your management system and processes.

Identify what your risks are

 - it depends on context


If I cross a busy road with many fast-moving cars, the risks are different than if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific personal objectives.

Understand your risks

 - What is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another?


Objective: I need to cross a road safely to reach a meeting at a given time.

• It is UNACCEPTABLE to be injured.

• It is UNACCEPTABLE to be late.

 - Reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than to reach my meeting on time.

 - It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high.

Plan actions to address the risks

How can I avoid or eliminate the risk? How can I mitigate risks?


I could eliminate risk of injury caused by being hit by a vehicle if I use the footbridge but I have already decided that the risk involved in crossing the road is acceptable.

 - I plan to cross at a time when there are no cars moving near me and so reduce the probability of an accident. I also plan to cross the road at a place where I have good visibility.

Implement the plan – take action


I move to the side of the road, check there are no barriers to crossing. I check there are no cars coming. I continue to look for cars while crossing the road.

Check the effectiveness of the action – does it work?


I arrive at the other side of the road without injury and on time: this plan worked and undesired effects have been avoided.

Learn from experience – improve


I repeat the plan over several days, at different times and in different weather conditions.

 - This data is used to understand that changing context (time, weather, quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time and avoiding injury).

 - Experience teaches me that crossing the road at certain times of day is very difficult because there are too many cars. To limit the risk I revise and improve my process by using the footbridge at these times.

 - I continue to analyze the effectiveness of the processes and revise them when the context changes.

 - I also continue to consider innovative opportunities:

• can I move the meeting place so that the road does not have to be crossed?

• can I change the time of the meeting so that I cross the road when it is quiet?

• can we meet electronically?


 - Risk-based thinking:

• is not new

• is something you do already

• is on-going

• ensures greater knowledge of risks and improves preparedness

• increases the probability of reaching objectives

• reduces the probability of negative results

• makes prevention a habit

