Risk-Based Thinking ISO 9001


International Organization for Standardization

BIBC II, Chemin de Blandonnet 8, CP 401, 1214 Vernier, Geneva, Switzerland


Tel: +41 22 749 01 11, Web: www.iso.org

RISK-BASED THINKING IN ISO 9001:2015

Purpose of this paper


• to explain risk-based thinking in ISO 9001

• to address perceptions and concerns that risk-based thinking replaces the process
approach

• to address the concern that preventive action has been removed from ISO 9001

• to explain in simple terms each component of risk-based thinking

What is risk-based thinking?


One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic
approach to considering risk, rather than treating “prevention” as a separate component of
a quality management system.

Risk is inherent in all aspects of a quality management system. There are risks in all systems,
processes and functions. Risk-based thinking ensures these risks are identified, considered
and controlled throughout the design and use of the quality management system.

In previous editions of ISO 9001, a clause on preventive action was separated from the
whole. By using risk-based thinking the consideration of risk is integral. It becomes proactive
rather than reactive in preventing or reducing undesired effects through early identification
and action. Preventive action is built-in when a management system is risk-based.

Risk-based thinking is something we all do automatically in everyday life.

Example: If I wish to cross a road I look for traffic before I begin. I will not step in front of a
moving car.

Risk-based thinking has always been in ISO 9001 – this revision builds it into the whole
management system.

In ISO 9001:2015 risk-based thinking needs to be considered from the beginning and
throughout the system, making preventive action inherent to planning, operation, analysis and
evaluation activities.

Risk-based thinking is already part of the process approach.

Not all the processes of a quality management system represent the same level of risk in
terms of the organization’s ability to meet its objectives. Some need more careful and
formal planning and controls than others.

ISO/TC 176/SC2/N1284 www.iso.org/tc176/sc02/public


Example: To cross the road I may go directly or I may use a nearby footbridge. Which process
I choose will be determined by considering the risks.

Risk is commonly understood to have only negative consequences; however the effects of
risk can be either negative or positive.

In ISO 9001:2015 risks and opportunities are often cited together. Opportunity is not the
positive side of risk. An opportunity is a set of circumstances which makes it possible to do
something. Taking or not taking an opportunity then presents different levels of risk.

Example:

Crossing the road directly gives me an opportunity to reach the other side quickly, but if I
take that opportunity there is an increased risk of injury from moving cars.

Risk-based thinking considers both the current situation and the possibilities for change.

Analysis of this situation shows opportunities for improvement:

• a subway leading directly under the road

• pedestrian traffic lights, or

• diverting the road so that the area has no traffic

Where is risk addressed in ISO 9001:2015?


The concept of risk-based thinking is explained in the introduction of ISO 9001:2015 as an
integral part of the process approach.

ISO 9001:2015 uses risk-based thinking in the following way:

Introduction - the concept of risk-based thinking is explained

Clause 4 – the organization is required to determine its QMS processes and to address its
risks and opportunities

Clause 5 – top management is required to

• Promote awareness of risk-based thinking

• Determine and address risks and opportunities that can affect product/service
conformity

Clause 6 – the organization is required to identify risks and opportunities related to QMS
performance and take appropriate actions to address them

Clause 7 – the organization is required to determine and provide necessary resources (risk is
implicit whenever “suitable” or “appropriate” is mentioned)

Clause 8 – the organization is required to manage its operational processes (risk is implicit
whenever “suitable” or “appropriate” is mentioned)



Clause 9 – the organization is required to monitor, measure, analyse and evaluate
effectiveness of actions taken to address the risks and opportunities

Clause 10 – the organization is required to correct, prevent or reduce undesired effects and
improve the QMS and update risks and opportunities

Why use risk-based thinking?


By considering risk throughout the system and all processes the likelihood of achieving
stated objectives is improved, output is more consistent and customers can be confident
that they will receive the expected product or service.

Risk-based thinking:

• improves governance

• establishes a proactive culture of improvement

• assists with statutory and regulatory compliance

• assures consistency of quality of products and services

• improves customer confidence and satisfaction

Successful companies intuitively incorporate risk-based thinking.

How do I do it?
Use risk-based thinking in building your management system and processes.

Identify what your risks are – it depends on context

Example:

If I cross a busy road with many fast-moving cars the risks are not the same as if the road is
small with very few moving cars. It is also necessary to consider such things as weather,
visibility, personal mobility and specific personal objectives.

Understand your risks

What is acceptable, what is unacceptable? What advantages or disadvantages are there to
one process over another?

Example:

Objective: I need to safely cross a road to reach a meeting at a given time.

• It is UNACCEPTABLE to be injured.

• It is UNACCEPTABLE to be late.

Reaching my goal more quickly must be balanced against the likelihood of injury. It is more
important that I reach my meeting uninjured than it is for me to reach my meeting on time.



It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if
the likelihood of being injured by crossing the road directly is high.

I analyse the situation. The footbridge is 200 metres away and will add time to my journey.
The weather is good, the visibility is good and I can see that the road does not have many
cars at this time.

I decide that walking directly across the road carries an acceptably low level of risk of injury
and will help me reach my meeting on time.

Plan actions to address the risks


How can I avoid or eliminate the risk? How can I mitigate risks?

Example: I could eliminate risk of injury caused by being hit by a vehicle if I use the
footbridge but I have already decided that the risk involved in crossing the road is
acceptable.

Now I plan how to reduce either the likelihood or the impact of injury. I cannot reasonably
expect to control the impact of a car hitting me. I can reduce the probability of being hit by a
car.

I plan to cross at a time when there are no cars moving near me and so reduce the likelihood
of an accident. I also plan to cross the road at a place where I have good visibility.

Implement the plan – take action

Example:

I move to the side of the road, check there are no barriers to crossing. I check there are no
cars coming. I continue to look for cars whilst crossing the road.

Check the effectiveness of the action – does it work?

Example:

I arrive at the other side of the road unharmed and on time: this plan worked and undesired
effects have been avoided.

Learn from experience – improve

Example:

I repeat the plan over several days, at different times and in different weather conditions.

This gives me data to understand that changing context (time, weather, quantity of cars)
directly affects the effectiveness of the plan and increases the probability that I will not
achieve my objectives (being on time and avoiding injury).

Experience teaches me that crossing the road at certain times of day is very difficult because
there are too many cars. To limit the risk I revise and improve my process by using the
footbridge at these times.



I continue to analyse the effectiveness of the processes and revise them when the context
changes.

I also continue to consider innovative opportunities:

• can I move the meeting place so that the road does not have to be crossed?

• can I change the time of the meeting so that I cross the road when it is quiet?

• can we meet electronically?

Conclusion
Risk-based thinking:

• is not new

• is something you do already

• is on-going

• ensures greater knowledge of risks and improves preparedness

• increases the probability of reaching objectives

• reduces the probability of negative results

• makes prevention a habit

Other useful documents


ISO 31000:2009 Risk Management – Principles and guidelines

PD ISO/TR 31004:2013 Risk management - Guidance for the implementation of ISO 31000

ISO 9001:2015 Risk-based thinking - power point presentation

ISO 31010:2010 Risk management - Risk assessment techniques



ISO 9001:2015 – Risk Based Thinking

One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic
approach to risk, rather than treating it as a single component of a quality management
system. In previous editions of ISO 9001, a clause on preventive action was separated
from the whole. Now risk is considered and included throughout the standard. By
taking a risk-based approach, an organization becomes proactive rather than purely
reactive, preventing or reducing undesired effects and promoting continual
improvement. Preventive action is automatic when a management system is risk-based.

Risk-based thinking is something we all do automatically and often subconsciously.
For example, if I wish to cross a road I look for traffic before I begin. I will not
step in front of a moving car. The concept of risk has always been implicit in ISO 9001
– this revision makes it more explicit and builds it into the whole management system.
Risk is considered from the beginning and throughout the standard, making
preventive action part of strategic planning as well as operation and review.

Risk-based thinking is already part of the process approach. For example, to cross the
road I may go directly or I may use a nearby footbridge. Which process I choose will be
determined by considering the risks. Risk-based thinking makes preventive action part
of the routine.

Risk is often thought of only in the negative sense. Risk-based thinking can also help
to identify opportunities. This can be considered to be the positive side of risk.
Crossing the road directly gives me an opportunity to reach the other side quickly, but
there is an increased risk of injury from moving cars. The risk of using a footbridge is
that I may be delayed. The opportunity of using a footbridge is that there is less chance
of being injured by a car. Opportunity is not always directly related to risk but it is
always related to the objectives. By considering a situation it may be possible to
identify opportunities to improve. The opportunities for improvement: a subway
leading directly under the road, pedestrian traffic lights, or diverting the road so that
the area has no traffic. It is necessary to analyse the opportunities and consider which
can or should be acted on. Both the impact and the feasibility of taking an opportunity
must be considered. Whatever action is taken will change the context and the risks,
and these must then be reconsidered.

Identify what your risks are – it depends on context


Example:

If I cross a busy road with many fast-moving cars the risks are not the same as if the
road is small with very few moving cars. It is also necessary to consider such things
as weather, visibility, personal mobility and specific personal objectives.

Understand your risks

What is acceptable, what is unacceptable? What advantages or disadvantages are
there to one process over another?

Example:

Objective: I need to safely cross a road to reach a meeting at a given time.

• It is UNACCEPTABLE to be injured.

• It is UNACCEPTABLE to be late.



Reaching my goal more quickly must be balanced against the likelihood of injury. It is
more important that I reach my meeting uninjured than it is for me to reach my meeting
on time.

It may be ACCEPTABLE to delay arriving at the other side of the road by using a
footbridge if the likelihood of being injured by crossing the road directly is high. I
analyse the situation. The footbridge is 200 metres away and will add time to my
journey. The weather is good, the visibility is good and I can see that the road does
not have many cars at this time. I decide that walking directly across the road carries
an acceptably low level of risk of injury and will help me reach my meeting on time.

The main objectives of ISO 9001 are to provide confidence in the organization’s ability
to consistently provide customers with conforming goods and services and to enhance
customer satisfaction. The concept of “risk” in the context of ISO 9001 relates to the
uncertainty in achieving these objectives.

Plan actions to address the risks


How can I avoid or eliminate the risk? How can I mitigate risks?
Example: I could eliminate risk of injury caused by being hit by a vehicle if I use the
footbridge but I have already decided that the risk involved in crossing the road is
acceptable. Now I plan how to reduce either the likelihood or the impact of injury. I
cannot reasonably expect to control the impact of a car hitting me. I can reduce the
probability of being hit by a car. I plan to cross at a time when there are no cars moving
near me and so reduce the likelihood of an accident. I also plan to cross the road at a
place where I have good visibility.

Implement the plan – take action


Example:

I move to the side of the road, check there are no barriers to crossing. I check there
are no cars coming. I continue to look for cars whilst crossing the road.

Check the effectiveness of the action – does it work?


Example:

I arrive at the other side of the road unharmed and on time: this plan worked and
undesired effects have been avoided.

Learn from experience – improve


Example:

I repeat the plan over several days, at different times and in different weather
conditions. This gives me data to understand that changing context (time, weather,
quantity of cars) directly affects the effectiveness of the plan and increases the
probability that I will not achieve my objectives (being on time and avoiding
injury). Experience teaches me that crossing the road at certain times of day is very
difficult because there are too many cars. To limit the risk I revise and improve my
process by using the footbridge at these times. I continue to analyse the effectiveness



of the processes and revise them when the context changes. I also continue to
consider innovative opportunities:

• can I move the meeting place so that the road does not have to be crossed?

• can I change the time of the meeting so that I cross the road when it is quiet?

• can we meet electronically?

DEFINITIONS
ISO 9001:2015 defines risk as the effect of uncertainty on an expected result.

1. An effect is a deviation from the expected – positive or negative.

2. Risk is about what could happen and what the effect of this happening might
be.

3. Risk also considers how likely it is.

The target of a management system is to achieve conformity and customer satisfaction.

Explanation:
Risk is the possibility of events or activities impeding the achievement of
an organization’s strategic and operational objectives. It is the volatility of potential
outcomes. Risk can be defined by two parameters:

• Severity (the seriousness of the harm)

• Probability (the likelihood that the harm will occur)



Risk as Currently Stated in ISO 9001:2015
ISO 9001:2015 uses risk-based thinking to achieve this in the following way:

• Clause 4 (Context) – the organization is required to determine the risks which
may affect this. The organization is also required to determine its QMS
processes and to address its risks and opportunities

• Clause 5 (Leadership) – top management are required to commit to
ensuring Clause 4 is followed. Top management is required to:
  • Promote awareness of risk-based thinking
  • Determine and address risks and opportunities that can affect product/service
conformity

• Clause 6 (Planning) – the organization is required to identify risks and
opportunities related to QMS performance and take appropriate actions to
address them

• Clause 7 (Support) – the organization is required to determine and provide
necessary resources (risk is implicit whenever “suitable” or “appropriate”
is mentioned)

• Clause 8 (Operation) – the organization is required to manage its operational
processes (risk is implicit whenever “suitable” or “appropriate” is
mentioned). The organization is required to implement processes to
address risks and opportunities.

• Clause 9 (Performance evaluation) – the organization is required to monitor,
measure, analyse and evaluate the risks and opportunities.

• Clause 10 (Improvement) – the organization is required to correct, prevent or
reduce undesired effects and improve the QMS and update risks and
opportunities.

ISO 9001:2015 subclause 4.4.1—QMS and its processes


“The organization shall establish, implement, maintain and continually improve a
quality management system, including the processes needed and their interactions,
in accordance with the requirements of this International Standard.

The organization shall determine the processes needed for the quality management
system and their application throughout the organization and shall determine:
organization shall:
f) address the risks and opportunities as determined in accordance with the
requirements of 6.1”

The organization must integrate the actions to address risks and opportunities into its
QMS processes using the PDCA cycle. Not all processes of a quality management
system represent the same level of risk in terms of the organization’s ability to meet
its objectives, and the effects of uncertainty are not the same for all organizations. Each
organization is therefore responsible for the extent to which it applies risk-based thinking
and the actions it takes to address risk, including whether or not to retain documented
information as evidence of its determination of risks.

ISO 9001:2015 subclause 5.1.1—General under leadership and commitment
“Top management shall demonstrate leadership and commitment with respect to the
quality management system by: d) promoting the use of the process approach and
risk-based thinking;”

ISO 9001:2015 requires that, when planning its QMS, top management implement and
promote a culture of risk-based thinking throughout the organization in order to
determine and address the risks and opportunities associated with: giving assurance
that the QMS can achieve its intended result(s); providing conforming products and
services and enhancing customer satisfaction; promoting desirable effects and
improvement; and preventing or mitigating undesired effects.

ISO 9001:2015 subclause 5.1.2—Customer focus


“Top management shall demonstrate leadership and commitment with respect to
customer focus by ensuring that:
b) the risks and opportunities that can affect conformity of products and services and
ability to enhance customer satisfaction are determined and addressed;”

This can be achieved by establishing process capabilities for each process from
manufacturing and assembly to packaging and product delivery and installation. The
computation of a simple indicator of process capability (Cp) or the adjustment of the
process capability toward a specification (Cpk) would help managers quantify their
process risk. The objective would be to achieve the highest economically feasible
capability for each process, thus minimizing the risk of producing so-called unintended
output.
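An added example (not from the paper) of the Cp and Cpk computation this paragraph refers to, together with the fraction of nonconforming output that a normal model of the process implies, so the capability figures can be read directly as a risk of unintended output. The 1.33 target, the use of the sample standard deviation for sigma, and the measurement values are assumptions.

```python
from statistics import NormalDist, fmean, stdev

# Constructed sample measurements (nominal 10.0) and specification limits.
LSL, USL = 9.35, 10.65
CENTRED = [9.8, 10.0, 10.2, 9.9, 10.1]    # mean 10.0, small spread
SHIFTED = [10.1, 10.3, 10.5, 10.2, 10.4]  # same spread, mean 10.3
WIDE = [9.5, 10.0, 10.5, 9.8, 10.2]       # mean 10.0, larger spread

CPK_TARGET = 1.33  # common industry convention, not a figure from the page


def process_capability(measurements, lsl, usl):
    """Return (Cp, Cpk) for a process measured against limits [lsl, usl].

    Cp  = (USL - LSL) / (6 * sigma): how many times the process spread fits
          inside the tolerance, ignoring where the process is centred.
    Cpk = min(USL - mean, mean - LSL) / (3 * sigma): the same idea using only
          the distance to the nearer limit, so an off-centre process scores lower.
    sigma is taken as the sample standard deviation (an assumption; control-chart
    estimates of sigma are also used in practice).
    """
    if usl <= lsl:
        raise ValueError("upper limit must exceed lower limit")
    if len(measurements) < 2:
        raise ValueError("need at least two measurements")
    mu = fmean(measurements)
    sigma = stdev(measurements)
    if sigma == 0:
        raise ValueError("no variation in sample; capability is undefined")
    cp = (usl - lsl) / (6 * sigma)
    cpk = min(usl - mu, mu - lsl) / (3 * sigma)
    return cp, cpk


def expected_nonconforming_fraction(measurements, lsl, usl):
    """Fraction of output expected outside the limits, assuming output is
    normally distributed with the sample mean and standard deviation."""
    dist = NormalDist(fmean(measurements), stdev(measurements))
    return dist.cdf(lsl) + (1.0 - dist.cdf(usl))


def capability_risk(measurements, lsl, usl, target=CPK_TARGET):
    """Classify process risk from Cp/Cpk against the assumed target.

    'acceptable': Cpk meets the target.
    'centring':   Cp meets the target but Cpk does not; the spread is fine and
                  the process needs re-centring on the nominal.
    'spread':     Cp itself is below target; the process varies too much for
                  the tolerance, whatever its centring.
    """
    cp, cpk = process_capability(measurements, lsl, usl)
    if cpk >= target:
        return "acceptable"
    if cp >= target:
        return "centring"
    return "spread"


if __name__ == "__main__":
    for name, data in (("centred", CENTRED), ("shifted", SHIFTED), ("wide", WIDE)):
        cp, cpk = process_capability(data, LSL, USL)
        ppm = expected_nonconforming_fraction(data, LSL, USL) * 1e6
        print(f"{name:8s} Cp={cp:.2f} Cpk={cpk:.2f} ~{ppm:.0f} ppm nonconforming"
              f" -> {capability_risk(data, LSL, USL)}")
```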

6.1—Actions to address risks and opportunities


6.1.1 “When planning for the quality management system, the organization shall
consider the issues referred to in 4.1 and the requirements referred to in 4.2 and
determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended
result(s)
b) enhance desirable effects
c) prevent, or reduce, undesired effects, and
d) achieve improvement.”
6.1.2 “The organization shall plan:
a) actions to address these risks and opportunities, and
b) how to
1) integrate and implement the actions into its quality management system
processes (see 4.4), and
2) evaluate the effectiveness of these actions.
Any actions taken to address risks and opportunities shall be proportionate to the
potential impact on conformity of goods and services and customer satisfaction.”

The organization must integrate the actions to address these risks and opportunities
into its QMS processes using the PDCA cycle. Not all processes of a quality
management system represent the same level of risk in terms of the organization’s
ability to meet its objectives, and the effects of uncertainty are not the same for all
organizations. Each organization is therefore responsible for the extent to which it
applies risk-based thinking and the actions it takes to address risk, including whether
or not to retain documented information as evidence of its determination of risks.

When planning its QMS, the organization must consider the risks and opportunities
presented by external and internal issues as well as the needs and expectations of
interested parties, relevant to its purpose and strategic direction. Means to address
risks may include avoiding risk, taking risk in order to pursue an opportunity, removing
the source of the risk, changing the likelihood or consequences, sharing the risk, or
making an informed decision to retain the risk. Opportunities can derive from favorable
circumstances that can lead to the use of new practices, launching new products,
entering new markets, addressing new clients, reducing waste or improving
productivity, growing relationships, using new technology and other desirable and
viable opportunities that help the organization achieve its strategic direction and
enhance customer satisfaction.

9.1.3 – Analysis and evaluation


“The organization shall analyse and evaluate appropriate data and information
arising from monitoring and measurement.
The results of analysis shall be used to evaluate:
e) the effectiveness of actions taken to address risks and opportunities;”

Planning also requires monitoring and measuring these actions and gathering,
analyzing and evaluating appropriate data and information to determine the
effectiveness of such actions.

9.3.2 – Management review inputs


“The management review shall be planned and carried out taking into
consideration: e) the effectiveness of actions taken to address risks and opportunities
(see 6.1)”

This planning must be periodically reviewed and updated as necessary when taking
corrective actions or at management reviews. These actions must be proportional to
the potential impact on the conformity of products and services.

10.2.1 – Nonconformity and corrective action

“When a nonconformity occurs, including any arising from complaints, the organization
shall:
e) update risks and opportunities determined during planning, if necessary;”

One could carry out a failure mode and effects analysis (FMEA) to show that the
risk-priority number has decreased as a result of a process change. This would not be
difficult to do, but it is full of uncertainty because FMEA is based on subjective
assessment.

Use of risk-based thinking


By applying risk-based thinking throughout the organization, the likelihood of
achieving stated objectives is improved, output is more consistent and customers can
be confident that they will receive the expected product or service.

Risk-based thinking therefore:

• builds a strong knowledge base

• establishes a proactive culture of improvement

• assures consistency of quality of goods or services

• improves customer confidence and satisfaction

Use of Risk Register


The risk register or risk log becomes essential as it records identified risks,
their severity, and the action steps to be taken. It can be a simple document,
spreadsheet, or a database system, but the most effective format is a table. A table
presents a great deal of information in just a few pages. There is no standard list of
components that should be included in the risk register. Some of the most widely
used components are:

• Dates: As the register is a living document, it is important to record the date that
risks are identified or modified. Optional dates to include are the target and
completion dates.

• Description of the Risk: A phrase that describes the risk.

• Risk Type (business, project, stage): Business risks relate to delivery of the
achieved benefit; project risks relate to the management of the project, such as
timeframes and resources; and stage risks are risks associated with a specific
stage of the plan.

• Likelihood of Occurrence: An assessment of how likely it is that this risk will
occur. Examples are: L-Low (<30%), M-Medium (31-70%), H-High (>70%).

• Severity of Effect: An assessment of the impact that the occurrence of this risk
would have on the project.

• Countermeasures: Actions to be taken to prevent, reduce, or transfer the risk.
This may include production of contingency plans.

• Owner: The individual responsible for ensuring that the risk is appropriately
addressed and that the countermeasures are undertaken.

• Status: Indicates whether this is a current risk or whether the risk can no longer
arise and impact the project. Example classifications are: C-current or E-ended.

• Other columns, such as a quantitative value, can also be added if appropriate.



Risk-driven approach in organizational processes

Identify what the risks and opportunities are – it depends on context. For example, if I
cross a busy road with many fast-moving cars the risks are not the same as if the road
is small with very few moving cars. It is also necessary to consider such things as
weather, visibility, personal mobility and specific personal objectives.

1. Analyse and prioritize your risks and opportunities.


What risk is acceptable, what is unacceptable? What advantages or
disadvantages are there to one process over another? For example, I need to
safely cross a road to reach a meeting at a given time. It is UNACCEPTABLE to
be injured. It is UNACCEPTABLE to be late. The opportunity of reaching my goal
more quickly must be balanced against the likelihood of injury. It is more
important that I reach my meeting uninjured than it is for me to reach my meeting
on time. It may be ACCEPTABLE to delay arriving at the other side of the road
by using a footbridge if the likelihood of being injured by crossing the road directly
is high. I analyse the situation. The footbridge is 200 metres away and will add
time to my journey. The weather is good, the visibility is good and I can see that
the road does not have many cars at this time. I decide that walking directly
across the road carries an acceptably low level of risk of injury and an opportunity
to reach my meeting on time.

2. Plan actions to address the risks


How can I avoid or eliminate the risk? How can I mitigate risks? For example, I
could eliminate the risk of injury by using the footbridge, but I have already decided
that the risk involved in crossing the road is acceptable. Now I plan how to reduce
the likelihood of injury and/or the effect of injury. I cannot reasonably expect to
control the effect of a car hitting me. I can reduce the probability of being hit by a
car. I plan to cross at a time when there are no cars moving near me and so
reduce the likelihood of an accident. I also choose to cross the road at a place
where I have good visibility and can safely stop in the middle to re-assess the
number of moving cars, further reducing the probability of an accident.

3. Implement the plan – take action


For example, I move to the side of the road and check there are no barriers to
crossing and that there is a safe place in the centre of the moving traffic. I check
there are no cars coming. I cross half of the road and stop in the central safe
place. I assess the situation again and then cross the second part of the road.

4. Check the effectiveness of the actions – does it work?



For example, I arrive at the other side of the road unharmed and on time: this plan
worked and undesired outcomes have been avoided.

5. Learn from experience – continual improvement


For example, I repeat the plan over several days, at different times and in different
weather conditions. This gives me data to understand that changing context
(time, weather, quantity of cars) directly affects the effectiveness of the plan and
increases the probability that I will not achieve my objectives of being on time
and avoiding injury. Experience teaches me that crossing the road at certain
times of day is very difficult because there are too many cars. To limit the risk I
revise and improve my process by using the footbridge at these times. I continue
to analyse the effectiveness of the processes and revise them when the context
changes. I also continue to consider innovative opportunities, such as: can I move
the meeting place so that the road does not have to be crossed? Can I change
the time of the meeting so that I cross the road when it is quiet? Can we meet
electronically?
