Risk-Based Thinking


One of the biggest changes in the 2015 revision of ISO 9001 is the requirement to implement risk-based thinking. This “new” requirement may already be in place within your organization; in many cases it is simply a codification of what is already being done.

ISO 9001:2015 requires a systematic, proactive approach to risk-based thinking. In the previous version, ISO 9001:2008, risk was addressed solely in clause 8.5.3, Preventive Action. By moving the requirement from a single clause to a wider, system-based approach, the 2015 revision drives risk-based thinking into the Plan stage of the Plan-Do-Check-Act cycle, so that it encompasses the entire management system rather than the narrower prevention of defects, and encourages the organization to consider risk proactively across the whole enterprise.

Risk-based thinking is closely tied to opportunity; risk and opportunity are paired terms in ISO 9001:2015. Risk typically carries a negative connotation, while opportunity is its positive counterpart. By considering risks and opportunities together, an organization makes a knowledge-based determination of where to set its objectives and priorities. For example, an organization that wishes to release a new product or service and is considering moving up the release date would weigh factors such as:

Risks:

  • the product or service may not be ready
  • the product or service may not be fully functional in time, or may ship with many design ‘bugs’
  • employees will have to work overtime
  • additional costs to bring forward collateral (marketing materials, etc.) to meet the new deadline
  • etc.

Opportunities:

  • we will beat the competition to market
  • we can gain a larger market share
  • our Board of Directors will be happy
  • etc.

ISO 9001:2015 defines risk as the effect of uncertainty on an expected result.

1. An effect is a deviation from the expected, positive or negative.

2. Risk is about what could happen and what the effect of that happening might be.

3. Risk also considers how likely it is to happen.

ISO 9001:2015 builds risk-based thinking into the standard clause by clause, in the following way:

  • Clause 4 (Context): the organization is required to determine the risks that may affect it.
  • Clause 5 (Leadership): top management is required to commit to ensuring Clause 4 is followed.
  • Clause 6 (Planning): the organization is required to take action to identify risks and opportunities.
  • Clause 8 (Operation): the organization is required to implement processes to address risks and opportunities.
  • Clause 9 (Performance evaluation): the organization is required to monitor, measure, analyse and evaluate the risks and opportunities.
  • Clause 10 (Improvement): the organization is required to improve by responding to changes in risk.

Source: ISO document N1222, July 2014


What are the steps to implement risk-based thinking?

  • Identify risks and opportunities, based on the context of the organization
  • Analyze the risks and opportunities
  • Prioritize the risks and opportunities
  • Design plans to minimize or mitigate the risks and to capitalize on the opportunities
  • Implement the plan(s)
  • Check effectiveness: did it work?
  • Make improvements and repeat as necessary