Published: 9 Aug 2016

Andrew Holt discusses risk-based thinking, a major addition to ISO 9001:2015.

Risk-based thinking is a key concept that underpins ISO 9001:2015. It may seem new but risk-based thinking has always been implicit in ISO 9001, and it is something many organisations do already.

References to “preventative action” have been removed but the idea of identifying and addressing potential mistakes before they happen very much remains.

The revised standard requires an organisation to determine the risks and opportunities to processes, products and services, as well as to the quality management system (QMS) overall, and to take proportionate action to address them.

Risk-based thinking means considering risk and opportunity qualitatively, as well as quantitatively, when defining the rigour and degree of formality needed to plan and control the QMS and its component activities.

The standard acknowledges that different processes carry different levels of risk in terms of potential impact on customer satisfaction and the intended results of the QMS. It also recognises that the consequences of nonconformities are not the same for all organisations.

Risk is defined as "the effect of uncertainty" on an expected result. This encompasses any deviation, positive or negative. The intent is an approach to risk-based thinking that is proactive and promotes continual improvement, rather than one that is reactive and focussed only on preventing or reducing negative effects.

Free to choose

Risk-based thinking is prominent in Clause 6.1 Actions to address risks and opportunities. The clause requires an organisation to consider its context when planning the QMS.

This includes considering the internal and external issues it faces, the relevant requirements of interested parties, and how these may affect the QMS.

The organisation must then determine the risks and opportunities that it needs to address as a result.

Addressing risk

ISO 9001:2015 does not prescribe a risk methodology – organisations are free to adopt their own approach. This approach must be proportionate to the potential impact on customer satisfaction and the intended results of the QMS, should the risk (or opportunity) be realised.

Organisations may look to ISO 31000 (Risk management: Principles and guidelines). This standard provides a framework and process for managing risk for organisations of any size or sector. As such it may prove to be a useful resource to those looking to implement a more formal risk management approach.

Once an organisation has determined the risks and opportunities it faces, it must then determine how it needs to address them. Actions taken to address risk and opportunities should be appropriately matched to the potential impact of the risk or opportunity on the organisation’s ability to achieve the stated aims of the QMS.

This can include avoiding the risk, eliminating its source, changing its likelihood or consequences, or sharing the risk. The standard also recognises that not all risks require action.

Organisations may take an informed decision to do nothing beyond identifying and evaluating the risk or opportunity. They may even choose to take a risk in order to pursue an opportunity.

Andrew Holt is technical content executive at the Chartered Quality Institute.