Understanding Risk-Based Thinking in ISO 9001:2015
Introduction
The 2015 revision of ISO 9001 introduced a significant shift: a systematic approach to considering risk, moving beyond treating “prevention” as a separate element of a quality management system. This paper aims to clarify risk-based thinking in ISO 9001, address concerns about it replacing the process approach or the removal of preventive action, and explain its key components in simple terms.
What is Risk-Based Thinking?
Risk is inherent in all aspects of a quality management system: every system, process, and function. Risk-based thinking ensures these risks are identified, considered, and controlled throughout the design and use of the quality management system.
Previously, ISO 9001 had a separate clause for preventive action. With risk-based thinking, the consideration of risk becomes integral and proactive. It prevents or reduces undesired effects through early identification and action, essentially building prevention into a risk-based management system.
We all engage in risk-based thinking automatically in daily life. For instance, before crossing a road, we instinctively check for traffic to avoid stepping in front of a moving car. This concept isn’t new to ISO 9001; the 2015 revision simply integrates it across the entire management system. In ISO 9001:2015, risk-based thinking must be considered from the outset and continuously throughout the system, making preventive action inherent to planning, operation, analysis, and evaluation activities.
Risk-Based Thinking and the Process Approach
Risk-based thinking is already an embedded part of the process approach. Not all processes within a quality management system carry the same level of risk in terms of achieving organizational objectives. Some require more careful and formal planning and controls than others.
Consider crossing a road: you might go directly or use a nearby footbridge. The chosen process depends on a consideration of the risks involved.
Risk and Opportunity
While risk is commonly understood to have only negative consequences, its effects can be either negative or positive. In ISO 9001:2015, risks and opportunities are often discussed together. It’s important to note that opportunity is not merely the positive flip side of risk. An opportunity is a set of circumstances that makes something possible. Taking or not taking an opportunity then presents different levels of risk.
For example, crossing a road directly offers the opportunity to reach the other side quickly. However, taking that opportunity increases the risk of injury from moving cars.
Risk-based thinking considers both the current situation and possibilities for change. Analyzing such a situation might reveal opportunities for improvement, such as building a subway under the road, installing pedestrian traffic lights, or even diverting the road to create a traffic-free area.
Where is Risk Addressed in ISO 9001:2015?
The concept of risk-based thinking is introduced in the opening of ISO 9001:2015 as a core part of the process approach. ISO 9001:2015 incorporates risk-based thinking throughout its clauses:
- Introduction: Explains the concept of risk-based thinking.
- Clause 4: Requires organizations to address risks and opportunities associated with their Quality Management System (QMS) processes.
- Clause 5: Mandates top management to promote awareness of risk-based thinking and to determine and address risks and opportunities that can affect product/service conformity.
- Clause 6: Requires organizations to identify risks and opportunities related to QMS performance and take appropriate actions to address them.
- Clause 7: Requires organizations to determine and provide necessary resources (risk is implicitly considered when “suitable” or “appropriate” is mentioned).
- Clause 8: Requires organizations to manage their operational processes (risk is implicitly considered when “suitable” or “appropriate” is mentioned).
- Clause 9: Requires organizations to monitor, measure, analyze, and evaluate the effectiveness of actions taken to address risks and opportunities.
- Clause 10: Requires organizations to correct, prevent or reduce undesired effects, improve the QMS, and update risks and opportunities.
Why Use Risk-Based Thinking?
By incorporating risk throughout the system and all processes, organizations improve the likelihood of achieving stated objectives, ensure more consistent output, and build customer confidence in receiving the expected product or service.
Risk-based thinking offers several benefits:
- Improves governance
- Builds a strong knowledge base
- Establishes a proactive culture of improvement
- Assists with statutory and regulatory compliance
- Assures consistency of quality in products and services
- Improves customer confidence and satisfaction
Successful companies intuitively integrate risk-based thinking into their operations.
How to Implement Risk-Based Thinking
Applying risk-based thinking involves several steps in building your management system and processes:
- Identify Your Risks: The risks depend on the specific context. For example, crossing a busy road with fast-moving cars presents different risks than a small road with minimal traffic. Factors like weather, visibility, personal mobility, and specific objectives also need consideration.
- Understand Your Risks: Determine what is acceptable and unacceptable. Evaluate the advantages and disadvantages of different processes. For instance, if your objective is to safely cross a road to reach a meeting on time, it’s unacceptable to be injured or late. Reaching your goal quickly must be balanced against the likelihood of injury. It’s more crucial to arrive uninjured than precisely on time. It might be acceptable to delay your arrival by using a footbridge if the risk of injury from crossing directly is high. Analyze the situation: if the footbridge adds significant time but the road has few cars and good visibility, direct crossing might carry an acceptably low level of risk while helping you reach your meeting on time.
- Plan Actions to Address Risks: Consider how to avoid, eliminate, or mitigate risks. While using a footbridge might eliminate the risk of being hit by a vehicle, if the direct crossing risk is acceptable, focus on reducing the likelihood or impact of injury. You cannot control the impact of a car hitting you, but you can reduce the probability of being hit. Plan to cross when no cars are near and at a spot with good visibility to reduce the likelihood of an accident.
- Implement the Plan: Take action. Move to the side of the road, check for barriers and oncoming cars, and continue to look for cars while crossing.
- Check the Effectiveness of the Action: Does it work? If you arrive safely and on time, the plan was effective, and undesired effects were avoided.
- Learn from Experience (Improve): Repeat the plan over time, in different conditions (times of day, weather). This provides data to understand how changing contexts (time, weather, traffic volume) affect the plan’s effectiveness and the probability of achieving your objectives (being on time and avoiding injury). Experience might show that crossing at certain times is too difficult due to traffic. To limit risk, revise your process by using the footbridge at these times. Continue to analyze process effectiveness and revise as the context changes. Also, continue to consider innovative opportunities, such as moving the meeting location, changing the meeting time to cross during quiet periods, or meeting electronically.
Conclusion
Risk-based thinking:
- Is not new.
- Is something you already do.
- Is continuous.
- Ensures greater knowledge of risks and improves preparedness.
- Increases the probability of reaching objectives.
- Reduces the probability of negative results.
- Makes prevention a habit.