ISO 9001:2015 revision explained: Risk-based thinking

The revised ISO 9001 standard has moved away from what it called "preventive action" towards a "risk-based approach". Preventive action was found to be lacking when it came to driving change and continuous improvement. The risk-based approach is likely to be much more effective in allowing organisations to become stronger, fitter businesses.

Taking a risk-based approach means:

  • Determining the risks and opportunities
  • Planning actions to address them
  • Implementing them in a quality management system
  • Evaluating their effectiveness

All this ensures your organisation is proactive rather than reactive, preventing potentially damaging events and promoting improvement. Once a management system is risk-based, preventive action is automatic.

Though we commonly understand risk to be negative, risk-based thinking has a more positive slant in that it provides opportunities for improvement and enables businesses to make strategic decisions. Applying a robust quality management system is another important aspect.

iso 9001:2015 webinar

"Quality management is currently going through a state of metamorphosis," says Kate Krachai, director of leading quality management consultancy Quality Context. "Quality professionals must change the opinion of those in organisations that view quality as simply improving compliance. It's more than that – it can empower a business by reducing risk. Even better, a good quality management system not only enables you to reduce risk, but also take risks.

"Reducing risk to take more risks may sound counter-intuitive, even paradoxical, but that’s where the power of quality can be. By considering compliance risks you can drive a business forward by giving it the power and control to take educated risks."

Determining risks and opportunities

But how do you determine your risks and opportunities and the appropriate level of action to address them?

Well, you need to determine your objectives before you can identify things that might get in the way of you achieving them.

You must consider:

  • Issues that may affect your organisation's values, culture, knowledge and performance
  • How these issues may impact your ability to deliver products and services that meet customers' needs and any regulations that may apply
Look at them both from an internal perspective – strategies to achieve your policies and objectives; your relationship with your staff and stakeholders (including partners and suppliers) – and an external perspective – issues arising from political, economic, social and technological changes within the sector.
Risk based thinking


Analysing and prioritising your risks and opportunities

ISO 9001 defines a risk as "the effect of uncertainty on an expected result". So:

  • an effect is a deviation from the expected – positive or negative

  • risks are about what could happen and what effect it might have

  • risk also considers the likelihood of an event occurring

Though the revision to ISO 9001 doesn't formally say you must do a full risk assessment or maintain a risk register, it does say you must monitor, measure, analyse and evaluate the risks and opportunities. There are various methods to approaching risk-based thinking – which method is appropriate to you is determined by the context of your organisation.

In smaller organisations, it may be sufficient to simply provide appropriate records of risk-based thinking and to ensure control of business processes (e.g. by regularly reviewing documentation, keeping clear records of training and competence, recording sufficient data for analysis and continual improvement).

In contrast, many busy quality teams in larger organisations use risk registers as a framework for assessing, evaluating and prioritising risks. Risk management software such as EQMS Risk Manager enables you to identify and assess risks looking at 'likelihood' and 'impact'. EQMS Risk Manager's workflow functionality allows you to assign responsibilities and set deadlines to ensure risks are dealt with rapidly and efficiently. EQMS triggers escalation to guarantee that critical actions never go ignored.





Planning and implementing actions to address risk

Planning actions to address risks and opportunities can include:

  • Avoiding risk
  • Eliminating the source of the risk
  • Changing the likelihood or consequences (likelihood and impact)
  • Sharing the risk
  • Retaining risk by informed decision
  • Even taking risk to pursue an opportunity

When you're planning your own actions, again, you must consider the context of your organisation. Planning actions to mitigate a potential fault with a nuclear reactor at a power plant will be much more thorough and meticulous than if you were mitigating the risk of the wrong sandwiches being ordered for the staff vending machines.

Similarly, the risk of an economic downturn in a country with which your organisation has little trade or links is minor compared to a recession in the country in which you solely trade and operate. Understanding your organisation and its strategic direction is essential if you're going to determine and address the associated risks.

Many organisations use risk management software such as EQMS Risk Manager to implement actions to address risks. EQMS Risk Manager enables you to create automated workflows for addressing risks, highlighting responsibilities and sending email notifications of various tasks to the appropriate employees. This ensures actions to address risks are completed via a closed-loop process.

Checking the effectiveness of the actions – do they work?

In simple terms, checking whether actions to address risk are effective means asking "Do they work?". There are various ways you can do this, including:

  • Audits and internal reviews
  • Analysing KPI
  • Project evaluations

One important thing to bear in mind is making sure you having the right data available to make informed decisions. By improving how you aggregate risk data, you can make much stronger, better judgements. And this leads to you becoming more efficient, making fewer losses, and ultimately increasing profitability.

Many organisations now employ KPI dashboards such as EQMS Dashboard so they can have real-time, instant access to management information. Having an overarching view of the key performance indicators you've set, you can track your performance in critical areas and make informed strategic decisions.

Instant access to risk assessments, audit reports, customer complaints, non-conformance and CAPA statuses and document notification confirmations gives you the ability to 'take the temperature' of your organisation, analyse trends and demonstrate that your organisation has a 'culture of compliance'.

Moving forward

The concept of risk has always been implicit in ISO 9001 and many organisations take a risk-based approach intuitively. But the 2015 revision of the standard makes it more explicit and encourages organisations to build it into their entire management system.

Business risks are ever-growing worldwide, reflecting widespread political, economic and social uncertainties. ISO 9001:2015 makes it mandatory for you to adopt a risk-based approach, so that you improve customer confidence and satisfaction, assure a consistency of quality of goods and services, and establish a proactive culture of prevention and improvement. Every organisation should see risk-based thinking as an opportunity and a step in the right direction.


What you should do now

Download our datasheets to learn more about how our EQMS software can help your organisation adopt a risk-based approach.


Migrating from spreadsheets to EQMS


Topics: ISO 9001, Risk Based Thinking

Share your thoughts on this article