An ongoing series of Posts: Practical advice on implementing ISO 9001:2015
One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to considering risk, rather than treating “prevention” as a separate component of a quality management system.
Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions. Risk-based thinking (RBT) ensures these risks are identified, considered and controlled throughout the design and use of the quality management system.
What then is the logical and practical way to tackle RBT when implementing ISO 9001?
ISO 9001 and Risk-based Thinking
When planning an ISO 9001 Implementation Project, one of the first, and most frightening, 'stumbling blocks' that the uninitiated encounter is this topic of risk. At first glance, it seems to have arrived out of nowhere! However, Risk-based Thinking:
- is something you do already,
- is on-going,
- ensures greater knowledge of risks and improves preparedness,
- increases the probability of reaching objectives,
- reduces the probability of negative results, and
- makes prevention a habit.
How to Integrate Risk-Based Thinking with Your Quality Management System
What to do
- a) Use Risk-Based Thinking to determine the factors that could cause your processes and your quality management system to deviate from the planned results.
- b) Use Risk-Based Thinking to put in place preventive controls to minimize negative effects.
- c) Use Risk-Based Thinking to make maximum use of opportunities as they arise.
- d) Read ISO 9001:2015 Clause 0.3.3 Risk-based Thinking in the Introduction to the Standard. The ISO Committee’s thoughts on the topic are covered here.
- e) Do introduce formal Risk Management in your organization if it is a Corporate requirement. Many organizations are taking advantage of their project to migrate to ISO 9001:2015 to introduce it. See ‘What not to do’ a), below.
What not to do
- a) Do not introduce formal Risk Management in your organization as a requirement of ISO 9001:2015. The Standard does not require an organisation to have a formal risk management system nor to have documentation in support of its application. See ‘What to do’ e), above.
- b) Do not limit your focus to ISO 9001:2015 Clause 6.1 Actions to address risks and opportunities. RBT arises in every Section of the standard. Check out:
  - Section 4 – the organization is required to determine its QMS processes and to address its risks and opportunities
  - Section 5 – top management is required to:
    - Promote awareness of risk-based thinking
    - Determine and address risks and opportunities that can affect product/service conformity
  - Section 6 – the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them
  - Section 7 – the organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned)
  - Section 8 – the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned)
  - Section 9 – the organization is required to monitor, measure, analyse and evaluate the effectiveness of actions taken to address the risks and opportunities
  - Section 10 – the organization is required to correct, prevent or reduce undesired effects, improve the QMS and update its risks and opportunities
How to Provide Evidence of Risk-based Thinking
The Risk-based Thinking requirements of ISO 9001:2015 do not require you to have a formal risk management system. But at your first ISO 9001 audit against the revised Standard, the external auditors will request objective evidence of RBT across all seven auditable Sections of the Standard. Interview (verbal) evidence alone will not suffice.
You will need to supply some tangible evidence of the application of Risk-based Thinking. ISO 9001 Lead Implementer Training is recommended to ensure that you will have adequately covered this difficult topic.
We have addressed the topic in-depth in our Handbook 'ISO 9001:2015 Quality Management System Implementation', which is provided as part of our ISO 9001 migration training course, ISO 9001:2015 Transition Training (Course 032T), and our ISO 9001:2015 Lead Implementer Certification (Course 032).
You can have both Risk-based Thinking and Risk Management
The Medical Device Standard, ISO 13485, requires risk-based thinking in relation to the quality system generally and risk management regarding patient/user safety. So, it is possible to have both risk-based thinking and risk management within one QMS.
Recommended Approach to Integrating Risk-based Thinking with Your QMS
An approach often taken with ISO 9001 quality systems is to apply risk-based thinking to the QMS generally. However, when addressing the requirements of ISO 9001:2015 Clause 6.1, Actions to address risks and opportunities, it's recommended to have 'full on' risk management with risk assessment and risk treatment focused on threats to customer satisfaction and business success.
Note: First published August 2017; revised and updated August 2021.
deGRANDSON Global is an ISO Certified Educational Organization
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.