ISO 9001 and Risk-based Thinking - Some Practical Advice

Practical guide on how to implement risk-based thinking in accordance with the ISO 9001 standard


Do you need formal Risk Management or not?

One of the key changes in the 2015 revision of ISO 9001 was a requirement to establish a systematic approach to considering risk, rather than treating “prevention” as a separate component of a quality management system.

Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions.

Risk-based thinking as set out in ISO 9001:2015 requires that these risks are identified, considered and controlled throughout the design and use of the quality management system.

However, the Standard (and ISO 9001 Guidance documents) does not require an organisation to have a formal risk management system nor to have documentation in support of its application.

So what then should one do?

What is Risk-based Thinking?

Risk-based thinking enables an organization:

  1. to determine the factors that could cause its processes and its quality management system to deviate from the planned results,
  2. to put in place preventive controls to minimize negative effects and
  3. to make maximum use of opportunities as they arise.

Risk-based thinking ...

  • is not new
  • is something you do already
  • is on-going
  • ensures greater knowledge of risks and improves preparedness
  • increases the probability of reaching objectives
  • reduces the probability of negative results
  • makes prevention a habit

What does the Revised Standard say about Risk-based Thinking?

In ISO 9001:2015, risk-based thinking is addressed in the following sections:

  • Introduction – the concept of risk-based thinking is explained
  • Clause 4 – the organization is required to determine its QMS processes and to address its risks and opportunities
  • Clause 5 – top management is required to: 
    • Promote awareness of risk-based thinking
    • Determine and address risks and opportunities that can affect product /service conformity
  • Clause 6 – the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them
  • Clause 7 – the organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned)
  • Clause 8 – the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned)
  • Clause 9 – the organization is required to monitor, measure, analyse and evaluate the effectiveness of actions taken to address the risks and opportunities
  • Clause 10 – the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities


Options in dealing with Risk Management requirements in ISO 9001

In dealing with the Standard's requirements regarding risk, you have two options.

So, what to do?

Option 1:  Do the minimum to fulfil the requirements and obtain your Certification  

Some cleverly worded statements in policy documents and in management review records, and nothing more, will suffice.  

This is what many will do and, very likely, will think that they are being smart.

They're not, because they're missing a great opportunity to improve the performance of their organisation.  The organisation will continue to manage risk 'by the seat of the pants'.

Benefits of Option 1:

It's quick, easy, and gets the job done. Quality management experts will never take this approach.

Option 2: Have a formal risk management system and have documentation in support of its application

There are several Standards that you might consider to aid you in developing risk management for your organisation.  

The one we recommend is ISO 14971.  This standard was developed so as to manage the risk to patient safety from medical devices. It's about managing risk in the context of a Quality Management System for medical device manufacture.

Its framework for risk management (risk analysis, risk evaluation, risk control, etc.) can be applied to any organisation and not just to manufacturing; administrative processes carry risks for commercial and public sector organisations too.

Its greatest attraction, however, is the selection of proven risk management tools it explores.  These include FMEA - Failure Mode and Effect Analysis, PHA - Preliminary Hazard Analysis, FTA - Fault Tree Analysis, HACCP - Hazard Analysis and Critical Control Point, HAZOP - Hazard and Operability Study, and more.

It's a very good starting point from which to explore and select the tools appropriate for managing the different kinds of risks arising in your organisation.

Benefits of Option 2:

A risk-based approach to managing the organisation will be introduced on many levels and functions.  Many business benefits will accrue.  Risk will be managed in an objective way, based on facts and the use of appropriate risk management tools.  

Consequently, the possibility of failure will be reduced (having in many instances been eliminated by design) and the probability of success, both financial and otherwise, will be increased.


And the road most often travelled ...

The most popular choice in practice is Option 2 using the FMEA Method or variants thereof.  Our recommendation would be to use a fully-featured FMEA based on the Processes of your QMS.  This is covered in full in our ISO 14971 Foundation Course.


Note: First published April 2020; revised and updated May 2022.

deGRANDSON Global is an ISO Certified Educational Organization

In October 2021 we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

  • ISO 21001, Educational Organizational Management System,
  • ISO 29993, Learning Services outside formal Education,  and
  • ISO 29994, Learning Services – additional requirements for Distance Learning.

We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.


Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
