Using Risk-Based Thinking When Implementing ISO 9001:2015

Risks Ahead

'There’s nothing new under the sun' – so goes the old saying, and it applies as much to risk and the management of risk as to anything else.

When you crossed the road on your way to work this morning you were managing risk, even if you were not doing it consciously: the risk of being knocked down.

Indeed, we are naturally inclined to adopt risk-based thinking, and as a consequence we are subconsciously employing risk management practices all the time.

Daily Examples of Risk-based Thinking

  • At home, when securing large sharp kitchen knives or
  • At work in relation to…
    • building security,
    • staff numbers needed to serve customer/business needs,
    • production capacity needed over the next 5 years so as to take full advantage of market opportunities (upside risk),
    • and so on.

Risk Management and ISO 9001:2015

When ISO 9001:2015 is considered for your business, don’t be overly concerned about the inclusion of the risk-based approach – you’ve been doing it for years, however informally.  And you’ll probably find that you’ve been doing it formally as well – the risk assessments being continually performed as part of managing and controlling workplace occupational health and safety, for example.

And when you are solemnly told that 'nothing much is required as the standard doesn't require formal risk management', ignore the suggestion.

Embrace risk management, use a selection of risk control methods (varying with the category of risk being considered) and take full business advantage of the upsides and downsides of workplace risk.  On the one hand, the chances of business failure will be reduced, and on the other, the chances of business success enhanced.

Why is Risk-based Thinking Important When Applying ISO 9001?

Risk-based thinking enables an organization:

  1. to determine the factors that could cause its processes and its quality management system to deviate from the planned results,
  2. to put in place preventive controls to minimize negative effects and
  3. to make maximum use of opportunities as they arise.

In short, risk-based thinking:

  • is not new
  • is something you do already
  • is on-going
  • ensures greater knowledge of risks and improves preparedness
  • increases the probability of reaching objectives
  • reduces the probability of negative results
  • makes prevention a habit

Furthermore, ISO 9001:2015 includes six instances where objective (and credible) evidence of the application of a risk-based approach will be demanded by Certification Auditors, namely:

  • Clause 4 Context of the Organisation (Process Approach): the organization is required to determine the risks which can affect its ability to meet its objectives

  • Clause 5 Leadership: top management are required to commit to ensuring Clause 4 is followed

  • Clause 6 Planning: the organization is required to take action to identify risks and opportunities

  • Clause 8 Operation: the organization is required to implement processes to address risk

  • Clause 9 Evaluation of Performance: the organization is required to monitor, measure, analyse and evaluate the risks and opportunities

  • Clause 10 Improvement: the organization is required to improve by responding to changes in risk
Risk Management Tools

In case you’re not aware of it, EN ISO 14971:2019 (and the companion guide, ISO/TR 24971:2020), which addresses risk management in relation to medical device manufacture, is a great place to start and the standard includes a very good introduction to popular and effective risk management tools (FMEA, HACCP, PHA etc.) that can be applied throughout a product’s life cycle.

deGRANDSON itself offers a Risk Assessment and Risk Management Online Course that is based on ISO 14971 and ISO 31010.

You can find 20+ risk management methods/tools in IEC 31010:2019 Risk assessment techniques, including cause and consequence analysis, cause-and-effect analysis, layer of protection analysis (LOPA), decision tree, human reliability analysis (HRA), bow tie analysis, reliability centred maintenance, sneak circuit analysis, Markov analysis, Monte Carlo simulation, and many more. Well worth studying.

Additionally, ISO/IEC 27005:2018, Information technology – Security techniques – Information security risk management, offers risk management methods specific to information security.

A search on the ISO website under 'risk management' will provide you with a list of over 70 Standards.  As we said above: nothing new under the sun!

FMEA vs Risk-based Thinking

Despite all the choices of techniques available, and the fact that the revised Standard requires the application of risk-based thinking throughout, what is happening in practice is that a Failure Modes and Effects Analysis (FMEA), or some minor alteration thereof, is being offered to Certification Body auditors as the sole proof of application of risk-based thinking (now often referred to as RBT).

While this is being accepted, it is the lazy way of addressing the requirements and represents a lost opportunity for the Quality Management System to provide real and financial benefits to the organization. And who wants to be remembered for being lazy?

If it looks like a duck, quacks like a duck and waddles like a duck, it's a DUCK!

The recently published Guide to ISO 9001:2015 adds clarity to the vexed question of RBT, risk-based thinking.

Is Risk-based Thinking Required When Implementing ISO 9001?

Try as you might to avoid the conclusion, the requirement in the revised Standard for the system-wide application of RBT should lead you to introducing a risk management system.

The ‘last piece in the jigsaw’ for us was the Planning Section in ISO/TS 9002:2016, Quality management systems - Guidelines for the application of ISO 9001:2015 that addresses risk and opportunity.

In Clause 6.1.1 it states:

'There is no requirement in ISO 9001 to use formal risk management (in accordance with ISO 31000) in determining and addressing risks and opportunities. An organization can choose the methods that suit its needs.'

It goes on to state:

'IEC 31010 provides a list of risk assessment tools and techniques that can be considered, depending on the organization’s context.
Alternatives to Risk-based Thinking

In determining risks and opportunities, the organization can consider using the outputs of techniques such as SWOT or PESTLE. Other approaches can include techniques such as Failure Mode and Effects Analysis (FMEA); Failure Mode, Effects and Criticality Analysis (FMECA); or Hazard Analysis and Critical Control Points (HACCP). It is for the organization to decide which methods or tools it should use.

Simpler approaches include techniques such as brainstorming, structured what if technique (SWIFT) and consequences/probability matrices.

The application of RBT can also help an organization to develop a proactive and preventive culture focused on doing things better and improving how work is done in general.

There are various situations where risks and opportunities should be considered, for example strategy meetings, management reviews, internal audits, different kinds of meetings on quality, meetings to set quality objectives, the planning stages for the design and development of new products and services, and the planning stages for production processes.'

Note: There are many guidance documents to ISO 9001:2015 that you should consider when implementing or migrating a QMS.

So, do you need formal Risk Management or not?

One of the key changes in the 2015 revision of ISO 9001 is a requirement to establish a systematic approach to considering risk, rather than treating “prevention” as a separate component of a quality management system.

Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions. RBT as set out in ISO 9001:2015 requires that these risks are identified, considered and controlled throughout the design and use of the quality management system.

However, the Standard does not require an organisation to have a formal risk management system nor to have documentation in support of its application. So what should one do?

Risk Management Guidance

What then is the practical solution?

In dealing with the Standard's requirement regarding risk, you have two options...

Option 1: the minimalist approach

Do the minimum to fulfill the requirements and obtain your Certification.  Some cleverly worded statements in policy documents and in management review records, and nothing more, will suffice.  This is what many will do and, very likely, will think that they are being smart.  They're not, because they're missing a great opportunity to improve the performance of their organisation.  The organisation will continue to manage risk 'by the seat of the pants'.

Benefits of Option 1:  It's quick, easy and gets the job done.

Option 2: embrace risk management

Have a formal risk management system and have documentation in support of its application.  There are several Standards that you might consider to aid you in developing risk management for your organisation.  The one we recommend is ISO 14971.  This standard was developed so as to manage risk to patient safety from medical devices. It's about managing risk in the context of a Quality Management System for medical device manufacture.

Its framework for risk management (risk analysis, risk evaluation, risk control, etc.) can be applied to any organisation and not just manufacturing; administrative processes carry risk for commercial and public sector organisations too.

Its greatest attraction, however, is the selection of proven risk management tools it explores.  These include FMEA (Failure Mode and Effects Analysis), PHA (Preliminary Hazard Analysis), FTA (Fault Tree Analysis), HACCP (Hazard Analysis and Critical Control Point), HAZOP (Hazard and Operability Study), and more.

It's a very good starting point from which to explore and select the tools appropriate to managing the different kinds of risk arising in your organisation.
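To show what one of these tools looks like in practice, here is a small FMEA-style risk register combined with a consequence/probability matrix of the kind mentioned in the ISO/TS 9002 extract. This is an added example written for this page, not code from the article or from any of the Standards; the four failure modes, the 1..10 scoring scales, the RPN action threshold of 100 and the 5x5 matrix bands are all constructed assumptions chosen to illustrate the method.

```python
"""FMEA-style risk register with a consequence/probability matrix.

Added example, not from the article or any Standard. All failure modes,
scores and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FailureMode:
    process: str
    failure_mode: str
    effect: str
    severity: int    # 1 (negligible) .. 10 (catastrophic), assumed scale
    occurrence: int  # 1 (remote) .. 10 (almost certain), assumed scale
    detection: int   # 1 (almost always caught) .. 10 (cannot be detected)

    def __post_init__(self):
        # Reject scores outside the assumed 1..10 scale so a typo cannot
        # silently push a risk up or down the priority list.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")

    def rpn(self) -> int:
        """Risk Priority Number: the classic FMEA product S x O x D."""
        return self.severity * self.occurrence * self.detection


def matrix_rating(severity: int, occurrence: int) -> str:
    """Place a risk on a 5x5 consequence/probability matrix.

    Each 1..10 axis is collapsed to 1..5 and the cell product decides the
    band. The band thresholds (>=15 high, >=6 medium) are assumptions.
    """
    consequence = (severity + 1) // 2
    probability = (occurrence + 1) // 2
    score = consequence * probability
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def build_register() -> list[FailureMode]:
    """Constructed sample register covering a few QMS processes."""
    return [
        FailureMode("Supplier delivery", "Critical part arrives late",
                    "Production line stops", severity=9, occurrence=8, detection=3),
        FailureMode("Order entry", "Quantity keyed incorrectly",
                    "Customer receives wrong quantity", severity=6, occurrence=5, detection=4),
        FailureMode("Document control", "Superseded procedure still in use",
                    "Nonconforming product made", severity=5, occurrence=3, detection=8),
        FailureMode("Course delivery", "Trainer unavailable",
                    "Session cancelled", severity=7, occurrence=2, detection=2),
    ]


def prioritize(register: list[FailureMode]) -> list[FailureMode]:
    """Highest RPN first; ties broken by severity so safety-critical items rise."""
    return sorted(register, key=lambda fm: (fm.rpn(), fm.severity), reverse=True)


def needs_action(register: list[FailureMode], rpn_threshold: int = 100) -> list[FailureMode]:
    """Items that trip either method: RPN at/above the threshold or a 'high' matrix cell.

    Using both views guards against the FMEA blind spot where a severe but
    easily detected failure gets a low RPN.
    """
    return [fm for fm in prioritize(register)
            if fm.rpn() >= rpn_threshold
            or matrix_rating(fm.severity, fm.occurrence) == "high"]


def apply_control(fm: FailureMode, occurrence: int, detection: int) -> FailureMode:
    """Re-score after a risk control. Severity is left unchanged: controls
    usually reduce how often a failure happens or how early it is caught,
    not how bad it is once it occurs."""
    return replace(fm, occurrence=occurrence, detection=detection)


if __name__ == "__main__":
    register = build_register()
    for fm in prioritize(register):
        print(f"{fm.rpn():4d} {matrix_rating(fm.severity, fm.occurrence):6s} "
              f"{fm.process}: {fm.failure_mode}")
    # Hypothetical control: second-source the part and track inbound shipments.
    after = apply_control(register[0], occurrence=4, detection=2)
    print("after control:", after.rpn(), matrix_rating(after.severity, after.occurrence))
```

Running the script lists the register in priority order and then re-scores the top item after a hypothetical control, showing how the same record moves from 'needs action' to 'monitor' once the occurrence and detection scores improve. In a real register the scoring scales, thresholds and the review cadence would be written down in the QMS so that an auditor can see the evidence behind each rating.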

Benefits of Option 2: A risk-based approach to managing the organisation will be introduced on many levels and functions.  Risk will be managed in an objective way, based on facts and the use of proven risk management tools. Consequently, the possibility of failure will be reduced (having in many instances been eliminated by design) and the probability of success, both financial and otherwise, will be increased.

Our Conclusion

Go for it!  Introduce Risk Management.  And get the benefits of your effort.  It works; just ask anyone who's tried it.

And we take our own advice. We are ISO 29990:2010 Certified.  This Standard, which specifies a quality management system for Learning Service Providers, has no stated requirements regarding risk (opportunities are addressed under the 'Improvement' heading).

Nonetheless, we have included risk management in our system; in particular, we have FMEAs regarding our Learners’ experience with our Courses.  It is both an informative and productive part of our management of quality. And as we’ve said…

NOTE: Previously posted in July 2017 and updated September 2020.

Written by Dr John FitzGerald

Director and founder of deGRANDSON Global. After 15 years in the manufacturing industry, John has spent the past 25 years training, consulting and auditing ISO 9001 and other management systems.