Risk Thinking

The new term in ISO 9001:2015 – Risk-Based Thinking (RBT) – isn’t as difficult as it sounds. ISO 9000:2015 defines Risk as “the effect of uncertainty on an expected result”. In other words, it means looking at what could happen if things don’t go as planned.

In reality we all make decisions using Risk-Based Thinking, weighing actions and probable outcomes every day (whether/when to cross the road; who is/is not allowed to use knives in the kitchen at home; whether/how to respond to a frustrating email or phone call you received).

While the concept of risk has been implicit in previous versions of ISO 9001 and 14001 (within the requirements for preventive action), the explicit term Risk-Based Thinking now applies to the entire standard and the entire company management system.

You DON'T have to perform formal Risk Management Assessments (which are standard for Medical Device or Aerospace manufacturers) for ISO 9001 and ISO 14001. Risk matrices, PFMEA or similar tools are acceptable, and in some cases a simple matrix is enough to monitor the risks you’ve identified. See below for examples.

You DO need to show evidence that “Risks and opportunities that can affect conformity of products/services and the ability to enhance customer satisfaction are determined and addressed” (from ISO 9001:2015 section 5.1.2b) and “Address the risks and opportunities in accordance with 6.1 and plan and implement the appropriate actions to address them” (from section 4.1.1f). The examples below may be helpful.

Much of the evaluation and monitoring of risk can occur and be recorded as outputs of management review, and by defining the controls within each process. At the company level, risks to products/services and customer satisfaction have to be determined and addressed. After identifying risks at the company level the risk assessment needs to be carried out at the individual process level. Risks are also to be considered within the framework of what the organization is all about (the context of the organization and needs of stakeholders).

Step 1: Assessing Risks & Opportunities

The goal of the risk assessment is to compare process risks to current process controls in order to determine if the level of control is sufficient, or if additional controls and contingency plans may be required.

Quantitative - A quantitative measure asks the team to place a number on each named risk, similar to a Failure Modes and Effects Analysis (FMEA). The likelihood of each risk is drawn from company experience, and the severity of its potential impact from management’s evaluation; the two numbers are then multiplied or added to give a score. Management determines the criteria for the actions associated with each risk level, which drives priorities within the overall risk management strategy.

Figure: Simple Risk Matrix
Qualitative - A qualitative assessment can be derived from a discussion between experienced employees without using numerical scoring. This approach is qualitative in nature because it is based on the learned observation and “gut feel” of process owners. It still includes determining criteria for prioritizing actions to address the risk, but is less cumbersome for small companies, simple quality systems, or companies whose products or services carry very low risk.
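The quantitative approach above, worked through as a small risk register. This is an added example, not part of the original page or any ISO document: the 1-to-5 scales, the score thresholds in PRIORITY_BANDS that stand in for management’s action criteria, and the sample risks are all assumptions constructed for illustration. It scores each risk by multiplying (or adding) likelihood and severity, maps the score to an action band, and buckets the risks into the cells of a simple risk matrix.

```python
"""Minimal quantitative risk register in the style of Step 1.

Assumptions (not from the page): 1-5 scales for likelihood and severity,
the action thresholds in PRIORITY_BANDS, and the sample risks below,
which are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # assumed: 1 (lowest) .. 5 (highest) on both axes

# Management-defined criteria (assumed values): minimum score -> action band.
# Ordered highest threshold first so the first match wins.
PRIORITY_BANDS = [
    (15, "High: additional control or contingency plan required before next review"),
    (8, "Medium: propose improvement action to Management Review"),
    (0, "Low: retain by informed decision and monitor the metric"),
]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int       # from company experience
    severity: int         # management's evaluation of potential impact
    current_control: str  # what is in place today
    metric: str           # what is monitored to judge control effectiveness


def validate(risk: Risk) -> None:
    """Reject scores outside the agreed scale before they distort the ranking."""
    if risk.likelihood not in SCALE or risk.severity not in SCALE:
        raise ValueError(f"{risk.name}: likelihood and severity must be in 1..5")


def score(risk: Risk, method: str = "multiply") -> int:
    """Combine likelihood and severity; the page allows either operation."""
    validate(risk)
    if method == "multiply":
        return risk.likelihood * risk.severity
    if method == "add":
        return risk.likelihood + risk.severity
    raise ValueError(f"unknown method {method!r}")


def priority(value: int, bands=PRIORITY_BANDS) -> str:
    """Map a score to the management-defined action band."""
    for threshold, label in bands:
        if value >= threshold:
            return label
    return bands[-1][1]


def assess(risks: List[Risk], method: str = "multiply") -> List[Tuple[str, int, str]]:
    """Return (name, score, action band) rows, highest score first."""
    rows = []
    for r in risks:
        value = score(r, method)
        rows.append((r.name, value, priority(value)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def risk_matrix(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Bucket risk names by (likelihood, severity) cell: the 'simple risk matrix'."""
    cells: Dict[Tuple[int, int], List[str]] = {(l, s): [] for l in SCALE for s in SCALE}
    for r in risks:
        validate(r)
        cells[(r.likelihood, r.severity)].append(r.name)
    return cells


def render_matrix(cells: Dict[Tuple[int, int], List[str]]) -> str:
    """Text grid of counts: likelihood down the rows (5 at top), severity across."""
    lines = ["L\\S " + " ".join(f"{s:>3}" for s in SCALE)]
    for l in reversed(SCALE):
        lines.append(f"{l:>3} " + " ".join(f"{len(cells[(l, s)]):>3}" for s in SCALE))
    return "\n".join(lines)


# Constructed sample register (illustrative, not from the page).
SAMPLE_RISKS = [
    Risk("Single-source supplier outage", 3, 5, "Two weeks of safety stock", "Days of stock on hand"),
    Risk("Untested firmware shipped", 2, 4, "Release checklist", "Field defects per release"),
    Risk("Customer data exposure", 1, 5, "Quarterly access review", "Open access-review findings"),
    Risk("Late delivery on standard orders", 4, 2, "Weekly schedule review", "On-time delivery %"),
    Risk("Office printer failure", 3, 1, "None", "Service calls per quarter"),
]

if __name__ == "__main__":
    for name, value, band in assess(SAMPLE_RISKS):
        print(f"{value:>2}  {name}: {band}")
    print(render_matrix(risk_matrix(SAMPLE_RISKS)))
```

Each row carries the metric that will later be monitored, so the same register can feed Step 3: if the metric for a High risk does not move after the approved action, the control was not effective and the item goes back to Management Review.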


Step 2: Determining the Actions Needed to Control the Risk

As required in ISO 9001:2015 section 9.3.1, the effectiveness of the actions taken as a result of the risk analyses must be reviewed in Management Review.

Once your risk assessment is complete, Top Management must determine priorities and the actions that need to be taken to address the identified risks. Actions taken to address risk can include:

  • Avoiding risk
  • Taking risk in order to pursue an opportunity
  • Eliminating the risk source
  • Changing the likelihood or consequences
  • Sharing the risk
  • Retaining risk by informed decision

This could be as simple as presenting a list of proposed process-improvement actions to Management Review for discussion and endorsement, after which approved actions would be taken. With metrics assigned to monitor each risk it becomes simple to see if the controls have been effective.

Step 3: Evaluating the Actions Taken to Control the Risk

Because process controls are monitored as a normal part of performance evaluation, the minutes of Management Review will show evidence that those improvement actions were reviewed, together with any follow-up actions they require. Finally, if during Management Review you notice a trend of risks or opportunities that had not previously been identified, be sure to update your risk listing and bring the new items under control.

However you approach Risk-Based Thinking, may all your risks be identified, evaluated, addressed, and monitored.