Risk-based thinking

Defining risk-based thinking

ISO 9001:2015 (0.3.3) defines risk as the 'effect of uncertainty'. All risks, whether they relate to quality, safety, commercial matters, the environment or anything else, can therefore be dealt with under a single 'multidisciplinary' aspect of the management system.

Risk-based thinking should ensure that risks and opportunities are considered throughout your business's operations and activities. Risk-based thinking makes preventive action part of strategic and operational planning.

Which risks and opportunities your business faces will depend on the context of your organization. The determination of risks and opportunities when planning for the quality management system should include the inputs arising from:

  1. The analysis of external and internal issues (see 4.1);
  2. Requirements of relevant interested parties (see 4.2);
  3. The scope of QMS of the organization (see 4.3);
  4. The processes of the organization (see 4.4);
  5. The strategic direction of the organization.

The need for risk identification may also be determined on the basis of information and trends regarding the performance and effectiveness of the quality management system. Risks should be identified and evaluated when quality performance data indicates that there are trends of decreasing quality capability, or effectiveness of the quality management system.

Developing a risk management methodology

Risk will influence every aspect of your organization’s operations. Understanding the risks and managing them appropriately will enhance your organization’s ability to make better decisions, safeguard assets, and enhance your ability to provide products and services and to achieve your mission and goals.

A risk management regime, managed through risk registers so that new risks can be progressively identified, rated and mitigated, should be implemented throughout the business. The principle is to ensure that:

  1. All significant risks to success are identified;
  2. Identified risks are understood and potential consequences mitigated;
  3. Assessment is undertaken of individual risks relative to other risks to support priority setting and resource allocation;
  4. Strategies for treating risks take account of opportunities to address more than one risk;
  5. The process itself and the risk treatment strategies are implemented cost effectively.

There are many other tools and methodologies that you can adopt to help manage risks and identify opportunities, including: learning from the past (Lessons Learned), PEST (Political, Economic, Social, Technological), PESTLE (Political, Economic, Social, Technological, Legal, Environmental), SWOT (Strengths, Weaknesses, Opportunities, Threats), FMEA (Failure Modes and Effects Analysis) and Hazard and Operability Study (HAZOP).

By considering risk throughout your organization the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking therefore helps to:

  1. Improve customer confidence and satisfaction;
  2. Assure consistency of quality of goods and services;
  3. Establish a proactive culture of prevention and improvement;
  4. Intuitively take a risk-based approach.

Risk management themes

We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition to risk-based thinking; using an approach that ring-fences processes into ‘risk themes’ or groups such as:

  1. Business planning and strategic direction;
  2. Process risks;
  3. Product and service risks;
  4. Risks associated with the control of externally provided products and services.

Business planning and strategic direction

PDCA stage (ISO 9001 clause references): suggested approach
  Plan (4.1, 4.2): Has the organization identified both internal and external issues and interested parties that are relevant to and/or support the strategic direction of the organization?
  Do (5.2.1): Is the strategic direction being utilized as an input to the QMS policies, objectives, risk management and the management review processes?
  Check (4.1, 4.2, 5.1.1, 9.3.2): Is the QMS being assessed and reviewed in accordance with the strategic direction?
  Act (10.3): Is the QMS being updated as necessary in response to changes in any of the above?

Process risks

PDCA stage (ISO 9001 clause references): suggested approach
  Plan (4.4.1, 6.1, 6.2, 6.3, 8.5.6): When establishing the QMS and planning for change, have risks to achieving process objectives been identified?
  Do (8.1): Have the identified process risks been addressed?
  Check (6.1.2, 9.1.3, 9.3.2): Is the organization analyzing the effectiveness of actions taken to address process risks?
  Act (10.2.1, 10.3): Following analysis and corrective action, is there evidence that process risks have been updated?

Product and service risks

PDCA stage (ISO 9001 clause references): suggested approach
  Plan (5.1.2, 6.1, 6.2, 8.1, 8.2.2, 8.2.3, 8.3.2): Have risks to achieving product or service conformity been considered as part of the planning for operational control, and when determining and reviewing customer requirements? Has product complexity been considered during design planning?
  Do (8.1, 8.2.3.1, 8.3.3): Have design and operational controls to address the identified product and service risks been implemented?
  Check (9.1.3, 9.3.2): Is the organization analyzing the effectiveness of actions taken to address product risks?
  Act (10.1): Has the organization determined and selected opportunities for improvement of products and services?

Risks associated with externally provided products and services

PDCA stage (ISO 9001 clause references): suggested approach
  Plan (6.1): Have risks associated with externally provided products, processes (i.e. what was formerly termed outsourcing) or services been identified?
  Do (8.4.1, 8.4.2): Are the identified risks used as an input when determining the potential impact of externally provided products, processes or services, the type and extent of controls, and the selection and evaluation of external providers?
  Check (8.4.1, 9.3.2): Has the organization applied criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers?
  Act (9.3.3): Has the organization modified the controls applied to external providers based upon the results of evaluation?

Risk management compliance

Most organizations intuitively take a risk-based approach to identifying, analysing and prioritising perceived risks and opportunities as this process forms a key part of the preventive action routine. Presently, there are six clauses in ISO 9001:2015 which require an organization to consider risk:

  • Clause 4 - determine the risks which can affect its ability to meet its objectives;
  • Clause 5 - top management are required to commit to ensuring Clause 4 is followed;
  • Clause 6 - take action to address risks and advance opportunities;
  • Clause 8 - implement processes which identify and address risk in its operations;
  • Clause 9 - monitor, measure, analyse and evaluate the risks and opportunities;
  • Clause 10 - improve by responding to changes in risk.

Compliance with ISO 9001:2015 will require objective evidence that these clauses have been fulfilled. The adoption of risk-based thinking will, over time, improve customer confidence and satisfaction by assuring the consistency of the quality of goods and services brought on by establishing a proactive culture of prevention and improvement.

Ongoing review is essential to ensure that risk management processes remain relevant and effective. The factors that affect the likelihood and consequences of an event may change, as may the factors that affect the suitability of treatment options. Process monitoring should provide information about the effectiveness of the risk management process.

Our management system templates offer a reliable way of integrating risk-based thinking into your processes and your quality management system!

More information on PDCA

Planning

ISO 9001:2015: 4.1 Organizational Context; 4.2 Relevant Interested Parties; 4.3 Management System Scope; 4.4 QMS Processes
ISO 14001:2015: 4.1 Organizational Context; 4.2 Relevant Interested Parties; 4.3 Management System Scope; 4.4 EMS Processes
ISO 45001:2018: 4.1 Organizational Context; 4.2 Relevant Interested Parties; 4.3 Management System Scope; 4.4 OH&S Management System

ISO 9001:2015: 5.1 Leadership & Commitment; 5.2 Quality Policy; 5.3 Roles, Responsibilities & Authorities
ISO 14001:2015: 5.1 Leadership & Commitment; 5.2 Environmental Policy; 5.3 Roles, Responsibilities & Authorities
ISO 45001:2018: 5.1 Leadership & Commitment; 5.2 OH&S Policy; 5.3 Roles, Responsibilities & Authorities; 5.4 Consultation & Participation

ISO 9001:2015: 6.1.1 Address Risks & Opportunities; 6.2.1 Quality Objectives; 6.2.2 Planning to Achieve Objectives; 6.3 Planning for Change
ISO 14001:2015: 6.1.1 Address Risks & Opportunities; 6.1.2 Environmental Aspects; 6.1.3 Compliance Obligations; 6.1.4 Planning Action; 6.2.1 Environmental Objectives; 6.2.2 Planning to Achieve Objectives
ISO 45001:2018: 6.1.1 Address Risks & Opportunities; 6.1.2 Hazard Identification; 6.1.3 Legal & Other Requirements; 6.1.4 Planning Action; 6.2.1 OH&S Objectives; 6.2.2 Planning to Achieve Objectives

Doing

ISO 9001:2015: 7.1.1 Resources - General; 7.1.2 People; 7.1.3 Infrastructure; 7.1.4 Operational Environment; 7.1.5 Monitoring & Measuring; 7.1.6 Organizational Knowledge; 7.2 Competence; 7.3 Awareness; 7.4 Communication; 7.5 Documented Information
ISO 14001:2015: 7.1 Resources; 7.2 Competence; 7.3 Awareness; 7.4.1 Communication - General; 7.4.2 Internal Communication; 7.4.3 External Communication; 7.5 Documented Information
ISO 45001:2018: 7.1 Resources; 7.2 Competence; 7.3 Awareness; 7.4.1 Communication - General; 7.4.2 Internal Communication; 7.4.3 External Communication; 7.5 Documented Information

ISO 9001:2015: 8.1 Operational Planning & Control; 8.2.1 Customer Communication; 8.2.2 Determining Requirements; 8.2.3 Reviewing Requirements; 8.2.4 Changes in Requirements; 8.3.1 Design Development - General; 8.3.2 Design Development - Planning; 8.3.3 Design Development - Inputs; 8.3.4 Design Development - Controls; 8.3.5 Design Development - Outputs; 8.3.6 Design Development - Changes; 8.4.1 External Processes - General; 8.4.2 Purchasing Controls; 8.4.3 Purchasing Information; 8.5.1 Production & Service Provision; 8.5.2 Identification & Traceability; 8.5.3 3rd Party Property; 8.5.4 Preservation; 8.5.5 Post-delivery Activities; 8.5.6 Control of Changes; 8.6 Release of Products & Services; 8.7 Nonconforming Outputs
ISO 14001:2015: 8.1 Operational Planning & Control; 8.2 Emergency Preparedness
ISO 45001:2018: 8.1.1 General; 8.1.2 Eliminating Hazards; 8.1.3 Management of Change; 8.1.4 Outsourcing; 8.2 Emergency Preparedness

Checking

ISO 9001:2015: 9.1.1 Performance Evaluation; 9.1.2 Customer Satisfaction; 9.1.3 Analysis & Evaluation; 9.2 Internal Audit; 9.3 Management Review
ISO 14001:2015: 9.1.1 Performance Evaluation; 9.1.2 Evaluation of Compliance; 9.2 Internal Audit; 9.3 Management Review
ISO 45001:2018: 9.1.1 Performance Evaluation; 9.1.2 Evaluation of Compliance; 9.2 Internal Audit; 9.3 Management Review

Acting

ISO 9001:2015: 10.1 Improvement - General; 10.2 Nonconformity & Corrective Action; 10.3 Continual Improvement
ISO 14001:2015: 10.1 Improvement - General; 10.2 Nonconformity & Corrective Action; 10.3 Continual Improvement
ISO 45001:2018: 10.1 Improvement - General; 10.2 Incident, Nonconformity & Corrective Action; 10.3 Continual Improvement

How to apply the latest quality management principles

The latest and current quality management principles (QMPs), stated in ISO 9000:2015, are intended to provide the foundation by which any organization can continually improve its performance.

You can learn to apply the latest quality management principles in the context of your business's own particular operations by reviewing and documenting its activities in the context of each quality management principle.
