Management system guidance

Risk-based thinking

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.

Our range of templates cover the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offer an easy way to implement your next management system.

Risk-based thinking and the effects of uncertainty

ISO 9001:2015 defines risk as the 'effect of uncertainty'. Because that definition is not limited to any one discipline, risks relating to quality, safety, commercial matters, the environment and so on can all be handled under a single 'multidisciplinary' aspect of the management system.

Risk management should be built into the analysis of your existing processes, and any new process definitions will require process owners to be assigned to manage the risks in that process. These are typically senior managers, although you can also engage more of your organization's leaders by making them owners of the new processes.

To support the transition that your organization will have to make, you should learn about the key changes, understand the key concepts, plan how to implement the new requirements and stay informed of developments. While a standard is still under revision, further changes to its text are likely, so you should not make changes to your management system until the final version is published.

Risk management methodology

Risk will influence every aspect of your organization’s operations. Understanding the risks and managing them appropriately will enhance your organization’s ability to make better decisions, safeguard assets, and enhance your ability to provide products and services and to achieve your mission and goals.

By considering risk throughout your organization the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service.

Risk-based thinking therefore helps to:

  1. Improve customer confidence and satisfaction;
  2. Assure consistency in the quality of goods and services;
  3. Establish a proactive culture of prevention and improvement;
  4. Make the risk-based approach most organizations already take intuitively explicit and repeatable.

We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition to risk-based thinking; using an approach that ring-fences processes into ‘risk themes’ or groups such as:

  1. Business planning and strategic direction;
  2. Process risk;
  3. Product and service risk;
  4. Risk associated with the control of externally provided product and service.

Risk themes

Business planning and strategic direction

PDCA step (clause references): activity

Plan (4.1, 4.2): Has the organization identified both the internal and external issues and the interested parties that are relevant to and/or support the strategic direction of the organization?
Do (5.2.1): Is the strategic direction being used as an input to the QMS policies, objectives, risk management and the management review processes?
Check (4.1, 4.2, 5.1.1, 9.3.2): Is the QMS being assessed and reviewed in accordance with the strategic direction?
Act (10.3): Is the QMS being updated as necessary in response to changes in any of the above?

Process risk

PDCA step (clause references): activity

Plan (4.4.1, 6.1, 6.2, 6.3, 8.5.6): When establishing the QMS and planning for change, have the risks to achieving process objectives been identified?
Do (8.1): Have the identified process risks been addressed?
Check (6.1.2, 9.1.3, 9.3.2): Is the organization analyzing the effectiveness of the actions taken to address process risks?
Act (10.2.1, 10.3): Following analysis and corrective action, is there evidence that the process risks have been updated?

Product and service risk

PDCA step (clause references): activity

Plan (5.1.2, 6.1, 6.2, 8.1, 8.2.2, 8.2.3, 8.3.2): Have the risks to achieving product or service conformity been considered as part of the planning for operational control and when determining and reviewing customer requirements? Has product complexity been considered during design planning?
Do (8.1, 8.3.3): Have design and operational controls been implemented to address the identified product and service risks?
Check (9.1.3, 9.3.2): Is the organization analyzing the effectiveness of the actions taken to address product and service risks?
Act (10.1): Has the organization determined and selected opportunities for improvement of its products and services?

Risk associated with externally provided product and service

PDCA step (clause references): activity

Plan (6.1): Have the risks associated with externally provided products, processes (formerly termed 'outsourced' processes) or services been identified?
Do (8.4.1, 8.4.2): Are the identified risks used as an input when determining the potential impact of externally provided products, processes or services; the type and extent of controls; the selection and evaluation of external providers; and the degree of information provided to those providers?
Check (8.4.1, 9.3.2): Has the organization applied criteria for the evaluation, selection, performance monitoring and re-evaluation of external providers?
Act (9.3.3): Has the organization modified the controls applied to external providers based on the results of that evaluation?

Risk-based thinking

Most organizations intuitively take a risk-based approach to identifying, analysing and prioritising perceived risks and opportunities, as this process forms a key part of the preventive action routine. There are six clauses in ISO 9001:2015 that require an organization to consider risk:

  • Clause 4 - determine the issues, interested parties and risks that can affect the QMS's ability to achieve its intended results;
  • Clause 5 - top management are required to promote risk-based thinking and to ensure that risks and opportunities affecting product and service conformity and customer satisfaction are determined and addressed;
  • Clause 6 - plan and take action to address risks and opportunities;
  • Clause 8 - implement operational processes that identify and address risk;
  • Clause 9 - monitor, measure, analyse and evaluate the effectiveness of the actions taken to address risks and opportunities;
  • Clause 10 - improve by responding to changes in risk.

Compliance with ISO 9001:2015 requires objective evidence that these clauses have been fulfilled. Over time, the adoption of risk-based thinking establishes a proactive culture of prevention and improvement, which assures consistency in the quality of goods and services and in turn improves customer confidence and satisfaction.

Ongoing review is essential to ensure that risk management processes remain relevant and effective. The factors that affect the likelihood and consequences of an event may change, as may the factors that affect the suitability of treatment options. Process monitoring should provide information about the effectiveness of the risk management process.

Our quality management system templates offer a reliable way of achieving process based compliance to ISO 9001:2015.

More on ISO 9001:2015


Why should you buy our templates?

Our audit checklists, procedures, quality manual and integrated manual templates have been successfully implemented by thousands of businesses globally to reduce the risk of minor or major non-conformances during certification audits.

Our customers really value the in-depth content and the straightforward approach to implementation that the templates provide. Certification and accreditation bodies such as BSI and UKAS, as well as independent external auditors, have commented on the high level of detail and excellent presentation standard of the documents.

Free PDCA guidance

ISO Navigator™ is our FREE online training tool that shows you how to apply the principles of PDCA to your operations. We also offer many helpful templates to get you on the road to documenting your management system; please visit the download page.

Client list

Over 8,000 companies and globally recognized brands have relied on our templates to provide a path to improve, collaborate and enhance their operations and achieve certification. Please see our client list for more information.