Defining risk-based thinking
ISO 9001:2015 (0.3.3) defines risk as the 'effect of uncertainty'. Because the definition is generic, all risks, whether they relate to quality, safety, commercial matters or the environment, can be dealt with under a single 'multidisciplinary' aspect of the management system.
Risk-based thinking should ensure that risks and opportunities are considered throughout your business's operations and activities. Risk-based thinking makes preventive action part of strategic and operational planning.
Which risks and opportunities apply to your business will depend on the context of your organization. The determination of risks and opportunities when planning for the quality management system should include the inputs arising from:
- The analysis of external and internal issues (see 4.1);
- Requirements of relevant interested parties (see 4.2);
- The scope of QMS of the organization (see 4.3);
- The processes of the organization (see 4.4);
- The strategic direction of the organization.
The need for risk identification may also be determined on the basis of information and trends regarding the performance and effectiveness of the quality management system. Risks should be identified and evaluated when quality performance data indicates that there are trends of decreasing quality capability, or effectiveness of the quality management system.
Developing a risk management methodology
Risk will influence every aspect of your organization’s operations. Understanding the risks and managing them appropriately will enhance your organization’s ability to make better decisions, safeguard assets, and enhance your ability to provide products and services and to achieve your mission and goals.
A risk management regime, managed by the use of risk registers so as to allow for new risks to be progressively identified, rated and mitigated, should be implemented throughout the business. The principle is to ensure that:
- All significant risks to success are identified;
- Identified risks are understood and potential consequences mitigated;
- Assessment is undertaken of individual risks relative to other risks to support priority setting and resource allocation;
- Strategies for treating risks take account of opportunities to address more than one risk;
- The process itself and the risk treatment strategies are implemented cost effectively.
There are many other tools and methodologies that you can adopt to help manage risks and identify opportunities, including: learning from the past (Lessons Learned), PEST (Political, Economic, Social, Technological), PESTLE (Political, Economic, Social, Technological, Legal, Environmental), SWOT (Strengths, Weaknesses, Opportunities, Threats), FMEA (Failure Modes and Effects Analysis) and Hazard and Operability Study (HAZOP).
By considering risk throughout your organization, the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking therefore helps to:
- Improve customer confidence and satisfaction;
- Assure consistency of quality of goods and services;
- Establish a proactive culture of prevention and improvement;
- Intuitively take a risk-based approach.
Risk management themes
We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization's transition to risk-based thinking, using an approach that ring-fences processes into 'risk themes' or groups such as:
- Business planning and strategic direction;
- Process risks;
- Product and service risks;
- Risks associated with the control of externally provided products and services.
Business planning and strategic direction
| Stage | ISO 9001 clause references | Question |
|---|---|---|
| Plan | 4.1, 4.2 | Has the organization identified both internal and external issues and interested parties that are relevant to and/or support the strategic direction of the organization? |
| Do | 5.2.1 | Is the strategic direction being utilized as an input to the QMS policies, objectives, risk management and the management review processes? |
| Check | 4.1, 4.2, 5.1.1, 9.3.2 | Is the QMS being assessed and reviewed in accordance with the strategic direction? |
| Act | 10.3 | Is the QMS being updated as necessary in response to changes in any of the above? |
Process risks
| Stage | ISO 9001 clause references | Question |
|---|---|---|
| Plan | 4.4.1, 6.1, 6.2, 6.3, 8.5.6 | When establishing the QMS and planning for change, have risks to achieving process objectives been identified? |
| Do | 8.1 | Have the identified process risks been addressed? |
| Check | 6.1.2, 9.1.3, 9.3.2 | Is the organization analyzing the effectiveness of actions taken to address process risks? |
| Act | 10.2.1, 10.3 | Following analysis and corrective action, is there evidence that process risks have been updated? |
Product and service risks
| Stage | ISO 9001 clause references | Question |
|---|---|---|
| Plan | 5.1.2, 6.1, 6.2, 8.1, 8.2.2, 8.2.3, 8.3.2 | Have risks to achieving product or service conformity been considered as part of the planning for operational control, and when determining and reviewing customer requirements? Has product complexity been considered during design planning? |
| Do | 8.1, 220.127.116.11, 8.3.3 | Have design and operational controls to address the identified product and service risks been implemented? |
| Check | 9.1.3, 9.3.2 | Is the organization analyzing the effectiveness of actions taken to address product risks? |
| Act | 10.1 | Has the organization determined and selected opportunities for improvement of products and services? |
Risks associated with externally provided products and services
| Stage | ISO 9001 clause references | Question |
|---|---|---|
| Plan | 6.1 | Have risks associated with externally provided products, processes (formerly termed outsourced) or services been identified? |
| Do | 8.4.1, 8.4.2 | Are the identified risks used as an input when assessing the potential impact of externally provided products, processes or services, the type and extent of controls, and the selection and evaluation of external providers? |
| Check | 8.4.1, 9.3.2 | Has the organization applied criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers? |
| Act | 9.3.3 | Has the organization modified the controls applied to external providers based upon the results of evaluation? |
Risk management compliance
Most organizations intuitively take a risk-based approach to identifying, analysing and prioritising perceived risks and opportunities, as this process forms a key part of the preventive action routine. Presently, there are six clauses in ISO 9001:2015 which require an organization to consider risk:
- Clause 4 - determine the risks which can affect its ability to meet its objectives;
- Clause 5 - top management are required to commit to ensuring Clause 4 is followed;
- Clause 6 - take action to address risks and advance opportunities;
- Clause 8 - implement processes which identify and address risk in its operations;
- Clause 9 - monitor, measure, analyse and evaluate the risks and opportunities;
- Clause 10 - improve by responding to changes in risk.
Compliance with ISO 9001:2015 will require objective evidence that these clauses have been fulfilled. Over time, the adoption of risk-based thinking establishes a proactive culture of prevention and improvement, which assures consistency in the quality of goods and services and so improves customer confidence and satisfaction.
Ongoing review is essential to ensure that risk management processes remain relevant and effective. The factors that affect the likelihood and consequences of an event may change, as may the factors that affect the suitability of treatment options. Process monitoring should provide information about the effectiveness of the risk management process.
Our management system templates offer a reliable way of integrating risk-based thinking into your processes and your quality management system!