Management system guidance

Risk-based thinking

Defining risk-based thinking

ISO 9001:2015 (0.3.3) defines risk as the 'effect of uncertainty'. Therefore, all risks relating to quality, safety, commercial or the environment, etc. can be dealt with under a single 'multidisciplinary' aspect of the management system.

Risk-based thinking should ensure that risks and opportunities are considered throughout your business's operations and activities. Risk-based thinking makes preventive action part of strategic and operational planning.

In order to identify what your business's risks and opportunities are will depend on context of your organization. The determination of the risks and opportunities when planning for the quality management system should include the inputs arising from:

1. The analysis of external and internal issues (see 4.1);
2. Requirements of relevant interested parties (see 4.2);
3. The scope of QMS of the organization (see 4.3);
4. The processes of the organization (see 4.4);
5. The strategic direction of the organization.

The need for risk identification may also be determined on the basis of information and trends regarding the performance and effectiveness of the quality management system. Risks should be identified and evaluated when quality performance data indicates that there are trends of decreasing quality capability, or effectiveness of the quality management system.

Developing a risk management methodology

Risk will influence every aspect of your organization’s operations. Understanding the risks and managing them appropriately will enhance your organization’s ability to make better decisions, safeguard assets, and enhance your ability to provide products and services and to achieve your mission and goals.

A risk management regime, managed by the use of risk registers so as to allow for new risks to be progressively identified, rated and mitigated, should be implemented throughout the business. The principle is to ensure that:

1. All significant risks to success are identified;
2. Identified risks are understood and potential consequences mitigated;
3. Assessment is undertaken of individual risks relative to other risks to support priority setting and resource allocation;
4. Strategies for treating risks take account of opportunities to address more than one risk;
5. The process itself and the risk treatment strategies are implemented cost effectively.

There are many other tools and methodoligies that you can adopt to help manage risks and identify opportunities including; learning from the past (Lessons Learned), PEST (Political, Economic, Social, Technological), PESTLE (Political, Economic, Social, Technological, Legal, Environmental), SWOT (Strengths, Weaknesses, Opportunities, Threats), FMEA (Failure Modes and Effects Analysis) or Hazard and Operability Study (HAZOP).

By considering risk throughout your organization the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking therefore helps to:

1. Improve customer confidence and satisfaction;
2. Assure consistency of quality of goods and services;
3. Establishes a proactive culture of prevention and improvement;
4. Intuitively take a risk-based approach.

Risk management themes

We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition to risk-based thinking; using an approach that ring-fences processes into ‘risk themes’ or groups such as:

1. Business planning and strategic direction;
2. Process risks;
3. Product and service risks;
4. Risks associated with the control of externally provided products and services.

Business planning and strategic direction

PDCA	ISO 9001 Clause References	Suggested approach
Plan	4.1, 4.2	Has the organization identified both internal and external issues and interested parties that are relevant to and/or support the strategic direction of the organization?
Do	5.2.1	Is the strategic direction being utilized as an input to the QMS policies, objectives, risk management and the management review processes?
Check	4.1, 4.2, 5.1.1, 9.3.2	Is the QMS being assessed and reviewed in accordance with the strategic direction?
Act	10.3	Is the QMS being updated as necessary in response to changes in any of the above?

Process risks

PDCA	ISO 9001 Clause References	Suggested approach
Plan	4.4.1, 6.1, 6.2, 6.3, 8.5.6	When establishing the QMS and planning for change, have risks to achieving process objectives been identified?
Do	8.1	Have the identified process risks been addressed?
Check	6.1.2, 9.1.3, 9.3.2	Is the organization analyzing the effectiveness of actions taken to address process risks?
Act	10.2.1, 10.3	Following analysis and corrective action is there evidence that process risks have been updated?

Product and service risks

PDCA	ISO 9001 Clause References	Suggested approach
Plan	5.1.2, 6.1, 6.2, 8.1, 8.2.2, 8.2.3, 8.3.2	Have risks to achieving product or service conformity considered, as part of the planning for operational control? When determining and reviewing customer requirements? And has product complexity been considered during design planning?
Do	8.1, 8.2.3.1, 8.3.3	Have design and operational controls to address the identified product and service risks been implemented?
Check	9.1.3, 9.3.2	Is the organization analyzing the effectiveness of actions taken to address product risks?
Act	10.1	Has the organization determined and selected opportunities for improvement on product and service?

Risks associated with externally provided products and services

PDCA	ISO 9001 Clause References	Suggested approach
Plan	6.1	Have risks associated with externally provided product, process (i.e. formerly named outsourced) or service been identified?
Do	8.4.1, 8.4.2	Are the identified risks utilized as an input into the potential impact of externally provided product, process or service? The type and extent of controls and the selection and evaluation of external providers?
Check	8.4.1, 9.3.2	Has the organization applied criteria for the evaluation, selection, monitoring of performance and re-evaluation of external providers?
Act	9.3.3	Has the organization modified the controls applied to external providers based upon the results of evaluation?

Risk management compliance

Most organizations intuitively take a risk-based approach to identifying, analysing and prioritising perceived risks and opportunities as this process forms a key part of the preventive action routine. Presently, there are six clauses in ISO 9001:2015 which require an organization to consider risk:

• Clause 4 - determine the risks which can affect its ability to meet these objectives;
• Clause 5 - top management are required to commit to ensuring Clause 4 is followed;
• Clause 6 - take action to address risks and advance opportunities;
• Clause 8 - implement processes which identify and address risk in its operations;
• Clause 9 - monitor, measure, analyse and evaluate the risks and opportunities;
• Clause 10 - improve by responding to changes in risk.

Compliance with ISO 9001:2015 will require objective evidence that these clauses have been fulfilled. The adoption of risk-based thinking will, over time, improve customer confidence and satisfaction by assuring the consistency of the quality of goods and services brought on by establishing a proactive culture of prevention and improvement.

Ongoing review is essential to ensure that risk management processes remain relevant and effective. The factors that affect the likelihood and consequences of an event may change, as may the factors that affect the suitability of treatment options. Process monitoring should provide information about the effectiveness of the risk management process.

Our management system templates offer a reliable way of integrating risk-based thinking into your processes and your quality management system!

More on ISO 9001:2015

Transitioning to ISO 9001:2015	Quality management principles
Implementing ISO 9001:2015	A look at the certification process
The impact of risk	The next iteration of ISO 9001
High level structure	The history of ISO 9000

Free management system interpretation guidance

Planning - Context, leadership and management system planning

This is the 'Plan' part of the PDCA process. Establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organizational policies. This is often implemented using stated objectives, work instructions or procedures as required for consistent process output.

ISO 9001:2015	ISO 14001:2015	ISO 45001:2018
4.1 Organizational Context	4.1 Organizational Context	4.1 Organizational Context
4.2 Relevant Interested Parties	4.2 Relevant Interested Parties	4.2 Relevant Interested Parties
4.3 Management System Scope	4.3 Management System Scope	4.3 Management System Scope
4.4 QMS Processes	4.4 EMS Processes	4.4 OH&S Management System

ISO 9001:2015	ISO 14001:2015	ISO 45001:2018
5.1 Leadership & Commitment	5.1 Leadership & Commitment	5.1 Leadership & Commitment
5.2 Quality Policy	5.2 Environmental Policy	5.2 OH&S Policy
5.3 Roles, Responsibilities & Authorities	5.3 Roles, Responsibilities & Authorities	5.3 Roles, Responsibilities & Authorities
		5.4 Consultation & Participation

ISO 9001:2015	ISO 14001:2015	ISO 45001:2018
6.1 Address Risks & Opportunities	6.1.1 Address Risks & Opportunities	6.1.1 Address Risks & Opportunities
6.2.1 Quality Objectives	6.1.2 Environmental Aspects	6.1.2 Hazard Identifcation
6.2.2 Planning to Achieve Objectives	6.1.3 Compliance Obligations	6.1.3 Legal & Other Requirements
6.3 Planning for Change	6.1.4 Planning Action	6.1.4 Planning Action
	6.2.1 Environmental Objectives	6.2.1 OH&S Objectives
	6.2.2 Planning to Achieve Objectives	6.2.2 Planning to Achieve Objectives

Doing - Support and operations

This is the 'Do' part of the PDCA process. Ensure the availability of resources and information necessary to support the operation and monitoring of your processes. This may be through management review or other methods that define resource requirements.

ISO 9001:2015	ISO 14001:2015	ISO 45001:2018
7.1 Resources	7.1 Resources	7.1 Resources
7.2 Competence	7.2 Competence	7.2 Competence
7.3 Awareness	7.3 Awareness	7.3 Awareness
7.4 Communcation	7.4.1 Communcation - General	7.4.1 Communcation - General
7.5 Documented Information	7.4.2 Internal Communcation	7.4.2 Internal Communcation
	7.4.3 External Communcation	7.4.3 External Communcation
	7.5 Documented Information	7.5 Documented Information

ISO 9001:2015	ISO 14001:2015	ISO 45001:2018
8.1 Operational Planning & Control	8.1 Operational Planning & Control	8.1.1 General
8.2 Customer Requirements	8.2 Emergency Preparedness	8.1.2 Eliminating Hazards
8.3 Design & Development		8.1.3 Management of Change
8.4 Purchasing		8.1.4 Outsourcing
8.5 Product & Service Provision		8.2 Emergency Preparedness
8.6 Release of Products & Services
8.7 Nonconforming Outputs

Checking - monitoring, measuring, analysing and evaluating

This is the 'Check' part of the PDCA process. Monitor, measure and analyse process performance. Monitor and measure processes and products against policies, objectives and requirements, and report the results. The methods employed and the timing of such analysis should be based upon priorities established by the organization.

ISO 9001:2015	ISO 14001:2015	ISO 45001:2018
9.1 Monitoring & Measurement	9.1.1 Performance Evaluation	9.1.1 Performance Evaluation
9.2 Internal Audit	9.1.2 Evaluation of Compliance	9.1.2 Evaluation of Compliance
9.3 Management Review	9.2 Internal Audit	9.2 Internal Audit
	9.3 Management Review	9.3 Management Review

Acting - implementing improvement actions

This is the 'Act' part of the PDCA process. Implement the actions necessary to achieve the planned results, and for the continual improvement of those processes. Auditors will expect to see evidence that corrective action is taken when measurable objectives and performance indicators fall below target or a pre-defined action level.

ISO 9001:2015	ISO 14001:2015	ISO 45001:2018
10.1 Improvement - General	10.1 Improvement - General	10.1 Improvement - General
10.2 Nonconformity & Corrective Action	10.2 Nonconformity & Corrective Action	10.2 Incident, Nonconformity & Corrective Action
10.3 Continual Improvement	10.3 Continual Improvement	10.3 Continual Improvement

How to apply the latest quality management principles

The latest and current quality management principles (QMPs), stated in ISO 9000:2015, are intended to provide the foundation by which any organization can continually improve its performance.

You can learn to apply the latest quality management principles in the context of your business's own particular operations by reviewing and documenting its activities in the context of each quality management principle.

Want to know more?

• Read our customer's feedback
• Client list - who's using our templates?
• How the templates are formatted and download examples
• Why we use turtle diagrams and process maps
• What's the difference between a process and a procedure?
• About documented information

SSL certification

A certificate guarantees the information your internet browser is receiving now originates from the expected domain - https://www.iso9001help.co.uk. It guarantees that when you make a purchase, sensitive data is encrypted and sent to the right place, and not to a malicious third-party.

Free PDCA guidance

ISO Navigator™ is our FREE online training tool that shows you how to apply the principles of PDCA to your operations. We also offer many helpful templates that get you on the road to documenting your management system, please visit the download page.