What is the definition of risk-based thinking?
One of the most significant improvements in the 2015 revision of ISO 9001 is the establishment of a systematic approach to risk assessment, rather than treating “prevention” as a separate component of a quality management system.
Risk is present in every facet of a quality management system. Risks exist in all systems, processes, and functions. Risk-based thinking ensures that these risks are identified, considered, and controlled during the design and implementation of the quality management system.
In previous editions of ISO 9001, a clause on preventive action was separate from the rest. Risk-based thinking requires risk to be evaluated, so the system becomes proactive rather than reactive, preventing or mitigating negative consequences through early detection and intervention. A risk-based management system includes preventive action.
In everyday life, we all naturally engage in risk-based thinking. For example, before crossing a road, I check for traffic. I will not step in front of a moving vehicle.
ISO 9001 has always included risk-based thinking, and this revision integrates it across the management system.
In ISO 9001:2015, risk-based thinking must be incorporated from the start and throughout the system, with preventive action built into planning, operation, analysis, and evaluation processes.
The process approach already includes risk-based thinking.
Not all procedures in a quality management system carry the same level of risk to the organization’s ability to accomplish its objectives. Some require more rigorous and formal planning and controls than others.
For example, I can cross the road directly or via a nearby footbridge. I will choose a process based on the risks.
Risk is widely assumed to have exclusively negative repercussions; nevertheless, the impacts of risk can be either negative or positive.
In ISO 9001:2015, risks and opportunities are frequently mentioned simultaneously. Opportunity is not a benefit of risk. An opportunity is a group of conditions that allows you to do something. Taking or not taking an opportunity results in varying levels of risk.
For example, crossing the road directly can be faster, but it also increases the danger of harm from moving cars.
Risk-based thinking includes both the existing environment and the potential for change.
Analysis of this problem reveals opportunities for improvement:
- A subway that goes straight beneath the road
- Installing pedestrian traffic lights or diverting the route to eliminate traffic
Where is risk addressed in ISO 9001:2015?
The concept of risk-based thinking is presented in the introduction to ISO 9001:2015 as an essential component of the process approach.
ISO 9001:2015 applies risk-based thinking in the following ways:
Introduction: The concept of risk-based thinking is explained.
Clause 4: The organization is required to identify its QMS procedures and handle its risks and opportunities.
Clause 5: Top management is expected to:
- Increase awareness of risk-based thinking
- Identify and manage risks and opportunities that may impact product/service conformance.
Clause 6: The organization must identify risks and opportunities linked to QMS performance and take necessary actions to address them.
Clause 7: The organization is obligated to determine and supply essential resources (risk is implied whenever “suitable” or “appropriate” is mentioned).
Clause 8: The organization must manage its operational procedures (risk is implied whenever “suitable” or “appropriate” is mentioned).
Clause 9: The organization is required to monitor, measure, analyze, and evaluate the efficacy of activities taken to manage risks and opportunities.
Clause 10: The organization is obligated to remedy, prevent or mitigate undesirable impacts, improve the QMS, and update risks and opportunities.

Why employ risk-based thinking?
By addressing risk throughout the system and all processes, the likelihood of meeting stated objectives increases, production is more consistent, and customers can be confident that they will receive the promised product or service.
Risk-oriented thinking:
- Improves governance
- Creates a proactive culture of improvement
- Helps in statutory and regulatory compliance
- Ensures consistent quality of products and services
- Increases client confidence and satisfaction
Successful firms naturally include risk-based thinking.
How can I do it?
- When developing your management system and processes, think in terms of risk.
- Identify your risks based on context.
- Crossing a busy road with fast-moving cars poses different risks than crossing a minor road with few moving cars. It is also vital to consider weather, visibility, physical mobility, and specific personal goals.
Understand your risks
What is acceptable, and what is unacceptable? What are the advantages and disadvantages of one process over another?
Example:
Objective: I need to cross a road safely to get to a meeting on time.
It is not acceptable to be injured.
Being late is unacceptable.
Reaching my goal faster must be balanced against the risk of injury. It is more crucial that I get to my meeting safely than on time.
It may be ACCEPTABLE to delay arrival at the other side of the road by using a footbridge if the risk of injury from crossing the road directly is significant.
I analyze the situation. The footbridge is 200 metres away and will extend my journey. The weather is nice, the visibility is decent, and I see that there aren’t too many cars on the road right now.
I determine that walking directly across the road poses an acceptable risk of injury and will get me to my meeting on time.
Plan actions to address hazards.
How do I mitigate or remove the risk? How can I reduce the risks?
For example, using the footbridge would reduce the danger of injury from being hit by a vehicle, but I have already decided that the risk of crossing the road is acceptable.
Now I’m planning ways to limit the chance or severity of injury. I can’t expect to control the impact of a car hitting me, but I can lower the chances of being hit by one.
I intend to cross at a moment when there are no cars near me, reducing the probability of an accident. I also intend to cross the road where I have decent visibility.
Implement the plan and take action.
Example:
I move to the side of the road and check that there are no barriers to crossing. I check that there are no cars approaching. I continue to scan for cars while crossing the road.
Check the effectiveness of the action: does it work?
Example:
I arrive at the other side of the road safely and on time: my strategy worked and unintended consequences were avoided.
For instance, I may repeat a strategy across multiple days, at various times and in various weather conditions.
This data allows me to understand how changing circumstances (time, weather, number of cars) directly affect the success of the strategy and raise the likelihood that I will fail to meet my goals (being on time and avoiding harm).
Experience has taught me that crossing the road at some times of day is quite difficult due to the high volume of traffic. To reduce the risk, I revise and improve my technique by using the footbridge at these times.
I continue to assess the efficacy of the processes and adapt them as circumstances change.
I continue to consider novel opportunities:
- Can I change the meeting location so that the road does not need to be crossed?
- Can I adjust the meeting time so that I cross the road when it's quiet?
- Could we meet electronically?
Conclusion
Risk-based thinking is a long-standing practice that enhances preparedness, increases the likelihood of achieving goals, reduces the likelihood of negative outcomes, and promotes prevention as a habit.