News & Commentary on ISO Management System Standards

    ISO 9001 and Risk-based Thinking (RBT): DO's & DON'Ts


    An ongoing series of Posts: Practical advice on implementing ISO 9001:2015

    One of the key changes in the 2015 revision of ISO 9001 was to establish a systematic approach to considering risk, rather than treating “prevention” as a separate component of a quality management system.  

    Risk-based Thinking (RBT)

    Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions. A risk-based approach to handling management systems ensures that these risks are identified, considered and controlled throughout the design and use of the quality management system.

    What, then, is the logical and practical way to tackle RBT when implementing ISO 9001?

    ISO 9001 and Risk-based Thinking

    When planning an ISO 9001 implementation project, one of the first, and most frightening, 'stumbling blocks' that the uninitiated encounter is the topic of risk.  At first glance, it seems to have arrived out of nowhere!  However:

    Risk-based thinking:

    • is something you do already,
    • is on-going,
    • ensures greater knowledge of risks and improves preparedness,
    • increases the probability of reaching objectives,
    • reduces the probability of negative results, and
    • makes prevention a habit.


    How to Integrate Risk-Based Thinking with Your Quality Management System

    What to do

    a) Use Risk-based Thinking to determine the factors that could cause your processes and your quality management system to deviate from the planned results.
    b) Use Risk-based Thinking to put in place preventive controls to minimize negative effects.
    c) Use Risk-based Thinking to make maximum use of opportunities as they arise.
    d) Read ISO 9001:2015 Clause 0.3.3 Risk-based Thinking in the Introduction to the Standard. The ISO Committee’s thoughts on the topic are covered there.
    e) Do introduce formal risk management in your organization if it is a corporate requirement. Many organizations are taking advantage of their project to migrate to ISO 9001:2015 to introduce it. See ‘What not to do’ a), below.

    What not to do

    a) Do not introduce formal risk management in your organization as a requirement of ISO 9001:2015. The Standard does not require an organisation to have a formal risk management system, nor to have documentation in support of its application.  See ‘What to do’ e), above.
    b) Do not limit your focus to ISO 9001:2015 Clause 6.1 Actions to address risks and opportunities. RBT arises in every Section of the Standard. Check out:
      • Section 4 – the organization is required to determine its QMS processes and to address its risks and opportunities
      • Section 5 – top management is required to:
        1. promote awareness of risk-based thinking
        2. determine and address risks and opportunities that can affect product/service conformity
      • Section 6 – the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them
      • Section 7 – the organization is required to determine and provide the necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned)
      • Section 8 – the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned)
      • Section 9 – the organization is required to monitor, measure, analyse and evaluate the effectiveness of actions taken to address the risks and opportunities
      • Section 10 – the organization is required to correct, prevent or reduce undesired effects, improve the QMS and update its risks and opportunities


    How to Provide Evidence of Risk-based Thinking

    The Risk-based Thinking requirements of ISO 9001:2015 do not oblige you to have a formal risk management system. But at your first ISO 9001 audit against the revised Standard, the external auditors will request objective evidence of RBT across all seven auditable Sections of the Standard (Clauses 4 to 10). Interview (verbal) evidence alone will not suffice.

    You will need to supply some tangible evidence of the application of Risk-based Thinking: for example, risks and opportunities recorded against the QMS processes you determined under Clause 4, the actions planned under Clause 6.1, and management review records showing that the effectiveness of those actions was evaluated (Clause 9.3).  ISO 9001 Lead Implementer Training is recommended to ensure that you will have adequately covered this difficult topic.

    We have addressed the topic in-depth in our Handbook 'ISO 9001:2015 Quality Management System Implementation', which is provided as part of our ISO 9001 migration training course,  ISO 9001:2015 Transition Training (Course 032T), and our ISO 9001:2015 Lead Implementer Certification (Course 032).

    You can have both Risk-based Thinking and Risk Management

    The Medical Device Standard, ISO 13485, requires risk-based thinking in relation to the quality system generally and risk management regarding patient/user safety.  So, it is possible to have both risk-based thinking and risk management within one QMS. 

    Recommended Approach to Integrating Risk-based Thinking with Your QMS

    An approach often taken with ISO 9001 quality systems is to apply risk-based thinking to the QMS generally. However, when addressing the requirements of ISO 9001:2015 Clause 6.1, Actions to address risks and opportunities, it's recommended to have 'full on' risk management with risk assessment and risk treatment focused on threats to customer satisfaction and business success.  




    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
