    Risk Management in ISO Management System Standards


    A vast topic that pervades all aspects of business today.  And rightly so.

    Until about 15 years ago, few in business gave formal consideration to risk.  Yes, it was there in the management textbooks from the business schools, but the practical application of risk mitigation was something only insurance companies talked about.  Not so today.  If your organization is not 'up to speed' on managing risk you are, at best, bleeding profit or, at worst, laying the groundwork for your organization's demise.

    Our area of interest is ISO Management System Standards and, in this post, we give you an overview of the many posts we have published on this topic.

    Definition of Risk

    ISO 31000 defines risk as the 'effect of uncertainty on objectives', where an effect is a deviation from the expected.  It can be positive, negative or both, and can address, create or result in opportunities or threats.

    This definition leaves the door open to risk assessments based on opinion rather than on objective evidence.  Other ISO Standards, ISO 14971 among them, use a different definition, namely a 'combination of the probability of occurrence of harm and the severity of that harm.'

    This second definition leads, at best, to semi-quantitative measurement.  Even so, it has been found (dare I say proven) to be reliable, not in terms of absolute values but in the sense that it lets you rank risks: the higher the rating, the greater the risk.  So, while not acceptable to the mathematical purists, it gives us an objective basis for deciding how to control and mitigate risks.  Until something better comes along, this is our best option.

    See also: ISO 9001 Risks & Opportunities - DOs and DON'Ts.

    What is Risk Management?

    Risk management is the proactive identification of the threats an organization faces and the selection of appropriate controls to reduce the resulting risks to an acceptable level.

    A risk management plan can include, but is not limited to:

    • an assessment of the organization's structure,
    • the identification of its key objectives,
    • the allocation of resources to activities designed to manage risks effectively,
    • the designation of people responsible for key tasks, and
    • the development of strategies to ensure continual improvement of systems and processes.


    The Swiss Cheese Model for Risk Control

    One control per threat is not enough to manage risk.  A standard such as ISO 27001, with its companion Code of Practice, ISO 27002, can create the impression that one control is enough.  Consider Annex A of ISO 27001: it is a list of controls, and nothing in it signals that a single threat may warrant several of them.  (Note also that a vulnerability, a weakness that an attacker may exploit, is not the same thing as the threat that exploits it; a risk assessment should record the two separately.)  Reading Annex A as 'one threat, one control' is not a good approach.

    Several controls should be applied whenever practicable.  It can be shown (as in the link below) that a combination of several weak controls can mitigate risk far better than a single strong one, with the added bonus that failure of one control does not leave you totally exposed (as it does when the one strong control fails).
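    To make that comparison concrete, here is an added example (not from the original post or from the linked article) that works through the arithmetic of layered controls in Python.  Each control is modelled by an assumed probability that it stops a given attack on its own; with independent layers the attack must pass every one, so the residual probability is the product of the per-layer miss probabilities.  The last function adds the caveat the Swiss cheese picture glosses over: if the layers share a common-mode failure (one privileged account that can switch all of them off, say), the layered stack can come out worse than a single strong control.  All figures are constructed.

```python
"""Residual risk under layered ("Swiss cheese") controls.

Added example with constructed figures. Each control is described by the
probability that it stops a given attack on its own, and the layers are
assumed independent unless a common-mode failure is modelled explicitly.
"""
from math import prod


def residual_risk(effectiveness):
    """Probability that an attack passes every layer.

    effectiveness: per-control stop probabilities in [0, 1], assumed
    independent. With no controls the attack always gets through (1.0).
    """
    for e in effectiveness:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness must be in [0, 1], got {e}")
    return prod(1.0 - e for e in effectiveness)


def residual_after_failure(effectiveness, failed_index):
    """Residual risk when the control at failed_index stops working entirely.

    Losing one of several layers leaves the others in place; losing a
    single control leaves nothing.
    """
    remaining = list(effectiveness)
    del remaining[failed_index]
    return residual_risk(remaining)


def residual_with_common_mode(effectiveness, common_mode):
    """Residual risk when one shared weakness can defeat every layer at once.

    common_mode: probability that the shared weakness is exploited (for
    example, one privileged account that can disable all the controls).
    If it is not exploited, the layers behave independently as above.
    """
    if not 0.0 <= common_mode <= 1.0:
        raise ValueError("common_mode must be in [0, 1]")
    return common_mode + (1.0 - common_mode) * residual_risk(effectiveness)


def compare(layered, single):
    """Return (layered_residual, single_residual, layered_is_better)."""
    a, b = residual_risk(layered), residual_risk([single])
    return a, b, a < b


if __name__ == "__main__":
    three_weak = [0.7, 0.7, 0.7]   # three layers, each stops 70% of attacks
    one_strong = 0.95              # one control that stops 95%
    print(compare(three_weak, one_strong))
    # ~ (0.027, 0.05, True): three weak layers beat one strong control
    print(residual_after_failure(three_weak, 0), residual_after_failure([one_strong], 0))
    # ~ 0.09 vs 1.0: lose one weak layer and 91% of attacks are still stopped
    print(residual_with_common_mode(three_weak, 0.05))
    # ~ 0.0757: a 5% common-mode failure makes the stack worse than the 95% control
```

    The independence assumption is what does the work here, so when you stack controls in practice check that they do not share an administrator, a network path or a vendor; a shared failure point caps how far the product can fall.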

    See also: Risk Management - the Swiss Cheese Model Explained

    The Risk Management Tools of ISO 31010

    While we don't like ISO 31000, we love its companion, ISO 31010.  This Standard contains 40-plus risk management techniques and, while it does not include examples, it sets out how each method works and where it is best used.  It includes methods covering all parts of the Risk Management Process, namely,

    • Risk Identification
    • Consequence (or Severity of the risk event should it occur)
    • Likelihood (or probability of occurrence of the risk event)
    • Level of Risk (for individual events and for combinations of such events)
    • Evaluation, i.e., consideration of the overall level of risk, risk appetite and setting the risk acceptance level.

    Some examples from ISO 31010 are given in the table.

    Some ISO 31010 Techniques

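    As an added example (not from the original post or from ISO 31010 itself), the Python below implements the consequence/likelihood matrix, one of the techniques in the ISO 31010 table, and carries a small register through the process steps listed above: identification (the register), consequence and likelihood on 1-5 ordinal scales, level of risk as their combination, ranking, and evaluation against an acceptance level, followed by treatment to a residual level.  It also makes the earlier point about the 'probability and severity' definition concrete: the scores rank risks but have no absolute meaning, and the product alone cannot tell a frequent trivial event from a rare catastrophic one, so the ranking breaks ties on severity.  The scale descriptors, band thresholds and register entries are constructed assumptions.

```python
"""Semi-quantitative risk matrix: score, rank and evaluate a risk register.

Added example with constructed data. Likelihood and severity are ordinal
1-5 scores; their product is the level of risk (1-25). The level is good
for ranking, not for arithmetic: a level of 10 is not 'twice as risky' as
a level of 5.
"""
from dataclasses import dataclass, replace

# Assumed descriptors for the two ordinal scales.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
SEVERITY = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # key of LIKELIHOOD
    severity: int    # key of SEVERITY

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.severity not in SEVERITY:
            raise ValueError(f"{self.name}: scores must be integers 1-5")

    @property
    def level(self):
        """Level of risk: the semi-quantitative combination of the two scores."""
        return self.likelihood * self.severity


def band(level):
    """Qualitative band for a level of 1-25. Thresholds are an assumption."""
    if level >= 15:
        return "high"
    if level >= 8:
        return "medium"
    return "low"


def rank(risks):
    """Highest level first. Ties are broken on severity, because the product
    alone cannot distinguish a frequent nuisance (5x1) from a rare disaster (1x5)."""
    return sorted(risks, key=lambda r: (r.level, r.severity), reverse=True)


def evaluate(risks, acceptance_level):
    """Split the register against the organisation's risk acceptance level.

    Returns (needs_treatment, acceptable), each ranked. acceptance_level is
    the highest level accepted without further controls.
    """
    needs = rank(r for r in risks if r.level > acceptance_level)
    acceptable = rank(r for r in risks if r.level <= acceptance_level)
    return needs, acceptable


def treat(risk, likelihood=None, severity=None):
    """Residual risk after a control lowers likelihood and/or severity.
    The new instance is re-validated by __post_init__."""
    changes = {}
    if likelihood is not None:
        changes["likelihood"] = likelihood
    if severity is not None:
        changes["severity"] = severity
    return replace(risk, **changes)


# Constructed register; the entries are illustrative only.
REGISTER = [
    Risk("Unpatched internet-facing server", likelihood=4, severity=4),
    Risk("Laptop lost in transit", likelihood=3, severity=3),
    Risk("Printer toner runs out", likelihood=5, severity=1),
    Risk("Data centre fire", likelihood=1, severity=5),
]

if __name__ == "__main__":
    needs, acceptable = evaluate(REGISTER, acceptance_level=6)
    for r in needs:
        print(f"TREAT  {r.level:2} {band(r.level):6} {r.name}")
    for r in acceptable:
        print(f"ACCEPT {r.level:2} {band(r.level):6} {r.name}")
    # Patching takes likelihood from 'likely' to 'rare': level 16 -> 4.
    patched = treat(REGISTER[0], likelihood=1)
    print(f"after treatment: {patched.level} {band(patched.level)}")
```

    Note how the toner shortage and the data centre fire both score 5: the product hides the difference, which is why many organisations use a lookup matrix that weights high severity more heavily rather than a plain multiplication, and why the acceptance level should be agreed by management rather than read off the arithmetic.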

    Risk-based Thinking in ISO 9001

    There was much debate back in 2015, when the revised ISO 9001 Standard was published, about what exactly risk-based thinking was and how the requirement for it should be understood and addressed.  What it boiled down to was that you had to think about risk but you did not have to document it!

    Not a problem, of course, until some auditor asked for evidence that it had been done, which resulted in everyone documenting what they had done!  So, the end result is that today every organization certified to ISO 9001, almost without exception, has documented risk management as part of their QMS documentation.

    In many instances, the risk assessment will be a pretty lightweight effort but it will still be part of the QMS. The best advice is to include in your management system documented risk management (risk evaluation with risk mitigation, as appropriate) applied to each of the processes that make up your QMS.

    See also: ISO 9001 Risk-based Thinking - DOs and DON'Ts.


    Information Security Risk Management with ISO 27005

    ISO 27001, the Information Security Management System standard, and its associated guide, ISO 27002, Code of Practice for information security controls, do not set out how the risk arising from the various threats to information security is to be assessed and treated.

    This is covered by the frequently ignored ISO 27005, Information security risk management.  Its examples of typical vulnerabilities and threats are useful in clarifying three much-misunderstood aspects of information security, namely risk assessment, risk treatment and risk acceptance.

    See also: ISO 27005:2018 Information Security Risk Management


    ISO 45001 requires Risk Management

    Like its 'parent' ISO 9001, this standard calls for risk-based thinking.  In addition, it calls for Risk Management in relation to the occupational health and safety (OH&S) of all persons present at the workplace (e.g., staff, contractors, persons delivering and collecting goods, and visitors) plus those managed from the workplace (e.g., installation, service and maintenance staff and those working from home or on business away from the office).

    The hazards arising at each location and in each process in the workplace must be documented, together with the controls that mitigate each resulting risk.  The applicable regulations (manual handling, noise, dust, VOCs, signage, etc.) must also be documented within the risk management system.

    See also ISO 45001 Certification: 21 FAQs answered and ISO 45001 requires Risk Management and not just Risk-based Thinking.

    ISO 14971 is not a requirement of ISO 13485 but ...

    Section 7.1 of ISO 13485, the medical device management system standard, has a Note, which states: 'Further information can be found in ISO 14971.'  The ISO 14971 Standard is not, therefore, a requirement of ISO 13485; it is not even given the status of a guideline.  How then do you meet the requirement of ISO 13485 that 'The organization shall document one or more processes for risk management in product realization.'?

    There are two key issues to note here ...

    1. The risks to be treated here are risks to patient and/or user safety, not component failures or failures of a process activity to function as intended.

    2. Almost without exception, organizations certified to ISO 13485 choose to include ISO 14971 in their QMS.

    See also ISO 14971 Risk Management: 12 FAQs answered and ISO 13485 requires Risk Management and Risk-based Thinking.

    Training in Risk Management

    We currently have Courses for ISO 14971 with one at the Foundation Level (suitable for internal auditors) and the other at Advanced Level (for lead auditors and Quality Managers/Audit Programme Managers).

    Courses on the ISO 31010 Methods are programmed for Q1 2023.

    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems