Risk Based Thinking (ISO 9001:2015)

Posted by vivek 30/01/2017 0 Comment(s) Quality System,

A special focus has been given to risk-based thinking in the ISO 9001:2015 revision of the quality management system standard. The anticipation of problems and their prevention has been part of all the previous versions. However, the new version makes the risk-based thinking imperative by incorporating it in the requirements for the establishment, implementation, maintenance and continual improvement of the quality management system.


Organizations need to qualitatively analyse the impact of uncertainty in light of the clauses 4.1 and 6.1 of new version of the standard that expects them to identify and address the internal and external issues which could influence organization's ability to provide intended products and services. Accordingly, organizations need to device mechanism to implement, control, evaluate, and review the effectiveness of these actions and these processes in the light of clause 4.4.


Since the purpose of quality management systems is to prevent the possible 'wrongs', the  prescriptive requirement of 'preventive action' has been done away with, thereby imparting more flexibility than previous version.


Though risk-based thinking has been made an essential part of the new standard, it does not actually expect the organization to implement a formal risk management process, Nor does it expect to necessarily document the risk-based approach. Since all the organizations do not face the same kind of risk, the organization may decide the extent to which it needs to formalize their risk based approach depending on the the nature, importance and relevance. The organizations who need to have a formal risk management process are suggested to refer to ISO 31000 standard.


The pointers of the clauses 4.1, 6.1 and 4.4 are given for quick reference:


4.1     Understand the organization and its context:  

Every organization is different and thus it needs to understand clearly its position and relevance in the environment it is working through following pointers:

1. Identification and understanding of organization's unique context through:


  • Considering the external issues such as the social, political, technological, environmental, ethical, legal, and economic environment as may be relevant to the organization's purpose and strategic direction.
  • Considering the internal issues such as a unique structure, processes, own set of culture, beliefs, values, or principles inside the organization relevant for purpose and strategic direction of the organization.

​2.  Monitor information about organization's context.


4.4 Develop a QMS and establish documented information

4.4.1 Keeping in view the context as per the clause 4.1, a QMS needs to be established as per the following pointers for compliance with this standard

  • Developing a process-based quality management system (QMS)
  • Determining the processes that the QMS needs
  • Determining methodologies needed to manage those processes
  • Determining resource requirements to support the processes
  • Determining responsibilities and authorities for the processes
  • Determining risks and opportunities for all the processes
  • Determining methodologies required for evaluation of processes
  • Implementation of the QMS
  • Deciding and applying criteria and methodologies required for operating and controlling the processes
  • Maintaining the QMS
  • Improving the QMS


4.4.2 Maintaining QMS documentation and retaining QMS records

  • Maintaining documents required to support various processes
  • Controlling documents which support processes
  • Retaining and controlling records showing that plans are being followed


 6.1 Defining actions for managing risks and address opportunities


6.1.1 Considering risks and opportunities when while planning the QMS

•  Planning the development of QMS

•  Identifying the risks and opportunities influencing the performance QMS negatively

• Considering the context, how well the QMS is able to achieve intended results

• Considering interested parties, how well the QMS is able to achieve intended results

•  Figure out what is needed to address the risks and opportunities that could influence the performance of  organization's QMS positively or negatively


6.1.2 Planning how to manage risks and opportunities

•  Considering organization's options for addressing risks

•  Defining actions to address the risks and opportunities which might influence the performance of the QMS positively or negatively

Leave a Comment