by: Quality Institute of America (QIA)   |   published on: Sep 23, 2016


Somebody finally got it right… Quality and Quality Systems are all about avoiding risks. Meeting requirements, delighting customers, and other versions of the theme are but manifestations of the underlying desire to protect ourselves and our organizations from risks. Building systems, processes, rules, and protocols to minimize risks brings a sharper focus on what to improve, and how to efficiently improve quality and productivity at all levels, from the enterprise to an individual task. This article explains the role of Risk-Based Thinking in the new ISO 9001:2015. The next one will show some tools and techniques to get the most out of the new mandate regarding risk.



It is quite interesting how people throughout the ages have developed protocols for improving the quality of the products and services that they produce and offer. There are records of Egyptians (and perhaps earlier) who intuitively learned that they needed to plan what they do, design, build/produce, and deliver. They had to settle on measuring devices, calibrate, inspect, correct, and take corrective actions. They built the pyramids that have survived for thousands of years, and in so doing they went far beyond just keeping their customers (Kings and Queens) happy.


Fast forward to the twentieth century, and we see major improvements and sea changes in the list of basic Quality Control and Improvement techniques mentioned above. Use of statistics and industrial engineering started a revolution in the adoption of science and mathematics. However, the theme was still the same: do what is needed to keep His or Her Majesty happy. Their Majesties were replaced for the most part by customers. Techniques like HACCP and PFMEA were developed to help design and manufacture highly reliable and safe products. Even in these cases of quintessential risk management tools, people did not bring in the topic of Risk Management, even though that was the subconscious goal.


Well, it has finally happened. We have finally put our finger on it. Risk Management is the pervasive, underlying and universal desire and technology for ensuring the absolute best products and services are produced and offered. Risk-based thinking is the new standard. The easiest and most direct definition for risk-based thinking is that it seeks to take advantage of any and all opportunities as they arise and prevent undesirable results in an organization’s Quality Management System and related processes.


The concept of risk is used seventy-five times in the new standard. It is used to describe the risk associated with the new requirement centered on risk-based thinking, as well as specific situations or conditions where risk must be considered. The word “risks” is mentioned twenty times. “Risk-based Thinking” is mentioned twenty-eight times in the new standard and is the centerpiece of the new section 6, Planning – the section where the organization addresses risk and opportunity actions related both to Planning and to the implementation of the organization’s Quality Management System.


With the emphasis placed on risk-based thinking, opportunities for improvement (on everything from processes all the way to the overall Quality Management System of an organization) will present themselves, and an organization needs to be aware of these opportunities and make the most of them as they become apparent. The word “opportunities” appears twenty-seven times in the new standard and is centrally linked with risks, both as a requirement for an organization to be aware of and as a tool for improvement in an organization’s processes and overall Quality Management System.


It should be remembered that risk-based thinking gives an organization the ability to recognize and determine what issues or factors could cause its functionality, processes and Quality Management System to deviate or skew away from planned results. Risk-based thinking is now mandated to be pervasive throughout the organization – from the strict adherence to required documentation to the mundane, everyday decision making undertaken by an organization. By instituting this “new way” of thinking, an organization should be able to enact a preventative control program that would minimize, and in some cases eliminate, negative effects on the organization’s operations and allow for maximizing the use of opportunities as they arise.


However, one should note that not all organizations are alike, either in structure or in process achievement. What one entity determines to be a risk, another may deem minimal, irrelevant, or not meeting the definition of a risk at all. Each organization must determine for itself what the definition of risk is (as well as defining opportunities when it sees them). Once a “risk structure” is put into place, an organization may then determine how to inspect for, document and mitigate its risk exposure.


It should be noted that while risk-based thinking and the inspection for risk are required under section 6 of the new standard, an organization IS NOT required to formalize a method for risk management or a documented risk management process. This is in line with the usual outlook of QMS standards since their inception: they do not, for example, specify which sampling plans to use for incoming inspection. It is for the organization to decide which plan, if any, to use. In a similar fashion, the organization can select from a variety of tools and methods. Some of these will be reviewed in the next article.


It is certainly not acceptable to implement this mandate (for risk-based thinking) in a haphazard or random manner. This is true both from the point of view of preparing for an audit and for formally organizing and operating to win in the marketplace. Our advice: spend time to think it through, and yes, document your approach, manner, or method for dealing with the new mandate for Risk-Based Thinking.


QIA offers a wide variety of professional services, such as ISO 9001:2015 consulting and training to assist in transitioning from ISO 9001:2008 to the new 2015 standard. In addition, we offer consulting, auditing and training for a wide variety of standards.
