Somebody finally got it right. Quality, and quality systems, are all about avoiding risks. Meeting requirements, delighting customers, and the other versions of that theme are manifestations of the underlying desire to protect ourselves and our organizations from risk. Building systems, processes, rules, and protocols to minimize risk brings a sharper focus on what to improve and how to improve it efficiently, in both quality and productivity, at every level from the enterprise down to an individual task.

We get that, but what is this "Risk-Based Thinking" that is part of ISO 9001? There is not much guidance on what we should be doing once we are done thinking. This article is intended to provide that guidance.

The Facts

It is quite interesting how people throughout the ages have developed protocols for improving the quality of the products and services they produce and offer. There are records of the Egyptians (and perhaps earlier civilizations) who intuitively learned that they needed to plan what they did, then design, build or produce, and deliver.

They had to settle on measuring devices, calibrate them, inspect, correct, and take corrective action. They built pyramids that have survived for thousands of years, and in doing so they went far beyond merely keeping their customers (kings and queens) happy.

Fast forward to the twentieth century, and we see major improvements and sea changes in the list of basic quality control and improvement techniques mentioned above. The use of statistics, analytics and industrial engineering started a revolution in the adoption of science and mathematics.

However, the theme was still the same: do what is needed to keep His or Her Majesty happy. Their Majesties were for the most part replaced by customers. Techniques like HACCP and PFMEA were developed to help design and manufacture highly reliable and safe products. Even with these quintessential risk management tools, people did not explicitly bring in the topic of risk management, even though that was the subconscious goal.


Well, it has finally happened. We have finally put our finger on it. Risk management is the pervasive, underlying and universal desire, and the discipline, for ensuring that the best possible products and services are produced and offered. Risk-based thinking is the new standard. The easiest and most direct definition of risk-based thinking is that it seeks to take advantage of opportunities as they arise and to prevent undesirable results in an organization's Quality Management System and related processes.

The concept of risk is used over seventy times in the new standard. It is used to describe the risk associated with the new requirement centered on risk-based thinking, as well as specific situations or conditions where risk must be considered. The word "risks" is mentioned twenty times. "Risk-based thinking" is mentioned twenty-eight times in the new standard and is the centerpiece of the new section 6, Planning: the section where the organization addresses actions to address risks and opportunities, both in planning and in the implementation of its Quality Management System.

With the emphasis placed on risk-based thinking, opportunities for improvement (in everything from individual processes to the organization's overall Quality Management System) will present themselves, and an organization needs to be aware of these opportunities and make the most of them as they become apparent. The word "opportunities" appears twenty-seven times in the new standard and is closely linked with risks, both as something the organization is required to be aware of and as a tool for improving its processes and its overall Quality Management System.

It should be remembered that risk-based thinking gives an organization the ability to recognize and determine what issues or factors could cause its functions, processes and Quality Management System to deviate from planned results. Risk-based thinking is now mandated to be pervasive throughout the organization, from strict adherence to required documentation to the mundane, everyday decision-making the organization undertakes. By instituting this "new way" of thinking, an organization should be able to enact a preventive control program that minimizes, and in some cases eliminates, negative effects on its operations while allowing it to make the most of opportunities as they arise.

The Confusion

However, one should note that not all organizations are alike, either in structure or in process maturity. What one entity identifies as a risk, another may deem minimal, irrelevant, or not meeting its definition of a risk at all. Each organization must determine for itself what its definition of risk is (and likewise how it recognizes opportunities). Once a "risk structure" is in place, an organization can then determine how to inspect for, document and mitigate its risk exposure.

It should be noted that while risk-based thinking and the inspection for risk are required under section 6 of the new standard, an organization IS NOT required to formalize a method for risk management or a documented risk management process. This is in line with the usual outlook of QMS standards since their inception: they do not, for example, specify which sampling plans to use for incoming inspection. It is for the organization to decide which plan, if any, to use. In a similar fashion, the organization can select from a variety of tools and methods. Some of these will be reviewed in later articles.

It is certainly not acceptable to implement this mandate for risk-based thinking in a haphazard or random manner. This holds both from the point of view of preparing for an audit and from the point of view of organizing and operating formally in order to win in the marketplace. Our advice: spend the time to think it through, and yes, document your approach, manner and method for dealing with the mandate for risk-based thinking.

The Solution and Conclusion

Clauses 0.3.3 and 6.1 of the fifth edition (2015) of ISO 9001 talk about risk-based thinking and planning. Other parts of the standard and related guidance make the point that you need to have your own plan. Whatever form it takes, we also know that data-based decisions are the best decisions. The challenge is to have a data-driven system that incorporates risk assessment and decisions. It also needs to be rapid and simple, so that we can actually implement the spirit of risk-based thinking: it needs to be pervasive.

We will soon publish a follow-up article on how to do just that. It will be called "It's All About Risk - Part 2".

Choose suitable software for your business from the QISS essential software list. We are always ready to provide you with ISO-based QMS services through the QISS QMS software.