Risk Based Thinking ISO 9001-2015
ISO 9001:2015
1 Introduction
There has been a shift in how companies view quality and compliance, and as a result,
businesses are looking for a more comprehensive method for measuring operational
efficiency.
Risk management processes are proving to be an effective option for this. ISO 9001:2015
now promotes risk-based thinking in quality management systems, but many organizations
aren’t sure what that means or how to go about it.
4 Leadership directives
5 Planning
This section is where preventive action used to be; it has now been replaced with managing
risks and opportunities. It’s important to note that ISO 9001:2015’s take on risk is simple. This
isn’t a directive to go out and build an enterprise risk management programme, or change all of
your processes to comply with the requirements.
The standard directs companies to “promote” risk-based thinking, which is fairly broad and
open to interpretation. Every company should evaluate its own processes in light of the risks
specific to its business or industry.
We can break the planning section down to these salient facts: Risk management is an
objective process that can be repeated and standardized.
Your first goal is to identify the risks in your operations, then determine how you’re going to
measure those risks. After that, you need to figure out treatment options for those risks, and
eventually implement actions and controls to address each risk.
You can accept the risk (i.e., the outcome is worth the risk)
You can transfer risk (perhaps you source out high-risk processes to a partner or
supplier with a better risk management process)
If the risk is simply too high, you can avoid it (i.e., stop the process altogether)
Each company has a different way of treating risk, and it’s up to your risk team to determine
the best way to interpret risk levels.
Once you do, you need to take action on the risks. This is where you’ll want to make use of
your quality management processes such as corrective and preventive actions (CAPA) to
address the risks. You’ll also want to have some means of reporting in place to analyze risks
over time.