
INSIGHT REPORT

RISK-BASED THINKING
IN ISO 9001:2015:
How Understanding Risk
Improves Quality in Your
Organization
Contents

Introduction.................................................................................................................................. 1

A Process for Risk-Based Thinking in ISO 9001:2015................................................................. 1

Demonstrate Risk-Based Thinking to Auditors............................................................................ 4

Quality Tools for Risk Management.............................................................................................. 6

Conclusion................................................................................................................................... 8

References................................................................................................................................... 9

About the Authors...................................................................................................................... 10

About Intelex.............................................................................................................................. 10

Disclaimer
This material provided by Intelex is for informational purposes only. The material may include notification of regulatory activity,
regulatory explanation and interpretation, policies and procedures, and best practices and guidelines that are intended to educate
and inform you with regard to EHSQ topics of general interest. Opinions are those of the authors, and do not necessarily reflect the
opinion of Intelex. The material is intended solely as guidance and you are responsible for any determination of whether the
material meets your needs. Furthermore, you are responsible for complying with all relevant and applicable regulations. We are not
responsible for any damage or loss, direct or indirect, arising out of or resulting from your selection or use of the materials.
Academic institutions can freely reproduce this content for educational purposes.

© INTELEX TECHNOLOGIES, ULC | CAN: 1 877 932 3747 | UK:+44 (0) 1182 149512 | intelex@intelex.com | INTELEX.COM
Introduction
Many people know the basic definition of risk, but it can be much more difficult to
translate that understanding into a strategy for risk-based thinking in an organization.
Fortunately, ISO 9001:2015 incorporates risk-based thinking into its requirements to help
every organization build an implicit understanding of risk into its quality system. In Part II
of our exploration of risk, we'll learn about the risk-based thinking of ISO 9001:2015, how
to demonstrate risk-based thinking to auditors, and the best quality tools you can use for
risk management.

A Process for Risk-Based Thinking in ISO 9001:2015


Understanding the effect of uncertainty—risk—impacts how value is created and
sustained. Even if you do not have an ISO-based QMS, risk-based thinking can be the
cornerstone of your integrated management system—helping your entire organization
become more productive and resilient.

So why adopt risk-based thinking? Fundamentally, risk-based thinking helps us make
better decisions. Although there aren't any solid empirical studies that conclusively
establish the ROI of risk-based thinking, there are plenty of examples of failures and
inefficiencies that come from sticking your head in the sand and pretending that
nothing unexpected will happen—that everything will go totally to plan.

And if you're using ISO 9001:2015 as the basis for your quality management system, then
you don't actually have a choice: risk-based thinking is emphasized throughout the most
recent revision. Although the standard has always contained elements of risk management
(earlier editions called it "preventive action"), risk now takes a much more prominent
role.

Clause 4 requires that you characterize your organization's capabilities and desired
outcomes in the context of internal and external stakeholders' needs. The purpose is to tie
structures for management and continual improvement to business outcomes. The needs
and expectations of "interested parties" or stakeholders (Clause 4.2) must also be
expressly determined.

In the past, ISO 9001 has been criticized because you can demonstrate that you "do all
the things right"—that is, you operate according to your documented processes and
procedures—but following the standard does not guarantee that you will "do all the right
things". You can achieve conformance yet still not have a viable business model. The
changes in ISO 9001:2015 were made to remedy this.

In addition, ISO 9001:2015 has fewer requirements for documentation (for example, you
don't need to produce a quality manual for auditors)—but you still need to document your
processes and maintain and retain records. Finally, ISO 9001:2015 was written to align
with the 10-clause Annex SL high-level structure, making it look and feel the same as
other standards that use Annex SL. This will make integrating environmental management
processes, health and safety processes, and quality management processes easier—and
easier to audit.

The ISO 9001:2015 standard still follows a PDCA (Plan-Do-Check-Act) cycle, and thus is
characterized by data-driven learning and improvement, but the organizational context
informs planning and performance evaluation. It also considers customer needs and
desired business outcomes.

Fig. 1: Clauses of ISO 9001:2015 in relation to PDCA. Inputs to the quality management
system (4): the organization and its context (4), customer requirements, and the needs and
expectations of relevant interested parties (4). Plan: Leadership (5) and Planning (6). Do:
Support (7) and Operation (8). Check: Performance evaluation (9). Act: Improvement (10).
Outputs: products and services, customer satisfaction, and results of the QMS.

According to Aven (2016), risk management is a set of "systematic approaches for
organizing the pros and cons of a decision alternative." Before beginning, make sure that
all your key organizational processes are documented and that you know where the
inevitable variation might emerge.

The risk management process, then, includes the following general steps:

• Establish the Organizational Context. Because risk is relative, first you should define
the purpose of risk management in your organization, the goals you'd reasonably like to
achieve, and the criteria and governance for the risk management process. This is
described by Clause 4 of ISO 9001:2015, Context of the Organization.
• Risk Assessment. Risk assessment is a systematic, multi-step process that starts with
identifying all possible risks and concludes by outlining the likelihood and impacts of
those risks.
— Risk Identification. In this step, call out situations or events (including hazards,
threats, and opportunities) that could affect the organization. Consider the unique
capabilities and orientation of the company.
— Risk Analysis. Once risks are identified, investigating potential causes and
consequences can reveal the places where controls for detection or controls for
prevention should be implemented.
— Risk Evaluation. Assess the likelihood, consequences, and significance of the risks in
the context of the organizational profile. This step provides the information that will
be used to decide how to treat each risk.
• Risk Treatment. Finally, address risks by deciding on appropriate courses of action and
monitor the effectiveness of any decisions that are made. Risk treatments must be
established with the organizational context under consideration.

The process for risk assessment and treatment is summarized in Figure 2 from ISO
31000:2018, Risk management—Guidelines:

Fig. 2: Risk management process in Clause 6 of ISO 31000:2018. Scope, context and
criteria feed a risk assessment (risk identification, risk analysis, risk evaluation),
followed by risk treatment. Communication and consultation, monitoring and review, and
recording and reporting run alongside every step.

Although it may be tempting to avoid risk management entirely, ignoring risks can lead to
cost overruns, time delays, waste and rework, and other unpleasant surprises. This is
why risk management has played a pivotal role in strategic management since the 1970s,
and why Enterprise Risk Management (ERM) and the ISO 31000 guidelines for risk
management have emerged. This is also why the topic has received increased attention
in the latest revision to ISO 9001.

ISO 9001:2015 was published in September 2015 and became the only version against
which organizations can be certified when the three-year transition from ISO 9001:2008
ended in September 2018. For insights into the latest version, read Freeman's What is
ISO 9001:2015 and Why Is It Important.

Demonstrate Risk-Based
Thinking to Auditors
Because risk-based thinking is a critical element of ISO 9001:2015,
organizations need to establish effective ways to demonstrate their activities
to auditors. Fortunately, most activities in the domain of quality management, if
successful, serve to reduce risks. The key is to keep track of how your efforts relate
to risk and, in the case of ISO 9001:2015, to keep records of those activities.

There are many ways to use your quality management system software to maintain and
share the records that demonstrate adequate consideration of risk. For example:
1. Train your staff about risk. Use the training management module of your QMS
software to ensure that everyone in your organization knows the foundational
information about risk, such as:
a. what risks are, as well as the risk profile of your organization based on
stakeholder needs and the organizational profile
b. the relationship between hazards, threats, and risks
c. how (and how often) your organization assesses and monitors risks, and
d. how lessons learned are integrated into processes and the QMS.
2. Prioritize activities with risks in mind. Consider the expected benefits when
determining which corrective action, improvement project, or audit finding to work
next. Incorporating the expected reduction in risk can add to the prioritization decision.
3. Show progress on Action Plans that emerge from quality events like
nonconformances, audits, and management reviews. In ISO 9001:2015, the actions
themselves are required by Clause 6.1 (Actions to address risks and opportunities), and
the inputs to management review in Clause 9.3.2 explicitly include "the effectiveness of
actions taken to address risks and opportunities."
4. Keep records of how risks change after you implement corrective actions or
improvement projects. Not only will this provide information about the effectiveness of
your efforts, but it will also demonstrate that you are incorporating risk into decision
making and evaluation of results.
5. Demonstrate how your organization is continuously improving its physical,
knowledge, and social infrastructures. Improved physical infrastructure enhances
reliability and performance while reducing costs over the long term. Building
knowledge infrastructure improves communication and institutional memory, which
reduces the risks associated with incomplete or outdated information. Improving the
social infrastructure builds resilience, helping your organization recover from risks if
they lead to incidents.
6. Document a comprehensive risk management process, such as the one in Figure 3
created by Bekefi et al. (2008).

Fig. 3: Risk management
process (Bekefi et al, 2008).

Guzik (2016) gets a little more specific and actionable with his recommendations. To
demonstrate risk-based thinking to auditors, show that:
• decisions made (and actions taken) as a result of Management Reviews include
discussion of the uncertainty around the influencing factors and potential outcomes
• risks were a consideration in audit planning or follow-up actions
• changes to your quality management system are made only after reviewing and
considering the impact of risks
• change control processes have risk assessment and mitigation steps
• new business opportunities are pursued only after consideration of all possible
consequences and the uncertainty of impacts on stakeholders, and
• new product development incorporates risk at the planning, design, development, and
testing stages.

These are, of course, representative examples and not a comprehensive list. In general,
any time one of your business processes includes a decision, there is an opportunity to
consider the uncertainty of the inputs and how they might impact the outcome. Similarly,
consider the risks and opportunities that emerge from those actions or decisions.

Risk-based thinking is not just "watered down" risk management—it's the basis for
managing risk in any organization. But while risk management is systematic and
institutional (and sometimes only occasional), risk-based thinking is continuous,
proactive, engaged, and personal.

Quality Tools for Risk Management
There are many tools for risk management. Several of these emerged from the discipline
of quality management as early as the 1960s. Here are some descriptions of risk
identification, analysis, and management tools that are commonly used by both safety
and quality professionals.

Bowtie. The bowtie diagram illustrates causal links between threats (on the left side)
and consequences (on the right side) in high-risk scenarios. At the center of the
bow tie is the top event, the point at which control of a hazard is lost, with a
description of the hazard immediately above the center; barriers (preventive controls on
the left, mitigating controls on the right) sit on the lines between threats, top event and
consequences. Bowtie analysis is often used for risk management in safety.

Control Plan. A control plan lists all the control points that must
be monitored, inspected, or protected during the operation of a
product or the process used to create or assemble the product. This
is one artifact produced by an FMEA/FMECA study.

Critical to Quality (CTQ). CTQ consists of lists of essential features that, if not
satisfied, will adversely impact the ability to satisfy requirements or customer
demands. Features can also be identified as critical to safety, meaning that failure to
meet them can lead to unsafe or dangerous conditions.

Decision Tree. Decision Trees are schematics that illustrate the outcomes when
sequences of decisions are made under uncertainty. Decision trees can help teams
understand how and why certain decisions are made, step by step, and identify actions
to mitigate or treat risk at each step.

Failure Mode and Effects Analysis (FMEA). FMEA is an analytical tool that is used to
articulate the scope of potential failures, as well as their severity, likelihood of
occurrence, and (sometimes) detectability; these three ratings are commonly multiplied
into a Risk Priority Number (RPN) to rank failure modes. The results from an FMEA study,
which can be performed on a production process (PFMEA) or a design (DFMEA), are used
to prioritize risk mitigation and corrective actions.

Failure Mode, Effects and Criticality Analysis (FMECA). FMECA is an extension of FMEA
defined in MIL-STD-1629A, which specifies qualitative and quantitative methods
(criticality analysis) to determine which failure modes are the most significant.

Fault Tree Analysis (FTA). FTA starts from an undesirable top event and works downward
through AND/OR logic gates to the sub-events and basic causes that can produce it, so that
risk can be managed at its source rather than where symptoms are evident. The smallest
combinations of basic causes that lead to the top event (minimal cut sets) show where
corrective actions are most effective.
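The following is an added example, not code from this report or from any standard it cites: a small fault tree evaluator in Python. It propagates basic-event probabilities up through AND/OR gates to the top event, enumerates the minimal cut sets, and ranks each basic cause by how much the top-event probability would fall if that cause were eliminated, which is the quantitative form of "managing risk at its source". The tree, the event names and the probabilities are constructed for illustration, and the arithmetic assumes the basic events are independent.

```python
"""Fault tree evaluation: top-event probability, minimal cut sets, and
where eliminating a cause pays off most.

Added example for this report, not code from Intelex or ISO 31000. The
tree, event names and probabilities below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    probability: float  # P(event occurs) in the analysis period; events assumed independent


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str                    # "AND" (all inputs needed) or "OR" (any input suffices)
    inputs: Tuple["Node", ...]


Node = Union[BasicEvent, Gate]


def probability(node: Node, override: Optional[Dict[str, float]] = None) -> float:
    """Propagate probabilities bottom-up. `override` maps a basic-event name to a
    replacement probability, used to ask "what if this cause were eliminated?"."""
    override = override or {}
    if isinstance(node, BasicEvent):
        return override.get(node.name, node.probability)
    ps = [probability(child, override) for child in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in ps:
            p *= x               # all inputs must occur
        return p
    if node.kind == "OR":
        q = 1.0
        for x in ps:
            q *= 1.0 - x         # probability that none of the inputs occurs
        return 1.0 - q
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """All sets of basic events whose joint occurrence causes `node`."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":                      # any child's cut set triggers the gate
        return set().union(*child_sets)
    combined: Set[FrozenSet[str]] = set()      # AND: one cut set from each child, merged
    for combo in product(*child_sets):
        combined.add(frozenset().union(*combo))
    return combined


def minimal_cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Cut sets with no proper subset that is itself a cut set, smallest first."""
    sets = cut_sets(node)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def basic_events(node: Node) -> List[BasicEvent]:
    """Distinct basic events under `node`, in tree order."""
    if isinstance(node, BasicEvent):
        return [node]
    found: List[BasicEvent] = []
    for child in node.inputs:
        found.extend(e for e in basic_events(child) if e not in found)
    return found


def reduction_if_eliminated(top: Node) -> Dict[str, float]:
    """Drop in P(top) if each basic cause were removed (probability set to 0).
    The largest drop marks the cause where a control is worth most."""
    baseline = probability(top)
    return {e.name: baseline - probability(top, {e.name: 0.0}) for e in basic_events(top)}


# Constructed tree: a contaminated batch reaches the customer only if
# contamination occurs AND the release test fails to catch it.
RAW = BasicEvent("raw material contaminated", 0.02)
CLEAN = BasicEvent("line not cleaned between batches", 0.05)
SKIP = BasicEvent("release test skipped", 0.01)
FALSE_NEG = BasicEvent("release test false negative", 0.10)
CONTAMINATION = Gate("contamination occurs", "OR", (RAW, CLEAN))
UNDETECTED = Gate("contamination not detected", "OR", (SKIP, FALSE_NEG))
TOP = Gate("contaminated batch shipped", "AND", (CONTAMINATION, UNDETECTED))

if __name__ == "__main__":
    print(f"P(top) = {probability(TOP):.6f}")
    for cs in minimal_cut_sets(TOP):
        print("minimal cut set:", sorted(cs))
    for name, drop in sorted(reduction_if_eliminated(TOP).items(), key=lambda kv: -kv[1]):
        print(f"eliminating '{name}' lowers P(top) by {drop:.6f}")
```

With the constructed numbers the top event sits at about 0.75 % per batch, every minimal cut set is a pair (one contamination cause plus one detection failure), and removing the test's false negatives lowers the top-event probability more than removing any single contamination cause, which is why the controls-for-detection question in the Risk Analysis step matters as much as prevention.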

Hazard Analysis and Critical Control Points (HACCP). HACCP is often used to ensure
food safety and quality. This method not only calls out hazards but also establishes
monitor points and thresholds to determine when those hazards may be activated and
require a response.

Hazard Analysis and Risk-Based Preventive Controls (HARPC). HARPC is a more
rigorous approach to hazard analysis and establishing preventive controls to keep food
safe, as required by the 2011 U.S. Food Safety Modernization Act (FSMA). The U.S. Food
and Drug Administration (FDA) requires that HARPC plans are reanalyzed whenever the
processing facility or its processes change significantly, or at least every 3 years,
whichever comes first.

Fig. 4: Risk Matrix from https://community.intelex.com/library/peer-resources/risk-matrix-example.

Hazard and Operability Study (HAZOP). HAZOP outlines risks to people or equipment
that arise from a process and is driven by guide words that help analysts explore how
elements of those processes may diverge from what is expected. For example, a flow
may be examined to see whether it is NO, MORE, LESS, REVERSE, EARLY, or LATE to
identify hazards that may be the source of risk.

Preliminary Hazard Analysis (PHA). PHA is often the first step in a risk assessment. The
PHA table lists the hazards, the causes and effects of those hazards, a category for each
one, and corrective or preventive measures that can be put in place to respond.

Risk Matrix. A Risk Matrix (Figure 4) compares risks to one another by arranging them in
a grid with the likelihood of risk realization on one side and the consequence of that risk
on the other side. Risks that fall into the most critical (red) categories are treated with
higher priority.

Risk Register. A Risk Register is a list that serves as a repository and index for risks,
their characteristics, the response or treatment selected, and how that risk will be
monitored and/or controlled. An Enterprise Risk Register covers the risks that are most
important to the organization as a whole, while functional areas may have their own risk
registers.
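As an added example (not from this report or from Intelex's software), the following Python puts the Risk Matrix and the Risk Register together, and also produces the record that item 4 of the auditor section asks for, namely how each risk changed after treatment: every register entry is rated on a 5x5 likelihood-by-consequence grid before and after treatment, the register is ordered by residual risk, and entries still above the organization's risk tolerance are flagged for escalation. The scales, the red/amber/green thresholds, the tolerance and the four register entries are constructed assumptions; the criteria an organization sets when it establishes its context would replace them.

```python
"""Risk matrix scoring and a risk register that tracks residual risk.

Added example for this report, not code from Intelex or ISO 9001. The
5x5 scales, the red/amber/green thresholds, the tolerance and the register
entries are constructed for illustration; an organization substitutes the
criteria it set when establishing its context (Clause 4).
"""
from dataclasses import dataclass
from typing import List, Tuple

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BAND_RANK = {"green": 0, "amber": 1, "red": 2}   # ordering of the matrix colours


def rate(likelihood: str, consequence: str) -> Tuple[int, str]:
    """Place a risk on the matrix. Score is likelihood x consequence (1..25);
    the band thresholds (red >= 15, amber >= 6) are a constructed convention."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    band = "red" if score >= 15 else "amber" if score >= 6 else "green"
    return score, band


@dataclass
class RiskEntry:
    """One row of the risk register: the risk, its treatment and its monitoring."""
    risk_id: str
    description: str
    owner: str
    inherent: Tuple[str, str]   # (likelihood, consequence) before treatment
    treatment: str
    residual: Tuple[str, str]   # (likelihood, consequence) after treatment
    monitoring: str             # how and how often the risk is watched

    @property
    def inherent_score(self) -> Tuple[int, str]:
        return rate(*self.inherent)

    @property
    def residual_score(self) -> Tuple[int, str]:
        return rate(*self.residual)

    @property
    def reduction(self) -> int:
        """Score drop achieved by the treatment: the record of how the risk changed."""
        return self.inherent_score[0] - self.residual_score[0]


def prioritized(register: List[RiskEntry]) -> List[RiskEntry]:
    """Worst residual band first, then residual score, then inherent score."""
    return sorted(
        register,
        key=lambda r: (BAND_RANK[r.residual_score[1]], r.residual_score[0], r.inherent_score[0]),
        reverse=True,
    )


def needs_escalation(register: List[RiskEntry], tolerance: str = "amber") -> List[RiskEntry]:
    """Entries whose residual risk is still above the band the organization accepts."""
    return [r for r in register if BAND_RANK[r.residual_score[1]] > BAND_RANK[tolerance]]


# Constructed register entries for a manufacturing QMS.
REGISTER = [
    RiskEntry("R-01", "Supplier lot out of specification", "Purchasing",
              ("likely", "major"), "Incoming inspection on every lot; supplier audit",
              ("unlikely", "major"), "Monthly rejected-lot rate"),
    RiskEntry("R-02", "CMM calibration overdue", "Metrology",
              ("possible", "moderate"), "Calibration schedule in QMS with alerts",
              ("rare", "moderate"), "Weekly overdue-calibration report"),
    RiskEntry("R-03", "Single-source critical component", "Engineering",
              ("possible", "severe"), "Second source being qualified; risk accepted meanwhile",
              ("possible", "severe"), "Quarterly review of supplier lead times"),
    RiskEntry("R-04", "Operator training lapse on new line", "Production",
              ("possible", "minor"), "Training module with competency check",
              ("unlikely", "minor"), "Training matrix reviewed at each shift change"),
]

if __name__ == "__main__":
    for r in prioritized(REGISTER):
        print(f"{r.risk_id} {r.residual_score[1]:5} residual={r.residual_score[0]:2} "
              f"inherent={r.inherent_score[0]:2} reduction={r.reduction:2}  {r.description}")
    print("escalate:", [r.risk_id for r in needs_escalation(REGISTER)])
```

The accepted single-source risk (R-03) stays red after treatment and is the one entry returned for escalation; that is exactly the decision a management review should see, together with the reduction column that records what each treatment actually bought.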

Stage-Gate. A Stage Gate establishes rigorous controls (“gates”) for moving to the
next phase (“stage”) of a project or process. It is often used with large concurrent
engineering projects to reduce the risks associated with very large, distributed teams
working on extremely complex design and development.

Conclusion
When organizations plan their business activities, it is tempting to assume that processes
will always run as they're supposed to, that failures will never happen, and that
inefficiencies can always be mitigated by earning more revenue. Yet there are plenty of
examples of what can happen when organizations stick their heads in the sand and
ignore the reality of the world in which we live. Risk-based thinking should be the
cornerstone of your QMS, your integrated management system, and your overall
organizational strategy.

When examining the place of risk in your organization, consider the following:

• ISO 9001:2015 provides a valuable framework for risk-based thinking. It considers
everything from stakeholder requirements to documentation and ties them to business
outcomes.
• Demonstrating your understanding of risk-based thinking to auditors requires training
staff about risk and ensuring you maintain documentation of processes and continual
improvement projects.
• The quality toolbox contains many important tools for risk management, including
FMEA, Decision Trees, and HACCP, that are vital for every quality manager.

This approach can help you get your organization on the right path to effective risk-based
thinking. In Part III of this series, we’ll look at how risk-based thinking and Innovation 4.0
come together to produce powerful new opportunities for innovation.

References
Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of
Operational Research, 253(1), 1-13.
Bekefi, T., Epstein, M. J., & Yuthas, K. (2008). Managing opportunities and risks. CMA Canada.
Costin, A., Wehle, A., & Adibfar, A. (2019). Leading Indicators—A Conceptual IoT-Based Framework to Produce Active Leading
Indicators for Construction Safety. Safety, 5(4), 86.
Cucuzzella, C. (2016). Creativity, sustainable design and risk management. Journal of Cleaner Production, 135, 1548-1558.
Danielsen, A., Olofsen, H., & Bremdal, B. A. (2016). Increasing fall risk awareness using wearables: a fall risk awareness protocol.
Journal of Biomedical Informatics, 63, 184-194.
Freeman, G. (2018). What is ISO 9001:2015 and Why Is It Important? Intelex Insight Report, available from https://www.intelex.com/
resources/insight-report/what-iso-90012015-and-why-it-important
Guzik, J. J. (2016). Prove It. Quality Progress, 49(6), 61. Available from http://asq.org/quality-progress/2016/06/standards-outlook/
prove-it.html
Illés, B. C., Szuda, C., & Dunay, A. (2017). Quality and management–tools for continuous and systematic improvement of processes. In
Management and Organization: Concepts, Tools and Applications. Suffolk: Pearson Education Limited, 99-108.
Institution of Occupational Safety and Health (IOSH UK) (2017). Joined-up working – an introduction to integrated management systems.
John, E., & Cianfrani, C. A. (2016). Where Is Preventive Action? Quality Progress, 49(3), 56. Retrieved from http://asq.org/quality-
progress/2016/03/standards-outlook/where-is-preventive-action.html and https://search.proquest.com/docview/1774763783/
fulltextPDF/C893D375DBD740C4PQ/1?accountid=11667
Kendall, K. (2017). The Increasing Importance of Risk Management in an Uncertain World. The Journal for Quality and Participation,
40(1), 4.
Laqua, R. (2018, August 14). New Quality Strategies: Turn your "Risk Management" into "Risk-Based Thinking"! Available
from https://community.intelex.com/explore/posts/new-quality-strategies-turn-your-risk-management-risk-based-thinking
Laqua, R. (2018, August 23). Demystifying Risk. Intelex Community Webinar. Available from https://community.intelex.com/library/
peer-resources/demystifying-risk
Lockton, D., Harrison, D., & Stanton, N. A. (2010). The Design with Intent Method: A design tool for influencing user behaviour. Applied
Ergonomics, 41(3), 382-392.
Radziwill, N. M. (2020). Connected, Intelligent, Automated: The Definitive Guide to Digital Transformation with Quality 4.0. ASQ Quality
Press, Milwaukee WI.
Valentic, S. (2018, August 10). 5 Tips to Prevent Slips, Trips and Falls [Infographic]. EHS Today. Available from https://www.ehstoday.
com/safety/article/21919742/5-tips-to-prevent-slips-trips-and-falls-infographic
Willumsen, P., Oehmen, J., Rossi, M., & Welo, T. (2017). Applying lean thinking to risk management in product development. In Proc.
21st Intl. Conf. on Engr. Design (ICED 17), Vancouver, 269-278.

About the Authors
NICOLE RADZIWILL
Nicole Radziwill is SVP Quality & Strategy at Ultranauts Inc. She is a Fellow of the American Society for
Quality (ASQ), a Certified Six Sigma Black Belt (CSSBB), a Certified Manager of Quality and Organizational
Excellence (CMQ/OE), and editor of Software Quality Professional with a PhD in Quality Systems from
Indiana State. She is one of ASQ’s Influential Voices and blogs at http://qualityandinnovation.com.

GRAHAM FREEMAN
Graham Freeman is a writer and editor at Intelex Technologies, ULC in Toronto, Canada. He has written
extensively on topics such as quality, health and safety, environmental sustainability, and knowledge
organization. Graham works and teaches as a technical writer in Toronto.

About Intelex
Intelex Technologies, ULC is a global leader in environmental, health, safety and quality (EHSQ)
management software. Since 1992 its scalable, web-based platform and applications have helped
clients across all industries improve business performance, mitigate organization-wide risk, and
ensure sustained compliance with internationally accepted standards (e.g., ISO 9001, ISO 14001, ISO
45001 and OHSAS 18001) and regulatory requirements. Virgin Atlantic, Brinks, Air Liquide, Lafarge,
Volvo and over 1,300 customers in 150 countries trust Intelex to power their EHSQ initiatives. Intelex
is one of North America’s fastest-growing technology companies, recognized as a Great Place to
Work for over 7 years, recipient of Waterstone’s Most Admired Corporate Cultures award, and
Deloitte’s Best Managed Companies award. For more information, please visit www.intelex.com.

