Applying the Risk Based Thinking approach within your organisation

How to adopt the Risk Based Thinking approach within your organisation.

Purpose of this post

• explain risk-based thinking

• address perceptions and concerns that risk-based thinking replaces the process approach

• address the concern that preventive action has been removed from ISO 9001:2015

• explain in simple terms each component of risk-based thinking

What is risk-based thinking?

One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to considering risk, rather than treating “prevention” as a separate component of a quality management system.

Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions. Risk-based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system.

In previous editions of ISO 9001, a clause on preventive action was separated from the whole. By using risk-based thinking the consideration of risk is integral. It becomes proactive rather than reactive in preventing or reducing undesired effects through early identification and action. Preventive action is built-in when a management system is risk-based.

Risk-based thinking is something we all do automatically in everyday life.

Example: If I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car.

Risk-based thinking is already part of the process approach.

Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives. Some need more careful and formal planning and controls than others.

Example: To cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks.

Risk is commonly understood to have only negative consequences; however the effects of risk can be either negative or positive.

In ISO 9001:2015 risks and opportunities are often cited together. Opportunity is not the positive side of risk. An opportunity is a set of circumstances which makes it possible to do something. Taking or not taking an opportunity then presents different levels of risk.


Crossing the road directly gives me an opportunity to reach the other side quickly, but if I take that opportunity there is an increased risk of injury from moving cars.

Risk-based thinking considers both the current situation and the possibilities for change.

Analysis of this situation shows opportunities for improvement:

a subway leading directly under the road

pedestrian traffic lights, or

diverting the road so that the area has no traffic

Why use risk-based thinking?

By considering risk throughout the system and all processes the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service.

Risk-based thinking:

• improves governance

• establishes a proactive culture of improvement

• assists with statutory and regulatory compliance

• assures consistency of quality of products and services

• improves customer confidence and satisfaction

Successful companies intuitively incorporate risk-based thinking.

Understand your risks

What is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another?


Objective: I need to safely cross a road to reach a meeting at a given time.

It is UNACCEPTABLE to be injured.

It is UNACCEPTABLE to be late.

Reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time.

Check the effectiveness of the action – does it work?


I arrive at the other side of the road unharmed and on time: this plan worked and undesired effects have been avoided.

Learn from experience – improve


I repeat the plan over several days, at different times and in different weather conditions.

This gives me data to understand that changing context (time, weather, quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time and avoiding injury).

Experience teaches me that crossing the road at certain times of day is very difficult because there are too many cars. To limit the risk I revise and improve my process by using the footbridge at these times.

I continue to analyse the effectiveness of the processes and revise them when the context changes.

I also continue to consider innovative opportunities:

can I move the meeting place so that the road does not have to be crossed?

can I change the time of the meeting so that I cross the road when it is quiet?

can we meet electronically?


Risk-based thinking:

• is not new

• is something you do already

• is on-going

• ensures greater knowledge of risks and improves preparedness

• increases the probability of reaching objectives

• reduces the probability of negative results

• makes prevention a habit

Join our mailing list to receive upcoming posts:


Get In Touch

Scroll to Top