Risk Based Thinking

The latest version of the International Organization for Standardization (ISO) 9001 now requires companies to address risk within the quality management system (QMS). This forces you to be proactive rather than reactive, which promotes continual improvement.

“Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions. Risk-based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system.”

In previous revisions of the standard, preventive action was a separate aspect of the requirements; now risk is woven throughout. Risk-based thinking makes preventive action part of your organization’s routine. Although many people think of risk only in a negative way, ISO defines risk as any outcome that deviates from the predicted objectives. This means that risk can also have a positive side.

While adhering to standards can require additional work, most companies benefit from meeting the requirements because of the order and stability they bring to business strategy, operations, and results.

Risk-based thinking offers the following benefits:

  • Prevention: Risk-based thinking helps reduce and eliminate delays, costs, and customer dissatisfaction caused by problems that should have been caught earlier in the planning and development stages of products and services.
  • Identify opportunities: Every business process should include steps that explicitly ask the question, “Is there an opportunity here we might have overlooked?” when a problem or challenge is encountered. Many of the world’s greatest inventions have their origins in “mistakes.”

Here are several tools to help your organization maintain a systematic approach to risk.

  • Risk-Based Thinking Training – helps all process owners understand how to assess risk.
  • Risk Management Exercise – a simple approach to risk management that can be applied throughout the organization.
  • Using FMEA to Manage Risk and FMEA Training, as well as Bowtie – technical approaches to identifying and managing risks.

Risks identified during day-to-day operations are typically addressed as a normal part of doing business through a company’s QMS. However, discovering risks that aren’t generated through day-to-day operations must be done through an orderly process. Here is a suggested approach.

To start with, most company risks stem from the relationships between the company and each of its interested and affected parties, especially in terms of what each wants or expects from the other. This could be defined within a simple “Needs and Expectations” register as indicated below:

From your “Needs and Expectations” register, define the following:

  1. What’s at risk if the expectations aren’t met?
  2. Which relationships are at risk and which aren’t? Why or why not?
  3. What’s the potential impact of the risk? How will it be dealt with?

Incorporating a similar chart and questions into strategic and operational discussions can go a long way to identifying risks early and dealing with them before their impact expands.
Regardless of the level of interest in ISO 9001, a systematic approach to identifying and addressing risk is essential to prevent or minimize undesired outcomes and to allow business leaders to be more confident when making decisions.