Risk Based Thinking


In the 2008 revision of ISO 9001, risk-based thinking was limited to clause 8.5.3, Preventive action, whereas in the 2015 revision risk is considered from the beginning and throughout the standard, making preventive action part of strategic planning as well as of operation and review. By taking a risk-based approach, an organisation is proactively preventing or reducing.

By considering risk throughout the organisation, the likelihood of achieving stated objectives is improved, output is more consistent, and customers can be confident that they will receive the expected product or service.


What does risk mean?

Risk is defined as the “effect of uncertainty” in ISO 9001:2015. An effect is a deviation from the expected, positive or negative. Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or its likelihood.

Risk is commonly understood to be negative. In risk-based thinking opportunity can also be found which is sometimes seen as the positive side of risk. For example, crossing the road directly gives us an opportunity to reach the other side quickly, but there is an increased risk of injury from moving cars. The risk of using a footbridge is that we may be delayed. The opportunity of using a footbridge is that there is less chance of being injured by a car.

Opportunity is not always directly related to risk, but it is always related to the objectives. By considering a situation it may be possible to identify opportunities for further improvement. In the above-mentioned example, an analysis of the situation shows further opportunities for improvement, such as a subway leading directly under the road, pedestrian traffic lights, or diverting the road so that the area has no traffic.


Risk in ISO 9001:2015

ISO 9001:2015 builds risk-based thinking into its requirements in the following way throughout the standard:

  • Clause 4 (Context): the organisation is required to determine the risks that may affect this context.
  • Clause 5 (Leadership): top management is required to commit to ensuring Clause 4 is followed.
  • Clause 6 (Planning): the organisation is required to take action to identify risks and opportunities.
  • Clause 8 (Operation): the organisation is required to implement processes to address risks and opportunities.
  • Clause 9 (Performance evaluation): the organisation is required to monitor, measure, analyse and evaluate the risks and opportunities.
  • Clause 10 (Improvement): the organisation is required to improve by responding to changes in risk.


A step-by-step risk-driven approach

  1. Identify what the risks and opportunities are, depending on the context of the organisation
  2. Analyse and prioritise the risks and opportunities based on their likelihood and consequence to the business
  3. Plan actions to address the risks and opportunities: eliminate or mitigate the risks and consider the opportunities for business improvement
  4. Implement the plan and take the actions
  5. Evaluate the effectiveness of the actions
  6. Learn from experience and improve continually



  • Risk-based thinking is not new
  • Risk-based thinking is something we do already
  • Risk-based thinking is continuous
  • Risk-based thinking ensures greater knowledge and preparedness
  • Risk-based thinking increases the probability of reaching objectives
  • Risk-based thinking reduces the probability of poor results
  • Risk-based thinking makes prevention a habit




Source: http://www.cbisco.com.au/risk-based-thinking-in-iso-90012015/ 
