ISO 9001:2015 revision explained: Risk-based thinking

In the 2015 revision of the ISO 9001 standard, it moved away from what it previously called "preventive action" towards a "risk-based approach." Preventive action was found to be lacking when it came to driving change and continuous improvement. The ISO 9001 risk-based thinking approach has proven to be much more effective in allowing organizations to become stronger, fitter businesses.

Taking a risk-based approach means:

• Determining the risks and opportunities
• Planning actions to address them
• Implementing them in a quality management system
• Evaluating their effectiveness

All this ensures your organization is proactive rather than reactive, preventing potentially damaging events and promoting improvement. Once a management system is risk-based, preventive action is automatic. That is why ISO 9001 introduced risk-based thinking and why many other ISO standards based on ISO 9001 (e.g. ISO 15189, ISO 17025 and ISO 13485) have all subsequently introduced risk-based thinking in some capacity. Of course, with the planned 2026 revision to ISO 9001 looming, we expect that the risk-based thinking approach may evolve further – at which point we will update our resources on ISO 9001. But for now, we will focus on risk-based thinking in ISO 9001:2015.

Though we commonly understand risk to be negative, risk-based thinking has a more positive slant in that it provides opportunities for improvement and enables businesses to make strategic decisions. Applying a robust quality management system is another important aspect.

Here at Ideagen, we believe quality management is constantly going through a state of metamorphosis. Quality professionals must change the opinion of those in organizations that view quality as simply improving compliance. It's more than that – it can empower a business by reducing risk. Even better, a good quality management system not only enables you to reduce risk, but also take risks. And risks can lead to reward when they are calculated.

Reducing risk to take more risks may sound counterintuitive, even paradoxical, but that’s where the power of quality can shine through. By considering compliance risks, you can drive a business forward by giving it the power and control to take educated risks to gain positive results.

Determining risks and opportunities

In order to achieve positive results through the risk-based approach, how do you determine your risks and opportunities and the appropriate level of action to address them? To do this, you need to determine your objectives before you can identify things that might get in the way of meeting them.

You must consider:

• Issues that may affect your organization’s values, culture, knowledge and performance
• How these issues may impact your ability to deliver products and services that meet customers' needs and any regulations that may apply

Look at them both from an internal and external perspective: strategies to achieve your policies and objectives. Key considerations include your relationship with your staff and stakeholders (including partners and suppliers) and issues arising from political, economic, social and technological changes within the sector.

Analyzing and prioritizing your risks and opportunities

ISO 9001 defines a risk as "the effect of uncertainty on an expected result". To summarize:

• An effect is a deviation from the expected – positive or negative
• Risks are about what could happen and what effect it might have
• Risk also considers the likelihood of an event occurring

Though ISO 9001 doesn't formally say you must do a full risk assessment or maintain a risk register, it does say you must monitor, measure, analyze and evaluate the risks and opportunities. There are various methods to approaching ISO 9001 risk-based thinking – which method is appropriate to you is determined by the context of your organization.

In smaller organizations, it may be sufficient to simply provide appropriate records of risk-based thinking and to ensure control of business processes (e.g. by regularly reviewing documentation, keeping clear records of training and competence, recording sufficient data for analysis and continual improvement).

In contrast, many busy quality teams in larger organizations use risk registers as a framework for assessing, evaluating and prioritizing risks. Software solutions like those we offer at Ideagen enable you to identify and assess risks looking at “likelihood” and “impact.” This allows you to identify the top risks to your organization and how to deal with them, pinpointing the key opportunities and what you can do right now to exploit them. It takes the guesswork out of decision-making with comprehensive data at your fingertips.

Planning and implementing actions to address risk

Planning actions to address risks and opportunities as part of ISO 9001 risk-based thinking can include:

• Avoiding risk
• Eliminating the source of the risk
• Changing the likelihood or consequences (likelihood and impact)
• Sharing the risk
• Retaining risk by informed decision
• Taking risk to pursue an opportunity

When you are planning your own actions, again, you must consider the context of your organization. Planning actions to mitigate a potential fault with a nuclear reactor at a power plant will be much more thorough and meticulous than if you were mitigating the risk of the wrong sandwiches being ordered for the staff vending machines.

Similarly, the risk of an economic downturn in a country with which your organization has little trade or links is minor compared to a recession in the country in which you solely trade and operate. Understanding your organization and its strategic direction is essential if you're going to determine and address the associated risks.

Many organizations utilize software solutions to implement actions to address risks. Ideagen offer a range of solutions that enable you to effectively monitor corporate strategies via a golden thread that links objectives to risk to real-time performance monitoring. Proactive awareness of performance and risk generates transparency, opportunity and synergy in your organization.

Checking the effectiveness of the actions – do they work?

Evaluation is essential for the ISO 9001 risk-based approach. In simple terms, checking whether actions to address risk are effective means asking "do they work?" There are various ways you can do this, including:

• Audits and internal reviews
• Analyzing key performance indicators (KPIs)
• Project evaluations

One important thing to bear in mind is making sure you have the right data available to make informed decisions. By improving how you aggregate risk data, you can make much stronger, better judgements. This leads to you becoming more efficient, making fewer losses and ultimately increasing profitability. Taking a data-led approach is critical for effective adoption of an ISO 9001 risk-based approach.

Many organizations now employ KPI dashboards so they can have real-time, instant access to management information. Having an overarching view of the key performance indicators you've set means you can track your performance in critical areas and make informed strategic decisions.

Instant access to risk assessments, audit reports, non-conformance and CAPA statuses, customer complaints and document notification confirmations gives you the ability to “take the temperature” of your organization, analyze trends and demonstrate that your organization has a “culture of compliance.”

Moving forward

The concept of risk has always been implicit in ISO 9001 and many organizations take a risk-based approach intuitively. But the 2015 revision of the standard made it more explicit and encourages organizations to build it into their entire management system.

Business risks are ever-growing worldwide, reflecting widespread political, economic and social uncertainties. ISO 9001 makes it mandatory for you to adopt a risk-based approach, so that you improve customer confidence and satisfaction, assure a consistency of quality of goods and services and establish a proactive culture of prevention and improvement. Every organization should see risk-based thinking as an opportunity and a step in the right direction.

Investing in the right tools to embrace ISO 9001 risk-based thinking

Investing in the right quality tools is essential for successfully embracing ISO 9001's risk-based thinking. These tools enable organizations to identify, assess and mitigate potential risks effectively, ensuring robust quality management and operational excellence. Ideagen offers comprehensive solutions tailored to meet ISO 9001 requirements, facilitating real-time risk assessment, streamlined documentation and proactive issue resolution.

By leveraging Ideagen’s software, organizations can achieve a systematic and integrative approach to risk management, ultimately supporting continuous improvement and audit readiness.