Understanding Risk-Based Thinking - ISO 9001:2015

The 2015 revision of the ISO 9001 standard introduced a "risk-based approach" in place of what it previously called preventive action. The risk-based approach is likely to be much more effective in helping organizations become stronger and more competitive, and in reducing losses.

Risk-Based Thinking vs. Preventive Action
Risk-based thinking is no different from controlling and managing your risks to prevent issues from occurring, which is ordinary risk management. This, of course, is what preventive action always was; it was just that nobody understood it. Preventive action was mistaken in many ways. For instance, CAPA (Corrective and Preventive Action) forms recorded the action taken to fix a nonconformity and prevent its recurrence, yet there was no form for capturing preventive actions as the standard defined them, i.e. action to eliminate the cause of a potential nonconformity or other potential undesirable situation. Another instance: when planning to achieve an objective, one anticipates what could go wrong and makes provision for mitigating those possibilities. This is actually a preventive measure, but it was misleading because preventive action in the previous version of the ISO standard was placed under the heading of improvement, whereas ideally it belongs under planning, design and development.

Risk-Based Approach

The risk-based approach in ISO 9001:2015 involves the following four key steps:
  • Determine the risks and opportunities
  • Develop plans to address them
  • Implement them in Quality Management System (QMS)
  • Evaluate the effectiveness of these actions
At the simplest level, risk-based thinking means assessing a situation by looking for the potential for success and for failure, and then weighing the potential benefits against the threats. So, one has to ask the following questions while examining a process to identify its inherent risks:
  • What are we trying to achieve?
  • What may go wrong? (Identify the uncertainties: the things that help or hinder achievement of the objective.)
  • What is the likelihood that these uncertainties will occur?
  • What are the likely consequences or effects if the uncertainties occur?
  • Which of these is the most important? (Risk assessment)
  • What can we do to control the uncertainties? (Risk treatment)

Creating a Risk Register to Incorporate the Risk-Based Approach
ISO 9001 does not specify how to implement risk management; it is left to each organization to adopt the methodology that suits it best from the many international models and frameworks on risk management. In this section, we will see how to create a risk register.

The first thing we need to do is write down the process steps in a spreadsheet. For each step, we identify what could go wrong, i.e. the risks. After listing all the risks, we assign High, Medium or Low severity (or numeric ratings) so that we can prioritize the risks for treatment. Not all risks can be treated, since treatment costs money and resources, so organizations need to decide on threshold limits. In the risk treatment section, we establish controls stating who does what, when, where and how to ensure the risks are mitigated. The table below illustrates a risk register template.

[Risk Register Template: columns include Process Steps and Risk priority (HML)]
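The register described above, worked through in code as an added example (it is not the article's template nor any ISO-mandated method). It assumes a hypothetical 1-5 scale for likelihood and consequence, scores each risk as their product, maps the score onto H/M/L bands at the assumed cut-offs of 15 and 6, and applies an organization-chosen threshold to decide which risks get a who/what/when/where/how treatment. The sample register for a software release process is constructed for illustration.

```python
"""Minimal risk register: score, prioritise and select risks for treatment."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed 1-5 rating scales (the article uses H/M/L labels only; these
# numeric bands are this example's convention, not the standard's).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Treatment:
    """Controls for a risk: who does what, when, where and how."""
    who: str
    what: str
    when: str
    where: str
    how: str


@dataclass
class Risk:
    process_step: str
    description: str
    likelihood: str
    consequence: str
    treatment: Optional[Treatment] = None

    @property
    def score(self) -> int:
        # Likelihood x consequence on a 1..25 scale
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    @property
    def priority(self) -> str:
        return rate(self.score)


def rate(score: int) -> str:
    """Map a numeric score onto H/M/L bands (assumed cut-offs: 15 and 6)."""
    if score >= 15:
        return "H"
    if score >= 6:
        return "M"
    return "L"


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties keep register order (sorted is stable)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def select_for_treatment(risks: List[Risk], threshold: int) -> List[Risk]:
    """Only risks scoring at or above the organisation's threshold get treated."""
    return [r for r in prioritise(risks) if r.score >= threshold]


def render(risks: List[Risk]) -> str:
    """Plain-text register: Process Step | Risk | Score | Priority | Treatment."""
    lines = ["Process Step | Risk | Score | Priority | Treatment (who: what, when)"]
    for r in risks:
        t = f"{r.treatment.who}: {r.treatment.what}, {r.treatment.when}" if r.treatment else "-"
        lines.append(f"{r.process_step} | {r.description} | {r.score} | {r.priority} | {t}")
    return "\n".join(lines)


# Constructed sample register for a software release process (not from the article)
REGISTER = [
    Risk("Deploy", "Deployment credentials shared by e-mail", "possible", "severe",
         Treatment("Release manager", "store secrets in the vault and rotate on exposure",
                   "before each release", "CI/CD pipeline", "vault policy plus rotation script")),
    Risk("Requirements review", "Ambiguous requirement reaches development", "likely", "moderate",
         Treatment("Product owner", "acceptance-criteria sign-off", "at sprint planning",
                   "backlog tool", "definition-of-ready checklist")),
    Risk("Deploy", "Untested configuration change reaches production", "possible", "major",
         Treatment("DevOps lead", "route config changes through staging", "every change",
                   "staging environment", "pipeline gate")),
    Risk("Release notes", "Typo in release notes", "rare", "negligible"),
]

if __name__ == "__main__":
    # Risks below the threshold (here 6) are accepted rather than treated
    print(render(select_for_treatment(REGISTER, threshold=6)))
```

Running the block prints the three risks at or above the threshold, highest score first; the typo risk scores 1 and is left untreated, which is the threshold decision the article says each organization has to make for itself.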
About Author

Sachin Desai is associated with TDG's Process team. He has over a decade of experience in the field of Software Quality Assurance and Process Consultancy (SQA and SEPG member). He has good knowledge of ISO standards (ISO 9001, 27001, 22301, 20000), the CMMI framework (Dev and Svc) and Six Sigma implementation for process improvement. He likes to share his learnings through training sessions, blogs and articles.
