
Risk Based Thinking – How to solve the problem during transition from 9001:2008 to 9001:2015

Risk Based Thinking and the transition from ISO 9001:2008 to ISO 9001:2015

There’s been a shift in how companies view quality and compliance, and as a result, businesses are looking for a more comprehensive method for measuring operational efficiency. Risk management processes are proving to be an effective option for this. ISO 9001:2015 now promotes risk-based thinking in quality management systems, but many organizations aren’t sure what that means or how to go about it.

Let's talk about risk-based thinking for a moment before we dive in. What really is risk-based thinking? It is something we all do automatically, often subconsciously, to get the best results. The concept of risk has always been implicit in ISO 9001; the 2015 revision, however, makes it explicit and builds it into the whole of the management system. Risk-based thinking ensures risk is considered from the beginning and throughout the process approach, and it makes preventive action a regular part of strategic planning. Risk is often thought of only in the negative sense, but risk-based thinking can also help identify opportunities, which can be considered the positive side of risk.

What is “Risk-Based Thinking”?

  • Risk-based thinking is something we all do automatically and often sub-consciously
  • The concept of risk has always been implicit in ISO 9001 – the 2015 revision makes it more explicit and builds it into the whole management system
  • Risk-based thinking is already part of the process approach
  • Risk-based thinking makes preventive action part of the routine
  • Risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk

The main objective of ISO 9001 is to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services and to enhance customer satisfaction.

The concept of risk in the context of ISO 9001:2015 relates to the uncertainty of achieving such objectives.  The concept of opportunity in the context of ISO 9001 relates to exceeding expectations and going beyond stated objectives.

Risk in the clauses

The concept of risk-based thinking is introduced in clause 4, where the organization is required to determine the risks that can affect its ability to meet these objectives. In clause 5, top management is required to commit to ensuring clause 4 is followed. In clause 6, the organization is required to take action to identify risks and opportunities. In clause 8, the organization is required to implement processes to address risk, and in clause 9 it is required to monitor, measure, analyze and evaluate the risks and opportunities. In clause 10, the organization is required to improve by responding to changes in risk.

Why Should I adopt Risk Based Thinking?

  1. Let’s be honest, it’s required by the new edition, ISO 9001:2015
  2. Successful companies intuitively take a risk-based approach because it brings benefits
  3. To improve customers’ confidence and satisfaction
  4. To ensure consistency in the quality of goods and services
  5. To establish a proactive culture of prevention and improvement


From ISO 9001:2015, "Risk-based thinking"

The concept of risk-based thinking has been implicit in previous editions of this International Standard, e.g. through requirements for planning, review and improvement. This International Standard specifies requirements for the organization to understand its context (see 4.1) and determine risks as a basis for planning (see 6.1). This represents the application of risk-based thinking to planning and implementing quality management system processes (see 4.4) and will assist in determining the extent of documented information.

One of the key purposes of a quality management system is to act as a preventive tool. Consequently, this International Standard does not have a separate clause or subclause on preventive action. The concept of preventive action is expressed through the use of risk-based thinking in formulating quality management system requirements.

The risk-based thinking applied in this International Standard has enabled some reduction in prescriptive requirements and their replacement by performance-based requirements. There is greater flexibility than in ISO 9001:2008 in the requirements for processes, documented information and organizational responsibilities.

Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards.

Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations. Under the requirements of 6.1, the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.

What does this mean to my business?

Well, this means a few things, and there is always more than one way to address the problem. Here I will detail how we have chosen to solve the problem of explicit risk-based thinking without reinventing the wheel.

If you’ve read the ISO 9001:2015 edition of the standard, you’ll notice there is no room for NCRs anymore, there is heavy emphasis on CARs, and there is no mention of Preventive Action Requests. So what does all this mean? It means a few changes need to be made.

  1. NCRs become “Deviations and Risks”
  2. CAPAs become CARs only
  3. Opportunities: a new list we track for positive opportunities
  4. NCRs and CAPAs (now Risks and Deviations, and CARs) are tracked with a little extra metadata:
    • Likelihood
    • Consequence
    • Both are tracked on a ranged scale, normally 1-6, with 1 being the least and 6 being the most
    • This data can be charted on a pivot chart to identify key areas of significance and outstanding Risks & Deviations and CARs
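As an added illustration of the tracking scheme above (this is example code written for this post, not the author's own register or template), the following Python keeps a small register of Risks, Deviations, CARs and Opportunities with the likelihood and consequence metadata on the 1-6 scale, validates that scale, ranks the open items, and builds the per-area, per-type summary a pivot chart would show. Two things are assumptions rather than anything the post states: significance is computed as likelihood times consequence, and a threshold of 12 marks an item as significant. The register entries are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# The post's ranged scale: 1 is the least likely / least severe, 6 the most.
SCALE_MIN, SCALE_MAX = 1, 6


@dataclass(frozen=True)
class Record:
    ref: str            # register reference, e.g. "RD-001" (constructed format)
    kind: str           # "Risk", "Deviation", "CAR" or "Opportunity"
    area: str           # process or area the record belongs to
    likelihood: int     # 1..6
    consequence: int    # 1..6
    is_open: bool = True


def validate(rec):
    """Reject a record whose likelihood or consequence is off the 1-6 scale."""
    for name, value in (("likelihood", rec.likelihood), ("consequence", rec.consequence)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{rec.ref}: {name}={value} outside {SCALE_MIN}-{SCALE_MAX}")
    return rec


def score(rec):
    # Assumption: significance = likelihood x consequence (1..36). The post
    # only says both values are charted, not how they are combined.
    return rec.likelihood * rec.consequence


def ranked_open(records):
    """Outstanding items, most significant first (stable for equal scores)."""
    return sorted((r for r in records if r.is_open), key=score, reverse=True)


def pivot(records, threshold=12):
    """Summarise open records per (area, kind) the way a pivot chart would:
    how many, the highest score, and which refs meet the significance threshold.
    The threshold value is an assumption for the example."""
    table = defaultdict(lambda: {"count": 0, "max_score": 0, "significant": []})
    for rec in records:
        if not rec.is_open:
            continue  # closed items are not outstanding, so they drop out
        cell = table[(rec.area, rec.kind)]
        cell["count"] += 1
        cell["max_score"] = max(cell["max_score"], score(rec))
        if score(rec) >= threshold:
            cell["significant"].append(rec.ref)
    return dict(table)


# Constructed sample register, not real quality data.
REGISTER = [validate(r) for r in (
    Record("RD-001", "Deviation", "Purchasing", 4, 5),
    Record("RD-002", "Risk", "Purchasing", 2, 6),
    Record("RD-003", "Risk", "Production", 5, 3),
    Record("CAR-010", "CAR", "Production", 3, 2, is_open=False),
    Record("CAR-011", "CAR", "Calibration", 6, 4),
    Record("OPP-001", "Opportunity", "Sales", 3, 4),
)]


if __name__ == "__main__":
    print("Outstanding items by significance:")
    for rec in ranked_open(REGISTER):
        print(f"  {rec.ref:8} {rec.kind:12} {rec.area:12} "
              f"L={rec.likelihood} C={rec.consequence} score={score(rec)}")
    print("Pivot by area and type:")
    for (area, kind), cell in sorted(pivot(REGISTER).items()):
        print(f"  {area:12} {kind:12} {cell}")
```

Because the scale is enforced at entry, a mistyped 7 cannot silently skew the chart, and because closed CARs are excluded from the pivot, the summary shows only what is still outstanding, which is what an auditor will ask about.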

So with relatively few changes we can convert an older ISO 9001:2008 system into a system that complies with the risk-based thinking requirements.

Contact us today to find out more about how we can assist you in the transition.
