The phrase risk-based thinking is used to describe the way
in which ISO 9001:2015 addresses the question of risk. The concept of risk has
always been implicit in ISO 9001, by requiring the organization to plan its
processes and manage its business to avoid undesirable results. Organizations
have typically done this by putting greater emphasis on planning and
controlling processes that have the biggest impact on the quality of the
products and services they provide. The way in which organizations manage risk
varies depending on their business context (e.g. the criticality of the
products and services being provided, complexity of the processes, and the
potential consequences of failure). Use of the phrase risk-based thinking is
intended to make it clear that while an awareness of risk is important, formal
risk-management methodologies and risk assessment are not necessarily
appropriate for all business situations and organizations. Risk-based thinking
is something we all do automatically and often sub-consciously
• The concept of risk has always been implicit in ISO 9001 –
the 2015 revision makes it more explicit and builds it into the whole
management system
• Risk-based thinking is already part of the process
approach
• Risk-based thinking makes preventive action part of the
routine
• Risk is often thought of only in the negative sense.
Risk-based thinking can also help to identify opportunities. This can be
considered to be the positive side of risk.
Risk management is a tool that helps companies evaluate
risks in processes and content. It evaluates event data in order to measure
levels of risk in an operational context. Risk assessment is repeatable and
objective; it allows you to replace an otherwise subjective “gut sense†with a
more guided decision-making approach. Furthermore, it’s easy to understand for
people who aren’t directly involved in the process.
Risk assessment helps drive change. It enables you to build
alerts for critical events and develop guidelines and solutions for risk levels
that are unacceptable. These solutions are systematic and repeatable, and you
can implement them for high risks in a more automatic and consistent manner.
However, it’s important to note that risk assessment is a tool, not the solution. Context is important in risk assessment, and for that, you need people. For example, someone on the shop floor might consider something a critical risk, whereas from the top floor, that risk might not look as bad in the larger context of operations. So it’s a good idea to have a team in place to vet your risk assessment process to ensure you’re achieving the right results. As your operations change or as more data accumulate, you may find that established risk levels need to be adjusted
User questions & answers