What is Risk based Thinking in ISO 9001:2015?

7th of August 2019 01:59:13 PM

RISK-BASED THINKING IN ISO 9001:2015

Purpose of this paper

  • to explain risk-based thinking in ISO 9001
  • to address perceptions and concerns that risk-based thinking replaces the process approach
  • to address the concern that preventive action has been removed from ISO 9001
  • to explain in simple terms each component of risk-based thinking

What is risk-based thinking?

One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to considering risk, rather than treating “prevention” as a separate component of a quality management system.

Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions. Risk-based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system.

In previous editions of ISO 9001, a clause on preventive action was separated from the whole. By using risk-based thinking the consideration of risk is integral. It becomes proactive rather than reactive in preventing or reducing undesired effects through early identification and action. Preventive action is built-in when a management system is risk-based.

Risk-based thinking is something we all do automatically in everyday life.

Example: If I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car.

Risk-based thinking has always been in ISO 9001 – this revision builds it into the whole management system.

In ISO 9001:2015 risk-based thinking needs to be considered from the beginning and throughout the system, making preventive action inherent to planning, operation, analysis and evaluation activities.

Risk-based thinking is already part of the process approach.

Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives. Some need more careful and formal planning and controls than others.

Example: To cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks.

Risk is commonly understood to have only negative consequences; however the effects of risk can be either negative or positive.

In ISO 9001:2015 risks and opportunities are often cited together. Opportunity is not the positive side of risk. An opportunity is a set of circumstances which makes it possible to do something. Taking or not taking an opportunity then presents different levels of risk.

Example:

Crossing the road directly gives me an opportunity to reach the other side quickly, but if I take that opportunity there is an increased risk of injury from moving cars.

Risk-based thinking considers both the current situation and the possibilities for change.

Analysis of this situation shows opportunities for improvement:

  • a subway leading directly under the road
  • pedestrian traffic lights, or
  • diverting the road so that the area has no traffic

Where is risk addressed in ISO 9001:2015?

The concept of risk-based thinking is explained in the introduction of ISO 9001:2015 as an integral part of the process approach.

ISO 9001:2015 uses risk-based thinking in the following way:

Introduction - the concept of risk-based thinking is explained

Clause 4 – the organization is required to determine its QMS processes and to address its risks and opportunities

Clause 5 – top management is required to

  • Promote awareness of risk-based thinking
  • Determine and address risks and opportunities that can affect product /service conformity

Clause 6 – the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them

Clause 7 – the organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned)

Clause 8 – the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned)

Clause 9 – the organization is required to monitor, measure, analyse and evaluate effectiveness of actions taken to address the risks and opportunities

Clause 10 – the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities

Why use risk-based thinking?

By considering risk throughout the system and all processes the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service.

Risk-based thinking:

  • improves governance
  • establishes a proactive culture of improvement
  • assists with statutory and regulatory compliance
  • assures consistency of quality of products and services
  • improves customer confidence and satisfaction
  • Successful companies intuitively incorporate risk-based thinking.

How do I do it?

Use risk-based thinking in building your management system and processes.

Identify what your risks are – it depends on context

Example:

If I cross a busy road with many fast-moving cars the risks are not the same as if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific personal objectives.

Understand your risks

What is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another?

Example:

Objective:  I need to safely cross a road to reach a meeting at a given time.

It is UNACCEPTABLE to be injured.

It is UNACCEPTABLE to be late.

Reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time.

It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high.

I analyse the situation. The footbridge is 200 metres away and will add time to my journey. The weather is good, the visibility is good and I can see that the road does not have many cars at this time.

I decide that walking directly across the road carries an acceptably low level of risk of injury and will help me reach my meeting on time.

Plan actions to address the risks

How can I avoid or eliminate the risk? How can I mitigate risks?

Example: I could eliminate risk of injury caused by being hit by a vehicle if I use the footbridge but I have already decided that the risk involved in crossing the road is acceptable.

Now I plan how to reduce either the likelihood or the impact of injury. I cannot reasonably expect to control the impact of a car hitting me. I can reduce the probability of being hit by a car. 

I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident. I also plan to cross the road at a place where I have good visibility.

Implement the plan – take action

Example:

 I move to the side of the road, check there are no barriers to crossing. I check there are no cars coming.  I continue to look for cars whilst crossing the road.

Check the effectiveness of the action – does it work?

Example:

 I arrive at the other side of the road unharmed and on time:  this plan worked and undesired effects have been avoided.

Learn from experience – improve

Example:

I repeat the plan over several days, at different times and in different weather conditions.

This gives me data to understand that changing context (time, weather, quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time and avoiding injury).

Experience teaches me that crossing the road at certain times of day is very difficult because there are too many cars. To limit the risk I revise and improve my process by using the footbridge at these times.

  • I continue to analyse the effectiveness of the processes and revise them when the context changes. 
  • I also continue to consider innovative opportunities:
  • can I move the meeting place so that the road does not have to be crossed?
  • can I change the time of the meeting so that I cross the road when it is quiet?
  • can we meet electronically?

Conclusion

  • Risk-based thinking:
  • is not new
  • is something you do already
  • is on-going
  • ensures greater knowledge of risks and improves preparedness
  • increases the probability of reaching objectives
  • reduces the probability of negative results
  • makes prevention a habit

Other useful documents

1. What is ISO?
2. What is the purpose of the ISO?
3. Why ISO is required?
4. What are the 10 Benefit of ISO?
5. Does any ISO a improvement of a business?
6. What is Annex SL and why it is used?
7. What is the Annex SL System Structure?
8. What was the Vision behind Annex SL?
9. What benefit is there to harmonization?
10. Who Created Annex SL?
11. What is the total Cost involved in the ISO Certification Process?
12. Which is the first group that succeeded to reach an agreement with it?
13. How Annex SL Works?
14. What is Six Sigma?
15. What are the stages of Six Sigma? Explain it.
16. How many principals in Six Sigma?
17. How many belts in Six Sigma?
18. Explain The Quality Levels of Six Sigma?
19. What is master black belt?
20. What are the different kinds of variations used in Six Sigma?
21. What is the Need to do Risk Assessment & How long should risk assessments be kept?
22. What is Quality Control & their tools and techniques?
23. What is 5S and when & where was firstly it introduced?
24. Where can be 5S be Used?
25. What are the Benefits of 5S?
26. How does 5S help the business to grow?
27. What is PDCA cycle?
28. What is a “Gap Analysis"?
29. What are the benefits of PDCA cycle?
30. What are the process of gap analysis?
31. How do i become an ISO Certified Auditor
32. What is a “Zero Defect”?
33. What is cost of quality?
34. What are the Limitations of Zero defects?
35. What are the Categories Of Cost Of Quality?
36. What is supply Chain Management?
37. Why Is Supply Chain Management Important?
38. What are the major obstacles to successfully implementing supply chain management?
39. What is communication? What are the type of communication?
40. What is “Pareto Analysis
41. what are the basic elements of communication process?
42. How to use and construct the Pareto diagram?
43. What is conformity Assessment?
44. Why do we need conformity assessment?
45. Who does the assessments and what are the conformity assessment procedures?
46. What is a histogram and how to use a Histogram?
47. What is Juran’s Quality Trilogy?
48. What do you need for a histogram? And what are the seven simple steps for construction of Histogram.
49. What is the difference between HACCP and GAPs?
50. What is the difference between GMPs and GAPs?
51. What is the Database Management System (DBMS) and its advantages?
52. What are the types of database management system (DBMS)?
53. What is “Quality Culture”?
54. What are the Core Values and Beliefs of a Quality Culture?
55. What is accreditation? Where Accreditation is used and Type of Accreditation?
56. What is the goal of a business continuity plan?
57. How do I Become an ISO Auditor ?
58. How do you conduct a business impact analysis in Organization?
59. What is the role of technical expert in ISO audit?
60. What are six mandatory quality procedures?
61. What is the Role and Responsibilities of a Lead Auditor?
62. Competency Requirements for Auditors and Certification Personnel for Quality Management System
63. What is the main goal of information security?
64. Competency Requirements for Auditors and Certification Personnel for EMS
65. What is risk-based thinking and why has it been introduced into the standard?
66. What is this ISO 21401:2018 standard about?
67. What is the Role and Responsibilities of a ISO 9001:2015 Lead Auditor ?
68. What is the Role and Responsibilities of a ISO 14001:2015 Lead Auditor ?
69. . What is the Role and Responsibilities of a ISO ISO 45001:2018 Lead Auditor ?
70. What are the benefits of Implementing ISO 21401:2018 Standard?
71. What are the Benefits While implementing ISO 20121 on customers and organizations?
72. Which is the best ISO certification bodies in India?
73. What is ISO 26000?
74. What is Risk Management ISO 31000:2018?
75. What are the steps implementations of risk management process?
76. What are the major changes in the ISO 27001:2013 version?
77. How to Design a Risk management framework? What are the principles in improving an organizational risk management framework?
78. What is ISO/IEC 17025?
79. What is the relationship between ISO 17025 and ISO 9001?
80. What are the Benefits Of Following ISO 26000?
81. ISO 9001:2015 Lead Auditor benefits
82. What is the ISO 27000 Series?
83. What Does ISO 26000 Accomplish?
84. What is sustainable development?
85. How can ISO 37101 help promote sustainable development in communities?
86. Who can use ISO 37101?
87. What are the main elements of the ISO 31000 risk management process?
88. What are the main elements of the ISO 31000 risk management process?
89. What are the benefits of ISO/IEC 17025 Accreditation?
90. What is a management system?
91. Which types of Strategies occur in enhancing risk management? And what are the Benefits of ISO 31000 Risk Management?
92. : What is IATF 16949:2016-International Automotive Task Force?
93. What are Benefits While Implementing ISO 37101?
94. What does the ISO 37101 standard cover & Who is the standard for?
95. What is the ISO 8000 Standard?
96. What Are The Core Subjects Of Social Responsibility?
97. What is IT Service Management & Why your business needs ITSM ?
98. What are the main differences between in ISO 31000:2009 and ISO 31000:2018?
99. Why is IATF 16949 a good idea for your organization?
100. What Is Social Responsibility Reporting? Why is social responsibility important?
101. What aspects of data quality does ISO 8000 cover?
102. What is ISO 31000 designed to help organizations do?
103. What is Disaster Recovery?
104. What is ISO 26000:2010 about? How to Support for implementing ISO 26000?
105. What are the practical steps to becoming IATF 16949 certified?
106. Why is ISO 26000 important? What benefits can be achieved by implementing ISO 26000?
107. What is a disaster recovery plan?
108. What is ISO 15378 Certification?
109. What is ISO 10006:2017 & Advantage of ISO 10006?
110. Who can benefit from ISO 26000 and how?
111. What is ISO 30000:2009 Ships and marine technology – Ship recycling management systems?
112. What is ISO 30000:2009 Ships and marine technology – Ship recycling management systems?
113. What are the main changes to the new IATF 16949 standard?
114. What is ISO 20252?
115. What are the Application of ISO 15378 Certification?
116. What are the Benefits while Implementing of ISO 15378 Certification?
117. What does ISO 26000 contain? How did the ISO 26000 initiative come about?
118. What are the benefits of ISO 20252 Market and Social Research Certification?
119. What is ISO 10004:2018 Quality management - Customer satisfaction Management System?
120. What is ISO/TS 17582:2014 Quality management systems-Particular requirements for the application of ISO 9001:2008 for electoral organizations at all levels of government?
121. Which type of Mandatory documents and records required by ISO 27001:2013 ?
122. What is ISO 10012:2013 - Measurement management systems?
123. Which standard is the more appropriate for laboratories?
124. What is “responsibility and authority”?
125. Who developed ISO 26000?
126. What are the benefits of implementing ISO 10004:2018 in an organization?
127. What is the Auditor Competence Requirements?
128. What is ISO 18788?
129. How does an organization go about implementing ISO 26000? What are the benefits of Implementing ISO 26000 Standard?
130. What is ISO 16000-1:2004 - Indoor air -- Part 1: General aspects of sampling strategy?
131. What is ISO/TS 29001?
132. Why is Security Operations Management System important for you?
133. what-is-iso-22163:2017--railway-applications--quality-management-system?
134. What are the Benefits while Implementing ISO 22163:2017?
135. What Main Components of ISO 22163:2017?
136. How do internal and external auditors differ and how should they relate?
137. what are the benefits of ISO/TS 29001? AND why implement ISO/TS 29001?
138. What is ISO 37301Compliance management systems - Requirements with guidance for use?
139. What are the Differences between the Statement of Applicability (SoA) & Risk Treatment Plan (RTP) ?
140. Understanding The ISO 26000 Social Responsibility Standard? How Does The ISO 26000 Standard Function?.
141. What are the Steps for Towards Social Responsibility?
142. What is the importance of ISO 37301Compliance management systems - Requirements with guidance for use?
143. What implications may the affixing of the CE Marking have for the Manufacturer/Importer/Distributor?
144. WHAT IS THE DIFFERENCE BETWEEN ISO 27001 AND ISO 27002?
145. How many Controls are there in ISO 27001?
146. What Is IEC 62304?
147. What are the steps for Implementing a Compliance Management System in an organization?
148. What is CE Marking & CE Marking logo?
149. How does ISO/IEC 27001 standard relates to other management system standards (ISO 9001 and 14001)?
150. Is there any qualification required for ISO 27001 Professionals?
151. Is there any qualification required for ISO 27001 Professionals?
152. What is the difference between disaster recovery management (DRM) and business continuity management?
153. What is the Integrated Management Systems (IMS) & Advantages of Implementation for Integrated Management Systems?
154. What is required to ensure effective integrated management systems?
155. How do we engage our management, persuading them that the ISMS program has to be established?
156. What are the advantages of implementing ISO 14001:2015 Environmental Management System & What type of Companies can get certified to ISO 14001:2015?
157. What duration required man-years (or man-months) are needed to implement ISMS?
158. What is ISO 50001 Energy Management System & What initial steps can my company take to prepare for adopting ISO 50001?
159. How do we define the scope of our ISMS?
160. What is ISO 18091:2014 Standard?
161. What is ISO 18091:2014 Standard?
162. What are the 7 quality management principles?
163. What are the changes find in the company found when we are certified from ISO 27001:2013 Certification?
164. What do we need to do in preparation for a re-certification audit?
165. What are the difference between ISO/TS 16949 to IATF 16949?
166. What is BS 25999-1:2006 ?What are the benefits of BS 25999-1:2006?
167. WHAT IS ISO 10377:2013 & BENEFITS OF ISO 10377:2013 IMPLEMENTATION ?
168. What is ISO 44001:2017 - Collaborative business relationship management?
169. What do you meant by ISO/IEC 27010:2015?
170. What are the benefits of ISO 44001:2017 - Collaborative business relationship management?
171. What is an extended workbench and how can I integrate this into the certification procedure?
172. What is ISO 10393:2013- consumer product recalls?
173. WHY USE AN ISO 17025 ACCREDITED LABORATORY?
174. What is ISO 14298:2013 – Security Printing Process Management?
175. How does ISO 44001 collaborative business relationship management system work in the organization?
176. Is ISO 44001 certification is necessary for an organization?
177. What is 50001 Ready & What are the benefits of becoming 50001 Ready?
178. What is the difference between risk assessment and audit?
179. What is ISO 21101:2014 adventure tourism?
180. How to get certified to ISO 44001? What are the Steps for ISO 44001 Certification?
181. What are the benefits of ISO 14298:2013? What does the intergraf ISO 14298 certification offer?
182. How should have to management define organization’s risk appetite?
183. Which compliance obligations are relevant to ISO27001?
184. WHAT IS THE AS9100 QUALITY MANAGEMENT STANDARD?
185. What are the changes in ISO 44001 from BS 11000-1?
186. What is Occupational Health and Safety Management System (ISO 45001:2018) Standard?
187. Why replaced ISO 18001:2007 standard to ISO 45001:2018?
188.   How does the Internal Audit differ from an External Audit?
189. WHAT ARE THE KEY SUPPLEMENTARY REQUIREMENTS OF AS 9100 BEYOND THE ISO 9001 STANDARD ON WHICH IT IS BUILT?
190. How ISO 45001 is beneficial for my organization?
191. What are the benefits to implementing ISO 45001:2018?
192. What are the differences between OHSAS 18001 and ISO 45001?
193. How to Implement ISO 45001:2018 in my organization?
194. What do you understand by the term ‘Audit Evidence’?
195. How to make the transition from OHSAS 18001 to ISO 45001?
196.   What are the benefits of ISO 9001?
197. What is ISO 24526- Water efficiency management systems?
198. Is 44001 is applicable for all the organization?
199.   What are the impacts of ISO 9001?
200. What are the differences Between Continual Improvement and Continuous Improvement?
201. Why develop an ISO standard relating to water efficiency?
202. Who can use the ISO 24526?
203. What is ISO 24518:2015-Activities relating to drinking water and wastewater services -- Crisis management of water utilities?
204. Is there any guideline for ISO 31000:2018?
205. How to certify my company by ISO 45001 certification from the TNV Certification?
206. What can ISO 24526 do for my business?
207.   How are quality objectives related to risk management?
208. What's New in ISO 45001:2018 Standard?
209. What's New in ISO 45001:2018 Standard?
210. If an organization implements ISO 24526, is certification mandatory?
211. What is ISO 11137 - Sterilization of Health Care Products?
212. What is ISO 50501- ISO for Innovation Management?
213. How does the ISO Certification Body issue ISO certificate in India?
214. What is ISO 45001:2018 (OHSMS) Certification in India?
215. Why Annex SL is now renamed as Annex L?
216. How an ISO 31000 be helpful for an organization?
217. What Is The Published Date For ISO 45001:2018 (OHSMS) standard?
218. What is ISO 21001?
219. What are the opportunities for the lead auditor of ISO 9001?
220. What are the benefits of ISO 21001:2018?
221. Which type of organization can apply for ISO 29001- Petroleum, petrochemical and natural gas industries?
222. What New Requirements for Risk and opportunities as Per the ISO 45001:2018 Standard?
223. What New Requirements for Risk and opportunities as Per the ISO 45001:2018 Standard?
224. Is there any advantage of ISO/TS 29001:2010 for applying in an organization?
225. Is there any advantage of ISO/TS 29001:2010 for applying in an organization?
226. Is there any benefit of Implementing ISO 17025 for an organization?
227. What is ISO/IEC 20000-1 standard-Service Management System?
228. What is the Past story for International organization for standardization (ISO)?
229. What is ISO 19600 Compliance Management Systems?
230. What is ISO 19600 Compliance Management Systems?
231. Is there any difference between ISO/IEC 20000-1 and ITIL?
232. What is the relation between ISO 19600 and ISO 37001?
233. What are the main changes of ISO/IEC 20000-1:2018 from ISO/IEC 20000-1:2011?
234. What are the benefits of ISO 19600 compliance management system?
235. What is ISO 37120 “Sustainable development of communities — Indicators for city services and quality of life”?
236. What are Benefits of ISO 37001 Anti-Bribery standards on the organisation?
237. Why should we take this ISO 24526 Certification services?
238. What is the importance of ISO 24526 in your organization?
239. What is ISO 19600 compliance management systems and how can it help organizations to increase the effectiveness of their compliance management?
240. Is there any advantages/benefits of ISO 37120 Certification?
241. How can I get certification for ISO 37120?
242. What approach should companies take when considering ISO 19600?
243. How to implement ISO 37120 Certification in the organization?
244. How does our Organization benefit from taking this ISO 18788 Certification Services?
245. What are the important elements of ISO 18788 Security Operations Management System?
246. What is ISO 28000 Specification for security management systems for the supply chain?
247. What is difference between ISO Accreditation & Certification?
248. What is Risk based Thinking in ISO 9001:2015?
249. What are the Key Changes in ISO 22000:2018?
250. What is the Common Structure for ISO 22000-2018?
251. What are the RECOMMENDED STEPS FOR CERTIFIED CLIENT FOR THE TRANSITION of ISO 22000-2018
252. What is the FSMS Transition Audit and Audit Duration for transition of ISO 22000-2018?
253. What is the Key Concept of ISO 22000-2018?
254. List of the external origin documents for ISO Certification body?
255. How to apply for ISO 22163:2017?
256. How the Medical device can be classified?
257. What is Critical Control Points (CCPs)?
258. What is the difference between PRP’s (Prerequisite Programs), OPRP’s (Operational Prerequisite Programs) & CCP’s (Critical Control Points)?
259. What are the Principles of HACCP?
260. How Sterilization Processes are monitored?
261. What is ISO 22716? And what are its benefits?
262. What is Data Management?
263. What are the benefits of ISO 28000 supply chain management system?
264. What is PCI DSS?
265. What are the standards specific requirements for PCI DSS (Payment Card Industry Data Security Standard)
266. What are the types of sterilization Techniques and methods?
267. What are the benefits of data management?
268. What are the Benefits of data Governanance?
269. What is Data governance (DG)?
270. What is ISO 20700?
271. What is the Benefits of Sterilizing Medical Equipments?
272. What is a Quality Manual?
273. What is the difference between HACCP Verification and HACCP Validation?
274. What Your Cost of Quality Calculation is Missing
275. Cost Of Quality
276. 13485

User questions & answers

  • We were unable to any existing question.?

leave a reply

Categories

© 2013 - 2025 . All Rights Reserved.