ISO 9001 & Risk-Based Thinking



Risk has always been implicit within ISO 9001, but not explicit. The ISO 9001:2015 revision is set to change that, with risk being built into the whole Management System in order for it to become a strategic approach. In fact, the word ‘risk’ is being used throughout ISO’s management standards as they are being revised.


It’s easy to regard ‘risk’ as a negative concept, but this isn’t the intention with ISO 9001:2015. The ambition of the new quality management standard is that it will help identify opportunities and prevent any issues before they happen.

With ISO 9001 being all about delivering a consistently high level of service, it could be considered a customer service standard. ISO 9001:2015’s approach emphasises this, with the risk-based approach helping organisations to exceed customer expectations, which can only boost satisfaction. Moreover, implementers of the standard should use ISO 9001 to build a proactive culture of prevention and improvement.


So what’s a practical example of how ‘risk’ is used in ISO 9001:2015? Well, really this depends on context. The new version of the standard does not expect a risk assessment or separate document to be created, but you do need to determine your risks somehow.
Let’s take a look at an example of risk in the real world and how we would address it using ISO 9001:

Crossing the street is something we do virtually every day which poses a risk. The direct approach – crossing at the most convenient place – may be the quickest route, but may be also the most dangerous option.

With our ISO 9001 hat on, we have identified a risk and now need to have an action plan. To eliminate the risk, you could walk up to the nearest bridge. Whilst very safe, the extra distance could make you late to your destination. Therefore, there is an opportunity to mitigate the risk. Certain times of day will be safer to cross the road (daylight, traffic flow etc.), so you could come up with a suitable process for guidance. Alternatively, a new crossing at the most convenient spot would further reduce risk whilst ensuring you arrive at your meeting on time, but of course would be a much more expensive solution. As such, you could review the first plan after a few attempts and decide if it was a success. You may decide the risk is acceptable, or believe the only option is to eliminate the danger completely and build a crossing. Alternatively, you may find that a new option, such as setting up a Skype call for less important meetings, is the best solution.

In fact then, ‘risk’ is nothing new – we consider it intuitively every day. As such, this change for ISO 9001:2015 will not pose a problem for those already with ISO 9001:2008 in place.

Whilst not obligatory, there is a supplementary standard called ISO 31000 which provides principles and guidelines for those who wish to formalise a risk process and, in turn, make their ISO 9001 management system even more robust.

For the very latest ISO news, follow the British Assessment Bureau on Twitter.
