The 2015 revision of ISO 9001 adds the concept of “Risk-based Thinking” to quality management systems (QMS) requiring registered organizations to “determine the risks and opportunities” needed to ensure that the QMS achieves expected results and improvement. Clause 6.1, (Actions to address Risks and Opportunities), is one of several clauses created by ISO’s new “high level structure” designed to produce a common format and base level text within its catalog of management systems standards. The addition of risk-based thinking is a welcome addition to ISO 9001, currently the largest selling standard in the world and applicable to any organization seeking third party registration of their products and/or services in the marketplace.

But you already knew this. And no doubt all businesses throughout the world routinely manage their affairs and make important decisions based on risk. No matter the management system standard, be it quality, environment or the numerous “sector-specific” standards such as medical device, automotive and aerospace, each addresses risk through requirements to plan, inspect, train and otherwise control process results. Several of these sector specific standards directly address risk as a requirement; it’s already baked into the language. But “risk-based thinking” will be a new concept to many of the additional million+ users of ISO 9001:2015, and if the perception of “changing language changes culture” is to be believed, adding risk to the language of ISO 9001 quality management carries the potential for considerable benefit.

Consider the significance of risk based thinking replacing preventive action in 9001:2015. Preventive action was routinely underrepresented in the majority of registered organizations for a host of reasons, not the least of which was its status as a requirement; one of many separate components of an organization’s QMS.

By contrast, risk-based thinking is structural, extending and expanding within the QMS to routinely address potential nonconformance. The change in perspective from a requirement to a required methodology frames risk as standard practice, a formal approach to plan and consider actions to address risk and opportunities capable of verification by a 3^rd party auditor.

The cultural shift from preventive action as the last clause of a compliant QMS to improved planning frontloaded by risk-based thinking will require the language of risk to be spoken by a larger audience than was the case in managing preventive action. With the further requirement that management demonstrate leadership and commitment to the QMS in clause 5 of the standard, involvement in risk-based thinking supports their ability to provide a new level of “risk leadership,” spurring others to adopt their language and example.

The ideal state becomes the rising voice of additional risk champions who, having experienced the successes of comprehensive planning, adopt risk-based thinking as foundational.   Instead of searching for appropriate preventive action candidates to satisfy a requirement, risk-based thinking creates improved confidence and satisfaction among all interested parties. Given these benefits, alongside top management’s leadership and commitment to plan effectively, the application of risk-based thinking is a risk worth taking.

Bio:

Paul Palmes, member of the US Technical Advisory Group to ISO Technical Committee 176, has held positions including vice chair and membership chair, and also represented the United States in developing ISO 10014. He is currently the chairman of ISO TC 176, SC 1, responsible for the ISO 9000:2015 standard. Now principal consultant with Business Systems Architects, Inc., he brings over 25 years of experience helping world-class organizations improve quality, profitability, and culture, and earn ISO registration. His books include Process Driven Comprehensive Auditing, Second Edition (ASQ Press, 2009) and The Magic of Self-Directed Work Teams (ASQ Press, 2006).