Risk-Based Thinking
The 2015-generation requirement that organizations identify what could go wrong (and what opportunities exist), and build responses into the management system's planning — replacing the old standalone 'preventive action' clause.
What the standards actually require
ISO 9001 clause 6.1 (mirrored in 14001, 45001, 27001, 42001) requires you to determine the risks and opportunities relevant to your context and your interested parties, plan actions to address them, integrate those actions into your processes, and evaluate whether they worked. Crucially for smaller organizations: ISO 9001 does not require a formal risk management methodology, a risk register, or retained documented information about risk — though most organizations keep a simple register anyway because it's the easiest way to show the thinking happened.
The safety, security, and AI standards go further: ISO 45001 requires a defined process for hazard identification and risk assessment; ISO 27001 requires a formal, criteria-driven risk assessment and treatment process; ISO 42001 adds impact assessment on affected people. The common thread: prevention moved from a clause at the back to the planning at the front.
What it looks like in practice
A workable minimum for a small business: once a year (and at any big change), leadership lists the top things that could derail quality/safety/security — key-person dependency, single supplier, aging equipment, new regulation — scores them roughly, decides actions for the big ones, and revisits the list at management review. That is genuinely compliant risk-based thinking; the sophistication should scale with your stakes.
The failure mode is theater: a 200-row risk register copied from a template, scored once, never opened again. Auditors ask process owners “what are the main risks in your area and what changed because of them?” — the answer reveals instantly whether thinking or theater occurred.
Go deeper, free.
Every standard this term appears in has a free clause-by-clause guide on ReadSafety.com — and when you're ready for certification, USQC provides accredited third-party audits.
Browse the guidesCertify with USQC