Where it came from
Editions of ISO 9001 before 2015 contained a clause called preventive action, which asked organizations to prevent potential nonconformities. In practice it became a paperwork ritual bolted on after problems. The 2015 revision deleted it and wove prevention into the fabric of the whole standard: understanding context (clause 4) feeds identification of risks and opportunities (clause 6.1), which drives planning, operational controls, and what you monitor. Prevention became the system's posture instead of a form.
What clause 6.1 actually requires
- Determine the risks and opportunities that need to be addressed to give assurance the QMS can achieve its intended results, prevent or reduce undesired effects, and achieve improvement.
- Plan actions to address them, integrate those actions into your QMS processes, and evaluate whether the actions worked.
- Make the effort proportionate to the potential impact on conformity of products and services.
What auditors actually look for
Competent auditors trace risk-based thinking through decisions rather than documents. Typical trails: a new supplier was approved, so what risk consideration preceded it; a process was changed, so what could-go-wrongs were weighed; an objective was set, so which risks threaten it and where do the mitigating actions appear in your plans. If your people can answer "what could go wrong here and what do we do about it" for their own processes, clause 6.1 is alive. If the only evidence is a spreadsheet built the week before the audit, it is not.
Keeping it proportionate
A machine shop's risk thinking might be a column in its process map plus supplier scorecards. A medical device supplier will justifiably run formal FMEAs. Both can conform. The standard's own phrase is that actions must be "proportionate to the potential impact"; sizing your approach to your actual risk profile is itself evidence of understanding the requirement. Over-engineering a risk bureaucracy for a low-risk business is a self-inflicted wound I have watched many organizations bleed from for years afterward.