ReadSafety.com

ISO 9001 Questions, Answered

What is risk-based thinking in ISO 9001?

Quick answer

Risk-based thinking is ISO 9001's requirement (clause 6.1) that you identify the risks and opportunities relevant to your quality objectives and plan actions to address them. It replaced the old "preventive action" clause in 2015. The standard does not require a formal risk management method or a risk register; it requires evidence that risk consideration shapes your decisions.

Where it came from

Editions of ISO 9001 before 2015 contained a clause called preventive action, which asked organizations to prevent potential nonconformities. In practice it became a paperwork ritual bolted on after problems. The 2015 revision deleted it and wove prevention into the fabric of the whole standard: understanding context (clause 4) feeds identification of risks and opportunities (clause 6.1), which drives planning, operational controls, and what you monitor. Prevention became the system's posture instead of a form.

What clause 6.1 actually requires

  • Determine the risks and opportunities that need to be addressed to give assurance the QMS can achieve its intended results, prevent or reduce undesired effects, and achieve improvement.
  • Plan actions to address them, integrate those actions into your QMS processes, and evaluate whether the actions worked.
  • Make the effort proportionate to the potential impact on conformity of products and services.
Key factISO 9001 does not require a documented risk assessment procedure, a risk register, FMEA, or ISO 31000. Those are all legitimate methods, and many organizations use them, but an auditor cannot demand a specific tool. What an auditor can demand is evidence that risks were identified and actions taken.

What auditors actually look for

Competent auditors trace risk-based thinking through decisions rather than documents. Typical trails: a new supplier was approved, so what risk consideration preceded it; a process was changed, so what could-go-wrongs were weighed; an objective was set, so which risks threaten it and where do the mitigating actions appear in your plans. If your people can answer "what could go wrong here and what do we do about it" for their own processes, clause 6.1 is alive. If the only evidence is a spreadsheet built the week before the audit, it is not.

Keeping it proportionate

A machine shop's risk thinking might be a column in its process map plus supplier scorecards. A medical device supplier will justifiably run formal FMEAs. Both can conform. The standard's own phrase is that actions must be "proportionate to the potential impact"; sizing your approach to your actual risk profile is itself evidence of understanding the requirement. Over-engineering a risk bureaucracy for a low-risk business is a self-inflicted wound I have watched many organizations bleed from for years afterward.

Ready to take the next step?

USQC - United Safety Quality Council is an ASC-accredited certification body providing third-party ISO 9001 certification audits, internal and supplier audit services, and auditor training. Since 2015, USQC has automated audit planning, reporting, and decision support, cutting audit man-days that other certification bodies bill for and placing USQC pricing in the lower quartile, with highly experienced lead auditors on every audit.

Talk to USQC