Understanding ISO 9001:2015
Clause 6.1 - Risk-based Thinking
An organization's external and internal environment is subject to constant change, and change is characterized by uncertainty, which in turn poses risks. Uncertainty may be defined as having insufficient or no knowledge of a potential event to determine whether or not it will happen or, if it does happen, whether the outcomes of the event will be positive or negative. So uncertainty presents both risk and opportunity, with the potential to hinder or grow the business.
Risk is generally defined as participating in an event and thereby being exposed to the ‘uncertainty of the event and its consequences’. For example, in a poker game there is always uncertainty as to who will win the pot. But unless you’re in the game there is no risk to you that you will lose your stake in it. In other words, to be at risk, you must participate in the event and be exposed to the uncertainty of the event and its consequences. You can have uncertainty without risk, but you cannot have risk without uncertainty.
ISO 9000 gets more technical and defines risk as the “effect of uncertainty”. Effect is described as a “deviation from the expected”, either positive or negative. An organization may embark on a risky business venture expecting a 10% return on investment. The risk, or effect of the uncertainties related to the venture, may in fact result in a loss (negative) of 50% or a gain (positive) of 20% (i.e. a deviation from the expected 10% ROI).
Risk management is about using processes, methods and tools for managing these risks. Risk management focuses on proactively identifying what could go wrong, prioritizing and evaluating risks, and implementing strategies to deal with them. Organizations that proactively identify risks will be better positioned to achieve their business goals and strategies.
Risk-based thinking takes a narrower focus in that it applies the above risk management definition to the contextual risks and opportunities that relate to the organization's QMS, as opposed to a full-blown risk management system that covers the entire organization. The concept of preventive action is expressed through the application of risk-based thinking in planning and implementing QMS processes.
The ISO 9001:2015 standard does not call for formal methods for risk management or a documented risk management system. Organizations can decide whether or not to develop a more extensive risk management methodology through the application of other risk management guidance, standards and
The organization must integrate the actions to address these risks and opportunities into its QMS processes using the PDCA (Plan-Do-Check-Act) cycle. Not all processes of a QMS represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations. Each organization is therefore responsible for the extent to which it applies risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.
Planning also requires monitoring and measuring these actions and gathering, analyzing and evaluating appropriate data and information to determine the effectiveness of such actions. This planning must be periodically reviewed and updated as necessary when taking corrective actions or at management reviews. These actions must be proportional to the potential impact on the conformity of products and services.
When planning its QMS, the organization must consider the risks and opportunities presented by external and internal issues, as well as the needs and expectations of interested parties, relevant to its purpose and strategic direction.
Opportunities can derive from favorable circumstances that can lead to the use of new practices, the launch of new products, entry into new markets, new clients, reduced waste or improved productivity, stronger relationships, the use of new technology, and other desirable and viable opportunities that help the organization achieve its strategic direction and enhance customer satisfaction.
The “Understanding ISO 9001:2015 eCourse” provides more details on risk-based thinking and management and shows you how to easily and effectively IMPLEMENT the action items required by clause 6.1 of the Standard.
askartsolutions 2015 Toronto