Risk and the New, Improved ISO 9001

Dear reader: This is NOT my usual “original material”. I found an ISO paper that was meant to explain how the soon-to-be-released ISO 9001:2015 is built around the concept of risk. I read the document several times, thought it could be improved, and made a few changes, mainly to the examples provided. Therefore, this is not plagiarism but a carefully considered criticism/revision. (The original paper is identified in Note 1, at the bottom.)

Please read both versions and let me know what you think of them. Maybe the changes will help you understand the concept of risk as it applies to ISO 9001 a tad better; that was my goal, after all. If I succeeded, please let me know. If the revision leaves you more confused than the original, I humbly apologize. I appreciate your help.

“RISK” IN ISO 9001:2015[1]

1. Objective of this Paper

  • Explain how risk is addressed in ISO 9001
  • Explain what is meant by “opportunity” in ISO 9001
  • Address the concern that risk-based thinking replaces the process approach
  • Address the concern that preventive action has been removed from ISO 9001
  • Explain in simple terms each element of a risk-based approach

2. Overview

One of the key changes in the 2015 revision of ISO 9001 is the encouragement of a systematic approach to risk, rather than treating it as a single component of a QMS, or Quality Management System.

In previous editions of ISO 9001, preventive action was the only place where risk was addressed. Now risk is considered throughout the standard.

By taking a risk-based approach, an organization becomes proactive rather than reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action should be automatic where a QMS is risk-based.

3. What Is Risk-Based Thinking?

Risk-based thinking may become automatic.

Example: If I work at a construction site, a chemical plant, or a stamping plant – just to mention a few places where the risk of injury is always present – I’ve probably undergone health and safety training as a requisite to employment. I continue to undergo training and retraining, so that putting on personal protective equipment, or PPE, and employing best safety practices, like LOTO[2], becomes – and remains – “second nature”.

Risk-based thinking has always been a part of ISO 9001. This revision builds it into the entire QMS.

In ISO 9001:2008, risk management takes the form of required procedures, like preventive action (clause 8.5.3), document control (4.2.3), and control of records (4.2.4).

In ISO 9001:2015, risk is considered from the very first clause of the standard and is emphasized throughout, incorporating preventive action and other tools, techniques, and methods in strategic planning, operations management, reviews, and elsewhere.

Risk-based thinking is – or should be – part of the process approach.

Example: To perform maintenance on a conveyor system, I might shut down only the part that needs maintenance, or I might shut down the entire system. I could shut down operations that feed into the conveyor system. I might perform such maintenance exactly when it is called for by the manufacturer or I might schedule it when demand for the conveyor system is low or nonexistent. The benefits and risks of each are factored when devising the maintenance schedule. Furthermore, the maintenance schedule for the conveyor system takes all production operations that precede and follow it into account.

Risk is commonly considered a negative. However, in risk-based thinking, opportunity is also found.

Example: If I follow the LOTO procedure before removing an obstruction from a conveyor, resuming production once I’ve removed the obstruction takes 15 minutes, increasing the risk that we won’t meet our daily production target. However, I decrease (or even eliminate) the risk of injury.

If I reach into the conveyor with a pair of pliers to remove the obstruction without shutting off the conveyor, I might be able to resume production with minimal downtime. However, by doing so, I could increase the risk of additional damage to the conveyor, as well as increase the risk of injury to me and others.

Another example: Using social media, like Facebook, affords me the opportunity to expand my social, business, and other networks easily and quickly; however, using social media also increases my exposure to cyberthreats. By not using social media, I can somewhat reduce the risk of having my computer hacked, but I increase the risk of missing business opportunities and falling behind my competitors.

Opportunity is not always directly related to risk, but it is always related to the objectives. By considering a situation, it may be possible to identify opportunities for improvement.

Analyzing the LOTO situation above may reveal opportunities for improvement:

  1. An automatic shut-off switch on the conveyor that detects abnormal (out-of-range) pressure or flow;
  2. More frequent/improved LOTO procedure training; and
  3. Prominent, highly visible, easily understood warning signs (e.g., “LOTO comes before repair!”).

It is necessary to analyze all opportunities and consider which can and should be acted on. The risks, impact, and feasibility of acting on any opportunity must be considered before taking the plunge.

Trading one risk for another is common, in business and in life. It’s practically unavoidable. For example, you install bars on your home windows to reduce the risk of break-ins. However, you increase the risk of you and your family being trapped inside if a fire or building collapse occurs.

Also, the sight of barred windows on one or more homes can change perceptions of that neighborhood and, therefore, lower property values. However, using impact-resistant (bulletproof) glass affords the homeowner increased physical security while not increasing the risk of trapping home dwellers.

4. Where Is Risk Addressed in ISO 9001:2015?

The concept of risk-based thinking is explained in the Introduction of ISO 9001:2015.

ISO 9001:2015 defines risk as “the effect of uncertainty on an expected result”.

  1. An effect is a change (up/down, right/left, positive/negative) caused by an action or inaction. Example: “His surly attitude had a negative effect on the group.”
  2. Uncertainty is a state, quality, or condition brought about by a deficiency of information. In the context of risk management, uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete. Synonyms for uncertainty include unpredictability, unreliability, riskiness, changeability, variability, and inconstancy.

We like it when people and processes are certain – where the activity and outcome are steady, predictable, consistent, and reliable. We don’t normally react well to uncertainty. Uncertainty can breed anxiety.

  3. A result is the outcome or product of a process. Examples: “Whiskey and brandy are each the result of distillation”, or “the deadly accident resulted, in part, from the driver’s inexperience and inattention.”
  4. Risk is about what could happen and what the effect might be. Risk also considers how likely it is. In other words, risk is relative, being determined by the likelihood of an event, the degree of vulnerability to it, and its potential impact.

The purpose of a QMS is to enable the organization to achieve conformity, compliance, and customer satisfaction[3]. ISO 9001:2015 encourages the use of risk-based thinking, more so than prior versions, to achieve this.

  • Clause 4 (Context) – The organization is required to determine the risks which may affect conformity and compliance.
  • Clause 5 (Leadership) – Top management must commit to ensuring Clause 4 is followed.
  • Clause 6 (Planning) – The organization must identify risks and opportunities.
  • Clause 8 (Operation) – The organization must implement processes to address (i.e., it must act on) risks and opportunities.
  • Clause 9 (Performance evaluation) – An organization is required to monitor, measure, analyze, and evaluate risks and opportunities.
  • Clause 10 (Improvement) – An organization is required to improve by responding to changes in risk.

5. Why Use Risk-Based Thinking?

By considering risk throughout the organization and implementing appropriate risk controls[4]:

  1. We increase the likelihood of achieving our stated objectives;
  2. Our output is more consistent; and
  3. Our customers can be confident that they will receive a product or service that, at the least, is capable of meeting their expectations.

Risk-based thinking can…

  1. Build a strong knowledge base;
  2. Establish a proactive culture of improvement;
  3. Assure consistency of quality of goods or services; and
  4. Improve customer confidence and satisfaction.

The risk-based approach to quality management can help organizations achieve greater success.

6. How Do I Do It?

Use a risk-driven approach in your organizational processes.

Identify What YOUR Risks and Opportunities Are (Note: It Depends on Context)

Example: If the conveyor operates at a speed above the manufacturer’s specified limit, the risks are not the same as when the conveyor operates within spec. It is also necessary to consider production, quality, and safety objectives and other factors.

Analyze and Prioritize Your Risks and Opportunities

What is acceptable and what is unacceptable? What advantages or disadvantages are there to one process, compared with an alternative?

Example: My objective is to safely operate the conveyor and meet the production goal of “n±2” parts per hour. It is unacceptable to have someone injured by the conveyor but it is equally unacceptable to have the conveyor handle more or fewer parts than required.

The opportunity of reaching the production goal must be balanced against the increased risks of injury and poor quality. It is as important for me to attain safety and quality goals as it is for me to attain the production goal.

Things to consider: The conveyor’s condition and maintenance record, ambient conditions (light, dust, dirt, ventilation, temperature, etc.), operator’s PPE, and operator training.

It may be acceptable to slow the conveyor’s speed IF production doesn’t fall outside the acceptable range AND the operator’s safety risk is decreased AND product quality doesn’t suffer, either.

Analyze the situation. Slowing down the conveyor to the lower end of the prescribed range does not improve product quality, nor does it reduce the risk of operator injury, according to our records. Slowing it down could increase the risk of not meeting the production goal. Furthermore, ambient conditions are ideal.

Plan Actions to Address the Risks

How can I avoid or eliminate the risk? How can I mitigate risks?

Example: I could eliminate the risk of operator injury by running the conveyor at the low end of the range but I have already decided that the risk involved in operating it at the higher end is acceptable.

I plan how to keep the risk of operator injury low. I can require that operators put on their PPE prior to exiting the locker room. I can determine if operator safety training is adequate, in content and frequency, and make changes to the training program where needed. I can have operators report on ambient conditions at the start and at the midpoint of their shifts, as well as report on observed variations (conveyor noise, etc.).

Implement the Plan – Take Action

Example: Ensure that the conveyor speed is coordinated with the output rate of the preceding process and begin running. Monitor and measure conveyor throughput and quality of output. Have operators keep an eye on one another to ensure safety.

Check the Effectiveness of the Actions – Does It Work?

Example: I review production reports on a daily basis. I (may) review accident/injury reports, customer complaints, etc., less frequently but still on a regular basis. I determine that we are achieving production, quality, and safety goals.

Learn from Experience – Continual Improvement

Example: I repeat the plan over several months, reviewing reports at different times (shifts) and on different days. This gives me enough data to understand that changing context (time of day, for instance) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time and avoiding injury).

Experience teaches me that operating the conveyor at certain times of day (e.g., late in the third shift) is slightly riskier. The only two operator injuries, which were both minor (fortunately), occurred between 5:00 and 6:00 a.m. One of those appeared to have been related to operator illness; we are limited in what we can do there. (We can’t be taking operators’ temperatures every two hours but we can remind them to notify their supervisors, get off the line and get checked out by the on-site OHS officer, go home and get well, etc.)

The other was attributed to operator fatigue. We can look for the root cause of the fatigue (circadian rhythm, etc.) and educate the operator better to avoid the causes of fatigue. We might find the operator isn’t adaptable to third-shift work and may have to transfer to another shift.

We continue to analyze the effectiveness of the processes and revise them when the context changes. We also continue to consider innovative opportunities, like:

  • Can we relocate the conveyor and/or other production processes — in other words, change the plant layout — to make production more efficient? What new risks and costs would changing the layout impose on the firm?

7. Conclusion

  • Risk-based thinking is not innovative. It’s something we’ve been doing since we were kids.
  • Risk-based thinking is continuous, ongoing.
  • Risk-based thinking ensures greater knowledge and preparedness.
  • Risk-based thinking increases the probability of reaching objectives.
  • Risk-based thinking reduces the probability of poor results.
  • Risk-based thinking makes prevention a habit.

Useful Documents

  1. ISO 31000:2009, “Risk Management – Principles and Guidelines”, International Organization for Standardization (ISO)
  2. ISO/TR 31004:2013, “Risk management – Guidance for the Implementation of ISO 31000”, ISO

 * * * * * * *


[1] The original document, same title, is at https://www.standard.no/Global/PDF/Kvalitet/ISO-TC176-SC2_N1222_N1222_-_Risk_in_ISO_9001_2014-07.pdf.

[2] Lock-Out/Tag-Out

[3] While “customer satisfaction” is the term used in ISO standards, mere satisfaction isn’t enough. Any consumer, retail or wholesale, will tell you that a lack of complaints doesn’t necessarily mean all your customers are satisfied.

[4] Risk prevention, risk mitigation, risk avoidance, or risk acceptance.

