Over forty years ago, Fram Company, a maker of oil and air filters for cars and trucks, had a series of commercials wherein they sold the virtue of preventive maintenance. Their tag line was, “The choice is yours. You can pay me now, or pay me later.”
These commercials helped Fram push a lot of oil filters. Fram filters weren’t better than every other filter. What they did better than other filter makers was “selling peace of mind”. If you changed your car’s oil regularly – and, by the way, replaced that dirty, worn-out oil filter with a Fram every time – you reduced the risk of having to repair or replace a blown gasket, broken rod, or cracked engine block; hence, their tagline.
Whether changing the oil and filter on our car to keep engine failure from occurring, using firewalls and anti-malware software to protect our servers, laptops, and smartphones, or cutting fat, sugar, and salt from our diet to forestall a life-or-death trip to the emergency room, we perform preventive maintenance all the time.
In ISO 9001:2008 – the current version of the quality management standard – preventive action has a clause all its own. At the tail end of the standard, clause 8.5.3 reads, “The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence.” The ISO 9001:2015 revision changes the focus from one of separate clauses for corrective and preventive action to one of “risk-based thinking”, spread throughout.
This is a matter of semantics. It could be interpreted as a way of raising the importance of preventive action to a higher level in the new version but to me, it doesn’t do that. Like so many times in ISO standards, the technical committee has muddied the waters. Of all the ways one could manage risks, preventive action – pay me now – is one of the surest. It’s not always the most appropriate; sometimes the likelihood of a “threat” is so slight and its impact negligible that you just shrug your shoulders and say, “to hell with it.” But ISO doesn’t want to appear prescriptive, so they tell you “risk-based thinking is important” without explaining why or how.
You’re still going to take preventive actions to counter the majority of threats your organization faces, regardless of how ISO or anyone else words it. Preventive action is the best form of risk management there is.
It looks to me almost like an afterthought, regardless of how the Technical Committee intended it.