When the ISO 9001 standard was revised in 2015, the term “risk-based thinking” was introduced to replace the preventive action clause. This new emphasis on risk-based thinking was intended to streamline and simplify how organizations handle uncertainty.

So, what are the basics of risk-based thinking, and what does it mean?

What is Risk-Based Thinking?

Risk-based thinking is the idea that companies should be proactively engaged in handling risk and preventing nonconformities in a holistic way.

The goal of risk-based thinking is to stop treating preventive action as a standalone process. To manage uncertainty successfully, organizations must weave risk-based thinking throughout the whole quality management system.

Risk-based thinking encourages proactive systems instead of reactive ones, giving the company a chance to identify and plan for uncertainty before damage is done.

Incorporating risk into decision-making and quality processes is essential for every organization, so the requirements are deliberately flexible: ISO mandates no formal risk management process for implementing risk-based thinking.

The Basics

The foundation of risk-based thinking is understanding that the effect of risk can have positive or negative consequences: opportunities or threats to the organization.

When a company implements risk-based thinking into its quality processes, threats, as well as opportunities, can be identified and acted on early, driving the organization towards its objectives.

Risk-based thinking is at the center of the Plan-Do-Check-Adapt (PDCA) model approach seen in the ISO 31000 standard.

The structure of the PDCA approach is as follows:

  • Plan – outline risks and plan processes for preventing or mitigating them
  • Do – implement those processes in the company's operations
  • Check – track progress and examine results
  • Adapt – use the knowledge gathered to improve the processes

This model captures the essence of risk-based thinking: it is a continuous, cyclical exercise within an organization rather than a one-off task.

The basis of risk-based thinking is to frame uncertainty in a way that is goal-oriented and objective-driven. Threats and opportunities should be recognized in advance to sustain a proactive quality management system.

How Can ISO 31000 Help?

ISO 31000 can be a valuable resource, guiding any company in understanding risk-based thinking and how to implement it in internal operations. ISO 31000 contains a wealth of information describing the principles, framework, and processes that should be put in place to be fully prepared for the risk-based thinking required by the ISO 9001:2015 standard.

ISO 31000 also guides organizations through the lengthy and often difficult process of establishing context. Every company has vastly different internal and external contexts, which is why the flexible, customizable nature of the ISO 31000 framework is essential to the task of defining context. Organizations can use ISO 31000 to refine their risk-based thinking approach before moving on to ISO 9001.

Final Thoughts

Risk-based thinking is about setting an organization up for success through proactive planning for risks and their potential consequences. Preventive action is not a standalone process; it should be at the core of every quality management system. A company driven by objectives and opportunities is a company that is constantly learning, improving, and succeeding.
