Andrew Thornhill

What is Risk Based Thinking?

In this video, we're going to explain what is meant by risk-based thinking, which is a concept reinforced in various ISO management system standards.

Towards the end of the video, I'll talk about how you can use this concept of risk-based thinking to get maximum value out of your efforts around your management system.

Risk in the different ISO management system standards

Starting with the Quality Management Standard (ISO 9001), risk has certainly been reinforced when this standard was re-released in 2015.

Looking at particular requirements of the modern quality standard, such as the internal audit requirement, ISO does not use the word 'risk' directly, but it comes up with 99 other phrases encouraging you to take a risk-based approach.

In terms of investigating non-conforming outputs, the level of effort we put into that should be related to the effects of the non-conformance that has occurred. That is ISO's way of saying, "Don't go overboard on low-risk issues."


What has changed in all of the standards, including ISO 9001:2015, is that there are now requirements for a high level of identification and management of risk in a systematic fashion, not just a once-off identification.

ISO Clauses and Risk

Under Clause 4.1, we have to identify internal and external issues that could impact on what we're trying to achieve under the quality standard.

Under Clause 6, we have to plan and implement actions to address risks and opportunities.

Under Clause 8.1, we need to implement those actions.

Under Clause 9, we have to monitor progress of actions taken on risks and opportunities.

That's what we mean by a systematic approach to management of risk.


For people who have read the standard carefully, you'll notice that between the previous version of the quality standard and ISO 9001:2015 they've dropped the term 'preventative action'. It has been replaced because they are getting you to look at risk up front and then treat it systematically, which is a lot more effective than treating it only as an endpoint.

You need to start to think, "Okay, is there anything here that could go wrong? And do we need to take action on it?" Treating risk systematically is a much more effective approach.


Think about your efforts for risk

In our experience, we see a lot of customers spending unneeded time developing procedures and resolving issues that are low risk. They haven't brought this risk-based thinking to the table.

Here at IRM Systems, we try to change that thinking among our customers by pointing out that even ISO has stated not to go overboard on those low-risk issues.

Put your efforts in where there are high-risk issues; that is where you're going to get a lot more value out of your management system for your organisation.

Use risk as a basis when you regularly review your system

If you do this, you will be able to look for opportunities to streamline, and to decide where you have redundant processes.

Where is more effort going than required? How can you streamline the processes? Think about risk in order to answer this.

For example, have you built too many processes, requirements and controls around low-risk issues? Those are the areas you should aim to streamline.


If you are finding value from these weekly videos, we encourage you to subscribe to our YouTube Channel. We've got a whole lot more content in this series plus a previous series on internal auditing that will help you on your journey towards certification.
