What Is Risk-Based Thinking in ISO 9001?

29 December 2019

Risk-based thinking is an integral part of ISO 9001. It goes beyond traditional risk management – which is often assigned to a dedicated risk manager – to become a fundamental way of thinking and decision making throughout the entire organization. To achieve ISO certification, businesses must demonstrate risk-based thinking at all levels, from business objectives and strategies, through systems, processes and products.

Let's take a closer look at risk-based thinking in ISO 9001. We'll start by reviewing how to identify risk, and then examine some of the techniques used in risk management. Finally we'll show you how to use these techniques and thread them into your quality management system (QMS) to achieve risk-based thinking.

Risk-Based Thinking In ISO 9001

Identifying Risk

The way in which an organization sets about identifying risk depends heavily on the context of the organization, its stakeholder requirements, its size, culture, and the nature of its products or services. Several clauses of ISO 9001:2015 explicitly mention the identification of risks.

Models can be very useful for identifying risk. The SWOT analysis, for example, is a simple but powerful tool used to help organizations identify their internal and external strengths, weaknesses, opportunities and threats. An effective model for determining external risk is the PESTEL analysis, which examines political, economic, social, technological, environmental and legal factors to identify the presence of risks.

The PESTEL Analysis


Assessing Risk

Risk assessment involves determining the probability of the risk and its severity should it occur. It's important to remember that there's no correlation between probability and severity, and risk isn't necessarily catastrophic simply because it's likely to occur. To a large extent, we're surrounded by risk, much of which is either minor or insignificant.

The probability of a risk is the likelihood that the risk event will actually occur. Probabilities can be ranked from 'remote' (or 'highly unlikely') to 'very likely'.

In terms of severity, risks can be graded from insignificant to catastrophic. Severity refers to the impact should the risk occur, and how disruptive that impact is depends on the size and nature of the organization. For example, while smaller companies would probably think of a warehouse fire as catastrophic, larger organizations might view catastrophe as a fleet of aircraft grounded due to a global lockdown.

The matrix below plots the severity of risk against the probability of it occurring. The "warmer" the cell, the greater the threat. The red cells convey a level of risk that's generally unacceptable, while those colored yellow are deemed to carry a risk that's ALARP (As Low As Reasonably Practical). The green cells represent risk that's either tolerable or negligible.

Risk Assessment Matrix (figure: probability on one axis, from 'remote' to 'very likely'; severity on the other, from 'insignificant' to 'catastrophic'; cells colored red, yellow and green)

Dealing with Risk

Applying the concepts of risk assessment to each identified risk enables organizations to prioritize risk. The "warmer" the risk classification, the higher the priority. Responses to risk are often referred to as the 4 T's Process: Tolerate, Treat, Transfer or Terminate.

Tolerating risk is where no action is taken to reduce a risk. This could be because mitigating or eliminating the risk isn't cost-effective, or because its probability is so remote that it's deemed acceptable. Examples might include hotels built in known tsunami zones or businesses operating along the San Andreas Fault. Risk can also be tolerated if its severity is low enough to be negligible, or if it's accompanied by benefits that outweigh the negative impacts.

Treating risk means addressing it directly. Strategies to consider include mitigating the risk to minimize its impact (severity), or reducing the probability of it occurring. If our hotel is built on the San Andreas Fault, for example, we could consider strengthening it in order to lessen the severity of damage should an earthquake occur. And to reduce the probability of a warehouse fire, we could remove all flammable materials in its vicinity.

Risk can be transferred in a number of ways, the most common of which is probably insurance. This option is particularly effective for managing financial risks or risks to assets (fire or theft, for example). Liability waivers can also be used to transfer risk. Other options include setting up a corporate structure where an operating company without assets takes the risk while the company that owns the assets is a step removed.

Terminating risk is often the simplest yet most frequently overlooked option. If the risk can be removed without materially affecting the organization, then this option should be considered first. Risk can be eliminated by altering a risky process or discontinuing a risky product. In the example of the hotel built on the San Andreas Fault, selling and relocating would terminate the risk.

Once risks have been identified and prioritized, the 4 T's Process is an extremely useful tool. But risk management in ISO 9001 isn't static. Organizations need to constantly monitor, measure and evaluate the effectiveness of actions they take to address risk, and must periodically re-assess both risk and their approach to combating it.

From Risk Management to Risk-Based Thinking

So far, we have discussed the main concepts of risk management. But how does risk management differ from risk-based thinking in ISO 9001?

First, risk-based thinking in ISO 9001 considers both risks and opportunities. Opportunities are basically the opposite of risk and can be managed using the same techniques. When prioritizing, you would look for a combination of likelihood and positive impact. And your actions would seek to foster opportunities.

Second, risk-based thinking means that organizations fully integrate the concepts of risk (and opportunity) management in their operations. There are numerous requirements in the standard calling for the consideration of risks and opportunities. Often a formal process, including documentation, is necessary to address these risks and opportunities.

Third, risk-based thinking means that decision makers not only understand the concepts of risk management, but have these concepts ingrained in their thinking and use them as a foundation for decision making. This is often done without a formal and documented risk management process. As mentioned earlier, we are constantly surrounded by risks. Addressing each one through a formal and documented process would bring other activities to a grinding halt. But having a fundamental understanding of probability and severity, as well as the ways of dealing with risk (the 4 T's), enables decision makers to handle risk on the fly. This is what we call risk-based thinking.

Risk-based thinking is a core component of ISO 9001 and something that auditors expect to see evidence of when conducting audits. As such, it's important for organizations to keep records of their risk management related activities. The International Organization for Standardization (ISO) provides guidelines to auditors on how to seek evidence of risk-based thinking. Suggested evidence includes:

Meeting minutes

SWOT analysis

Reports on customer feedback

Brain-storming activities

Competitor analysis

Management review

The American Society for Quality recommends keeping a Risk Register, an example of which is shown below. This type of document is a breeze to set up and enables organizations to prioritize risk quickly and without fuss. It's also easy for auditors to examine and assess.


ISO 9001 Risk Register (figure: example risk register)


Along with the Process Approach and Plan-Do-Check-Act (PDCA) methodology, risk-based thinking is an integral component of ISO 9001 and one that top executives and department managers need to be intimately familiar with. Remember too that when it's time to get certified, external auditors will expect to see evidence of your organization's approach to risk.

Naomi Sato

Consultant and Product Manager

Naomi holds dual responsibility as an ISO 9001 consultant and product manager, and is an enthusiastic contributor to our online and print resources.
