Risk-Based Thinking and ISO 9001:2015

Understanding the effects of uncertainty and applying them in your QMS

Published: Friday, August 21, 2015 - 12:26

Sponsored Content

Risk is not a straightforward concept. Definitions of risk vary, even within documents published by the International Organization for Standardization (ISO). One ISO definition indicates that risk is the “effect of uncertainty on an expected result.” Risk is now addressed by ISO 9001:2015—“Quality management systems—Requirements,” the international standard for quality management systems (QMS), scheduled for publication next month. In it, organizations are asked to “address risks and opportunities.”

New language in the final draft international standard (FDIS) of ISO 9001 focuses on “risk-based thinking,” although it stops short of actual “risk management.” As a result, the international community is wrestling with how best to audit risk. What are the concerns of auditors? What does ISO 9001:2015 ask for?

Understanding risk

In ISO 9000:2015—“Quality management systems—Fundamentals and vocabulary,” risk is defined as the “effect of uncertainty.” Notes in the definition further describe risk as a “deviation from the expected,” either positive or negative. The term “uncertainty” is clarified as a lack of information or knowledge about an event that can be expressed in terms of its consequences and the likelihood of its occurrence. Lastly, ISO 9000 states that risk is related to potential events, and that it is typically expressed as a combination of the likelihood and the consequence of such an event.

Let’s consider risk as it’s defined in ISO/FDIS 14001:2015—“Environmental management systems,” and in ISO 31000—“Risk management—Principles and guidelines.” The definition of risk in ISO 14001 is identical to ISO 9000, even though it includes only four of the six notes from ISO 9000. However, the definition of risk in ISO 31000 is a little more specific than ISO 9001 and ISO 14001, and is defined as an “effect of uncertainty on objectives.” 

This is a good time to emphasize a few notions about risk. Risk in ISO 9001:2015 and ISO 14001:2015 is general, that is, it is a concept that can be applied anywhere in an organization, including planning (Clause 6.0), i.e., the setting of objectives as it is defined in ISO 31000. Risk can be described as a potential event that can be expressed in terms of consequence, impact, or severity of the impact and its related likelihood of occurrence. 

Use of risk in ISO 9001:2015

Risk appears in the normative parts of ISO 9001 eight times, and risk-based thinking appears once. Risk and risk-based thinking appear many times more when we study the informative portions of the standard, e.g., the introductory sections and the appendix.

Clause number | Clause title | Risk requirement
------------- | ------------ | ----------------
4.4.1 | No title (under 4.4—QMS and its processes) | QMS process risks and opportunities
5.1.2 | Customer focus | Risks and opportunities that can affect conformity of products and services—this, then, is quite broad
6.1 | Actions to address risks and opportunities | Appears in the title
6.1.1 | No title | Consider risks and opportunities as they relate to the context of the organization and interested-party expectations so that the QMS achieves its “intended results,” i.e., its objectives, including improvement. This is the definition that now appears in ISO 31000.
6.1.2 | No title | Appears twice: plan actions to address risks and opportunities, including evaluating their effectiveness; and actions taken shall be proportionate to the potential impact.
9.1.3 | Analysis and evaluation | Effectiveness of actions taken to address risks and opportunities
9.3.2 | Management review inputs | Effectiveness of actions taken to address risks and opportunities as it relates to planning (6.1)

Table 1: ISO/FDIS 9001:2015 requirements for risk

Table 1 above summarizes the requirements of ISO/FDIS 9001:2015 for risk and opportunity analysis within the organization. The concept of risks and opportunities, which emphasizes identifying potential problems as well as opportunities for improvement, must be applied to QMS processes, to the conformity of products and services, and to planning QMS objectives, including setting out actions for improvement plans and evaluating their effectiveness.

Process risk and planning risk—Ref. Clauses 4.1 and 6.1
When the requirements of ISO/FDIS 9001:2015 are studied, these are the relationships indicated as they relate to QMS processes and planning:

Product and Process Risks and Opportunities—Ref. Clause 5.1.1
Risk as it relates to product and process conformance can be quite broad. The following are some areas where risk is usually addressed by organizations:

ISO 9001:2015 mandates
ISO/FDIS 9001:2015 requires companies to address risks and opportunities as they relate to QMS processes (Clause 4.4.1), planning (Clause 6.1), and product risks (Clause 5.1.2). The effectiveness of the actions taken to address risks and opportunities must be evaluated (Clause 9.1.3). Also, the effectiveness of the actions associated with objectives or planning must be included in the management review (Clause 9.3.2).

What the standard doesn’t require
Rightly so, the standard does not prescribe a methodology or require a documented process for risk-based thinking. Ultimately, it is up to an organization to choose a suitable process or specific methodology to address this.

Omnex methodology for risk

Omnex suggests that organizations integrate risks and opportunities into their organizational processes (i.e., QMS processes). Risks and opportunities must be integrated into the planning process (Clause 6.1), as shown below for business planning, or for setting organizational goals and objectives. Omnex calls this process the “business operating system” (BOS). It identifies key processes and conducts risk analysis on them because they affect the organization’s overall objectives.

For managing risk in products and services, we suggest the following methodologies. First, it’s important that a project is evaluated for overall risk, particularly how risk relates to new products, suppliers, and technology.

Second, it’s also important to use tools such as failure mode and effects analysis (FMEA), and product and process design risk analysis, to evaluate risk within the context of the new-product development process. FMEA, along with control plans, identification of critical and significant characteristics, process capability, and measurement system analysis, are proven techniques that help organizations reduce risk. Results have shown that customer nonconformances can drop significantly, into the range of 10 to 60 parts per million (PPM).

Auditing risk
Auditors must be flexible when auditing a QMS for conformity to ISO 9001:2015’s risk-based thinking. There are no requirements in the standard for a risk management process or methodology, so auditors have been concerned that auditing a QMS will be difficult. Let’s examine the standard’s planning process for organizations. Following are some of the questions auditors can ask when auditing a QMS:
1. Does the organization identify internal and external issues as they relate to the context of the business? (Clause 4.1)
2. Has the organization identified relevant interested parties as they relate to the context of the business? Has the organization understood the interested-party expectations? (Clause 4.2)
3. Has the organization used the issues developed in the context and in the needs and expectations of the interested parties when planning for the organization? (Clause 4.3)
4. Has the organization identified the risks and opportunities as they relate to the organization achieving its intended results, i.e., goal and objectives? (Clause 6)
5. Has the organization identified the actions to address the risks and opportunities?
6. Is the organization meeting its goals and objectives, i.e., is it improving?

For more on risk-based thinking, join Chad Kymal and Dirk Dusharme on Tues., Aug. 25, 2015, at 11 a.m. Pacific for the webinar, “Risk-Based Thinking: Actions to Address and Audit Risk and Opportunities.” Kymal will also be releasing a new book on ISO 9001:2015 auditing, published by ASQ, at the end of 2015.


About The Authors

Chad Kymal

Chad Kymal is the CTO and founder of Omnex Inc., an international consulting and training organization headquartered in the United States. He is also president of Omnex Systems, a software provider of ISO 9001, ISO 14001, and ISO 27001 management systems. He developed and teaches auditor training for ISO 9001, IATF 16949, ISO 14001, and ISO 45001, as well as an Integrated Management Systems Lead Auditor training course where all three standards are combined in a single audit.

Kymal is also on the ISO/TC 176, ISO/TC 207, and PC283 committees for ISO 9001:2015 (quality), ISO 14001:2015 (environmental), and ISO 45001 (health and safety) management system development.

R. Dan Reid

R. Dan Reid is Omnex Inc.’s director of standards and consulting. Reid, an ASQ Fellow and ASQ-Certified Quality Engineer, is the first delegation leader of the International Automotive Task Force; a member of U.S. Technical Advisory Groups for quality, environmental, and OH&S management systems; a trainer for ISO 9000, ISO 14000, OHSAS 18000, AS9100, ISO 13485, ISO 17025, and VDA 6.3; and serves on the American Association for Laboratory Accreditation (A2LA) board of directors. Reid led the supplier development administration at GM, and served on the Chrysler, Ford, and GM Supplier Quality Requirements Task Force, which was responsible for QS-9000 and ISO/TS 16949.