Featured Product
This Week in Quality Digest Live
Risk Management Features
Jón Bergsteinsson
Understanding the standard is essential
Megan Wallin-Kerth
Or, how mistakes factor into a kaizen mindset
Shaneé Dawkins
Learn how to spot and avoid common phishing tactics
Gleb Tsipursky
Tension between desire for flexibility and perceived need to be visible for career advancement
Scott A. Hindle
Part 2 of our series on SPC in a digital era

More Features

Risk Management News
Providing practical interpretation of the EU AI Act
A tool to help detect sinister email
Developing tools to measure and improve trustworthiness
Streamlines annual regulatory review for life sciences
Adds increased focus on governance
Educational offerings available in Santa Clara in December 2023
Greater accuracy in under 3 seconds of inspection time

More News

Richard Harpster

Risk Management

Top 10 Things You Need to Know About Implementing Risk-Based Thinking

Understanding ISO 9001:2015’s new requirement

Published: Wednesday, January 10, 2018 - 12:01

The concept of risk-based thinking has been implicit in previous editions of ISO 9001 through requirements planning, review, and improvement. But ISO 9001:2015 requires companies to use risk-based thinking to manage their business.

If you want to implement an ISO 9001:2015-compliant quality management system (QMS) that uses risk-based thinking, there are 10 things you need to know.

Top 10 things you need to know

1. What is risk?
Risk has two components. The first is the probability of an objectionable incident occurring. The second is the severity of harm when the objectionable incident occurs.

2. How is risk reduced?
Risk can be reduced by reducing the probability of occurrence of the objectionable incident or the severity of harm when the objectionable incident occurs. It is typically much more difficult to reduce the severity of harm than to reduce the probability of the objectionable incident from occurring.

3. Where are the sources of risk in a company?
Every process in company is a source of risk. An objectionable incident occurs whenever a process does not perform as intended. The severity of harm is based on the type of process.

Risk-based thinking is preventive. It requires a company to analyze its processes to determine the potential causes of its processes not performing as intended. Once the potential causes are identified, controls are created to prevent the causes and the resultant failures in performance. Additional controls can be created to minimize the effects of the process not performing as intended. The implementation of prevention controls and effect mitigation controls are also potential sources of risk.

Risk-based thinking is also used to select the opportunities the company will pursue. While opportunities provide benefits to a company, they can also expose it to risk if the wrong opportunity is selected.

4. What processes does ISO 9001:2015 require risk-based thinking to be used on?
The standard is nonprescriptive when defining the processes that risk-based thinking must be used on. The standard allows the company to define the processes that make up the QMS. Once the company defines the processes that make up the QMS, risk-based thinking must be implemented on them.

5. What is the relationship between risk-based thinking and plan-do-check-act?
The standard requires that risk-based thinking be integrated with the plan-do-check-act cycle. The integration is accomplished by assessing the risk of the “plan” before performing the “do” step.

6. What are the key steps in managing process risk within the QMS system?
Once the processes that make up the QMS system are defined, there are four steps to managing process risk with the QMS system:

• The inputs and outputs for each process in the QMS system must be defined.
• The sequence and interaction of the QMS processes must be defined.
• The risks of the required processes must be defined.
• An action plan must be developed to address the risks of the required processes to confirm the QMS can achieve its intended results, enhance the probability of desirable process outputs, and prevent or reduce the probability of undesirable outputs.

7. How does a company prioritize which QMS process risks to work on?
Actions taken to reduce risk shall be proportionate to the potential impact the actions will have on the quality of delivered products and services. Because companies do not have unlimited resources, it is not possible to work on all the sources of risk within QMS processes.

8. What types of risk management tools does the standard require companies to use?
The standard does not require the use of any specific risk management tools. The following risk-management tools can be very effective when used correctly.

Requirements Risk Assessment (RRA): Two of the greatest sources of risk for companies that design products are improper definitions of customer requirements and design requirements. Companies can end up spending millions of dollars in design changes when customer requirements and/or design requirements are improperly defined. Companies that provide their products to a marketplace have the considerable challenge of creating a single product that multiple customers with different wants and needs will purchase. An RRA is performed to define a set of risk-optimized customer and design requirements.
Design failure mode and effects analysis (DFMEA): Once the design requirements have been optimized, product design specifications must be created that define a product that will meet them. DFMEA is a risk assessment of the adequacy of the product design specifications in defining a product that will meet the design requirements.
Process failure mode and effects analysis (PFMEA): The product must be manufactured to the design specifications. The PFMEA is a risk assessment of the adequacy of the process in manufacturing a product that will meet the product design specifications.
Usage Risk Assessment (URA): A product can fail if it is not used as intended. A URA is conducted to assess the adequacy of the design and usage instructions to prevent failure due to improper use.

9. What elements of the risk management system must be documented?
The standard does not require the risk management system to be formalized or documented. The standard does not define the elements that the risk management system must have.

10. Should a company implement a risk management system that is more robust that the system described in the standard?
Because risk management is very critical to business success and it is difficult to effectively implement a system that is neither formalized or documented, businesses may want to do more than the standard requires to facilitate effective implementation of the risk management system. A good starting point would be creating a formalized and documented risk management system as well as training on it.


There is a lot of misunderstanding about what it ISO 9001:2015 means by its requirement to implement risk-based thinking. I believe people are making it much more difficult than it is. If you are a successful company, there is a high likelihood that you are already implementing some form of risk-based thinking. Hopefully, this article will assist you in properly implementing risk-based thinking to manage your company so you can experience the many benefits of its use.

Join Harpco Systems’ Richard Harpster and Quality Digest’s editor in chief Dirk Dusharme for the webinar, “Ten Things You Need to Know When Implementing ISO 9001:2015-Compliant Risk-Based Thinking,” on Wed., Jan. 17, 2018, at 11 a.m. Pacific/2 p.m. Eastern. Register here.



About The Author

Richard Harpster’s picture

Richard Harpster

Richard Harpster is president of Harpco Systems, which he founded in 1987. Harpco Systems specializes in providing software, training, and consulting for risked-based product lifecycle management (RBPLM). During the past 30 years, Harpster has helped hundreds of companies implement improved risk-based design and manufacturing systems in a wide variety of industries. He is a recognized expert in the application of FMEAs and has invented several new concepts, including the linking of design FMEAs to process FMEAs in 1990, which became an automotive industry standard 18 years later. His latest inventions in the field of RBPLM include Requirements Risk Assessment (RRA), Usage Risk Assessment (URA), Multiple Integrated Cause Analysis (MICA), and Rapid Integrated Problem Solving (RIPS). He has published several papers on the topic of RBPLM.