What Is Risk-Based Thinking?

One of the foundations of quality management

Loic Leray

Michael Mills
Thu, 04/10/2025 - 00:03

Risk-based thinking—it sounds easy. How hard can it be to think about risk? But did you know that the phrase “risk-based thinking” was only invented in 2015? 

Did you know that the ISO says “risk-based thinking” is one of the foundations of quality management, but never defines it? Or that it sparked a big controversy in the quality community when it first came out?

Did you know that you can use risk-based thinking as a business strategy in the real world, even if you ignore ISO and all of its standards?

It’s all true. Let me explain.

The words “risk-based thinking” first appeared in the 2015 edition of the ISO 9001 standard, which right away declared it to be something fundamental. The standard’s introduction makes risk-based thinking a part of the process approach and says that it “is essential for achieving an effective quality management system.” Three paragraphs in the introduction and five paragraphs in the annex are dedicated to explaining how risk-based thinking works and why it’s so important.

 …


Comments

Submitted by Mike Goodsell (not verified) on Thu, 04/10/2025 - 10:00

Preventative actions

I must disagree with the examples. Every example is based on allowing risk to exist in the process at inception. This is common where “timeliness” is mistaken to mean speedy.

Pushing a poor process through to “ship tomorrow” is not the correct way to go about it. In the example of the off-color widgets, the risk analysis should have happened before the first batch was ever run. “What could go wrong?” needs to be asked up front and those conditions need to be guarded against through error proofing. Adding inspection does not change quality, it only increases costs.

Preventative actions at this point result in lower scrap costs, lower labor costs, lower raw material costs and greater customer satisfaction. That is the real reason it was taken out. Waiting until the customer has experienced pain due to an error that should not have happened in the first place, is the wrong time to put in the due diligence.

There will be many who believe that this would cost too much; that the time it takes would somehow prevent maximum profits. Nothing could be further from the truth. Again, back to the example, equipment was purchased and installed without any thought to what COULD fail. If that was added then, the time expense is amortized over all the products that run across that equipment. Waiting to increase labor costs for every product made by adding additional inspection people to the process. Raw material costs increase due to necessitating forecast for loss into the material stream. Shipping costs increase through additional costs to replace unusable product. Overall operational efficiency has decreased due to the necessity to make the same product twice while only being paid once.

Quality is not inspection. It isn’t sorting out rejects. Quality is a set of inherent characteristics within a product making it fit for its intended use. It occurs at the point of process where those individual characteristics are produced.

Control those and quality truly is free.

Submitted by Michael Mills … (not verified) on Mon, 04/14/2025 - 08:24

In reply to Preventative actions by Mike Goodsell (not verified)

Hi, I'm the author. Just a quick note.

Of course you are absolutely right that in real life a risk analysis should have been done before the machine was installed. And yes, adding an inspection process could well be a lazy (and costly) way to fix the problem (depending on the other special circumstances of the case). I hope everyone understands that.

I just wanted an easy example to show the logic whereby the ISO TC 176 concluded that they could remove wording related to "preventive action" because the same work was already covered by "risk-based thinking." I never meant anyone to take that simple classroom-example as a guide to professional practice!

Maybe I should have made my wording clearer to emphasize that this was purely a thought-experiment, and I apologize for the unclarity. In any event, I'm glad to know that you and others are reading with a critical eye. It's what makes our profession work.

Submitted by greg (not verified) on Thu, 04/10/2025 - 10:31

How do you audit someone's risk based thinking? You can't. Unless you've passed Mind Reading 101. This is the fatal flaw in ISO RBT.

Challenge is ISO never defined RBT so it could be operationalized, audited, and assured. We define RBT as risk based problem solving and decision making. Each has evidence, audit trail, outcomes, assumptions so it can be audited and assured.

ISO and EOQ believe: Future of Quality: Risk(R)

Submitted by Bas-rev1 on Mon, 04/14/2025 - 12:27

In reply to How do you audit someone's… by greg (not verified)

True but how is it any better than preventive measures?

While risk based thinking is a bit lame, it is still better auditable than preventive measures. So you have 2 preventive measures like “good coffee” and then you comply.

Submitted by Christopher Paris (not verified) on Wed, 04/23/2025 - 13:12

In reply to True but how is it any… by Bas-rev1

Under the older standard, users were required to have (1) a procedure on preventive action processing, (2) records, (3) root cause analysis, (4) follow up verification. All of those were auditable. ISO only bungled it because they confused people as to the preventive aspects of CORRECTIVE action (you have to prevent an existing problem from recurring again) and "pure" PREVENTIVE action (you prevent a problem from occurring in the first place.) This could have been fixed with simple editing, but ISO jammed "risk" into the standard to make money, and they mucked up the entire thing. Now "risk-based thinking" doesn't require anything at all -- no procedure, no records, no verification, nothing. You can "think" about risk, and you've accomplished the requirement. That was a huge step backward.

Submitted by Dirk van Putten (not verified) on Thu, 04/10/2025 - 11:31

Auditing Practices Group Guidance on: Risk Based Thinking

Another resource is the paper offered by ISO and IAF Auditing Practices Group.

https://committee.iso.org/files/live/sites/tc176/files/PDF%20APG%20New%20Disclaimer%2012-2023/ISO-TC%20176-TF_APG-RiskBasedThinking.pdf

Submitted by Michael Willia… (not verified) on Thu, 04/10/2025 - 21:25

RBT

It is incorrect to say "comply" - "We’re even told exactly what an organization must prove to comply with the standard."

Submitted by Bas-rev1 on Mon, 04/14/2025 - 12:47

CAPA

Where is this CAPA thing coming from? I have seen it in some nonconformity reports of clients. They take preventive measures AFTER something happens. How is that preventive?

© 2025 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute Inc.
