What Is Risk-Based Thinking?

One of the foundations of quality management

Loic Leray

Thu, 04/10/2025 - 00:03

Risk-based thinking—it sounds easy. How hard can it be to think about risk? But did you know that the phrase “risk-based thinking” was only invented in 2015? 

ADVERTISEMENT

Did you know that the ISO says “risk-based thinking” is one of the foundations of quality management, but never defines it? Or that it sparked a big controversy in the quality community when it first came out?

Did you know that you can use risk-based thinking as a business strategy in the real world, even if you ignore ISO and all of its standards?

It’s all true. Let me explain.

The words “risk-based thinking” first appeared in the 2015 edition of the ISO 9001 standard, which right away declared it to be something fundamental. The standard’s introduction makes risk-based thinking a part of the process approach and says that it “is essential for achieving an effective quality management system.” Three paragraphs in the introduction, and five paragraphs in the annex are dedicated to explaining how risk-based thinking works and why it’s so important.

Is there a definition?

We never get a formal definition: not in ISO 9001, not in the companion standard ISO 9000, and not in the guidance document ISO 9004. There’s a practical reason for the silence: ISO 9001 is used across a wide range of industries, many of which already have their own specialized ways to handle risk, and no formal definition could do justice to them all. But it still feels a little odd. How can this concept be so important if no one is willing to define it?

Pragmatically, I think the implicit definition of risk-based thinking runs something like this:

“There are things you don’t know or aren’t sure of, and they can make your plans go astray. Risk-based thinking is when you keep these possibilities in mind while making your plans and take steps to guard against them.”

On the other hand, the standard does explain in some detail how risk-based thinking works and what it does for us:
• Risk-based thinking drives requirements for planning, review, and improvement. (If nothing ever went wrong, we wouldn’t need to plan, review, or improve.)
• Risk-based thinking identifies the weaknesses in a quality management system so that we can implement protective measures. (If nothing ever went wrong, we wouldn’t need to protect against failure.)
• Risk-based thinking allows us greater flexibility as we build our quality management systems. (If we know that there are big risks in one area and not another, we can build up more requirements in the area with the big risks and we can afford to leave the other area looser or more free-form.) 

We’re even told exactly what an organization must prove to comply with the standard. There’s no requirement for any formal risk management methodology. Instead, the rule is simply, “To conform to the requirements of this International Standard, an organization needs to plan and implement actions to address risks and opportunities.” That’s it.

Risk and prevention

So far, so good. But when that edition came out, there was a big controversy over one point. The new standard said, “Now that we’ve got risk-based thinking, we don’t need rules about preventive action.” But quality experts around the world had all been trained that when anything goes wrong, you respond with “corrective action and preventive action.” It was even a common acronym: CAPA. What did ISO mean by monkeying with that rule?  

The background is that, yes, earlier editions of ISO 9001 had explicit requirements for organizations to undertake preventive actions “to eliminate the causes of potential nonconformities” as well as corrective actions to eliminate the causes of actual ones. And yes, the current 2015 edition does away with those rules. But it’s not because ISO thinks preventive actions have suddenly become a bad thing. It explains the change as follows:

“One of the key purposes of a quality management system is to act as a preventive tool. Consequently, this International Standard does not have a separate clause or subclause on preventive action. The concept of preventive action is expressed using risk-based thinking in formulating quality management system requirements.”

In other words, ISO doesn’t want anyone to stop doing preventive actions. It just thinks it doesn’t have to say it in so many words because preventive actions are already covered by risk-based thinking.

Here’s how it works: Let’s say that your company makes widgets. One product line is decorative widgets for the home market, sold in a range of colors to coordinate with the buyer’s furniture. And let’s say you received a customer complaint that a certain batch of widgets was the wrong color when it arrived. Of course, you look for root causes of the failure. The technical root cause, you find, is that something is wrong with the machine that mixes the paint used on the widgets. But you also ask why nobody caught the discrepancy before the product left your dock, and you discover that there is no step in the manufacturing process to check the color before shipping the widgets.

Naturally, you address both problems. First, you fix the machine, and maybe put it on a more proactive maintenance schedule for the future. Second, you implement an inspection step to check the color of widgets on this line before they get packaged. But you’re not done.

Under an earlier edition of the standard, you would have been required to take preventive action as well, against failures that hadn’t happened yet. That means you ask yourself, “Where else in our operations is color important but we aren’t checking it?” Maybe you find that some of the widgets you make for industrial applications have color requirements as well, so you introduce an inspection step for them, too. This step is preventive because there hasn’t been a failure yet. But better safe than sorry.

It’s important to reflect like this. But what the critics miss is that when you apply risk-based thinking, you’ll still do the exact same thing. Today there’s no requirement in the standard to take “preventive action” in those words. What happens instead is that—because of your root cause analysis into the initial customer complaint—you learn more about the product than you knew before. Specifically, you learn that there is a risk that the color might be wrong, and that a wrong color might make your customer unhappy. Now that you know this, risk-based thinking means that you also ask, “Where else in my operation could this risk show up?” And when you find places where it could show up, then you take steps to prevent it.

In other words, your practical work in real life doesn’t change. Whether you call it “preventive action” or “risk-based thinking,” you’re still doing the same analysis to prevent problems before they start. The only difference is in how the standard describes your work—but not in the work itself.

Risk-based thinking as a business strategy

So far I’ve talked a lot about the ISO standard. But risk-based thinking has applications far beyond that. Recently, I talked with an old friend who had just finished auditing a farming operation that produces nuts for the gourmet market. He said that the requirements in the quality management system were very stringent, even though the contractual requirements from their customers were pretty lax. When he asked why the system was so strict, they told him:

“Look, we’re a small farm. We’ll never compete with the big players on volume, so we have to compete on quality. It’s true that the formal requirements from our customers are pretty lax. But informally, we get business because they all know our nuts will be perfect: every package, every time. If we get even a single customer return, that reputation will crumple and so will our business. So, we cannot afford a single failure.”

As a result, the farm is always thinking ahead about what could go wrong. It has systems in place to prevent mold, disease, discoloration, grit, impurities—any possible imperfection in the nuts. Whenever it identifies a new risk, it jumps to address it before it ever comes true. And because the company is so rigorously focused on identifying and planning for risks, the nuts that it sells are flawless. The company has an excellent reputation in the industry, and sales are always good.

This is how it turned risk-based thinking into a business strategy.

Fundamentally, risk-based thinking isn’t anything strange or hard. All it really means is that you’re aware that things can go wrong and you plan for them. That’s common sense. But if you do it consistently, the benefits are huge.

Comments

Submitted by Mike Goodsell (not verified) on Thu, 04/10/2025 - 10:00

I must disagree with the examples. Every example is based on allowing risk to exist in the process at inception. This is common where “timeliness” is mistaken to mean speedy.

Pushing a poor process through to “ship tomorrow” is not the correct way to go about it. In the example of the off-color widgets, the risk analysis should have happened before the first batch was ever run. “What could go wrong?” needs to be asked up front and those conditions need to be guarded against through error proofing. Adding inspection does not change quality, it only increases costs.

Preventative actions at this point result in lower scrap costs, lower labor costs, lower raw material costs and greater customer satisfaction. That is the real reason it was taken out. Waiting until the customer has experienced pain due to an error that should not have happened in the first place, is the wrong time to put in the due diligence.

There will be many who believe that this would cost too much; that the time it takes would somehow prevent maximum profits. Nothing could be further from the truth. Again, back to the example, equipment was purchased and installed without any thought to what COULD fail. If that was added then, the time expense is amortized over all the products that run across that equipment. Waiting to increase labor costs for every product made by adding additional inspection people to the process. Raw material costs increase due to necessitating forecast for loss into the material stream. Shipping costs increase through additional costs to replace unusable product. Overall operational efficiency has decreased due to the necessity to make the same product twice while only being paid once.

Quality is not inspection. It isn’t sorting out rejects. Quality is a set of inherent characteristics within a product making it fit for its intended use. It occurs at the point of process where those individual characteristics are produced.

Control those and quality truly is free.

Submitted by Michael Mills … (not verified) on Mon, 04/14/2025 - 08:24

Hi, I'm the author. Just a quick note.

Of course you are absolutely right that in real life a risk analysis should have been done before the machine was installed. And yes, adding an inspection process could well be a lazy (and costly) way to fix the problem (depending on the other special circumstances of the case). I hope everyone understands that.

I just wanted an easy example to show the logic whereby the ISO TC 176 concluded that they could remove wording related to "preventive action" because the same work was already covered by "risk-based thinking." I never meant anyone to take that simple classroom-example as a guide to professional practice!

Maybe I should have made my wording clearer to emphasize that this was purely a thought-experiment, and I apologize for the unclarity. In any event, I'm glad to know that you and others are reading with a critical eye. It's what makes our profession work.

Submitted by greg (not verified) on Thu, 04/10/2025 - 10:31

How do you audit someone's risk based thinking.  You can't.  Unless, you've passed Mind Reading 101.  This is the fatal flaw in ISO RBT.  

Challenge is ISO never defined RBT so it could be operationalized, audited, and assured.  We define RBT as risk based problem solving and decision making.  Each has evidence, audit trail, outcomes, assumptions so it can be audted and assured.

ISO and EOQ believe: Future of Quality: Risk(R)

True but how is it any better than preventive measures?

While risk based thinking is a bit lame. It is still better auditable than Preventive measures. So you have 2 preventive measures like “good coffee” and then you comply.

Under the older standard, users were required to have (1) a procedure on preventive action processing, (2) records, (3) root cause analysis, (4) follow up verification. All of those were auditable. ISO only bungled it because they confused people as to the preventive aspects of CORRECTIVE action (you have to prevent an existing problem from recurring again) and "pure" PREVENTIVE action (you prevent a problem from occurring in the first place.) This could have been fixed with simple editing, but ISO jammed "risk" into the standard to make money, and they mucked up the entire thing. Now "risk-based thinking" doesn't require anything at all -- no procedure, no records, no verification, nothing. You can "think" about risk, and you've accomplished the requirement. That was a huge step backward.

Submitted by Dirk van Putten (not verified) on Thu, 04/10/2025 - 11:31

Another resource is the paper offered by ISO and IAF Auditing Practices Group.

https://committee.iso.org/files/live/sites/tc176/files/PDF%20APG%20New%20Disclaimer%2012-2023/ISO-TC%20176-TF_APG-RiskBasedThinking.pdf

Submitted by Michael Willia… (not verified) on Thu, 04/10/2025 - 21:25

It is incorrect to say "comply"  - "We’re even told exactly what an organization must prove to comply with the standard. "

Submitted by Bas-rev1 on Mon, 04/14/2025 - 12:47

Where is this CAPA thing coming from? I have seen it in some nonconfomity reports of clients. They take preventive measures AFTER something happens. How is that preventive? 

Add new comment

The content of this field is kept private and will not be shown publicly.
About text formats
Image CAPTCHA
Enter the characters shown in the image.