Tools for Risk-based Thinking in ISO 9001:2015



Risk-based Thinking in ISO 9001:2015

Risk-based thinking is something we do automatically in everyday life. Like looking both ways before crossing the street. Or baby-proofing the entire house before our little ones are born. Or making sure our assets are diversified.

But risk-based thinking in quality is hard. When I was a quality manager, it was one of the hardest things to implement. Even when we did successfully apply risk-based thinking, managing it gave us the most heartache.

Together and through experience, the quality community can conquer risk-based thinking. We must.

As I mentioned in my last blog post, risk-based thinking has always been part of ISO 9001. It just has greater emphasis now. And instead of removing preventive action, risk-based thinking is now built into the entire quality management system. This enables organizations to be proactive risk managers rather than reactive.

Risk-based thinking ensures consistency of quality and safety. It can improve customer satisfaction, enhance an organization’s reputation, and help maintain compliance.

“Risk-based thinking” is a generalized term that does not require any specific tools or method to be used. It just requires you to think about risks and opportunities. Organizations are given autonomy over how to set up their risk management program. Whatever approach your organization chooses, it should ensure a consistent, repeatable, and documented process.

Organizations must identify, understand, and control risks that can negatively impact their processes and the QMS. The goal is to avoid, eliminate, or reduce risks to an acceptable level to prevent undesirable outcomes. You may also make an informed decision to keep a risk. Additionally, identifying opportunities allows an organization to capitalize on the possibilities and achieve improved results promoting a balanced approach to maintaining an effective quality management system.

Before you begin setting up your program, make sure you have the right people present. Risk assessments only work if people understand the process, the product, or the impact of the service and can contribute to a robust discussion.


Here are some tools and how you can use them.

1. Risk Assessment and Risk Matrix Complete a risk assessment on each quality event. Triaging quality events as they come in allows you to have better control of your system and resources. But don’t assume low risk without evidence. 

Reduce the effort for low-risk events and focus your time and resources to aggressively and effectively address high-risk events. Higher risk = more timely and aggressive response.

Use a risk assessment matrix for an objective assessment to complete this activity. Quantifiable data makes it easier to visualize risk level. Using severity and probability or likelihood an event will occur, you can objectively decide how to handle a situation. Here's a common example.

Risk Assessment Matrix


2. Failure Modes and Effects Analysis (FMEA) A FMEA is used during the design phase of products and processes. It’s used to identify potential failures and their consequence. Each failure mode is assigned a value for occurrence, severity, and detectability that is multiplied to give the risk priority number (O x S x D= RPN). The RPN can be used to prioritize high risk items. If there are failure modes with similar or identical RPNs, address the high severity items first. 

In the end, remember the FMEA is a living document. Reassess after each nonconformity, especially customer feedback, and update as necessary. This is a very important and often overlooked step.

3. Fault Tree Analysis (FTA) Use the FTA method to complement your FMEA process. FTA diagram is used to analyze an undesirable outcome and its causes in a top-down approach. The top event is deconstructed into lower level events and analyzed. By determining the probability of each lower level event, you can assign probability of the top event. Then risk reduction actions focus on preventing the top event.

4. Risk Register A risk register can be used to log all identified risks in a system and their controls. The register can be used to assign and track implementation of proposed treatments. The risk level can be assessed before and after risk mitigation actions to monitor and determine effective reduction in risk.

5. Dashboard and Reporting An important requirement in ISO9001:2015 is leadership accountability. Reporting and dashboards enable visibility and transparency so that decisions can be timely and proactive. Monitoring and trending is an important aspect of risk management. Dashboards for trending and reporting should be discussed with management with documented meeting notes and action plans on a regular basis.

Risk-based thinking is an integral part of the process approach and Plan-Do-Check-Act (PDCA) cycle. You must plan and identify all risks, implement corrective and/or preventive actions, check to ensure mitigations were effective, and act to continuously improve the process.

We will discuss the importance of the process approach and PDCA in our next blog post.

Until then, have a quality-filled day!