
Risk-Based Thinking for Certification to ISO Standards

ISO management system standards now build in risk-based thinking: know where your risks are, and how to deal with them, for certification and for business health

Business risk is inevitable, whether or not we consider it explicitly every day. Beginning with ISO 9001:2015, ISO management system standards made risk-based thinking (RBT) an explicit requirement, so some thought and decision-making about risk is needed in order to achieve certification. Can we see in a simple way how we already use RBT in our daily work, and how we could use it better?

Where Is Risk-Based Thinking Explicit and Implicit in ISO standards?

In the current version, published in 2015, ISO 9001 brought RBT to the fore as part of top management's responsibility at the planning stage. The concept is introduced briefly in clause 0.3.3: "[A]n organization needs to plan and implement actions to address both risks and opportunities…[this] establishes a basis for increasing the effectiveness of the quality management system, achieving improved results and preventing negative effects." Such thinking acts as a preventive tool, helping an organization foresee risks and deal with them before they become problems; the 2015 revision dropped the separate "preventive action" requirement of earlier editions for exactly this reason.

This doesn't mean living in fear, or freezing into inaction. When crossing the street, for instance, we decide whether to walk to the corner crosswalk or just dash across. In the same way, in business we take daily actions knowing that there are some inherent risks whichever way we go. What matters is to know what those risks, and opportunities, are. Here are some of them, for four main standards.

ISO 9001:2015 – Quality Management Systems

RBT runs throughout this base standard. Clause 4, "Context of the organization," requires considering what the organization is set up to do and what it leaves out, who its customers and other interested parties are, and the scope of its management system. All of these carry the subtext of both the risk of performing certain operations and the risk of leaving certain opportunities out. Clause 5 covers leadership responsibilities, including communication, which as we all know is fraught with the risk of misunderstanding!

Clause 6 addresses risk directly, with the requirement in 6.1.1 to "consider the issues…and determine the risks and opportunities that need to be addressed." Clause 6.1.2 then requires the organization to plan actions to address those risks and opportunities, to integrate the actions into its processes, and to evaluate whether they have been effective.

Clause 7 requires us to consider what resources those activities need, including people: the risk of hiring this person or that one, with different skills and personalities, as well as the cost of wages, benefits, and ongoing training and education. The same applies to infrastructure (buildings, equipment, furnishings, etc.) and to the work environment, which includes both physical conditions and company culture, and even to the documented information of the system itself, which clause 7.5.3 requires to be protected from loss of confidentiality, improper use and loss of integrity, for instance from unintended changes.

Clause 8 is loaded with RBT: planning of operations, design and development of the product or service, communication with customers about their requirements, purchasing and control of externally provided processes, products and services, and so on. Each of these carries inherent risk, and the quality management system is the way those risks are controlled in a consistent manner. Clauses 9 and 10 reflect the importance of evaluating how effective the current system is and how it can be improved, while continuing to manage risk.

Certification to ISO 9001 can open up new markets and business opportunities


ISO 13485:2016 – Medical devices – Quality management systems

This standard is heavy with RBT, with good reason! It is built on the ISO 9001 clause structure (the 2008 numbering, since ISO 13485:2016 was not restructured to match ISO 9001:2015), requires a risk-based approach to the control of the QMS processes themselves (4.1.2), and requires documented risk management throughout product realization (7.1, which points to ISO 14971). On top of that come additional concerns about contamination control in the work environment (6.4.2), design and development files (7.3.10), purchasing (7.4.1) and verification of purchased product (7.4.3), cleanliness of product (7.5.2), identification (7.5.8), traceability (7.5.9) and preservation of product (7.5.11). Nonconforming product also gets heavy emphasis, in clause 8.3, to control the risk of letting out something that is not ready for use in or on the human body. ISO 13485 certification also helps make FDA inspections less stressful.


ISO 14001:2015 – Environmental Management Systems

The environmental management standard is, or ought to be, a major concern for any company that produces products or services. Judicious choice of raw materials, the amount of water and energy used, how much waste is generated, and so forth, are all risks to be addressed. Like ISO 9001:2015, this standard carries the clause 6.1 requirement to determine risks and opportunities, here tied to the organization's environmental aspects (6.1.2) and its compliance obligations (6.1.3), so RBT can help the system be designed well in the first place and improved over time through analysis. ISO 14001 certification tells the world that you are being a good steward of the environment.


ISO 45001:2018 – Occupational health and safety management systems

Just saying "health and safety" should tell us that RBT will be involved. The clauses follow ISO 9001:2015 fairly closely, with the emphasis on health and safety rather than quality, and with workers treated as a primary "interested party." Clause 6 includes requirements on hazard identification and assessment of risks and opportunities (6.1.2) and on determining legal and other requirements (6.1.3): risks all around! Operational planning and control (clause 8) and evaluation and improvement (clauses 9 and 10) apply the same principles. A company certified to ISO 45001 may find its next OSHA inspection a lot easier.


But What Do You Do with Risk?

Once we've identified risks, we have to weigh their relative importance, then decide how to deal with each one accordingly. Typically we rate how often something might occur against how damaging it would be if it did; a simple likelihood-by-severity matrix is enough for most organizations, and the more elaborate methods that are readily available we won't go into here. Whatever the method, record the outcome of each decision, because an auditor will look for evidence that the risks were determined and that the actions taken were evaluated, as clause 6.1.2 requires. Here are four ways of dealing with a risk. A fifth, knowingly accepting a residual risk because treating it would cost more than it is worth, is also legitimate, as long as that decision is recorded rather than made by default.

Mitigate/Reduce: In purchasing, for instance, we can reduce the risk of goods arriving late, or of being out of stock, by choosing suppliers carefully. Requiring employees to use PPE, providing proper training, and fitting guards on equipment all reduce the risk of accidents and injury.

Avoid: Bob Newhart was famous for a sketch in which he claimed to cure any personal problem by telling the patient "Stop it!" We can choose not to pursue an activity whose risk we feel cannot be adequately controlled. That choice of course carries its own risk, of not entering a profitable market, which has to be weighed against the other.

Transfer/Share: One client of ours produced a particularly high-tolerance part made of very expensive material. Their customer wanted them to guarantee the tolerances after finishing, a process that could have changed some measurements. After some negotiation and push-back, the customer agreed to accept the tolerances before the finishing process, which put the final risk, of purchasing more material and paying for production again, on the customer.

Insure: If RBT has been part of your planning and can be explained to your broker, insuring against the remaining risks may cost you less than it otherwise would. It's worth a conversation!
