How To: Address Risk-Based Thinking in A Quality Management System


HOW TO: ADDRESS RISK-BASED THINKING IN A QUALITY MANAGEMENT SYSTEM

info@riskza.com | www.riskza.com | 0861 RISK ZA



CONTENTS
OVERVIEW OF THE ISO 9001:2015 REVISION
MANAGING RISK IN A QUALITY MANAGEMENT SYSTEM
CONSIDERING AN ENTERPRISE-WIDE APPROACH TO RISK MANAGEMENT
RISK-BASED THINKING IN THE QUALITY MANAGEMENT STANDARD
SUMMARY OF THE BENEFITS OF RISK-BASED THINKING
THE IMPORTANCE OF INSTITUTIONAL KNOWLEDGE
WORK WITH RISK ZA


OVERVIEW OF THE ISO 9001:2015 REVISION


The ISO 9001:2015 Quality Management Systems standard provides confidence in an organisation’s
ability to consistently provide customers with conforming goods or services and to enhance
customer satisfaction.

The revised Quality Management Systems (QMS) standard was published in September 2015, and
the committee responsible for the ISO 9001 revision introduced several changes, which are:

Providing a Quality Management standard with a foundation for integration with other Management Systems.
Introducing Risk-based Thinking.
Aligning the QMS policy and objectives with the strategy of an organisation.
Providing greater flexibility for documentation.

The common format developed by ISO to facilitate integration is known as Annex SL or the
High-Level Structure. It provides a standardised core text and structure common to all revised ISO
Management Systems as follows:

CLAUSE 1 Scope

CLAUSE 2 Normative references

CLAUSE 3 Terms and definitions

CLAUSE 4 Context of the organisation

CLAUSE 5 Leadership

CLAUSE 6 Planning

CLAUSE 7 Support

CLAUSE 8 Operation

CLAUSE 9 Performance evaluation

CLAUSE 10 Improvement


MANAGING RISK IN A QUALITY MANAGEMENT SYSTEM

Risk in the ISO 9001:2015 Quality Management standard relates to the uncertainty of achieving
the objectives of the QMS, which are to provide products and services that conform to customers’
requirements. Understanding risks and finding ways to mitigate them helps organisations to drive
changes and improvements.

Risk-based thinking is incorporated into the whole management system, in order to:

Ensure that risks are considered from the beginning and throughout the process approach.
Make proactive action part of strategic planning.
Identify opportunities for improvement.

There isn’t a requirement in ISO 9001:2015 to use formal risk management and an organisation
can choose the methods that best suit its needs. ISO/TS 9002:2016 states that organisations can
consider using the outputs of techniques such as:

SWOT: Strengths-Weaknesses-Opportunities-Threats
PESTLE: Political-Economic-Social-Technological-Legal-Environmental
FMEA: Failure Mode and Effects Analysis
FMECA: Failure Mode, Effects, and Criticality Analysis
HACCP: Hazard Analysis and Critical Control Points

Simpler approaches include methods such as brainstorming, Structured What If Technique
(SWIFT), and risk matrix (consequences and probability).

The application of risk-based thinking can also help an organisation to develop a proactive and
preventive culture focused on doing things better and improving how work is done in general.


CONSIDERING AN ENTERPRISE-WIDE APPROACH TO RISK MANAGEMENT

Risk-based thinking is common to all revised ISO Management Systems standards written using
the High-Level Structure. For some organisations facing high levels of risk, however, it may be
worth taking an enterprise-wide approach to Risk Management and applying the ISO
31000:2018 Risk Management standard.

ISO 9001:2015 does not require a formal risk assessment. ISO 31000:2018 improves risk identification
and risk treatment by providing best practice Risk Management principles, a framework and a
process for managing risk at an enterprise-wide level.

Want to find out more about the ISO 31000:2018 Risk Management standard? Download our
FREE Guide ISO 31000:2018 – HOW DO I GET STARTED.

RISK-BASED THINKING IN THE ISO 9001:2015 STANDARD

Risk-based thinking is included in the following clauses of ISO 9001:2015:

Clause 4: risks which can affect an organisation’s ability to meet objectives must be determined.

Clause 5: top management needs to ensure that risks and opportunities that can affect the
conformity of a product or service are determined and addressed.

Clause 6: the organisation must identify risks and opportunities and plan how to address them.

Clause 8: the organisation is required to plan, implement and control its processes to address the
actions identified in Clause 6.

Clause 9: risks and opportunities must be monitored, measured, analysed and evaluated.

Clause 10: continual improvement is achieved by responding to changes in risk.


THE BENEFITS OF RISK MANAGEMENT IN A QUALITY MANAGEMENT SYSTEM

The benefits from successful risk management include compliance, assurance that customers will
receive the expected products or services and improved decision-making ability.

Summary of the Benefits of Risk-based Thinking:

Establishes a proactive culture of improvement.
Assures consistency of quality of goods or services.
Improves customer confidence and satisfaction.
Builds a strong knowledge base.
Proactively improves operational efficiency and governance.
Builds stakeholder confidence in the use of risk techniques.
Enables organisations to apply Management System controls to analyse risk and minimise losses.
Improves Management System performance and resilience.
Enables organisations to respond to change effectively and protect their business as they grow.

THE IMPORTANCE OF ORGANISATIONAL KNOWLEDGE

Organisational knowledge needs to be captured, analysed, managed and improved on so that
an organisation can continually improve and achieve excellence. Businesses need tools to drive
continual improvement and purpose-built software is invaluable. Purpose-built software provides
your team with a complete view of documentation that is shared among auditors, managers and
executives in real-time so more effective collaboration can occur on issues that pose risks to the
business.

Find out more about ISO Document and Control Procedures and our tailored Software Solutions.
Download our FREE guide Automated Document Control: A Key Component of ISO Management
Systems.


WORK WITH RISK ZA


Risk ZA provides a unique combination of complementary services. We help our clients to
understand how they are performing and identify areas for improvement through the following
services.

TRAINING SERVICES
We train our clients to understand ISO standards and how to implement them through:
Awareness training (in English, Afrikaans and isiZulu)
Introductory and intermediate courses
Advanced exposure to developing and implementing management arrangements to foster a culture of continual improvement
Practical application of strategic elements of local and international best practices
Internal and supplier auditing
SAATCA registered Lead auditor training

CONSULTING INTERVENTIONS
Gap Analysis and Project Planning
Steering Committees
Policy Development
Process Mapping and Evaluation
Corrective Action Systems
System Development and Implementation
Documentation Creation, Review and Control


AUDITING SERVICES
Auditing is an integral function of continual improvement and we promote the use of risk-based
auditing. Our performance and conformance audits are conducted with influence from ISO 19011
and ISO 17021 for our clients or on their behalf and we provide the following services:
First-party internal audits
Second-party supplier audits
Third-party preparation audits (pre-certification)

ONLINE LEARNING
Risk ZA is the regional channel and technical partner for Erudio Global, an Online ISO Training
and Coaching provider. This service is aimed at people who are pressed for time as well as
professionals working in remote locations who are unable to attend our public training courses.

Our online learning service focuses on ISO 9001:2015 Quality Management and ISO 14001:2015
Environmental Management.

Sign Up and discover more about our Online Learning Service here.

SOFTWARE SOLUTIONS
Purpose-built software offers your team more effective collaboration on issues that pose risks
to the business and a complete view of documentation that needs to be shared among auditors,
managers and executives in real-time.

Click here for information about our purpose-built Software Solutions designed to effectively
manage your Document and Control Procedures.

Contact us on +27 (0) 31 569 5900, or email info@riskza.com and find out how to manage key
risks in your enterprise more effectively.

OUR RISK MANAGEMENT EXPERTS ARE READY TO ASSIST YOU!
