Iso tc176-sc2 n1222-n1222_-_risk_in_iso_9001_2014-07
ISO/TC 176/SC2 Document N1222, July 2014
“RISK” IN ISO 9001:2015
1. Objective of this paper
- to explain how risk is addressed in ISO 9001
- to explain what is meant by ‘opportunity’ in ISO 9001
- to address the concern that risk-based thinking replaces the process approach
- to address the concern that preventive action has been removed from ISO 9001
- to explain in simple terms each element of a risk-based approach
2. Overview
One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to risk, rather than treating it as a single component of a quality management system.
In previous editions of ISO 9001, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard.
By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is automatic when a management system is risk-based.
3. What is risk-based thinking?
Risk-based thinking is something we all do automatically.
Example: If I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car.
Risk-based thinking has always been in ISO 9001 – this revision builds it into the whole management system.
In ISO 9001:2015 risk is considered from the beginning and throughout the standard, making preventive action part of strategic planning as well as operation and review.
Risk-based thinking is already part of the process approach.
Example: To cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks.
Risk is commonly understood to be negative. In risk-based thinking opportunity can also be found – this is sometimes seen as the positive side of risk.
Example:
Crossing the road directly gives me an opportunity to reach the other side quickly, but there is an increased risk of injury from moving cars.
The risk of using a footbridge is that I may be delayed. The opportunity of using a footbridge is that there is less chance of being injured by a car.
Opportunity is not always directly related to risk but it is always related to the objectives. By considering a situation it may be possible to identify opportunities to improve.
Example:
Analysis of this situation shows further opportunities for improvement:
- a subway leading directly under the road
- pedestrian traffic lights, or
- diverting the road so that the area has no traffic
It is necessary to analyse the opportunities and consider which can or should be acted on. Both the impact and the feasibility of taking an opportunity must be considered. Whatever action is taken will change the context and the risks, and these must then be reconsidered.
4. Where is risk addressed in ISO 9001:2015?
INTRODUCTION
The concept of risk-based thinking is explained in the introduction of ISO 9001:2015.
DEFINITIONS
ISO 9001:2015 defines risk as the effect of uncertainty on an expected result.
1. An effect is a deviation from the expected – positive or negative.
2. Risk is about what could happen and what the effect of this happening might be.
3. Risk also considers how likely it is.
The target of a management system is to achieve conformity and customer satisfaction.
ISO 9001:2015 uses risk-based thinking to achieve this in the following way:
In Clause 4 (Context) the organization is required to determine the risks which may affect this.
In Clause 5 (Leadership) top management are required to commit to ensuring Clause 4 is followed.
In Clause 6 (Planning) the organization is required to take action to identify risks and opportunities.
In Clause 8 (Operation) the organization is required to implement processes to address risks and opportunities.
In Clause 9 (Performance evaluation) the organization is required to monitor, measure, analyse and evaluate the risks and opportunities.
In Clause 10 (Improvement) the organization is required to improve by responding to changes in risk.
5. Why use risk-based thinking?
By considering risk throughout the organization the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service.
Risk-based thinking therefore:
• builds a strong knowledge base
• establishes a proactive culture of improvement
• assures consistency of quality of goods or services
• improves customer confidence and satisfaction
Successful companies intuitively take a risk-based approach.
6. How do I do it?
Use a risk-driven approach in your organizational processes.
Identify what YOUR risks and opportunities are – it depends on context
Example
If I cross a busy road with many fast-moving cars the risks are not the same as if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific personal objectives.
Analyse and prioritize your risks and opportunities
What is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another?
Example
Objective: I need to safely cross a road to reach a meeting at a given time.
It is UNACCEPTABLE to be injured.
It is UNACCEPTABLE to be late.
The opportunity of reaching my goal more quickly must be balanced against the likelihood of injury.
It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time.
It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high.
I analyse the situation. The footbridge is 200 metres away and will add time to my journey. The weather is good, the visibility is good and I can see that the road does not have many cars at this time.
I decide that walking directly across the road carries an acceptably low level of risk of injury and an opportunity to reach my meeting on time.
Plan actions to address the risks
How can I avoid or eliminate the risk? How can I mitigate risks?
Example: I could eliminate the risk of injury by using the footbridge, but I have already decided that the risk involved in crossing the road is acceptable.
Now I plan how to reduce the likelihood of injury and/or the effect of injury. I cannot reasonably expect to control the effect of a car hitting me. I can reduce the probability of being hit by a car.
I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident. I also choose to cross the road at a place where I have good visibility and can safely stop in the middle to re-assess the number of moving cars, further reducing the probability of an accident.
Implement the plan – take action
Example
I move to the side of the road, check there are no barriers to crossing and that there is a safe place in the centre of the moving traffic. I check there are no cars coming. I cross half of the road and stop in the central safe place. I assess the situation again and then cross the second part of the road.
Check the effectiveness of the actions – does it work?
Example
I arrive at the other side of the road unharmed and on time: this plan worked and undesired outcomes have been avoided.
Learn from experience – continual improvement
Example
I repeat the plan over several days, at different times and in different weather conditions.
This gives me data to understand that changing context (time, weather, quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time and avoiding injury).
Experience teaches me that crossing the road at certain times of day is very difficult because there are too many cars.
To limit the risk I revise and improve my process by using the footbridge at these times.
I continue to analyse the effectiveness of the processes and revise them when the context changes.
I also continue to consider innovative opportunities:
- can I move the meeting place so that the road does not have to be crossed?
- can I change the time of the meeting so that I cross the road when it is quiet?
- can we meet electronically?
7. Conclusion
• risk-based thinking is not new
• risk-based thinking is something you do already
• risk-based thinking is continuous
• risk-based thinking ensures greater knowledge and preparedness
• risk-based thinking increases the probability of reaching objectives
• risk-based thinking reduces the probability of poor results
• risk-based thinking makes prevention a habit
Useful documents
ISO 31000:2009 Risk management – Principles and guidelines
PD ISO/TR 31004:2013 Risk management – Guidance for the implementation of ISO 31000