Apr 29, 2024

What is Risk-Based Thinking?

Risk-based thinking is a crucial concept in ISO standards. Earlier editions of ISO 9001 featured the concept of “preventive action,” which focused on eliminating potential causes of non-conformity. That term has since been replaced with “risk-based thinking,” which offers a more systematic approach to dealing with both problems and opportunities.

The latest versions of ISO 9001 and ISO 14001 standards require that organisations use risk-based thinking when managing numerous processes through performance evaluation, operations, and planning. It has now become a key part of managing regulatory compliance, as businesses need to demonstrate risk-based thinking through their systems, processes, strategies, and objectives across the organisation to maintain compliance with ISO standards.

Let’s take a closer look at what the risk-based thinking approach is and how it helps organisations improve their quality and processes.

What is Risk-Based Thinking?

ISO 9001:2015 defines risk-based thinking as “the application of information, knowledge, and actions to determine uncertainties and potential opportunities.” It is a proactive approach to handling risks and opportunities that requires organisations to evaluate risk while establishing processes, controls, and improvements in a QMS.

Moreover, ISO defines risk as a deviation from the projected objective, in either direction. This means that the risk-based approach isn’t limited to identifying and mitigating negative risks; it also looks at the positive side of risk and identifies opportunities that can encourage growth.

As a result, taking a risk-based approach throughout the organisation allows you to avoid potential issues and take advantage of opportunities.

Is Risk-Based Thinking the Same as Risk Management?

At its core, risk-based thinking is a fundamental way of decision-making that goes beyond risk management.

Risk management involves identifying, evaluating, managing, and dealing with risks within the organisation. It requires organisations to track risks, monitor the progress of corrective actions, and establish communication.

On the other hand, risk-based thinking is a holistic approach to handling risk that must be built into the organisation’s quality management system and into every decision it makes. For instance, under a risk-based thinking approach, the ISO standards don’t require formal risk assessments, nor do they require a risk register to be maintained. The ISO requirements for risk-based thinking merely require that decision-making incorporate risk; they do not specify how this should be done.

Risk-Based Thinking in ISO 9001

In the 2015 versions of the standards, the requirements for addressing risks and opportunities are as follows:

  • Context of the Organisation

    When the context of an organisation is established, the standard requires the organisation to identify risks that could potentially impact its quality objectives.

  • Leadership

    The top management must be committed to promoting risk-based thinking across the organisation. It should identify and address opportunities and risks that could affect the quality of products and services.

  • Planning

    In the planning clause of the standard, it is specified that the organisation not only needs to identify risks and opportunities but also needs to plan, implement, and manage its processes to address the identified risks.

  • Operations

    The standard also requires that actions listed during the planning process be implemented and controlled.

  • Performance evaluation

    The organisation is required to monitor, track, and analyse the opportunities and risks identified.

  • Improvement

    When any change in risk is identified, an organisation must make improvements.

The new ISO standards are based on the PDCA (Plan-Do-Check-Act) cycle, which can be used to improve processes.

Here, we discuss these requirements for addressing risk as per ISO 9001:2015 in detail.

1. Identification

How an organisation determines its risks and opportunities depends on the context of the organisation – its objectives, size, nature of products, culture, and stakeholder requirements. Consider these factors and use models such as SWOT analysis, PESTEL analysis, or process mapping to identify and document the risks.

2. Analysis

According to ISO 9001, risk is, simply put, a positive or negative deviation from the expected result: what can happen, what effect it can have, and how likely it is to occur or recur.

In this next step, the standards require organisations to evaluate the risks against the above factors to understand their potential impact. While ISO 9001 risk-based thinking does not require conducting a full risk assessment, it does call for monitoring, measuring, analysing, and evaluating the risks.

3. Evaluation

Once the organisation has analysed and communicated the risks and opportunities, it is important to evaluate them to determine how to prioritise and address each risk. For this, organisations are required to consider the potential impact of the risk, the consequences, and the cost of addressing the risk for the organisation.

Based on this, businesses can prioritise and plan appropriate actions to address each risk – whether that means avoiding it, eliminating its source, changing its likelihood, or accepting the risk in order to pursue an opportunity.

Finally, risk-based thinking requires organisations to implement controls to mitigate the risk or benefit from the opportunity. This also involves measuring the effectiveness of the actions taken by analysing data or conducting internal or external audits. This way, you can improve the quality of your decisions, minimise losses, and increase business growth and profitability.

Technical Tools to Mitigate Risk

When using a risk-based thinking approach for your quality management processes, it is critical to make it an integral part of those processes rather than viewing it as a separate activity.

This means the risk tools should be part of your quality management system so that risks can be identified and responded to more efficiently. While ISO 9001:2015 doesn’t mention specific tools or methods to address risk, manual processes are often time-consuming and difficult to manage. As a result, automated solutions such as QMS software or Risk and Opportunity Management software are an ideal choice.

These digital tools, geared to facilitate risk-based thinking, should include the following key capabilities:

  • Risk register: A risk register allows you to record and describe individual risks to be monitored in a central location. Although a risk register is not required by the ISO standards, consistently using one will allow you to prioritise risks, record their potential impact, and assign responsibilities for rectification.
  • Risk tools: Risk assessment methods, including a decision tree or risk matrix, should be available in any quality management system software. These should cover audits, deviations, and regulatory compliance management.
  • Effectiveness checks: Having a final verification step for processes such as corrective actions will help satisfy the improvement and performance evaluation requirements.
  • Risk data assessment: With Risk and Opportunity Management software, you can track the key data sets for the identified risks through a centralised dashboard to understand the severity of each risk, its potential impacts, and the likelihood of recurrence.
  • Root cause analysis: Root cause analysis is a systematic approach to identifying why a risk occurred. This tool helps address the underlying cause once the risk has materialised.

Adopting a risk-based thinking strategy has become a necessity rather than an option for promoting business growth and profitability. By fostering a culture of active risk management within the organisation, you can maintain the quality of processes and products, enhance operational efficiency, and ensure regulatory compliance.

Kaushal Sutaria

Managing Director at Effivity Technologies
Kaushal Sutaria is an expert in strategic business management and an entrepreneur behind three global companies. His latest venture, Effivity Technologies, simplifies ISO standard compliance with innovative automation. Kaushal's dedication to best practices and mentorship has earned him clients in over 50 countries.
