ISO9001 certification & risk-based thinking

In the 2015 version of ISO9001 Quality management systems, the ISO introduced the concept of risk-based thinking, although many who have experience with the standard will argue that it was always there in one form or another as preventative action. The updated version of the standard just articulates preventative action as risk-based thinking. This change has shifted the way both auditors and clients think about the standard.


The aim of risk-based thinking is to take advantage of opportunities and to prevent undesirable outcomes from having negative impacts on a business. Importantly, nowhere in the standard does it say that you need a risk register or a risk matrix. The standard doesn’t specify that these types of records need to be kept. This goes back to a little mantra we have here at Compass: don’t create stuff because you think we want to see it. In some businesses, risk registers are an effective method of addressing business risk, but if they don’t work for you, we don’t need to see them.


ISO 9001 does require you to be able to identify risks and opportunities that may affect your customer, products and services. You also need to put in place actions to address these risks and opportunities, and this is what you must be able to demonstrate at your audit.


There are many ways you can demonstrate risk-based thinking apart from formal, traditional approaches. This may mean you have a business plan that addresses risks and opportunities. Are the directors considering risk and opportunity in board meetings? Is senior management planning the business strategically and assessing what might go wrong, and what might go well, in the business’s future operations?


These approaches take a different look at assessing risk and demonstrating risk-based thinking. Considering risks and opportunities and undertaking risk-based thinking is intuitive to good business practice. Risk-based thinking is often something that business owners and leaders do inherently on a day-to-day basis. ISO 9001 has taken this concept and made it integral to maintaining your quality management system and driving good business practice.