Explaining Risk-Based Thinking in ISO 9001:2015

Risk-based thinking is a core concept introduced in ISO 9001:2015 (the current version as of March 2026). It represents one of the biggest mindset shifts from the previous 2008 (and earlier 2000) editions.

In simple terms: Risk-based thinking means proactively considering potential risks and opportunities that could affect your ability to consistently deliver conforming products/services, meet customer requirements, and achieve your quality objectives—and then taking action to address them—throughout your entire Quality Management System (QMS), rather than treating prevention as a separate, one-off activity.

Click here to access the ISO 9001:2015 standard in plain English.

Official ISO Guidance

"One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to considering risk, rather than treating 'prevention' as a separate component of a quality management system. Risk-based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system."

ISO defines risk broadly: "effect of uncertainty" on objectives (from ISO 31000). It includes both negative threats and positive opportunities.

Read more: Definition of Risk-Based Thinking

When facing disruptions in the supply chain, organizations can take several strategic and operational measures to mitigate risks, ensure continuity, and maintain quality and delivery standards. Here are some strategies and actions organizations can consider:

1. Develop a Contingency Plan

• Risk Assessment: Regularly assess risks to the supply chain, including supplier vulnerabilities, geopolitical issues, natural disasters, and market fluctuations.
• Alternative Suppliers: Identify and qualify alternative suppliers for critical components or materials to reduce dependency on a single source.
• Inventory Management: Increase safety stock levels for critical items or components, considering the lead time and demand variability.

2. Strengthen Supplier Relationships

• Communication: Maintain open lines of communication with key suppliers to receive early warnings about potential disruptions.
• Collaboration: Work closely with suppliers to identify potential supply chain bottlenecks and develop joint contingency plans.
• Support: Consider supporting key suppliers financially or technically, if feasible, to ensure their stability and reliability.

3. Leverage Technology

A Management System’s Management Review is a structured process through which the management team of an organization evaluates its performance and effectiveness. The “Management Review” requirement is fundamental for the success of your management system.  Check your standard for the specifics:

• ISO 9001 – Clause 9.3
• AS9100 – Clause 9.2
• IATF 16949 – Clause 9.3
• ISO 13485 – Clause 5,6
• Etc…

Contact your ASR auditor if you have questions about your Management Review.

Here's an overview of what generally comprises a Management Review:

Management reviews are critical. They provide a formalized, systematic evaluation of the system's performance, offering opportunities for improvements and corrective actions. These reviews are conducted at planned intervals (i.e. typically on an annual basis) to ensure the MS remains effective and aligned with the strategic direction of the organization.

Managing online training for your ISO management system effectively involves several key steps. Here's a comprehensive approach:

1. Assess Training Needs: Identify the specific training needs related to your ISO management system. This may vary depending on the standard (e.g., ISO 9001, ISO 14001, ISO 27001) and should include understanding the requirements of the standard, specific process training, and training in internal audit procedures.

2. Select Appropriate Online Training Programs: Choose online training courses that are reputable and align with your ISO standard's requirements. Look for courses that offer interactive content, real-life examples, and assessments to gauge understanding.

3. Develop a Training Plan: Create a schedule that outlines who needs training, what training is required, and the timeline for completion. Ensure the plan is flexible to accommodate varying schedules and learning paces.

4. Integrate Training with Your ISO Management System: Ensure that the training is relevant to your specific processes and procedures. Tailor the training content, if possible, to include your company’s policies, objectives, and examples related to your ISO management system.

   Read more: Training and your Management System

Communicating the quality policy effectively is essential to ensure that everyone in your organization understands and aligns with your quality objectives and standards. Here are some best practices for communicating the quality policy:

1. Keep It Simple and Clear: The quality policy should be concise, easy to understand, and free of jargon. Avoid overly technical or complex language. Use plain and straightforward wording that conveys the essence of your commitment to quality.

2. Make It Memorable: Craft a quality policy statement that is memorable and easy to recall. A brief and catchy phrase can help employees remember the key principles of quality that your organization values.

3. Display It Prominently: Place the quality policy statement where it is visible to all employees. Common locations include the workplace entrance, break rooms, and bulletin boards. Use posters, banners, or digital displays to make it prominent.

4. Incorporate It Into Training: Integrate the quality policy into your employee training programs. New hires should be introduced to the policy as part of their onboarding process. Ongoing training and reminders can reinforce its importance.

5. Cascade Down the Organization: Ensure that the quality policy is communicated throughout the entire organization hierarchy. It should be understood and embraced by top management, middle managers, and front-line employees alike.

6. Lead by Example: Leaders and managers should demonstrate a commitment to the quality policy through their actions and decisions. When employees see that management values quality, it sets a positive example for the entire organization.

7. Provide Context: Help employees understand how the quality policy relates to their roles and responsibilities. Explain how their work contributes to achieving the quality objectives outlined in the policy.

   Read more: What is the best way to communicate the quality policy?

Leadership is an essential component of the ISO management system standards. The International Organization for Standardization (ISO) has identified leadership as one of the seven quality management principles that underpin management systems

Here are some key points about leadership and the ISO management system:

Creating an ISO scope statement involves careful consideration of your organization's objectives, activities, and boundaries. Here are the steps to help you create an ISO scope statement:

1. Understand the ISO Standard: Familiarize yourself with the specific ISO standard that you are working towards (e.g., ISO 9001 for quality management or ISO 14001 for environmental management). Review the requirements and guidelines outlined in the standard to ensure compliance.

2. Identify Organizational Boundaries: Determine the physical locations, departments, or functions within your organization that will be covered by the management system. This includes defining the scope in terms of geographical locations and organizational units.

3. Define the Products/Services: Clearly specify the products or services that fall within the scope of the management system. This can include specific product lines, service offerings, or any other relevant deliverables.

   Read more: What are the steps to create an ISO Scope Statement?

The Plan-Do-Check-Act (PDCA) cycle is an interactive problem-solving strategy to improve processes and implement change. It is a method for continuous improvement and is an ongoing feedback loop for iterations and process improvements.

The PDCA cycle has four stages:

1. Plan — determine goals for a process and needed changes to achieve them.
2. Do — implement the changes.
3. Check — evaluate the results in terms of performance.
4. Act — standardize and stabilize the change or begin the cycle again, depending on the results

In the Plan stage of the PDCA cycle, the purpose  is to determine the goals for a process and identify the changes needed to achieve them. This involves recognizing an opportunity or a risk and planning a change. This stage is crucial for setting the foundation for the rest of the cycle.

In the Do stage of the PDCA cycle, the changes planned in the previous stage are implemented. This involves carrying out a small-scale study to test the change. This stage is important for putting the plan into action and seeing how it works in practice.

In the Check stage of the PDCA cycle, the results of the changes implemented in the Do stage are evaluated. This involves reviewing the test, analyzing the results, and identifying what has been learned. This stage is important for understanding the impact of the changes and determining if they were successful.

In the Act stage of the PDCA cycle, action is taken based on what was learned in the Check stage. If the change was successful, it can be incorporated into wider changes and standardized. If the change was not successful, the cycle can begin again with a different plan. This stage is important for making continuous improvements and ensuring that the changes are stable.