ISO 9001:2015 Risk Analysis

Key Questions –

  1. Why implement Risk Based Thinking?
  2. What does ISO 9001:2015 require?
  3. What is Risk Based Thinking?
  4. What is Risk?
  5. What is a simple Risk Tool?
  6. How does it integrate into the Process Approach?
  7. How do you make Risk Based Thinking a Continual Process Improvement activity?

ISO 9001:2015 Risk & Opportunities –

“4.4 Quality management system and its processes

The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.

The organization shall determine the processes needed for the quality management system and their application throughout the organization and shall determine…

f) The risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address them;”

6 Planning for the quality management system

6.1 Actions to address risks and opportunities

6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

  1. Give assurance that the quality management system can achieve its intended result(s);
  2. Prevent, or reduce, undesired effects;
  3. Achieve continual improvement.


6.1.2 The organization shall plan:

  1. Actions to address these risks and opportunities;
  2. How to integrate and implement the actions into its quality management system processes (see 4.4) and evaluate the effectiveness of these actions.


Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.”


The main objectives of International Standards are to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services and to enhance customer satisfaction.


The concept of “risk” in the context of the ISO 9001:2015 international standard relates to the uncertainty in achieving these objectives.


What is “Risk Based Thinking”?

Risk-based thinking is something we all do automatically and often sub-consciously.


The concept of risk has always been implicit in ISO 9001, but ISO 9001:2015 makes it explicit and requires its formal inclusion across the entire management system.


Risk-based thinking is already part of the process approach. Risk-based thinking enhances preventive action. Risk is often thought of only in the negative sense.


Risk-based thinking can also help to identify opportunities. This can be considered the positive side of risk.

Why Should I Adopt “Risk-Based Thinking”?

  1. To improve customer confidence and satisfaction
  2. To assure consistency of quality of goods and services
  3. To establish a proactive culture of prevention and improvement
  4. Successful companies intuitively take a risk-based approach


What Should I Do?

Identify what the risks and opportunities are in your organization

  1. Analyze and prioritize risks and opportunities in your organization and quantify them
    1. What is acceptable?
    2. What is unacceptable?
  2. Plan actions to address the risks, prioritizing them by their RPN
    1. How can I avoid or eliminate the risk? Can it be designed out?
    2. How can I mitigate the risk? Increase detection? Reduce Occurrence?
  3. Implement the plan – take action based on priorities
  4. Check the effectiveness of the actions – and re-score the RPNs.
  5. Learn from experience – continual improvement

Key Points to Remember


  1. Risk Based Thinking is Preventive Action
  2. Risk Based Thinking is everyone’s job
  3. Risk Based Thinking is not just the sole responsibility of management
  4. Risk Based Thinking is an integral part of the organizational DNA


What is Risk?

Risk is the possibility of events or activities impacting the organization’s strategic and operational objectives.


Risk Definitions

Risk can be defined by three parameters:


  1. Severity – the seriousness of the harm
  2. Probability (or Occurrence) – the probability that the harm will occur
  3. Detection – how well the potential harm can be detected


Severity × Occurrence × Detection (“SOD”) = Risk Priority Number (RPN)


The Importance of a Risk (or FMEA) Worksheet


The risk worksheet (for example, an FMEA) is essential, as it records the identified risks, their severity, and the action steps to be taken.


It can be a simple document, spreadsheet, or a database system, but the most effective format is a table.

A table presents a great deal of information in just a few pages.


There is no standard list of components that should be included in the risk worksheet. Some important ones include –


  1. Description of the Risk: A phrase that describes the risk.
  2. Risk Type (business, project, failure, yield, stage, etc.)
  3. Classification of the risk:
    1. Business risks relate to the delivery of the achieved benefit
    2. Project risks relate to the management of the project, such as timeframes and resources
    3. Stage risks are risks associated with a specific stage of the plan
  4. Likelihood of Occurrence: An assessment of how likely or how often the risk will occur. Examples are:
    1. L – Low (≤30%)
    2. M – Medium (31–70%)
    3. H – High (>70%)
  5. Severity of Effect: An assessment of the impact that the occurrence of this risk would have on the project.
  6. Detection: How well the risk can be detected by the countermeasures in place.
  7. Countermeasures: Actions to be taken to prevent, reduce, or transfer the risk. This may include the production of contingency plans.
  8. Owner: The individual responsible for ensuring that risks are appropriately engaged and countermeasures undertaken.
  9. Status: Indicates whether this is a current risk or whether the risk can no longer arise and impact the project.


Other columns such as quantitative values can also be added if appropriate.
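As an added example (not part of this page or of QRC's materials), the following Python models the worksheet columns listed above, computes RPN = Severity × Occurrence × Detection, ranks the rows for the "Plan actions" step and re-scores a row after a countermeasure for the "Check the effectiveness" step. The names `RiskEntry`, `likelihood_band`, `prioritize`, `rescore` and `SAMPLE_WORKSHEET`, the 1–10 scoring scales, the acceptability threshold of 100 and the sample rows are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional, Tuple

# Constructed example, not QRC's tool: one FMEA-style worksheet row using the page's columns.
@dataclass(frozen=True)
class RiskEntry:
    description: str
    risk_type: str          # business, project, stage, ...
    severity: int           # 1-10 (assumed scale): seriousness of the harm
    occurrence: int         # 1-10 (assumed scale): probability that the harm will occur
    detection: int          # 1-10 (assumed scale): 10 = hardest to detect (usual FMEA convention)
    countermeasure: str = ""
    owner: str = ""
    status: str = "current"

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be on the 1-10 scale")

    def rpn(self) -> int:
        # Severity x Occurrence x Detection ("SOD") = Risk Priority Number
        return self.severity * self.occurrence * self.detection

def likelihood_band(percent: float) -> str:
    """Map an occurrence percentage onto the page's bands: L (<=30%), M (31-70%), H (>70%)."""
    if percent > 70:
        return "H"
    return "M" if percent > 30 else "L"

def prioritize(worksheet: Iterable[RiskEntry], unacceptable_rpn: int = 100) -> List[Tuple[RiskEntry, str]]:
    """Rank rows highest RPN first and tag each acceptable/unacceptable (threshold is an assumption)."""
    ranked = sorted(worksheet, key=lambda row: row.rpn(), reverse=True)
    return [(row, "unacceptable" if row.rpn() >= unacceptable_rpn else "acceptable") for row in ranked]

def rescore(row: RiskEntry, countermeasure: str, owner: str, *,
            occurrence: Optional[int] = None, detection: Optional[int] = None) -> RiskEntry:
    """Record the action taken and its owner, then re-score the RPN after the action."""
    return replace(row, countermeasure=countermeasure, owner=owner, status="mitigated",
                   occurrence=row.occurrence if occurrence is None else occurrence,
                   detection=row.detection if detection is None else detection)

# Constructed sample rows (not real data).
SAMPLE_WORKSHEET = [
    RiskEntry("Supplier ships out-of-spec material", "business", severity=8, occurrence=5, detection=6),
    RiskEntry("Test fixture calibration overdue", "project", severity=6, occurrence=3, detection=2),
    RiskEntry("Untrained operator on new line", "stage", severity=7, occurrence=4, detection=7),
]
```

Calling `prioritize(SAMPLE_WORKSHEET)` ranks the supplier row (RPN 240) and operator row (196) as unacceptable and the calibration row (36) as acceptable; re-scoring the supplier row with occurrence 2 and detection 3 after an incoming-inspection countermeasure brings it to 48.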




Integrating Risk Based Thinking with the Process Approach


Purpose of the Process Approach

The purpose of the process approach is to enhance an organization’s effectiveness and efficiency in achieving its defined objectives. This means enhancing customer satisfaction by meeting customer requirements. Effective risk management means integrating it into your process and interactions map and the resulting KPIs.

Integrating Risk Management into Management Review Input

“Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy, and effectiveness. The management review shall be planned and carried out taking into consideration – d) The effectiveness of actions taken to address risks and opportunities (see clause 6.1)”


If the organization has a formalized Management Review procedure, it is very important to update that procedure to include the elements of risk management.


In summary, Risk Management with respect to ISO 9001:2015 compliance is not optional. It is an integral part of the overall QMS.


Quality Resource Center offers an array of training and services in this area. Contact QRC today.