The concept of risk has always been implicit in ISO 9001; this new revision only makes it more explicit and builds it into the whole management system.
In ISO 9001:2015, risk management is being added with focus on risk-based thinking. Here a systematic approach to risk is established by considering and including it throughout the standard.
In the Introduction the concept of risk-based thinking is explained. Risk is defined as the effect of uncertainty on an expected result, where:
- An effect is a deviation from the expected – positive or negative.
- Risk is about what could happen and what the effect of this happening might be.
- Risk also considers how likely it is to take place.
The main goal of this quality management system is for an organization to achieve conformity and customer satisfaction. In ISO 9001:2015 a risk-based thinking is used to achieve this goal.
- In Clause 4 (Context) the organization is required to determine the risks which may affect its ability to meet the system’s objectives. The new ISO 9001 recognizes that the consequences of risk are not the same for all organizations, and this is why every organization will need to consider risk quantitatively as well as qualitatively, depending on their context.
- In Clause 5 (Leadership) top management is required to demonstrate leadership and commit to ensuring that risks and opportunities that can affect the conformity of a product or service are determined and addressed.
- In Clause 6 (Planning) the organization is required to take action to identify risks and opportunities, and plan how to address each of them.
- Clause 8 (Operation) establishes that the organization is required to plan, implement and control its processes to address its risks and opportunities.
- In Clause 9 (Performance evaluation) the organization is required to monitor, measure, analyze and evaluate the risks and opportunities.
- In Clause 10 (Improvement) the organization is required to improve by responding to changes in risk.
These requirements are considered to cover the concept of preventive action (which has been replaced) and takes a wider view that looks at risks and opportunities. By understanding those risks and exploring ways in which the risks can be mitigated, the organization will also have an opportunity to drive change and improvement.
In order to effectively meet the quality management system’s goal, ISO 9001:2015 will require organizations to consider their risks as part of their management’s plan, which will call for an improved commitment and more involvement of top management.