31. Mar 2015

ISO 9001 Revision explained in simple terms

The concept of “Risk-Based Thinking”

In March 2015, ISO sent a communiqué to its members in order to inform them about the future timetable for the publication of ISO 9001:2015. According to the timetable, the last draft (FDIS ISO 9001:2015) should be published in German along with the other official languages of ISO in early July. This means that worldwide matching would be finished by early September and that the Standard could appear in September 2015. In a series of technical lectures, Quality Austria provides information on the revision of ISO 9001:2015.

Each month, a key concept of the revision will be explained more profoundly. This month, Eckehard Bauer, MSc, explains the concept of “risk-based thinking”.

Risks and opportunities in ISO 9001:2015

Eckehard Bauer, MSc


The key requirements relating to “risk-based thinking” are included in Clause 6.1 of ISO 9001:2015 “Actions to address risks and opportunities”.

Managing risks and opportunities is a decision for a positive future. It means that it is necessary to realize today what can influence us tomorrow, to seize the best opportunities and to control the commensurate risks by taking adequate actions, with the aim of achieving the corporate goals and strategy.

Systematic handling of risks is no formal system but rather reflects a basic entrepreneurial attitude and the will to design. In order to manage risks and opportunities successfully, risk-based thinking will have to be fully integrated in the corporate steering systems and the organizations’ decision-making processes. For this purpose, it is required to anchor systematic management of risks and opportunities in the heads of decision-makers.

In this respect, the most important objective consists in systematically preventing damaging events and systematically seizing opportunities by taking well-aimed actions.

Risks form an integral part of any entrepreneurial activity. Risks denote any future (financial and non-financial) events and any possible developments within and outside an organization which can impact (negatively or positively) the degree to which corporate goals are achieved.

In order to be capable of acting on the market successfully, organizations need to avoid or reduce risks or transfer them to third parties. However, it will also be necessary to deliberately accept and tackle risks in order to seize opportunities (entrepreneurial risk). In practice, there are many tools and methods for managing known risks but also for identifying new risks and changes of risks already identified in a timely manner. Systematic management of risks identified is a significant tool supporting this task. In contrast to so-called crisis or problem management, managing risks by distinctly focusing on the future is characterized by focusing on opportunities.

Active measures support effective and efficient management of risks and help to avoid the occurrence of acute problems, which may escalate into crises, or to avoid their effects, which mostly are negative, in keeping with the motto “Good managers manage risks, poor managers manage problems”.

“Does ISO 9001:2015 require an organization to demonstrate a risk management system?” No, there is no requirement for a complete risk management system as it is, e.g., described in ISO 31000. It is necessary to consider the risks and opportunities at the points designated by the Standard and take adequate actions for managing risks.

The integration of risk-based thinking in ISO 9001:2015 is aimed at supporting organizations in taking up customer-focused opportunities while managing the resulting risks. The risks and opportunities are an important element in the planning process, which ranges from the strategy and the environment in which the organization is operating to processes and sub-processes. The focus always is on achieving the results planned by the organization and on the effectiveness of the system, i.e. the capability and robustness of the system when it comes to achieving objectives and targets.


The implementation of the “risk-based approach” in practice

For implementing the “risk-based approach”, there are many tools and methods. In practice, it has proven effective to determine first which methods and tools are already known in the organization and used in everyday work.


  • Organizations that have never used a risk-based approach before can use such tools as the risk scan to get a first general view and thus create a basis for processing opportunities and risks. The result of the risk scan (cf. (German) Figure 1) can then be directly processed or refined, if necessary, by taking actions.
  • For identifying the potential risks, brainstorming can be used. The result of brainstorming can be processed further in an Ishikawa Chart in order to quantify the result by means of classical scoring.
  • The following procedure has often proven effective: conducting brainstorming, then making an initial assessment by using the 3F Method (three-factor method), and then continuing to process specific aspects (e.g. product-specific or process-specific aspects) by means of an FMEA (Failure Mode and Effects Analysis).

Any result desired or planned by the organization can be scrutinized by putting simple questions in the sense of the risk-based approach until the result is achieved positively. In this respect, it does not matter whether corporate strategy, a process or a sub-process is considered:

  • What makes it easier to achieve the result, or what can increase the positive effects?
  • What prevents the achievement of results, or what can prevent it?
  • How can positive effects be reinforced?
  • How can undesired effects on the desired result be prevented or reduced?
  • How can continual improvement be achieved?


For planning the quality management system (QMS) acc. to ISO 9001:2015, the organization needs to consider the requirements stated in Clauses 4.1 “Understanding the organization and its context” and 4.2 “Understanding the needs and expectations of interested parties” and derive the risks and opportunities from this.
Then the organization will have to plan the following according to Clause 6.1.2:

  • actions to address these risks and opportunities
  • how to integrate and implement the actions into its quality management system processes
  • how to evaluate the effectiveness of these actions


In order to work with risks so as to holistically create value for the organization, it is decisive to systematically assess risks. This also includes the following: analyzing and evaluating the pertinent data and information, taking relevant decisions at the management review and scrutinizing assumptions about the risks and opportunities in the event of occurrence of failures.

