qms.best Independent Quality Management Systems reference

Glossary

Risk-based thinking

An approach that requires the organisation to identify risks and opportunities relevant to the QMS and its outcomes, and to plan actions to address them.

Source standard: ISO 9001:2015 §0.3.3, §6.1

Risk-based thinking replaced the standalone “preventive action” clause of ISO 9001:2008. The 2015 revision integrates risk and opportunity across the standard: every clause that asks for planning, control, or review now expects the organisation to consider what could go wrong and what could be improved.

Clause 6.1 of ISO 9001:2015 sets out the explicit obligation. The organisation must determine risks and opportunities that need to be addressed to give assurance that the QMS can achieve its intended results, enhance desirable effects, prevent or reduce undesired effects, and achieve improvement. Actions to address those risks and opportunities must then be integrated into QMS processes and their effectiveness evaluated.

The standard does not prescribe a methodology. ISO 31000 risk management principles are a useful reference but not mandatory. Many organisations use a register with risk, likelihood, impact, treatment, and residual exposure. What auditors look for is evidence that:

Risk-based thinking also applies to opportunities, which is the part many implementations skip. An opportunity is an action that could strengthen QMS outcomes — adopting a better tool, simplifying a process, training a team to a higher competence level. The standard does not require every opportunity to be acted on, only that they be considered.

See: compliance gap analysis template, ISO 9001 implementation guide, AI QMS post-market monitoring.

Related terms