
What to think for Risk-Based-Thinking (RBT) in ISO 9001:2015?

01 Aug 2023



ISO standards are reviewed every five years and revised if needed.

This is mainly to keep pace with the changing business environment and to provide effective tools for tackling new industry challenges, specifically in the life sciences and manufacturing industries. It is also clearly reflected in the mission and vision statement of the ISO Subcommittee for Quality Systems (ISO/TC 176/SC 2).

The ISO 9001:2015 edition has replaced the 2008 version and follows the High Level Structure (HLS), with identical subclause titles, identical text, common terms and core definitions.

In this restructured international standard, a key focus is placed on risk-based thinking.

TC 176 has ingeniously rebranded preventive action as risk-based thinking (RBT) without including any specific requirements such as records, procedures, processes or evidence; instead, it mainly focuses on a “thinking” approach.

Because ISO 9001 is intended for third-party assessment, it becomes very challenging for organizations to prove to external auditors that their “thought process” reflects a considered effort towards “risk”.

So, what to really think for Risk-Based-Thinking in ISO 9001:2015?

Even ISO acknowledges that “Risk-based thinking is something we all do automatically in everyday life.” However, during organizational risk planning, a viable approach can be applied in terms of the “contextual” conditions of the organization.

Although Clause 6.1 in the revised standard does not mandate any documented information on actions to address risks and opportunities, the new guidance for documented information does describe what needs to be “maintained” and “retained”. That documented information can therefore be taken into consideration and produced during the certification audit to demonstrate risk-based thinking at the organizational level.

For example, the records of management review (9.3.3), audit program (9.2.2), organizational knowledge (7.1.6), calibration management ( and competence (7.2) are among the key elements of controlling risk; hence retaining the documented information for them is mandatory.

Another risk-based approach for a Quality Management System is the “31:31:31” approach!

So, what is this “31:31:31” approach? Well, it is not universally recognised terminology; we simply offer it as an easy-to-remember term for making a QMS compatible with risk management by implementing ISO 31000 as a formal approach towards risk management, together with its supporting standard IEC/ISO 31010, which provides 31 risk assessment techniques.

Although some may criticise the 31 tools as statistically oriented and ISO 31000 as viable mostly for large organizations (under a given context), the benefits of the approach cannot be overlooked, as it applies to many company situations.

The introduction page of ISO 31000 itself states that its principles and guidelines are “for managing any form of risk in a systematic, transparent and credible manner and within any scope and context”. Giving it a try can therefore be worthwhile when thinking about ISO 9001:2015 risk-based thinking and building a holistic risk management perspective.
