1. ISO 9001:2015 - Risk based thinking
One of the clauses in the new ISO 9001:2015 standard refers to risk based
thinking. Risk based thinking is now present in many standards.
2. ● Examples include ISO 14971, OHSAS 18001, ISO 14001 and ISO 31000. For most
organizations, it is a mind-set that many are comfortable communicating and operating
with on a daily basis. By alignment with these standards, the ISO 9001 standard itself is
being continually improved in order to minimise the work involved where requirements of
various standards are integrated.
● For enterprises, bringing ISO 9001:2015 explicitly in line with other standards and including
risk based thinking is sensible, as it aligns risk methodologies, mind-sets and mitigating
actions across various standards and processes.
● For ISO 9001:2015, the risk mindset does not always come naturally to us. There are
frequent occasions where management and staff of an organisation are aware of potential
risks but do not consider that these risks will ever occur. They fail to consider these risks as real
and actual threats, and are often surprised when the risks become a reality. Whether risks
are naturally occurring events or man-made, risk based thinking allows the organization
to identify these risks, consider the severity of the outcome, and quantify what risks need
to be acted upon and what mitigating actions are necessary for the enterprise to undertake.
3. At its simplest level, the register can outline:
a) The risks the enterprise has identified as having an impact on its
performance/continuation
b) The severity of the outcome
c) The likelihood of the outcome
d) The opportunity for the enterprise to detect the occurrence of an outcome.
4. Starting with top-level management, the deeper risk based thinking develops within
the levels of an enterprise, the greater the opportunity the organization has of
continually using risk based thinking to identify actual risk and put in place effective
mitigating actions. This does require collaboration and involvement of all staff, or as
many of its staff as is practical. The enterprise does not have to have all staff fully
conversant in the risk methodologies, but the tools are currently available, through
modern day cloud communications or with direct face-to-face interactions, to allow all
staff to contribute to what they consider are the risks to the organization. It is
important that all risks, real or perceived, are considered and included on the register.
Once on the register, a risk can be assessed.
Where there are risks and the enterprise has put in actions or fixes to prevent or
minimise the occurrence of these specific risks, every enterprise should be careful to
consider how strong these fixes are and what these fixes are dependent on, i.e.
human behaviour, infrastructure & utilities.