1. TUV Middle East
Member of TÜV NORD Group
ISO 9001:2015 & Risk Based Thinking
(based on ISO DIS 9001:2015)
By: Shibu Davies – GM

2. Content
 ISO 9001:2015 – elements addressing risk management
 Risk based thinking
 Reason for risk based thinking (as per ISO)
 Risk definition
 Types of risk
 Risk management frame work
 Risk evaluation matrix
 Risk register
 Risk reporting / communication
 Risk monitoring / review
TUV ME │ ISO 9001:2015 & Risk Management2

3. ISO 9001:2015 – ELEMENTS ADDRESSING RISK
MANAGEMENT
 0.1 General – QMS is influenced by the context of the organization, (b) particularly with
respect to “the risks associated with its context and objectives”
 0.3 Process approach – Management of the processes and the system as a whole can
be achieved using a PDCA methodology with an overall focus on “risk based thinking
aimed at preventing undesirable outcomes”
 0.5 Risk based thinking – full clause is about risk, key statement – “this international
standard makes risk-based thinking more explicit and incorporates it in requirements for
the establishment, implementation, maintenance and continual improvement of the
QMS”
 0.6 Compatibility with other management system standards:
- “Processes for planning and consideration of risks and opportunities (Clause 6)”
- However, this International Standard enables an organization to use the process
approach, coupled with the PDCA methodology and “risk-based thinking” to align or
integrate its QMS with the requirements of other management system standards as it
sees fit
TUV ME │ ISO 9001:2015 & Risk Management3

4. ISO 9001:2015 – ELEMENTS ADDRESSING RISK
MANAGEMENT
 3.09 – risk (various terms and definitions related to risk)
 4.4 – QMS and its processes – for planning the organization shall determine (f) the
“risks and opportunities” in accordance with the requirements of 6.1, and plan and
implement the appropriate actions to address them
 5.1.2 Customer focus – Top management shall demonstrate leadership and
commitment with respect to customer focus by ensuring that (b) “the risks and
opportunities” that can affect conformity of products and services and the ability to
enhance customer satisfaction are determined and addressed
 6.1 Action to address risks and opportunities – this full clause is about risk –
including PDCA elements of risk management
 8.5.5 Post-delivery activities - In determining the extent of post-delivery activities that
are required, the organization shall consider (a) the “risks associated with the products
and services”
 9.3 Management review – The management review shall be planned and carried out
taking into consideration (d) the effectiveness of actions taken to address risks and
opportunities (see clause 6.1)
TUV ME │ ISO 9001:2015 & Risk Management4

5. RISK BASED THINKING
TUV ME │ ISO 9001:2015 & Risk Management5
!!! risk management is an
integral part of any
organization's strategic
management. It is
the process whereby
organizations
methodically address the
risks attaching to
their activities with the goal
of achieving
sustained benefit within
each activity and
across the portfolio of all
activities !!!
identify and treat
risks
integrate risk
management in to
the culture
risk can be
internal or
external
objective of risk
management is
sustainability
risk management
should be an
ongoing process
responsibility shall
be assigned
better to define
and document
this is a
preventive
measure
this is everyone's
responsibility

6. REASON FOR RISK BASED THINKING
(AS PER ISO)
TUV ME │ ISO 9001:2015 & Risk Management6
• Improve customer satisfaction and
confidence
• Assure consistency of quality of the
product
• Establish pro-active culture of prevention
and improvement
• Successful companies intuitively take a
risk-based approach
Reason

7. RISK DEFINITION
TUV ME │ ISO 9001:2015 & Risk Management7
Risk
Effect of uncertainty on an expected result
Note 1: An effect is deviation from expected – positive or
negative
Note 2: Uncertainty is the state, even partial, of deficiency of
information related to, understanding or knowledge of, an
event, its consequence, or likelihood
Note 3: Risk is often expressed in terms of a combination of
the consequences of an event and the associated likelihood
occurrence
Ref.: ISO DIS 9000:2014

8. TYPES OF RISK
TUV ME │ ISO 9001:2015 & Risk Management8
!!!
focus should be on product
for ISO 9001:2015
!!!

9. RISK MANAGEMENT FRAMEWORK
TUV ME │ ISO 9001:2015 & Risk Management9
!!!
organization
can adapt the
framework
!!!

10. RISK EVALUATION MATRIX
TUV ME │ ISO 9001:2015 & Risk Management10
!!!
organization
can adapt the
risk
evaluation
matrix
!!!

11. RISK REGISTER
TUV ME │ ISO 9001:2015 & Risk Management11
!!!
organization can
adapt the risk
register
!!!
Ref. # Process Risk Mitigation Contigency
Pro. Sev. Sig.
Rating
Responsibility
Pro. Sev. Sig.
Res. Risk Rating
Rating can be done
based on 3X3 matrix
or 5X5 matrix or any
suitable methods
a. Avoiding risk
b. Taking risk in order to pursue an
opportunity
c. Eliminating the risk source
d. Changing the likelihood or consequences
e. Sharing the risk
f. Retaining risk by informed decision
This will be the risk
rating after the
implementation of
mitigation &
contingency plan
Product related

12. RISK REPORTING / COMMUNICATION
TUV ME │ ISO 9001:2015 & Risk Management12
• Share holders
• Board of directors
• Top management
• Middle management
• Other staff
Internal
reporting /
communication
• Regulators
• Associations
• Other stake holders
External
reporting /
communication
!!!
organization can adapt according to the nature of business
!!!

13. RISK MONITORING / REVIEW
TUV ME │ ISO 9001:2015 & Risk Management13
• Did the intended result achieved
• Did the mitigation and contingency plan
appropriate
Monitoring
/ review

14. Thanks
www.tuvme.com
www.tuv-nord.com