Whenever risk is mentioned, one immediately associates it with health and safety and with identifying the hazards that cause risk.
Risk Assessments and Risk Registers immediately come to mind, along with the idea that formal Risk Management Training is required and that the use of other risk management tools, such as the Delphi technique, SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis, and Probability and Impact Matrices, becomes a necessity.
Although the above is applicable to ISO 45001 (Occupational Health and Safety) and ISO 14001 (Environmental), it is totally misinterpreted when it comes to the latest ISO 9001:2015 International Standard.
ISO 9001 only requires Risk-based Thinking (RBT) to be applied.
One of the key changes from the previous ISO 9001:2008 version to the current ISO 9001:2015 version was that Preventative Action was removed as a separate clause, BUT was replaced with “Actions to address risks and opportunities” through the application of Risk-Based Thinking (RBT).
The main purpose of the initial “Preventative Actions” requirement was to identify possible problems before they occur and to take the necessary actions to address the root cause and prevent them from occurring.
One of the key purposes of a quality management system is to act as a preventive tool.
As a result, “Understanding the organization and its context” and “Understanding the needs and expectations of interested parties” were added to the ISO 9001:2015 version of the standard. In other words, the organization identifies the interested parties that have a direct impact on it, its services, and its products, in relation to the external/internal issues relevant to its purpose and strategic direction that affect its ability to achieve the intended result(s) of its quality management system. The risks and opportunities for improvement must then be taken into consideration when establishing a quality management system.
HOWEVER, the standard is clear on this point, as per page 22 of the ISO 9001 Standard, point A.4, fourth paragraph:
“Although 6.1 (Actions to address risks and opportunities) specifies that the organization shall plan actions to address risks, there is NO requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by the International Standard, e.g. through the application of other guidance or standards.”
Therefore, in conclusion, no auditor can expect or force any organization to show him/her records of formal risk management training as evidence of competence, nor can he/she expect any formal documentation such as a Risk Register, Risk Assessments, or other risk management tools. If/when an organization is using suitable experts, e.g. consultants like 9001 Consult, Risk-Based Thinking (RBT) will be applied within various areas of the organization’s quality management system, e.g. an Organisational Context Table, Procedures, Concessions, and Non-conformance Forms.
Call us to mitigate risk through the application of Risk-Based Thinking (RBT).