ISO 9001,risk management

ISO 9001 Revision Imminent

This article was written by Nico Snyman, Crest Advisory Africa CEO and Founder, and first published in Hi-Tech Security Solutions Magazine

ISO 9001, the world’s leading quality management standard, is under revision, with an updated version due by September 2015. This is a very important change to the ISO standards as ISO 9001: 2015 is totally integrated with ISO 31000:2009, and thus risk based.

Why is ISO 9001 being revised?

All ISO standards are reviewed every five years to establish if a revision is required to keep it current and relevant for the marketplace. The future ISO 9001:2015 will respond to the latest trends and be compatible with other management systems such as ISO 14001.

ISO 9001 is about to reach the Final Draft International Stage, the fifth stage of a six stage process whereby the ISO subcommittee revising the standard will now go through all the comments received during the DIS vote in order to produce a final draft which will then be put forward to all ISO members for voting.


One of the key changes in the 2015 revision of ISO 9001 is:

• To establish a systematic approach to risk, rather than treating it as a single component of a quality management system.

In previous editions of ISO 9001, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard.

By taking a risk-based approach, an organisation becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is automatic when a management system is risk-based.

What is risk-based thinking?

Risk-based thinking is something we all do automatically. For example:

• If I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car.

• Risk-based thinking has always been in ISO 9001, this revision builds it into the whole management system.

• In ISO 9001:2015 risk is considered from the beginning and throughout the standard, making preventive action part of strategic planning as well as operation and review.

• Risk-based thinking is already part of the process approach. For example, to cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks.

• Risk is commonly understood to be negative. In risk-based thinking opportunity can also be found, this is sometimes seen as the positive side of risk. For example, crossing the road directly gives me an opportunity to reach the other side quickly, but there is an increased risk of injury from moving cars. The risk of using a footbridge is that I may be delayed. The opportunity of using a footbridge is that there is less chance of being injured by a car.

• Opportunity is not always directly related to risk but it is always related to the objectives. By considering a situation it may be possible to identify opportunities to improve. For example, analysis of this situation shows further opportunities for improvement:

– a subway leading directly under the road,

– pedestrian traffic lights, or

– diverting the road so that the area has no traffic.

It is necessary to analyse the opportunities and consider which can or should be acted on. Both the impact and the feasibility of taking an opportunity must be considered. Whatever action is taken will change the context and the risks and these must then be reconsidered.

Where is risk addressed in ISO 9001:2015?

The concept of risk-based thinking is explained in the introduction of ISO 9001:2015. The standard defines risk as the effect of uncertainty on an expected result.

• An effect is a deviation from the expected – positive or negative.

• Risk is about what could happen and what the effect of this happening might be.

• Risk also considers how likely it is.

The target of a management system is to achieve conformity and customer satisfaction.

ISO 9001:2015 uses risk-based thinking to achieve this in the following way:

• Clause 4 (Context) the organisation is required to determine the risks which may affect this.

• Clause 5 (Leadership) top management are required to commit to ensuring Clause 4 is followed.

• Clause 6 (Planning) the organisation is required to take action to identify risks and opportunities.

• Clause 8 (Operation) the organisation is required to implement processes to address risks and opportunities.

• In Clause 9 (Performance Evaluation) the organisation is required to monitor, measure, analyse and evaluate the risks and opportunities.

• In Clause 10 (Improvement) the organisation is required to improve by responding to changes in risk.

Why use risk-based thinking?

By considering risk throughout the organisation the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service.

Risk-based thinking therefore:

• Builds a strong knowledge base.

• Establishes a proactive culture of improvement.

• Assures consistency of quality of goods or services.

• Improves customer confidence and satisfaction.

Successful companies intuitively take a risk-based approach.

How do I do it?

The Plan, Do, Check, Act (PDCA) principle is still the primary principle within ISO 9001. The process below indicates how the risk based approach and the Quality Management System (QMS) approach integrates.

• Use a risk-driven approach in your organisational processes.

• Identify what your risks and opportunities are, it depends on context. For example, if I cross a busy road with many fast-moving cars the risks are not the same as if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific personal objectives.

• Analyse and prioritise risks and opportunities.

• What is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another? For example, my objective is to safely cross a road to reach a meeting at a given time. It is unacceptable to be injured; it is UNACCEPTABLE to be late. The opportunity of reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time.

It may be acceptable to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high. I analyse the situation. The footbridge is 200 metres away and will add time to my journey. The weather is good, the visibility is good and I can see that the road does not have many cars at this time. I decide that walking directly across the road carries an acceptably low level of risk of injury and an opportunity to reach my meeting on time.

Plan actions to address the risks

In our example, I could eliminate risk of injury by using the footbridge, but I have already decided that the risk involved in crossing the road is acceptable. Now I plan how to reduce the likelihood of injury and/or the effect of injury. I cannot reasonably expect to control the effect of a car hitting me. I can reduce the probability of being hit by a car.

I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident. I also choose to cross the road at a place where I have good visibility and can safely stop in the middle to re-assess the number of moving cars, further reducing the probability of an accident.

Implement the plan – take action

I move to the side of the road, check there are no barriers to crossing and that there is a safe place in the centre of the moving traffic. I check there are no cars coming. I cross half of the road and stop in the central safe place. I assess the situation and then cross the second part of the road.

Check the effectiveness of the actions – does it work?

I arrive at the other side of the road unharmed and on time: this plan worked and undesired outcomes have been avoided.

Learn from experience – continual improvement

I repeat the plan over several days, at different times and in different weather conditions. This gives me data to understand that changing context (time, weather, quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time and avoiding injury).

Experience teaches me that crossing the road at certain times of day is very difficult because there are too many cars. To limit the risk I revise and improve my process by using the footbridge at these times.

I continue to analyse the effectiveness of the processes and revise them when the context changes. I also continue to consider innovative opportunities:

– Can I move the meeting place so that the road does not have to be crossed?

– Can I change the time of the meeting so that I cross the road when it is quiet?

– Can we meet electronically?


The changes in ISO 9001:2015 are critical for each and every company who has been ISO 9001 certified as well as for companies striving to be ISO 9001 certified. With the ISO 9001:2015, quality practitioners need to be re-trained to understand the interrelationship between QMS and risk management.

Crest Advisory Africa are experts in Corporate Governance, which includes Risk Management (ISO 31000:2009) and Quality Management (ISO 9001).

Nico Snyman,Risk Management ExpertContact Nico Snyman