Risk-Based Thinking with ISO 9001:2015

It's projected that starting in late 2015, many organizations (through the quality professional) will face the prospect of installing a risk management process into their ISO 9001:2015 quality management system. There are several questions to be answered:

  • What is risk-based thinking?
  • How extensive does it have to be?
  • How much more work will this be?
  • Can I do this quickly enough?
  • How do I get started?


How extensive does it have to be?

Risk-based thinking will be new for ISO 9001:2015. In the aerospace industry, risk-based thinking has been required as a part of the AS-series of standards for years. The federal government and NASA also have standards addressing risk management. The AS9100 standard does not specify how to implement a risk management process.

How much more work will this be?

Actually, risk-based thinking could prove to be a very valuable process for your company. Risk entails a probability and impact of a loss or gain. Some useful risk publications include:


  • ISO 31000:2009, Risk management – Principles and guidelines, provides principles, framework and a process for managing risk.
  • (Sept, 2012). NIST Special Publication 800-30 revision 1: Guide for conducting risk assessments.
  • Project Management Institute. (2013). A guide to the project management body of knowledge (PMBOK Guide).
  • Prichard, C., & Tate, K. (2013). The risk management memory jogger.
  • ISO Guide 73:2009, Risk management - Vocabulary complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk.
  • ISO/IEC 31010:2009, Risk management – Risk assessment techniques focuses on risk assessment.


Can I do this quickly enough?

Get started now! There have been some articles on risk-based thinking in Quality Progress (ASQ magazine). See Palmes, P. (Sept 2014). “A new look: 15 things you must know about the upcoming ISO 9001 revision”. Also, there are opportunities to network with experts through ASQ section meetings and through webinars.

How do I get started?

Seek advice from your Registrar about how they are directing their auditors to assess risk. You may want to write a new risk management procedure containing the concepts and body for a risk-based thinking process. It should follow the steps of the standard you want to use, such as NIST SP 800-30. (The NIST standard and NASA procedures/standards are free to the public.)

There will be more blogs on details of risk-based thinking to follow. Of course, Concentric is in place to be the external resource for you to succeed in implementing a good risk-based thinking process. For Glenn's full article, register for our upcoming ISO 9001:2015 Forum - January Webinar. You can get an update on all the changes, including risk-based thinking. Register online here.