A “Risk Based Thinking” Model for ISO 9001:2015

Presentation by Bob Deysher (1746 KB)



Greetings Bob,
Risk Based Thinking is one of the many sections in the standard that a lot of quality professionals struggle with when trying to demonstrate compliance to a registrar. I am a lead ISO consultant and have worked with over 40 companies in the last year and a half to acquire certification in ISO 9001 and AS9100. I cut my teeth in the automotive industry, where FMEAs were required and caused a lot of stress to everyone except the quality engineering nerds like me.
I know that the Risk Register and anything like it can be intimidating; therefore, I have used a technique that has not yet raised an eyebrow from a registrar. I encourage my ISO 9001 clients to identify risks and opportunities (the positive risks, as you mentioned in the white paper) in three areas: Context of the Organization, Relevant Interested Parties, and the Key Process Definition Documents (formerly Turtle Diagrams).
For example, a context issue may be an aging workforce where tribal knowledge has not been documented and the risk is that our processes, products and services may go haywire when our prized, seasoned employees retire or leave us to open a bar in Jamaica. The risk mitigation can include a shadowing program for new hires to work with seasoned employees to learn the processes and in turn document that knowledge. Encourage the seasoned employees to suggest improvements during this process and reward them for being team players and being committed to a culture of improvement.
During the Management Review meeting, discuss this risk and the progress that we are making toward the actions to mitigate the risk. Reviewing and updating the context issues, their risks and improvement suggestions during the Management Review demonstrates compliance to 4.1, 6.1, 7.3, 9.3 and 10.3.

Thank you for sharing this content, Bob!
  • Posted Thu 30 May 2019 01:27 AM CDT
Marla, you're correct that identifying risks to the QMS is done best by starting with the context, then interested parties (stakeholder analysis), and if they then do a SWOT analysis based on the information raised (keeping in mind the quality objectives), they should be able to identify any high-level risks. Summarizing them in a risk register that is reviewed during management review then completes the PDCA cycle.

However, for process-level risks there are many options (ISO 31010 has a list of 31 different techniques), and which is chosen will depend on the context of the process itself.
  • Posted Thu 30 May 2019 11:27 PM CDT

Resource Details

Date Added: May 23, 2019
Category: Resources