ISO 9001:2015, 6.1

Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system. According to the draft ISO 9001:2015 standard, management of these processes and the system as a whole can be achieved using a “Plan-Do-Check-Act” (PDCA) methodology, with an overall focus on “risk-based thinking” aimed at preventing undesirable outcomes.

Risk-based Thinking
Section 0.5 in ISO/DIS 9001:2015 states that risk is the “effect of uncertainty on an expected result”, and that the concept of risk-based thinking has always been implicit in ISO 9001.

An “effect” is a deviation from the expected, and can be positive or negative. The term “uncertainty” is the state, even partial, of a deficiency of information related to the understanding or knowledge of an event, its consequence, or likelihood.

Risk is often expressed in terms of a combination of the consequences of an event, including changes in circumstances and the associated likelihood of occurrence. The term “risk” is sometimes used when there is only the possibility of negative consequences.

ISO/DIS 9001:2015 makes risk-based thinking more explicit and incorporates it into the requirements for the establishment, implementation, maintenance, and continual improvement of the quality management system. Of course, organizations can choose to develop a more extensive risk-based approach than is required by the draft ISO 9001:2015 standard, and the ISO 31000 standard is mentioned as providing guidelines on formal risk management which can be appropriate in certain organizational contexts.

Not all processes of a system represent the same level of risk in terms of the organization’s ability to meet its objectives. The consequences of process, product, service, or system nonconformities are not the same for all organizations. For some organizations, the consequences of delivering nonconforming products and services are a minor inconvenience to the customer; for others, the consequences can be far-reaching and even fatal.

Using “risk-based thinking” means considering risk qualitatively (and, depending on the organization’s context, quantitatively) when defining the rigor and degree of formality needed to plan and control the system, as well as its component processes and activities.

ISO 9001:2008 in its requirements section, clauses 4 through 8, does not mention the terms risk or risks. ISO/DIS 9001:2015 in its requirements section, clauses 4 through 10, mentions the terms risk or risks 14 times. The main requirements related to risk are stated in clause 6.1 of the draft standard.

6.1 Actions to Address Risks and Opportunities
When planning for the quality management system, consider the issues referred to in 4.1 and the requirements referred to in 4.2, and determine the risks and opportunities that need to be addressed to:

  • give assurance that the quality management system can achieve its intended results;
  • prevent, or reduce, undesired effects;
  • achieve continual improvement.

6.1.2 Plan actions to address these risks and opportunities and how to:

  • integrate and implement the actions into its quality management system processes (see 4.4);
  • evaluate the effectiveness of these actions.

Take actions to address risks and opportunities that are proportionate to the potential impact on the conformity of products and services.

NOTE: Options to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.

A.4 Risk-Based Approach
Annex A provides a clarification of the draft standard’s new structure, terminology, and concepts. Annex A.4 states that the draft standard requires the organization to understand its context and determine the risks and opportunities that need to be addressed (see clause 6.1).

One of the key purposes of a quality management system is to act as a preventive tool. Consequently, the draft standard does not have a separate clause or sub-clause titled “Preventive Action”. The concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements.

The risk-based approach to drafting this revised standard has facilitated some reduction in prescriptive requirements and their replacement by performance-based requirements.