ISO/DIS 9001:2015, Clause 0.5

Clause 0.5 of the Introduction section of the draft ISO 9001:2015 standard states that risk is the “effect of uncertainty on an expected result”, and that the concept of risk-based thinking has always been implicit in ISO 9001.

As background information, an “effect” is a deviation from the expected, and can be positive or negative. The term “uncertainty” is the state, even partial, of a deficiency of information related to the understanding or knowledge of an event, its consequence, or likelihood.

Risk is often expressed in terms of a combination of the consequences of an event, including changes in circumstances and the associated likelihood of occurrence. The term “risk” is sometimes used when there is only the possibility of negative consequences.

The draft ISO 9001:2015 standard makes risk-based thinking more explicit and incorporates it into the requirements for the establishment, implementation, maintenance, and continual improvement of the quality management system.

Organizations can choose to develop a more extensive risk-based approach than is required, and the ISO 31000 standard is mentioned as providing guidelines on formal risk management, which can be appropriate in certain organizational contexts.

Not all processes of a system represent the same level of risk in terms of the organization’s ability to meet its objectives. The consequences of process, product, service, or system nonconformities are not the same for all organizations. For some organizations, the consequences of delivering nonconforming products and services can result in minor inconvenience to the customer; for others, the consequences can be far-reaching and even fatal.

Using “risk-based thinking” means considering risk when defining the rigor and degree of formality needed to plan and control the quality management system, as well as its component processes and activities.

ISO 9001:2008, in its requirement clauses 4 through 8, does not mention the term “risk”, although it does refer to “preventive action”, which, by identifying potential nonconformities, is a type of risk analysis. However, the draft ISO 9001:2015 standard, in its requirement clauses 4 through 10, mentions the term “risk” 14 times. The main requirements related to risk are stated in clause 6.1 of the draft standard.