Revisions to ISO9001:2008 Quality Management Systems are in the pipeline, with a draft currently expected to be published in April and the updated Standard anticipated in October 2015.

Chatter about the revision has included the term “risk-based thinking”, but many are uncertain about what this means to the practical use of the Standard.

Previous versions of the Standard have included risk management via a clause relating to preventative action. With the new revision of the Standard, risk management is not an isolated clause but instead is considered and integrated throughout the Standard.

The underlying intent of a Quality Management System is still to achieve conformity and customer satisfaction with an organisation’s products or services. What is different in the new standard is that a risk-based approach is taken to accomplish this outcome.

From available draft materials, examples of how this approach is embedded in the new Standard include the following requirements:

  • The organisation must determine the risks which may affect its ability to achieve conformity and customer satisfaction
  • Senior management are required to commit to this risk-based approach to quality management
  • The organisation is obliged to take action to identify risks and opportunities
  • It is also required to implement processes to address the identified risks and opportunities, and to monitor and evaluate the risks and opportunities
  • There is also a requirement to continually improve by responding to changes in risk.

The underlying intent of requiring organisations to utilise “risk-based thinking” in their approach to quality management is to maximise the likelihood of achieving the objectives of a quality management system (i.e. to make output more consistent and to give confidence to customers that they will receive the expected product/service).

In reality, this new focus in the approach to quality management systems should not significantly change the systems and processes of well-run organisations – after all, it is already good business to utilise risk management principles in the operation of any organisation, and the majority of organisations do so, either formally or informally.

However, in order to demonstrate best practice, and especially to achieve certification after the new Standard is released, organisations will need to give consideration to the ways in which their quality management system and the processes used to implement it are documented and communicated.

Please contact QRMC for more information.