In the lead up to the release of the revised version of the ISO 9001 Quality Management Systems Standard, there was a great deal of discussion and conjecture about how the Standard’s requirements might change. Much of this discussion was around the planned introduction of risk-based thinking into quality management.

Whilst the management of risk was implied within the superseded ISO 9001:2008 version of the Standard, it is now explicit in the recently released 2015 version.

In reviewing the requirements around risk-based thinking now in the Standard (listed below), it is evident that they are not novel concepts, and most organisations with management systems that meet the requirements of ISO 9001:2008 will be already fulfilling many of these however, what is different is that these requirements must now be formally considered and included in an organisation’s management system.

In essence, the new ISO 9001:2015 mirrors ISO 3100 Risk Management, with organisations required to consider their risk appetites when planning their products or services.

Organisations seeking to ensure their readiness for certification under the revised ISO 9001:2015 should ensure that the risk-based thinking encapsulated in the clauses quoted below are evident in their management systems.

Whilst there is a three-year transition period to migrate current quality management systems to the new edition of the Standard, the revisions are designed to improve business performance and it would benefit organisations to start the transition process prior to this time.

Specific references to risk in the new ISO 9001:2015 include:

  • 4.1 f) Quality Management System and its processes – Organisations are required to determine the risks and opportunities in accordance with clause 6.1.
  • 1.1 d) Leadership and commitment – The use of a process approach together with risk-based thinking is promoted.
  • 1.2 b) Customer focus – Risks and opportunities that can affect the conformity of products must be contemplated.
  • 1.1 & 6.1.2 Actions taken to address risks and opportunities – Actions taken to address the risks and opportunities must be proportional to the potential impact of the risk.
  • 1 Operational planning and control – Organisations are required to review the consequences of unintended changes and must take action to mitigate adverse effects.
  • 3.3 Design and development inputs – There is a design input requiring organisations to review the potential consequences or product or service failure.
  • 5.5 b) Post delivery activities – Where post delivery activities are required, organisations must now consider potential undesired consequences related to these activities.
  • 1.3 e) Analysis and evaluation – Actions taken to address risks and opportunities must be addressed.
  • 3.2 Management Review – Reviews must now consider the effectiveness of actions taken to address risks and opportunities from clause 6.1 that includes the planning requirements for addressing risks and opportunities
  • 1 b) Improvement General – Correcting, preventing or reducing undesired effects as a risk.
  • 2.1 Non conformity and corrective action – Post non-conformances, organisations are required to update their risks and opportunities as determined during the planning phase.

Please contact QRMC for more information.