ISO 9001



COVID-19 has highlighted the importance of implementing a preemptive approach to risk management. In this article, we look at why risk-based thinking is vital for forward-thinking businesses.  

ISO 9001 is the world’s most recognizable standard for a quality management system (QMS). It builds confidence in an organization’s ability to consistently supply products and services to a uniform standard. This is achieved by controlling processes within the organization, and an important aspect of that control is the introduction of risk-based thinking throughout the entirety of the QMS.

Adverse risk events, such as COVID-19, demonstrate the importance of adopting a risk-based way of thinking. Unpredictable, negative events can significantly reduce a company’s ability to deliver consistency. Without risk-based thinking at the heart of a QMS, an organization is always reacting to an event, rather than proactively anticipating it. A system that is reacting will be delayed and disrupted, but an organization that has adopted proactive behaviors will already have processes in place to mitigate the negative impact of the event.

Unlike previous iterations of ISO 9001, which separated preventative actions into their own clause, the latest version – ISO 9001:2015 – ensures risk-based thinking is part of every facet of the organization. This is because risk-based thinking is key to achieving continual improvements within the QMS.

Defining Risk-Based Thinking

It is easier to start by defining what risk-based thinking is not. It is not:

  • Risk management
  • An implementable model
  • A documentable practice


Instead, risk-based thinking is a systematic and organic process for the integration of risk management thinking into an organization. It is all-encompassing and continual.

What Are the Options?

Businesses are not single, linear structures. It is therefore important for risk-based thinking to be introduced in a way that links all aspects of the organization. The level of complexity that risk-based thinking needs to encompass will depend on the size and structure of the business.

An Enterprise Risk Management (ERM) structure is pertinent for the highest levels of the organization. It must be developed and implemented at a strategic level and it must be capable of identifying risk in all aspects of the business. It must also remain focused on adding value to the business.

The ISO 31000 family of standards provides an up-to-date framework for companies wishing to implement risk management processes. These standards aim to create and protect value within an organization by providing a framework for managing risk, making decisions, setting objectives, and improving performance.

At the simplest level, a risk matrix can be developed that incorporates a list of risks.

Implementation Strategies

To achieve maximum efficacy, risk-based thinking must be promoted from the top down, encompassing everything from high-level strategic planning to functional processes. In theory, this should not be difficult because, as individuals, we all employ risk-based thinking all the time. The difficulty is that businesses often become stultified in their thinking and this creates reactive tendencies.

A simplified strategy for implementing risk-based thinking should include:

  • Assess risks
  • Identify corrective practices
  • Record and report
  • Monitor and review


It is important during implementation to ensure strategy and practice are aligned. This will increase opportunities and positive outcomes, while optimizing resource management and enhancing long-term viability.

Benefits of Adopting Risk-Based Thinking

The way risk-based thinking is now woven throughout the framework of ISO 9001 is a demonstration of how important it is to adopt this way of working in today’s business world. It not only helps the process of mitigating the impact of adverse risk events, it also:

  • Builds a strong knowledge base
  • Establishes a proactive culture of continual improvement
  • Helps ensure consistency in goods and services
  • Improves customer confidence and satisfaction
  • Helps build market share


In today’s turbulent business environment, the companies that have adopted a forward-looking, risk-based thinking strategy are the ones that have been able to adapt best to the impact of COVID-19.
