A guide to risk-based thinking in IATF 16949


How does risk relate to IATF 16949?

What is risk and how does it apply to IATF 16949 – quality management system for the automotive industry?

A quick recap of IATF 16949

The standard was developed by the International Automotive Task Force (IATF), an ad hoc group of automotive manufacturers and their respective national automotive industry associations.

IATF 16949 better defines Quality Management System (QMS) requirements for automotive industry organizations, including those involved in production, service or accessory parts.

It aligns with and refers to ISO 9001. The IATF maintains strong cooperation with ISO by continuing liaison committee status, ensuring continued alignment with ISO 9001.

IATF 16949 has 42,000 data points and our analysis is based on the standard’s data.

IATF 16949’s key benefits
  • Simplified language and a common structure of terms
  • Emphasis on defect prevention
  • Support for continual improvement
  • Automotive industry-specific requirements and tools
  • Reduced supply chain variation and waste

What is risk-based thinking?

Risk is the effect of uncertainty. We all do risk-based thinking automatically, often subconsciously, to get the best results.

Context + risk = basis for QMS planning. Risk-based thinking has always been implicit in the ISO 9001 QMS and ensures that risk is considered from the beginning and throughout. It also makes “prevention” part of strategic and operational planning.

What is risk management?

According to ISO 31000, risk management is “coordinated activities to direct and control an organization with regard to risk”.

Implementation and improvement considerations

You must follow the Plan-Do-Check-Act Cycle.

Use a risk-driven approach throughout your organizational process (PLAN) and identify and prioritize the risks in your organization, depending on context, product, process or organizational complexity. You must ask yourself – what is acceptable and unacceptable?

Begin to plan actions to address the risks and ask – how can I avoid, eliminate or mitigate risks?

Next, implement the plan/act (DO) before checking the effectiveness of the action, asking – does it work? (CHECK).

Finally, learn from experience and improve (ACT). Preventive actions are one result of risk-based thinking.

The clauses involved

  • Clause 4: Context of the organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance evaluation
  • Clause 10: Improvement

Risk-based thinking in ISO 9001 and IATF 16949

There are 36 specific requirements referencing risk, plus several more in MMOG/LE.

ISO 9001 requirements
  • Clause 4: The organization is required to determine its QMS processes and address risks and opportunities
  • Clause 5: Top management is required to promote awareness of risk-based thinking, and determine and address risks and opportunities that can affect product/service conformity
  • Clause 6: The organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them
  • Clause 7: The organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned)
  • Clause 8: The organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned)
  • Clause 9: The organization is required to monitor, measure, analyze and evaluate the effectiveness of actions taken to address risks and opportunities
  • Clause 10: The organization is required to correct, prevent or reduce undesired effects and improve the QMS, as well as update risks and opportunities

IATF 16949 requirements (supplemental to ISO 9001)

Clause 6 – PLAN

The organization is required to:

(Linkages: Risks and opportunities are derived from Clause 4)

  • Identify risks to the success of the QMS, such as legal noncompliance, shutdown, cyberattack, turnover and supplier problems
  • Identify opportunities for the success of the QMS, such as advertising performance/success, design and new technologies, raw materials and partners
  • Determine the risk preventive actions and contingency plans


Clause 7 – PLAN

The organization is required to:

  • Determine risk identification and risk mitigation methods to develop, improve and optimize the material flow (synchronous material flow) – value‐added use of floor space
  • Develop methods for manufacturing feasibility assessment and capacity planning
  • Provide suitable measuring tools and train operators
  • Safeguard the organization from loss of knowledge (e.g. through staff turnover or failure to capture and share information)
  • Analyze the risks involved for customers with nonconforming products – risk awareness
  • Plan to perform re-evaluation relative to risk (refer to PDCA)


Clause 8 – DO

The organization is required to:

  • Perform manufacturing feasibility assessments, capacity planning (DFMA/DFSS)
  • Perform product design and process risk analysis (DFMEA/PFMEA), prioritizing risk and potential impact on customers
  • Mitigate risks in the process design that are commensurate with risk encountered (PFMEA), with specific attention to the Special Characteristics (SC)
  • Perform re-evaluation and monitor the risk controls for effectiveness (FMEA RPN reduction)
  • Assess the selected supplier’s product quality and uninterrupted supply; implement and adjust the control based on supplier performance
  • Using the risk-based model, define the minimum acceptable level and target QMS development level
  • Determine the supplier level of development using the risk-based approach
  • Document risk analysis outputs (update control plans at a set frequency)
  • Assess the risks in rework and repair processes


Clause 9 – CHECK

The organization is required to:

  • Identify tools to analyze the process controls (DFMEA, PFMEA, SPC, internal audit program, management review, warranty and field failures information)


Clause 10 – ACT

The organization is required to:

  • Assess and address the consideration of impact on similar processes and products (read-across)
  • Determine and document methods used in process risk control (error proofing)
  • Identify, document and use the risk analysis tools in CI

The objectives

In order of importance:

  • The ultimate objective – IATF 16949 third-party certification
  • IATF 16949 second-party conformity
  • ISO 9001 registration and customer-defined QMS (MAQMSR or AIAG CQI-19)
  • ISO third-party registration
  • The minimal level – ISO 9001 second party (only with customer approval)


How we can help

Our IATF 16949 solutions include certification and training courses.

An audit against the standard from us will help your organization to stand out from the crowd by supporting you to improve product quality, reduce waste and prevent defects.

We also offer a range of complementary services:

  • AIAG and VDA FMEA Handbook Training Course
  • APQP 2nd Edition Executive Overview Training Course
  • APQP 2nd Edition Training Course
  • IATF 16949 Automotive QMS Introduction eLearning Training Course
  • IATF 16949 Automotive QMS Lead Auditor Training Course – Module 1 Introduction
  • IATF 16949 Automotive QMS Lead Auditor Training Course – Module 2 Internal Auditing
  • IATF 16949 Automotive QMS Lead Auditor Training Course – Module 3 Core Tools


With a global presence, we have a history of successfully executing large-scale, complex international projects. We speak the language, understand local markets and operate consistently, reliably and effectively globally.

Get in the driving seat, reduce risks and issues. Learn more here.
