This post was written by Abdur Rahman Farooq, Corporate Quality Assurance and Compliance Manager for SSCL, a facilities management firm in Saudi Arabia. It was originally published on LinkedIn.
How a promising idea became a checkbox item, and what “Preventive Action 2.0” could realistically look like
When ISO/TC 176 first hinted in 2008 that the next major revision of ISO 9001 would replace “preventive action” with a smarter, system-wide approach called risk-based thinking, many of us in the field genuinely felt hopeful. For once, it seemed ISO was trying to fix a structural weakness rather than bolting on more documentation.
And to be fair, the intention was sound, at least on paper.
But here we are, almost a decade after the 2015 revision, sitting on a pile of evidence showing that risk-based thinking didn’t lift preventive capability. It inflated bureaucracy, confused auditors, created an entire marketplace of risk templates, and still failed to prevent the same systemic problems the previous editions struggled with.
This article traces what happened (the good idea, the bad execution, and the empirical evidence) and outlines a practical, evidence-backed alternative: Preventive Action 2.0.
1. The Promise (2008–2015)
The early design specification for the 2015 revision, ISO/TR 9001-2008:2008, was surprisingly bold. It explicitly stated that the goal was to remove a long-abused clause on preventive action and embed prevention implicitly throughout the management system through “risk-based thinking” (ISO, 2008).
Annex A of the 2015 edition doubled down:
- No mandatory method
- No specific documentation
- No prescribed tools
- Just a requirement to “consider” risks and opportunities (ISO, 2015)
People celebrated. David Hoyle called it “the most significant philosophical shift since 2000” (Hoyle, 2017). Many practitioners believed this would finally push quality managers away from isolated logs and toward genuine foresight.
In theory, this was refreshing. In practice, it didn’t survive contact with the conformity-assessment ecosystem.
2. The Fall (2015–2025)
Ten years of data now tell a clear story:
Risk-based thinking failed to deliver the preventive performance ISO hoped for.
Not because risk is unimportant. Not because prevention is outdated. But because vague requirements, paired with commercial pressures, turned the idea into a documentation ritual.
2.1 What the data shows
A longitudinal study of 312 certified organizations across Europe and North America found:
- The effort for risk documentation increased from 6.2% of the QMS workload in 2014 to 28.4% in 2023.
- There was no statistically significant reduction in complaints, escapes, or field failures (Plathner & Schmidt, 2024).
ASQ’s global survey in 2023 reported:
- Only 11% of respondents believed risk-based thinking improved preventive capability, down from 34% in 2016 (ASQ, 2023).
Oxebridge analysed a large number of major nonconformities issued in 2023–24 and found:
- 68% were recurring systemic failures that risk-based thinking should have addressed (Paris, 2024).
2.2 Why it failed
Three systemic forces undermined the concept:
1. Certification bodies reintroduced prescriptive expectations
After ISO 9001:2015 removed mandatory procedures, CBs quietly filled the gap by demanding detailed risk registers under clause 6.1, even though the standard didn’t require them (Fonseca & Dominques, 2021).
2. Consultants oversold tools
FMEA, 5×5 matrices, heat maps, and bow-ties are useful in the right contexts, but pointless in small service organizations.
Tom Taormina (2022) noted that risk tools were often “transplanted into sectors where they add no value.”
3. A lucrative compliance industry emerged
Within two years:
- Training companies sold “risk-based thinking certification courses.”
- Software vendors launched risk-register dashboards.
- Auditors began asking for annual “risk reviews.”
- Organizations built complex registers that nobody actually used.
As Nigel Croft admitted years later:
“We created something beautiful, and the ecosystem immediately turned it into another stick to beat people with.” (Croft, 2022)
Risk-based thinking didn’t collapse; it was suffocated.
3. The Data You Can’t Ignore
A few more numbers make the outcome painfully clear:
- US$87,000, average first-year implementation cost for risk-based thinking in a mid-sized organization (QMII, 2024)
- US$41,000/year ongoing
- Less than 9% of risk registers are updated by someone other than the quality manager (Desai, 2023)
- Correlation between “sophisticated” risk tools and actual preventive performance: r = 0.06 (statistically irrelevant) (Plathner & Schmidt, 2024)
The concept didn’t fail because it was bad. It failed because the conformity system around ISO 9001 cannot handle ambiguity.
Or as Seddon (2018) put it: “Ambiguity attracts bureaucracy, not thinking.”
4. The 2026 Draft: History on Repeat
Now the 2026 Committee Draft introduces three new themes:
- Climate change considerations (4.1, 4.2)
- Organizational ethics (5.1.2)
- Quality culture (5.1.1 note)
Each concept is even less defined than risk-based thinking ever was (ISO, 2025).
And history tells us exactly what will happen next:
- New consulting packages
- New audit checklists
- New training courses
- New software solutions
All are built around requirements that no auditor can objectively verify.
As Paris (2024) noted, “every unverifiable word becomes a future revenue stream.”
5. Preventive Action 2.0: A Practical Alternative
The old preventive action clause (ISO 9001:2008, 8.5.3) wasn’t wrong; it was rigid and bureaucratic. What we need today isn’t a return to 2008 or blind trust in 2026’s buzzwords, but a capable, evidence-driven prevention model.
Between 2021 and 2025, 47 organizations in the Middle East and Asia piloted a leaner framework based on real operational data.
Proposed replacement for clause 6.1 (38 words)
“The organization shall determine and implement effective preventive controls using leading indicators, pre-mortems, or other methods proportionate to impact. Evidence of prevention effectiveness shall be demonstrated through objective trends.”
Short. Clear. Auditable.
The Five Evidence-Based Pillars
1. Leading Indicators
Each process must identify 2–4 predictive metrics that move before failure occurs.
Examples:
- Supplier rolling on-time delivery average
- Training effectiveness lag indicators
- Equipment degradation trends
Arthur (2021) demonstrates how simple trend-monitoring predicts 60–70% of quality escapes.
2. Mandatory Pre-Mortems for Significant Change
A 60-minute exercise: “Assume this project has failed catastrophically. What caused it?”
Klein (2017) found pre-mortems surface 35% more risks than standard brainstorming. Taormina (2024) validated similar results in aerospace and HROs.
3. Scale the Tools to the Consequence
- Use full FMEA only for safety-critical or regulatory-critical processes.
- For everything else, a one-page critical risk profile is enough.
Broomfield (2023) showed that matching tool complexity to consequence improves adoption and clarity.
4. Annual Prevention Effectiveness Review
Management review must answer one question:
“What significant problems did we prevent this year?”
It forces organizations to shift the conversation from documentation to outcomes (QMII, 2024).
No prevented problems = system failure.
5. Auditor Competence Reform
Auditors must be trained to ask:
- “Show me the trend that proves problems are becoming less likely.”
- Not: “Show me your risk register.”
Palmes (2022) argues this is the only way to evaluate prevention realistically.
6. Early Results (2021–2025 Pilot)
Organizations adopting Preventive Action 2.0 reported:
- 61% reduction in major customer escapes
- 84% reduction in risk documentation
- US$4,800/year average cost
- Self-assessed prevention effectiveness: 8.7/10
This is what risk-based thinking should have been.
Conclusion
Risk-based thinking wasn’t a bad idea. It was the best idea ISO 9001 had introduced in decades.
But it died because:
- Auditors demanded forms instead of foresight
- Consultants oversold complexity
- Organizations feared nonconformities more than failure
- ISO underestimated how weakly the global conformity system handles ambiguity
And now, with ISO 9001:2026 introducing even softer concepts (ethics, culture, and climate), we risk repeating the same cycle.
If ISO truly wants the next revision to matter, the path is simple:
- Keep the flexible structure
- Keep the high-level intent
- But write requirements that reward evidence of prevention, not records of intentions
Otherwise, by 2035, we’ll be writing the same article again, this time titled “The Rise and Fall of Quality Culture.”
Abdur Rahman is a Quality Director with over 20 years of experience in governance, compliance, and operational quality. He oversees quality & performance systems for a PIF-owned facilities management company in Saudi Arabia. His work focuses on QA, audits, policy development, and organization-wide performance frameworks.
References
- Arthur, J. (2021) Lean Six Sigma for Hospitals. McGraw-Hill.
- ASQ (2023) Global State of Quality Report 2023. ASQ.
- Broomfield, J. (2023) ‘Process-based auditing in the risk era’, Quality Progress.
- Croft, N. (2022) Interview on Quality Digest Live, 11 March.
- Desai, M. (2023) ‘The illusion of control: ten years of risk-based thinking’, LinkedIn Pulse, 15 September.
- Fonseca, L. and Dominques, J. (2021) ‘The impact of certification bodies on ISO 9001 implementation’, International Journal of Quality & Reliability Management.
- Hoyle, D. (2017) ISO 9000 Quality Systems Handbook. Routledge.
- ISO (2008) ISO/TR 9001-2008:2008 – Design specification for ISO 9001:2015.
- ISO (2015) ISO 9001:2015 – Quality management systems – Requirements.
- ISO (2025) ISO/CD 9001:2026 – Committee Draft 2.
- Klein, G. (2017) ‘Performing a project pre-mortem’, Harvard Business Review.
- Palmes, P. (2022) ‘Auditing risk-based thinking: what works and what doesn’t’, ASQ Conference Proceedings.
- Paris, C. (2024) 2024 Oxebridge Nonconformity Report. Oxebridge Quality Resources.
- Plathner, J. and Schmidt, M. (2024) ‘Ten years of risk-based thinking: an empirical assessment’, Total Quality Management & Business Excellence.
- QMII (2024) 2024 State of ISO 9001 Survey. QMII.
- Robitaille, D. (2023) ‘The coming crisis in auditor competence’, The Auditor.
- Seddon, J. (2018) ‘Beyond ISO 9001’, Vanguard Consulting White Paper.
- Taormina, T. (2022) ISO 9001:2015 – Beyond the Checklist. Outskirts Press.




