Many discussions — and disreputable marketing efforts — are now claiming (or coyly implying) that ISO 9001:2015 requires “risk management.” Sorry, gang… not so.

Strictly speaking, ISO 9001:2015 does NOT add risk management, but “risk based thinking.” In fact, the Committee Draft specifically says that ISO 9001 does not require formal risk management. The latest DIS has similar, but less decisive, language on that point, and merely points readers to ISO 31000 for guidance on risk management if they opt to adopt full risk management. (And ISO gets to product-place its own product within another product. Ka-ching!)

So what is “risk based thinking?”

Well because I’m smart enough to know when I’m stupid, I polled a few actual, real, breathing risk management professionals — the types with actual published credentials, doctorates, and other credible credentials — and they are befuddled. This includes some authors of the ISO 31000 standard itself.

Said one:

Unfortunately it is almost impossible for humans not to follow risk based thinking. Selling RBT would be like selling cans of air or bottles of sound.


That’s really funny. It sounds like it is going to be the new trend… risk based thinking, risk based sporting, risk based eating, etc.

Another called it a cluster f***. Another said TC 176 were “clowns.” Remember: these are the real, working risk management professionals saying this.

Homeopathic Quality Standards

Homeopathy relies on the debunked, and dangerous, fake theory that if you dilute something enough times, its effects actually get stronger. TC 176 has adopted a homeopathic approach to its development process, assuming that if you dilute risk management enough, it will improve its meaning. Like drinking homeopathic bleach, it doesn’t.

The major problem lies with TC 176’s hesitance to go all-in on risk management. Risk management is a well established discipline, and has been for centuries. Rather than either leave risk out, and allow ISO 31000 to do its job, or go all-in and include actual RM requirements in 9001, TC 176 created an entirely new concept called “risk based thinking,” which doesn’t exist in other industries at all. The closest precursor to “risk based thinking” is some FDA approach imposed on inspections of pharmaceutical companies, but even that’s a stretch.

I want to repeat that: ISO has created a new method of management that has never been vetted in any industry, much less one which reflects an accepted “best practice.” This is unprecedented in ISO 9001 history. They are now inventing new methods, rather than publishing known, validated methods. Whether “risk based thinking” succeeds or fails will be determined only after ISO 9001 users adopt it.

Are the un-vetted, dubiously-credentialed TC 176 volunteers — who attain their rank purely by showing up at meetings, and not by any assessment of their ability or knowledge — even qualified to be inventing world practices? I doubt it.

Because there’s no such thing as “risk based thinking,” its definition and application will be defined by the assumptions of the various players, who will fill in the gaps with whatever they think it means. And be warned: they are going to make these proclamations with absolute assurance and total confidence. They will ignore the fact that their definitions and proclamations contradict those of others who exhibit equal confidence and arrogance. They will impose their opinions as law. Everyone will claim to be an expert, because no one actually can be an expert — because risk based thinking doesn’t actually exist.

It’s like me claiming to be an expert in designing “negative buoyancy wearable flotation devices.”

Consider this: the entirety of what quality experts Deming, Juran, Shewhart, Feigenbaum, Ishikawa, Taguchi and Crosby had to say about “risk based thinking” can be collected and published on … well, nothing, because they never said anything about it.

And sure enough, we are already being given conflicting advice by idiots who claim sudden mastery over something that didn’t exist 15 minutes ago. Some are saying that risk-based thinking is satisfied by formal risk management approaches like FMEA. Others are saying, no, that’s not required, that merely “being aware of risks” is sufficient.

Here are just a few links to the various blowhards, blowing hard on the subject, oblivious to the fact that they all disagree in some way or another:

What’s On the Label, Then?

The official TC 176 talking points are as follows, and are not much better:

  • Risk-based thinking is something we all do automatically and often sub-consciously.
  • The concept of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system.
  • Risk-based thinking is already part of the process approach.
  • Risk-based thinking makes preventive action part of the routine.

The mantra from ISO is the same: risk has always been there, you just didn’t know it, and we accidentally called it “preventive action” before, but we fixed it.


In a rare bit of lucidity, Quality Digest actually published someone who “gets it.” This, from Umberto Tunesi:

That risk-based thinking was always implicit in ISO 9001 is doubtful; instead, the standard has always pushed hard on conformity to specifications. Leaving the ISO 31000 guideline to help companies establish a formal risk management system sidesteps a basic QMS responsibility, in my view. There’s an obvious difference between the ISO 9001 standard and the ISO 31000 guideline: The former is a standard with stipulated requirements; the second a suggestion-based guideline. The standard addresses quality, while the guideline addresses risk. … ISO is starting to realize the risk of not meeting quality specifications, but it needs to do more to address this than suggest possible actions via ISO 31000.

Well said.

The main takeaway from the ISO talking points — literally included in the foreword of ISO DIS 9001 itself — is that “the concept of risk-based thinking has always been implicit in ISO 9001.”

No… no, it hasn’t. Seriously, you are completely making that up.

The fact that “life is risky” is not only irrelevant to QMS standards, it gives absolutely nothing to hold onto relative to requirements intended for (among other things) objective, third party certification. The ISO authors may well have added a clause about “life is unfair” and “taxes are too high” and then let people figure out how the hell to audit that.

Stating the obvious — “risk is inherent” — doesn’t tell us anything. What’s the actual requirement then? Do we just think about risk?

The drug-addled Foreword in the DIS tells us (emphasis added):

“Risk-based thinking” therefore means considering risk qualitatively (and, depending on the organization’s context, quantitatively) when defining the rigor and degree of formality needed to plan and control the quality management system, as well as its component processes and activities.

So, yes… they just added a new concept that is nearly entirely qualitative — meaning subjective — to a standard intended to be used for objective compliance auditing. Because no one on TC 176 actually undergoes ISO 9001 audits, they have no experience of constantly dealing with CB auditors whose “interpretations” (read: opinions) differ from yours, and intentionally adding subjectivity to the standard will only worsen this a hundredfold.

Here’s the actual clause from the DIS, which is likely to remain untouched in the final 9001 standard:

6.1    Actions to address risks and opportunities

6.1.1 When planning for the quality management system, the organization shall consider the issues .. and the requirements … and determine the risks and opportunities that need to be addressed to:

a)       give assurance that the quality management system can achieve its intended result(s);

b)       prevent, or reduce, undesired effects;

c)       achieve continual improvement.

6.1.2  The organization shall plan:

a)       actions to address these risks and opportunities;

b)       how to:

1)      integrate and implement the actions into its quality management system processes (see 4.4);

2)      evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

NOTE Options to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.

This murky mess clearly defines what the risk industry calls “risk treatment” methods (“avoiding risk, taking risk,” etc.) which is a formal part of risk management, but TC 176 wants us to believe that, no, it’s not risk management — it’s risk based thinking. It just looks exactly like risk management. But it’s not. Unless you want it to be, then it’s okay.


So there are two ways to approach this, since ISO 9001 is so contradictory and confused on the requirements:

  • Perform conventional, formal risk management and be done with it. It’s not required, but it will shut everyone up. The fact that it will be expensive, burdensome on most users, over-the-top, and poorly implemented is irrelevant. Keep your cert, shut up the auditors, and throw some FMEAs at them.


  • Take ISO’s word on it, and just “think” about risks, and then roll that out — somehow — into tailored QMS approaches that aren’t necessarily written down, and can’t be proven with evidence, and are likely to be argued to death by customers and certification body auditors. Take your chances, and fight out the battles this will cause one at a time. Hope to win a few.

Neither solution is optimal. And, remember: this is all out of the blue, created without any actual risk management industry input or participation, and mostly in contradiction of actual risk management practices. It’s a wimpy, New Age repackaging of an assortment of half-ideas, served nearly raw and garnished with marketing spin.

I’ll have an article soon on how I think companies should approach “risk based thinking,” but since I’ll be pulling it out of thin air as much as everyone else, expect a lot of sudden experts on RBT to disagree.

But one thing: anyone insisting that ISO 9001 now includes “risk management” is uninformed, or lying.


(Full disclosure: I started what is now a hugely popular thread on LinkedIn which suggested, at the time, that ISO 9001 would require risk management. This was written way back at the end of last year, and of course I’ve subsequently come to identify that RM is not required. This post today aims to rectify some of that error.)
