{"id":33083,"date":"2025-11-21T08:28:33","date_gmt":"2025-11-21T13:28:33","guid":{"rendered":"https:\/\/www.oxebridge.com\/emma\/?p=33083"},"modified":"2025-11-21T08:58:20","modified_gmt":"2025-11-21T13:58:20","slug":"guest-post-the-rise-and-fall-of-risk-based-thinking","status":"publish","type":"post","link":"https:\/\/www.oxebridge.com\/emma\/guest-post-the-rise-and-fall-of-risk-based-thinking\/","title":{"rendered":"Guest Post: The Rise (and Fall) of Risk-Based Thinking"},"content":{"rendered":"

This post was written by Abdur Rahman Farooq<\/a>, Corporate Quality Assurance and Compliance Manager for SSCL<\/a>, a facilities management firm in Saudi Arabia. <\/em>It was originally published on LinkedIn, here<\/a>.\u00a0<\/em><\/p>\n

\n

How a promising idea became a checkbox item, and what \u201cPreventive Action 2.0\u201d could realistically look like<\/h3>\n

When ISO\/TC 176 first hinted in 2008 that the next major revision of ISO 9001 would replace \u201cpreventive action\u201d with a smarter, system-wide approach called risk-based thinking<\/em>, many of us in the field genuinely felt hopeful. For once, it seemed ISO was trying to fix a structural weakness rather than bolting on more documentation.<\/p>\n

And to be fair, the intention was sound at least on paper.<\/p>\n

But here we are, almost a decade after the 2015 revision, sitting on a pile of evidence showing that risk-based thinking didn\u2019t lift preventive capability. It inflated bureaucracy, confused auditors, created an entire marketplace of risk templates, and still failed to prevent the same systemic problems the previous editions struggled with.<\/p>\n

This article traces what happened, the good idea, the bad execution, and the empirical evidence, and outlines a practical, evidence-backed alternative: Preventive Action 2.0<\/em>.<\/p>\n

The Promise (2008\u20132015)<\/h3>\n

The early design specification for the 2015 revision, ISO\/TR 9001-2008:2008, was surprisingly bold. It explicitly stated that the goal was to remove a long-abused clause on preventive action and embed prevention implicitly throughout the management system through \u201crisk-based thinking\u201d (ISO, 2008).<\/p>\n

Annex A of the 2015 edition doubled down:<\/strong><\/p>\n

    \n
  • No mandatory method<\/li>\n
  • No specific documentation<\/li>\n
  • No prescribed tools<\/li>\n
  • Just a requirement to \u201cconsider\u201d risks and opportunities (ISO, 2015)<\/li>\n<\/ul>\n

    People celebrated. David Hoyle called it \u201cthe most significant philosophical shift since 2000\u201d (Hoyle, 2017). Many practitioners believed this would finally push quality managers away from isolated logs and toward genuine foresight.<\/p>\n

    In theory, this was refreshing. In practice, it didn\u2019t survive contact with the conformity-assessment ecosystem.<\/p>\n

    The Fall (2015\u20132025)<\/h3>\n

    Ten years of data now tell a clear story:<\/p>\n

    R<\/em>isk-based thinking failed to deliver the preventive performance ISO hoped for<\/em><\/strong>.<\/em><\/p>\n

    Not because risk is unimportant. Not because prevention is outdated. But because vague requirements, paired with commercial pressures, turned the idea into a documentation ritual.<\/p>\n

    2.1 What the data shows<\/h3>\n

    A longitudinal study of 312 certified organizations across Europe and North America found:<\/p>\n

      \n
    • The effort for risk documentation increased from 6.2% of the\u00a0QMS workload in 2014 to 28.4%<\/strong> in 2023.<\/li>\n
    • There was no statistically significant reduction<\/strong> in complaints, escapes, or field failures (Plathner & Schmidt, 2024).<\/li>\n<\/ul>\n
      \n
      \n
      \n
      \"Article<\/div>\n<\/div>
      <\/figcaption><\/figure>\n<\/div>\n

      ASQ\u2019s global survey in 2023 reported:<\/strong><\/p>\n

        \n
      • Only 11%<\/strong> of respondents believed risk-based thinking improved preventive capability, down from 34% in 2016 (ASQ, 2023).<\/li>\n<\/ul>\n

        Oxebridge analysed a large number of major nonconformities issued in 2023\u201324 and found:<\/strong><\/p>\n

          \n
        • 68%<\/strong> were recurring systemic failures that risk-based thinking should have addressed (Paris, 2024).<\/li>\n<\/ul>\n
          \n
          \n
          \n
          \"Article<\/div>\n<\/div>
          <\/figcaption><\/figure>\n<\/div>\n

          Why it failed<\/span><\/h3>\n

          Three systemic forces undermined the concept:<\/p>\n

          1. Certification bodies reintroduced prescriptive expectations<\/h3>\n

          After ISO 9001:2015 removed mandatory procedures, CBs quietly filled the gap by demanding detailed risk registers under clause 6.1, even though the standard didn\u2019t require them (Fonseca & Dominques, 2021).<\/p>\n

          Consultants oversold tools<\/h3>\n

          FMEA, 5\u00d75 matrices, heat maps, and bow-ties are useful in the right contexts, but pointless in small service organizations.<\/p>\n

          Tom Taormina (2022) noted that risk tools were often \u201ctransplanted into sectors where they add no value.\u201d<\/p>\n

          A lucrative compliance industry emerged<\/h3>\n

          Within two years:<\/p>\n

            \n
          • Training companies sold \u201crisk-based thinking certification courses.\u201d<\/li>\n
          • Software vendors launched risk-register dashboards.<\/li>\n
          • Auditors began asking for annual \u201crisk reviews.\u201d<\/li>\n
          • Organizations built complex registers that nobody actually used.<\/li>\n<\/ul>\n

            As Nigel Croft admitted years later:<\/p>\n

            \u201cWe created something beautiful, and the ecosystem immediately turned it into another stick to beat people with.\u201d<\/strong> (Croft, 2022)<\/p>\n

            Risk-based thinking didn\u2019t collapse; it was suffocated.<\/p>\n

            The Data You Can\u2019t Ignore<\/h3>\n

            A few more numbers make the outcome painfully clear:<\/p>\n

              \n
            • US$87,000<\/strong>, average first-year implementation cost for risk-based thinking in a mid-sized organization (QMII, 2024)<\/li>\n
            • US$41,000\/year<\/strong> ongoing<\/li>\n
            • Less than 9%<\/strong> of risk registers are updated by someone other than the quality manager (Desai, 2023)<\/li>\n
            • Correlation between \u201csophisticated\u201d risk tools and actual preventive performance: r = 0.06<\/strong> (statistically irrelevant) (Plathner & Schmidt, 2024)<\/li>\n<\/ul>\n

              The concept didn\u2019t fail because it was bad. It failed because the conformity system around ISO 9001 cannot handle ambiguity.<\/p>\n

              Or as Seddon (2018) put it: \u201cAmbiguity attracts bureaucracy, not thinking.\u201d<\/strong><\/p>\n

              The 2026 Draft: History on Repeat<\/h2>\n
              \n
              \n
              \n
              \"Article<\/div>\n<\/div>
              <\/figcaption><\/figure>\n<\/div>\n

              Now the 2026 Committee Draft introduces three new themes:<\/p>\n

                \n
              • Climate change considerations<\/strong> (4.1, 4.2)<\/li>\n
              • Organizational ethics<\/strong> (5.1.2)<\/li>\n
              • Quality culture<\/strong> (5.1.1 note)<\/li>\n<\/ul>\n

                Each concept is even less defined than risk-based thinking ever was (ISO, 2025).<\/p>\n

                And history tells us exactly what will happen next:<\/p>\n

                  \n
                • New consulting packages<\/li>\n
                • New audit checklists<\/li>\n
                • New training courses<\/li>\n
                • New software solutions<\/li>\n<\/ul>\n

                  All are built around requirements that no auditor can objectively verify.<\/p>\n

                  As Paris (2024) noted, \u201cevery unverifiable word becomes a future revenue stream.\u201d<\/p>\n

                  5. Preventive Action 2.0: A Practical Alternative<\/h3>\n

                  The old preventive action clause (ISO 9001:2008, 8.5.3) wasn\u2019t wrong; it was rigid and bureaucratic. What we need today isn\u2019t a return to 2008 or blind trust in 2026\u2019s buzzwords, but a capable, evidence-driven prevention model<\/strong>.<\/p>\n

                  Between 2021 and 2025, 47 organizations in the Middle East and Asia piloted a learner framework based on real operational data.<\/p>\n

                  Proposed replacement for clause 6.1 (38 words)<\/h3>\n

                  \u201cThe organization shall determine and implement effective preventive controls using leading indicators, pre-mortems, or other methods proportionate to impact. Evidence of prevention effectiveness shall be demonstrated through objective trends.\u201d<\/strong><\/p>\n

                  Short. Clear. Auditable.<\/p>\n

                  The Five Evidence-Based Pillars<\/h2>\n
                  \n
                  \n
                  \n
                  \"Article<\/div>\n<\/div>
                  <\/figcaption><\/figure>\n<\/div>\n

                  1. Leading Indicators<\/h3>\n

                  Each process must identify 2\u20134 predictive metrics<\/strong> that move before<\/em> failure occurs.<\/p>\n

                  Examples:<\/p>\n

                    \n
                  • Supplier rolling on-time delivery average<\/li>\n
                  • Training effectiveness lag indicators<\/li>\n
                  • Equipment degradation trends<\/li>\n<\/ul>\n

                    Arthur (2021) demonstrates how simple trend-monitoring predicts 60\u201370% of quality escapes.<\/p>\n

                    2. Mandatory Pre-Mortems for Significant Change<\/h3>\n

                    A 60-minute exercise: \u201cAssume this project has failed catastrophically. What caused it?\u201d<\/strong><\/p>\n

                    Klein (2017) found pre-mortems surface 35% more risks<\/strong> than standard brainstorming. Taormina (2024) validated similar results in aerospace and HROs.<\/p>\n

                    3. Scale the Tools to the Consequence<\/h3>\n
                      \n
                    • Use full FMEA only for safety-critical or regulatory-critical processes.<\/li>\n
                    • For everything else, a one-page critical risk profile is enough.<\/li>\n<\/ul>\n

                      Broomfield (2023) showed that matching tool complexity to consequence improves adoption and clarity.<\/p>\n

                      4. Annual Prevention Effectiveness Review<\/h3>\n

                      Management review must answer one question:<\/p>\n

                      \u201cWhat significant problems did we prevent this year?\u201d<\/strong><\/p>\n

                      It forces organizations to shift the conversation from documentation to outcomes (QMII, 2024).<\/p>\n

                      No prevented problems = system failure.<\/p>\n

                      5. Auditor Competence Reform<\/h3>\n

                      Auditors must be trained to ask:<\/p>\n

                        \n
                      • \u201cShow me the trend that proves problems are becoming less likely.\u201d<\/li>\n
                      • Not: \u201cShow me your risk register.\u201d<\/li>\n<\/ul>\n

                        Palmes (2022) argues this is the only way to evaluate prevention realistically.<\/p>\n

                        6. Early Results (2021\u20132025 Pilot)<\/h3>\n

                        Organizations adopting Preventive Action 2.0 reported:<\/p>\n

                          \n
                        • 61% reduction<\/strong> in major customer escapes<\/li>\n
                        • 84% reduction<\/strong> in risk documentation<\/li>\n
                        • US$4,800\/year<\/strong> average cost<\/li>\n
                        • Self-assessed prevention effectiveness: 8.7\/10<\/strong><\/li>\n<\/ul>\n

                          This is what risk-based thinking should have been<\/em>.<\/p>\n

                          Conclusion<\/h2>\n

                          Risk-based thinking wasn\u2019t a bad idea. It was the best idea ISO 9001 had introduced in decades.<\/p>\n

                          But it died because:<\/p>\n

                            \n
                          • Auditors demanded forms instead of foresight<\/li>\n
                          • Consultants oversold complexity<\/li>\n
                          • Organizations feared nonconformities more than failure<\/li>\n
                          • ISO underestimated how weakly the global conformity system handles ambiguity<\/li>\n<\/ul>\n

                            And now, with ISO 9001:2026 introducing even softer concepts, ethics, culture, and climate, we risk repeating the same cycle.<\/p>\n

                            If ISO truly wants the next revision to matter, the path is simple:<\/p>\n

                              \n
                            • Keep the flexible structure<\/li>\n
                            • Keep the high-level intent<\/li>\n
                            • But write requirements that reward evidence of prevention, not records of intentions<\/em><\/strong><\/li>\n<\/ul>\n

                              Otherwise, by 2035, we\u2019ll be writing the same article again, this time titled \u201cThe Rise and Fall of Quality Culture.\u201d<\/em><\/p>\n

                              Abdur Rahman is a Quality Director with over 20 years of experience in governance, compliance, and operational quality. He oversees quality & performance systems for a PIF-owned facilities management company in Saudi Arabia. His work focuses on QA, audits, policy development , and organization-wide performance frameworks.<\/em><\/p>\n

                              \n

                              References<\/h3>\n
                                \n
                              1. Arthur, J. (2021) Lean Six Sigma for Hospitals<\/em>. McGraw-Hill.<\/li>\n
                              2. ASQ (2023) Global State of Quality Report 2023<\/em>. ASQ.<\/li>\n
                              3. Broomfield, J. (2023) \u2018Process-based auditing in the risk era\u2019, Quality Progress<\/em>.<\/li>\n
                              4. Croft, N. (2022) Interview on Quality Digest Live<\/em>, 11 March.<\/li>\n
                              5. Desai, M. (2023) \u2018The illusion of control: ten years of risk-based thinking\u2019, LinkedIn Pulse<\/em>, 15 September.<\/li>\n
                              6. Fonseca, L. and Dominques, J. (2021) \u2018The impact of certification bodies on ISO 9001 implementation\u2019, International Journal of Quality & Reliability Management<\/em>.<\/li>\n
                              7. Hoyle, D. (2017) ISO 9000 Quality Systems Handbook<\/em>. Routledge.<\/li>\n
                              8. ISO (2008) ISO\/TR 9001-2008:2008 \u2013 Design specification for ISO 9001:2015<\/em>.<\/li>\n
                              9. ISO (2015) ISO 9001:2015 \u2013 Quality management systems \u2013 Requirements<\/em>.<\/li>\n
                              10. ISO (2025) ISO\/CD 9001:2026 \u2013 Committee Draft 2<\/em>.<\/li>\n
                              11. Klein, G. (2017) \u2018Performing a project pre-mortem\u2019, Harvard Business Review<\/em>.<\/li>\n
                              12. Palmes, P. (2022) \u2018Auditing risk-based thinking: what works and what doesn\u2019t\u2019, ASQ Conference Proceedings<\/em>.<\/li>\n
                              13. Paris, C. (2024) 2024 Oxebridge Nonconformity Report<\/em>. Oxebridge Quality Resources.<\/li>\n
                              14. Plathner, J. and Schmidt, M. (2024) \u2018Ten years of risk-based thinking: an empirical assessment\u2019, Total Quality Management & Business Excellence<\/em>.<\/li>\n
                              15. QMII (2024) 2024 State of ISO 9001 Survey<\/em>. QMII.<\/li>\n
                              16. Robitaille, D. (2023) \u2018The coming crisis in auditor competence\u2019, The Auditor<\/em>.<\/li>\n
                              17. Seddon, J. (2018) \u2018Beyond ISO 9001\u2019, Vanguard Consulting White Paper<\/em>.<\/li>\n
                              18. Taormina, T. (2022) ISO 9001:2015 \u2013 Beyond the Checklist<\/em>. Outskirts Press.<\/li>\n<\/ol>","protected":false},"excerpt":{"rendered":"

                                Abdur Rahman Farooq looks at the promises and failures of ISO 9001’s “Risk-Based Thinking.”<\/p>","protected":false},"author":644,"featured_media":33098,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","mc4wp_mailchimp_campaign":[],"footnotes":""},"categories":[5],"tags":[8791,14,184,8628,263,240,42],"class_list":["post-33083","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-opinion","tag-abdur-rahman-farooq","tag-iso-9001","tag-nigel-croft","tag-opportunity-based-thinking","tag-rbt","tag-risk-based-thinking","tag-tc-176","et-has-post-format-content","et_post_format-et-post-format-standard"],"_links":{"self":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/33083","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/users\/644"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/comments?post=33083"}],"version-history":[{"count":6,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/33083\/revisions"}],"predecessor-version":[{"id":33101,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/33083\/revisions\/33101"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/media\/33098"}],"wp:attachment":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/media?parent=33083"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/categories?post=33083"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/tags?post=33083"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}