What is Risk Based Thinking?

By Scott Dawson
August 7, 2023

What is Risk-Based Thinking in a QMS?

Whether it’s ISO 9001, 14001, 27001, or 45001, risk-based thinking is the driving force behind effective management system implementation. Risk is no longer treated only as something negative: ISO 9001:2015, for example, addresses risks and opportunities together. By adopting a proactive approach to risk management and facing risks head-on, companies increase their likelihood of sustaining growth and continually improving.


Risks are Unique to each Organization

Each organization’s risk management strategy is unique and tailored to its appetite for growth and risk tolerance. From cautious tactics to bold endeavors, the way businesses choose to handle risks shapes their path towards success.

Identifying Internal and External Risks

The first step is to evaluate the context of the organization within the framework of the specific ISO standard being pursued: the internal and external issues that affect it, and the needs and expectations of interested parties such as customers, regulators, and suppliers. By identifying both internal and external risks against that context, companies can prioritize their risk management efforts for maximum impact.

Involve your Employees

To gain a clear understanding of their risk position, companies must thoroughly assess the issues they face, their relevance to business operations, and their potential impact on goals and objectives. By involving the entire workforce in the risk identification process, companies can tap into the expertise of their employees and create effective solutions. Employees, being intimately familiar with their roles, can provide valuable insights and feel more invested in the improvement process.


Deciding how to address each risk takes careful consideration. Working together, companies develop a strategic improvement plan that records how they intend to handle each significant risk. Different risks may warrant different approaches, and the choice for each one depends on the outcome the company expects from it.

Options for Addressing Each Risk

Companies have several options for each risk they identify:

    • They can avoid the risk, either by putting safeguards in place or by working to eliminate its source.
    • They can take the risk, focusing their efforts on ensuring a positive outcome from their actions.
    • They can share the risk, for example by bringing in external parties (suppliers, insurers, or partners) to manage part of its effects.
    • For low-priority issues, they can retain the risk by an informed decision, documenting that choice and monitoring what follows from it.

The purpose of the improvement plan is to narrow down the top areas of concern where the most effort and energy are needed and to create aggressive plans to address those areas.

Taking calculated risks is a common practice for businesses seeking growth and opportunities. Whether it’s launching new products, adopting new technology, entering new markets, or acquiring customers, risk-taking can lead to significant rewards. However, the key to success lies in effective risk management and mitigation.

A Discussion with an Expert ISO Certification Consultant

To shed light on Risk Based Thinking, we sat down with Brian Smatko, a consultant at CORE Business Solutions. You can find this episode, Episode 17, “Your QMS and Risk-Based Thinking”, on The Quality Hub.

Understanding Risk-Based Thinking

Brian Smatko explains that ISO 9001:2015 emphasizes risk-based thinking.

In this episode of The Quality Hub, Brian Smatko joins host Xavier Francis to discuss effective risk management strategies. They explore the identification of internal and external risks, prioritization methods, and the importance of proactive risk analysis. Drawing from Brian’s experience, they highlight the significance of documenting actions and showcasing a commitment to continuous improvement.

Brian explains:

Identifying Different Types of Risks

“To begin the risk management process, companies must first identify both internal and external risks. Internal risks are factors that the organization can control or influence, such as quality performance, costs, technology needs, or succession planning. External risks, on the other hand, are beyond the company’s direct control, including industry trends, competition, economic conditions, and legal or regulatory compliance.”

Prioritizing Risks

“Once the risks have been identified, prioritizing them becomes essential, as it is not feasible to address all risks simultaneously. Brian Smatko suggests using a risk assessment matrix, which scores risks based on their potential impact and likelihood of occurrence. By multiplying these scores, businesses can determine the overall risk level and focus on the most impactful risks first.”

Developing Response Options

“After prioritizing risks, companies can develop response options to mitigate or address the identified risks. This involves creating an improvement plan that outlines specific actions to be taken, assigning owners responsible for implementing these actions and setting estimated due dates for completion. Documentation of these actions is critical to demonstrate a commitment to continuous improvement, as required by ISO standards.”
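The following is an added worked example, not code from CORE Business Solutions or from the podcast, showing the two steps Brian describes as a small risk register: scoring each risk on a likelihood-by-impact matrix to prioritize it, and then checking that every risk above a chosen threshold has an improvement-plan action with an owner and a due date. The 1-to-5 scales, the rating bands, the response categories and the three sample risks are assumptions constructed for illustration; an organization sets its own scales and thresholds to match its risk appetite.

```python
"""Risk register: likelihood x impact scoring, prioritization, and an
improvement-plan completeness check (added example; scales and sample
data are constructed assumptions, not a real organization's register)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Ordinal 1-5 scales; the words and the bands below are illustrative choices.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RESPONSES = {"avoid", "take", "share", "retain"}   # the four options discussed above
BANDS = ["low", "medium", "high"]


@dataclass
class Action:
    """One line of the improvement plan."""
    description: str
    owner: Optional[str] = None
    due: Optional[date] = None

    def complete(self) -> bool:
        # An action an auditor can follow up on needs all three fields.
        return bool(self.description and self.owner and self.due)


@dataclass
class Risk:
    name: str
    source: str        # "internal" or "external"
    likelihood: str    # key of LIKELIHOOD
    impact: str        # key of IMPACT
    response: str      # one of RESPONSES
    actions: List[Action] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject entries that would silently score wrong or skip review.
        if self.source not in ("internal", "external"):
            raise ValueError(f"{self.name}: source must be internal or external")
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.name}: likelihood/impact not on the scale")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.name}: unknown response {self.response!r}")

    def score(self) -> int:
        # The matrix cell: likelihood multiplied by impact (1..25).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Map a matrix score to a band. Cut-offs are an assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(register, key=lambda r: (-r.score(), r.name))


def summarize(register: List[Risk]):
    """(name, score, band) for each risk, in priority order."""
    return [(r.name, r.score(), rating(r.score())) for r in prioritise(register)]


def plan_gaps(register: List[Risk], threshold: str = "medium") -> List[str]:
    """Names of risks rated at or above `threshold` that have no complete
    action (description + owner + due date): the documentation gap that
    would undermine the 'commitment to continuous improvement' evidence."""
    floor = BANDS.index(threshold)
    gaps = []
    for r in prioritise(register):
        if BANDS.index(rating(r.score())) < floor:
            continue                      # low-priority: retaining it is acceptable
        if not any(a.complete() for a in r.actions):
            gaps.append(r.name)
    return gaps


# Constructed sample register (not real company data).
SAMPLE_REGISTER = [
    Risk("single-source supplier", "external", "likely", "major", "share",
         [Action("qualify a second supplier for the critical component",
                 owner="Purchasing Manager", due=date(2023, 12, 31))]),
    Risk("key-person succession", "internal", "possible", "major", "avoid",
         [Action("document the process and cross-train a deputy")]),  # no owner/date yet
    Risk("change in export regulations", "external", "unlikely", "moderate", "retain"),
]

if __name__ == "__main__":
    for name, score, band in summarize(SAMPLE_REGISTER):
        print(f"{score:>2} {band:<6} {name}")
    print("plan gaps at/above medium:", plan_gaps(SAMPLE_REGISTER))
```

Run stand-alone, the register sorts to the supplier risk (score 16, high), the succession risk (12, medium) and the regulatory risk (6, low), and the gap check flags only the succession risk, whose action has no owner or due date; raising the threshold to "high" reports no gaps. The validation in `Risk.__post_init__` is the part worth keeping in any real register: a misspelled scale value or response category is exactly the kind of silent error that leaves a significant risk unscored.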

Real-Life Success Stories

Brian shared a success story about a California-based company that initially lacked a formal risk management approach. After implementing Risk-Based Thinking and addressing the identified risks through an improvement plan, the company saw significant positive changes. They mitigated risks related to single-source suppliers and improved their bottom line, leading to a substantial increase in business and market growth.

Risk-Based Thinking is a Powerful Tool

Risk-based thinking is a powerful tool that enables organizations to face challenges proactively and safeguard their business continuity and customer satisfaction. By identifying and addressing potential risks, businesses can improve their bottom line, maintain compliance with standards, and foster a culture of continuous improvement.


ISO 9001 and the other management system standards provide guidelines and requirements that help companies implement effective risk-based approaches. Embracing Risk-Based Thinking is not only a certification requirement but also a strategic choice for thriving in today’s dynamic business landscape.

At Core Business Solutions, our goal is to help you navigate the ISO standards and make your journey to certification simple. We’ll dig into your existing systems and help you outline a path to success with ISO certification.
