Will the ISO 9001:2015 standard require formal risk analysis or risk management?

By Scott Dawson
February 7, 2014
The short answer is no, a formal process of risk analysis or risk management is not required in the ISO 9001:2015 standard.

However, the concept of risk and the term “risk” are included in several areas of the current draft of the new standard. Consideration of risks (and opportunities) must be part of:

  1. Determining risks and opportunities that affect the quality management system.
  2. Planning of changes to the quality management system.
  3. Evaluation of processes, as part of the process approach.
  4. Establishing appropriate controls of external providers (such as suppliers).
  5. Identifying risks that can affect the company’s products and services and overall customer satisfaction.
  6. As part of new product design and development.
  7. As part of determining post-delivery support (e.g. warranty, maintenance, and other services).
  8. In establishing monitoring and measurement (i.e. “quality objectives”).

The inclusion of risk throughout the standard is referred to as “risk based thinking”. My way of stating this is consideration of risk as part of your quality management system.

But the standard stops short of requiring specific processes or procedures such as risk analysis, FMEA, risk management, etc. This was done to allow companies to determine how best to address risk within their own organizations.

Keep in mind, though, that consideration of risk is essential in the current ISO 9001:2008 standard; it’s just not called by that name. In ISO 9001:2008 we have requirements such as “planning”, “quality objectives” and “preventive action” (among others) that all include the need to consider actual or potential risks, with appropriate action taken.

So, I see the new standard as providing more focus on risk but not a significant change in course for the standard.
