How to Ensure Effective Risk Management in ISO 9001:2015

Risk Management in ISO 9001:2015

How does ISO 9001:2015 integrate risk management into quality management? How can an organization navigate risk and uncertainty through risk management in ISO 9001:2015?

Risk is a topic that is currently taking the business world by storm. It is becoming more common to hear about risk management and about making smart decisions based on data that shows the risks associated with those decisions.

Risk management is an essential aspect of quality management and a critical component of the ISO 9001:2015 standard. This standard outlines the requirements for an organization to maintain a high level of quality in its products, services, and processes. By integrating risk management into the quality management system, organizations can proactively identify and mitigate potential risks, ensuring the achievement of their quality objectives.

This blog will provide an overview of the role of risk management in ISO 9001:2015, the key elements of an effective risk management process, and practical tips for implementing risk management in your organization. Whether you’re new to ISO 9001:2015 or an experienced practitioner, this blog will help you understand how to effectively integrate risk management into your QMS and improve your overall quality management system.

If you’re more of a listener than a reader, head over to Luke Desira’s Youtube video where he talks about risk management in ISO 9001:2015. But without further ado, let us jump straight into the action and discover what risk management in ISO 9001:2015 is.

Risk Management in ISO 9001:2015 | A new addition to the latest version of ISO 9001

The notion of risk management is a relatively new addition to the ISO 9001 standard. Although risk management has been featured in previous versions, it was more implicit and generally taken for granted. In the newer version, ISO 9001:2015, risk management is regarded as a critical topic. As a matter of fact, risk management in ISO 9001:2015 is the pinnacle of the management system that the standard provides.

In the most recent version of ISO 9001, the idea of what a business is has changed slightly to accommodate the modernization of the markets. ISO 9001:2015 now looks at a business as if it were part of an ecosystem: a living organism that interacts with other organisms within the ecosystem (a.k.a. the market). In an ever-changing market, the company interacts with a multitude of internal and external factors, including competitors, suppliers, customers, employees, regulations and more.

Naturally, the first step to take when managing risks as an organization is to identify all the internal and external factors that are bound to have some sort of influence on the organization’s quality management system. This is generally done within Clause 4 of the ISO standard.

To get a better understanding, let us look at an example scenario. Imagine your firm offers professional services, and your IT systems and data storage systems are outsourced. That would mean that your quality management system may focus less on equipment maintenance. However, suppose your company, for example, rents automobiles and other vehicles. In that case, maintenance is a vital part of your organization since your business’s reliability depends on the reliability of the equipment you rent out to your clients.

In recent years, ISO has been working to create a standardized structure across all its standards. All ISO standards share the same high-level structure, comprising 10 clauses. Within it, Clause 4 revolves around identifying the internal and external factors and the respective impact each will have on the organization in question.

When going over risk management for your organization, the most crucial thing to consider is prioritizing risks and potentially even opportunities.

Risk management in ISO 9001:2015 does not explicitly say that you have to consider opportunities; the actual clause is about risk management, not risk and opportunities management. However, when looking at ways to improve, it is suggested to consider opportunities the same way you would consider risks.

Opportunities are events that can have a positive effect on your organization. An organization is constantly faced with risks and opportunities; more often than not, the same external or internal change can impact it either positively or negatively. Let us say that your organization is part of the cleaning industry, and a customer demands that it hold ISO 9001 and ISO 14001 certifications in order to work with them.

This type of requirement is, in fact, cropping up in tenders more often these days. It can be seen either as a risk or as an opportunity. If you perceive it as a risk, it is because your organization is not ready to get certified. Suppose instead that you see it as an opportunity to get certified quickly and before your competitors. In that case, the company will be in a position where, for a few months or even years, the competition pool is significantly reduced, as few companies will in fact be certified to these ISO standards.

Always remember that the same internal or external change can have a positive or negative impact, depending on how you perceive it.

Managing risks is more complex than some may think. How do we determine the threat level of a risk? How is the prioritization of risks to be carried out? These are great questions that many organizations have asked in the past. As a result, a tool called the FMEA is used nowadays.


Whether you’re after ISO Certification, internal audits, or results-oriented consultancy, Luke has the plan for you. Reach out to him and start your journey today.

Using FMEA tool for Risk Management in ISO 9001:2015

The FMEA, which is short for ‘Failure Mode and Effects Analysis’, is an engineering risk analysis tool made of four (4) key metrics that will enable any organization to determine a risk’s threat level. It utilizes a scale of 1-10 to simplify the identification of threat levels.

Its definition can be split into two:

Failure Mode | This implies the potential paths or modes of failure. Failures can be potential or current and encompass any mistakes or flaws, especially those that negatively impact the client.

Effects Analysis | This refers to understanding the consequences that might follow if a failure identified above occurs.

All in all, the FMEA can be described as a methodology applied to any process to anticipate potential failures and their effects. FMEA is an effective tool for identifying and mitigating risk in the design and production of a product or process. The ultimate objective of the FMEA is to prevent problems before they occur by predicting and analyzing potential failures and implementing corrective actions to mitigate the risk of failure.

Going back to the key metrics that the FMEA utilizes, we have to understand how they are used. Severity, Occurrence and Detection are the first three (3) metrics of the FMEA. They determine the overall threat level of any risk, known as the Risk Priority Number (RPN), which is metric #4: the RPN is the product of the Severity, Occurrence and Detection values. It is important to note that the higher the RPN, the higher the risk and, therefore, the more attention that risk must be given within the organization.

FMEA for Risk Management in ISO 9001:2015

Depending on the organization, several strategies may be used to implement the FMEA, so each organization may have different steps involved. FMEA procedures often consist of the following:

  1. Assemble a group of individuals who are familiar with the system, design, or process at hand and the respective client expectations. Such a team should be cross-functional, composed of people with diverse expertise in sales, customer service, production, design, maintenance, and quality.
  2. Determine the overall scope and purpose of the system, design or process being analyzed.
  3. Dissect a system, a design, or a process into its constituent parts.
  4. Examine each component of the system, design, or process to find any potential problems or single points of failure.
  5. Analyze the potential causes of failures and the respective effects those failures would have.
  6. Rank each failure using a scale from 1-10 for the Severity, Occurrence and Detection. Use these numbers to get the product, also known as the Risk Priority Number (RPN).
  7. Determine the best methods for spotting, reducing, mitigating, and fixing the most severe errors by identifying possible failures and necessary corrective measures. This lowers the likelihood of failure effects.
  8. Review risk parameters as necessary.

The benefits of using Failure Modes and Effects Analysis (FMEA) include the following:

  1. Improved product quality: FMEA helps to identify potential failure modes and assess their impacts, allowing organizations to prevent problems before they occur and improve the overall quality of their products.
  2. Reduced risk of failure: By anticipating and mitigating potential failure modes, FMEA helps to reduce the risk of failure and improve the reliability of products and processes.
  3. Enhanced customer satisfaction: By preventing problems and improving product quality, FMEA can lead to increased customer satisfaction.
  4. Improved design and production processes: FMEA can identify areas for improvement in the design and production processes, leading to more efficient and effective processes.
  5. Better risk management: FMEA provides a structured approach to risk management, helping organizations to prioritize the highest risk issues and focus on mitigating those first.
  6. Increased teamwork and collaboration: FMEA often involves a cross-functional team, which can lead to increased collaboration and improved communication within an organization.
  7. Compliance with industry standards: FMEA is widely used in various industries and may be required by industry standards, such as ISO 9001.

So all in all, what is FMEA in a nutshell? The Failure Mode and Effects Analysis is a proactive approach to risk management that helps organizations reduce the risk of failure and improve the overall quality and reliability of their products and processes.

But where shall we draw the line? Should an organization tackle all risks? Should it disregard all risks below an RPN value of 200? Or tackle only the five top-most threats?

There is no right or wrong, really. This is decided by the business’s risk appetite. But let us first understand what this term means.

Risk Appetite and Risk Management in ISO 9001:2015

Risk appetite refers to the amount of risk an organization or individual is willing to accept in pursuit of their goals. It is the level of uncertainty that an organization or individual is willing to tolerate in order to achieve a desired outcome.

Risk appetite is determined by considering factors such as the organization’s goals and objectives, its tolerance for losses, its financial strength and stability, and the regulatory and legal environment in which it operates.

Having a clear understanding of an organization’s risk appetite is important as it helps guide decision-making, determine the types of risks that are acceptable, and establish limits on risk-taking.

An organization with a high-risk appetite may be willing to accept significant risk in pursuit of high returns. In contrast, an organization with a low-risk appetite may focus on preserving capital and avoiding losses.

If a corporation wants to manage all risks and is not comfortable with any lingering dangers within the organization, that is perfectly acceptable. However, if an organization has a greater risk tolerance, it can also opt to focus only on the five most critical risks within the firm.

It is important to note that risk appetite is not the same as risk tolerance, which refers to the ability of an organization or individual to handle a loss or adverse event. An organization may have a high-risk appetite but a low-risk tolerance if it lacks the resources or capacity to handle significant losses.
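Worked example added here (not code from the post or from Luke Desira's material): a small Python FMEA register that computes the RPN from Severity, Occurrence and Detection as step 6 of the procedure above describes, then applies the three risk-appetite policies discussed (act on every risk, an RPN threshold of 200, or the top five). The failure modes, names and scores are constructed sample values.

```python
# Added example: FMEA scoring and risk-appetite prioritisation for an
# ISO 9001:2015 risk register. Sample data below is constructed, not real.
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: int    # 1-10: how bad the effect is, especially for the client
    occurrence: int  # 1-10: how likely the failure is to occur
    detection: int   # 1-10: how unlikely current controls are to catch it (10 = undetectable)

    def rpn(self) -> int:
        """Risk Priority Number = Severity x Occurrence x Detection (range 1..1000)."""
        for label, value in (("severity", self.severity), ("occurrence", self.occurrence),
                             ("detection", self.detection)):
            if not 1 <= value <= 10:
                raise ValueError(f"{label} must be on the 1-10 scale, got {value}")
        return self.severity * self.occurrence * self.detection


def rank_by_rpn(modes):
    """Highest RPN first; ties broken by severity so client-impacting failures surface first."""
    return sorted(modes, key=lambda m: (m.rpn(), m.severity), reverse=True)


def select_for_action(modes, appetite: str):
    """Apply a risk-appetite policy (hypothetical policy names) to pick failure modes for corrective action.
    'all'      -> low appetite: act on every failure mode
    'rpn>=200' -> act only on failure modes with RPN at or above 200
    'top5'     -> higher appetite: act on the five highest-RPN failure modes only
    """
    ranked = rank_by_rpn(modes)
    if appetite == "all":
        return ranked
    if appetite == "rpn>=200":
        return [m for m in ranked if m.rpn() >= 200]
    if appetite == "top5":
        return ranked[:5]
    raise ValueError(f"unknown risk appetite policy: {appetite}")


# Constructed sample register for a professional-services firm with outsourced IT.
SAMPLE_REGISTER = [
    FailureMode("Outsourced backup silently fails", 9, 4, 8),    # RPN 288
    FailureMode("Supplier SLA breach delays delivery", 6, 5, 3),  # RPN 90
    FailureMode("Customer data mislabelled in CRM", 7, 6, 5),    # RPN 210
    FailureMode("Key staff leave without handover", 8, 3, 2),    # RPN 48
    FailureMode("Regulatory change missed", 10, 2, 9),           # RPN 180
    FailureMode("Invoice sent to wrong client", 5, 4, 4),        # RPN 80
]
```

Calling `select_for_action(SAMPLE_REGISTER, "rpn>=200")` keeps only the backup and CRM failure modes, while `"top5"` drops just the lowest-RPN entry, which is the kind of difference the organization's risk appetite decides.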

INTERESTED IN LEARNING MORE about Risk Management in ISO 9001:2015?

Luke Desira is an ISO management system consultant who understands that taking the first step to achieve ISO certification is never easy. Make sure to listen to what Luke Desira has to say about Risk Management in ISO 9001:2015 and be sure to realize that mishaps are never far off. Read more about it here, where you can understand how things can go wrong when implementing any ISO Standard. Achieving consistency in quality is never an easy task.

Anything can go wrong when implementing ISO Standards, so make sure that you are aware of such mishaps before they occur! All management systems based on ISO Standards should pertain directly to the organization’s objectives, and ISO 9001 – Quality Management System should be no different. Have a look at the different ISO certifications specialised by industry to understand which category your organization falls into.

Luke offers a variety of ISO certification services that make him the #1 ISO Certification consultant in Malta. He can help you achieve ISO certification efficiently. When ready, take the first step to success and call Luke Desira.

Make sure to follow us on our Facebook and LinkedIn profiles, and subscribe to our Youtube Channel for more great content.
