Introduction to Risk-Based Thinking (RBT)

Posted On:


Every business faces risk. Why is it such a hot topic in business media?

The latest version of the International Organization for Standardization (ISO) 9001 now requires companies to address risk within the quality management system (QMS). Managing risk via the QMS was implied in previous versions of the standard but is explicit in 9001:2015.  

Let’s start with a brief explanation from ISO’s paper, Risk-Based Thinking in ISO 9001:2015, published with the updated standard:

“Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions. Risk-based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system.” 1

RBT Benefits

While adhering to standards can require additional work, most companies benefit from meeting the requirements because of the order and stability they bring to business strategy, operations, and results.

Risk-based thinking offers benefits:

  • Prevention: RBT helps reduce and eliminate delays, costs, and customer dissatisfaction caused by problems that should have been caught earlier in the planning and development stages of products and services.
  • Identify opportunities: Every business process should include steps that explicitly ask the question, “Is there an opportunity here we might have overlooked?” when a problem or challenge is encountered. Many of the world’s greatest inventions have their origins in “mistakes.”

A Sample RBT Approach

Risk identified during day-to-day operations is typically addressed as a normal part of doing business through a company’s QMS.  However, discovering risks that aren’t generated through day-to-day operations must be done through an orderly process. Here is a suggested approach.

To start with, most company risks stem from the relationships between the company and each of its stakeholders, especially in terms of what each wants or expects from the other.

The following sample table is one way to organize this information.

Key Stakeholders (KS)

What Your Company Wants from Each KS in Order to Prosper

What Each KS Wants from Your Company



To buy from you / meet their need


Predictable funding

To invest in you / increase their wealth


Productivity / innovation

To work for you / have job/career


Quality / on-time delivery

To supply to you / increase their revenue

Once the table is completed, ask:

  1. What’s at risk if the expectations aren’t met?
  2. Which relationships are at risk and which aren’t? Why or why not?
  3. What’s the potential impact of the risk? How will it be dealt with?

Incorporating a similar chart and questions into strategic and operational discussions can go a long way to identifying risks early and dealing with them before their impact expands.


Regardless of the level of interest in ISO 9001, a systematic approach to identifying and addressing risk is essential to prevent or minimize undesired outcomes and to allow business leaders to be more confident when making decisions.

1, ISO9001andRisk.docx

About the Author

Lori Cohen, president of Compass Quality Solution, is a Quality Management Consultant specializing in ISO-based Quality Management System implementation and improvement. Lori can be reached at or 585-737-8441.

Posted in: Business Tips & Advice, Eastman Business Park
Tagged: business strategy, risk-based thinking