A.4 Risk-based thinking
The concept of risk-based thinking has been implicit in previous editions of this International Standard,
e.g. through requirements for planning, review and improvement. This International Standard
specifies requirements for the organization to understand its context (see 4.1) and determine risks as
a basis for planning (see 6.1). This represents the application of risk-based thinking to planning and
implementing quality management system processes (see 4.4) and will assist in determining the extent
of documented information.
One of the key purposes of a quality management system is to act as a preventive tool. Consequently,
this International Standard does not have a separate clause or subclause on preventive action. The
concept of preventive action is expressed through the use of risk-based thinking in formulating quality
management system requirements.
The risk-based thinking applied in this International Standard has enabled some reduction in
prescriptive requirements and their replacement by performance-based requirements. There is greater
flexibility than in ISO 9001:2008 in the requirements for processes, documented information and
organizational responsibilities.
Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement
for formal methods for risk management or a documented risk management process. Organizations can
decide whether or not to develop a more extensive risk management methodology than is required by
this International Standard, e.g. through the application of other guidance or standards.
Not all the processes of a quality management system represent the same level of risk in terms of the
organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all
organizations. Under the requirements of 6.1, the organization is responsible for its application of risk-based
thinking and the actions it takes to address risk, including whether or not to retain documented
information as evidence of its determination of risks.