Risk-Based Thinking Resource Center

What is Risk-Based Thinking?

Risk-based thinking starts with identifying risks.

Risk-based thinking gets organizations to formally and systematically consider the risks they face and how those risks can be eliminated or minimized.

Quality standards generally describe risk to be the “effect of uncertainty on objectives.”

On a broader scale, risk represents the potential of events or situations to hinder or conflict with an organization’s capability to achieve its strategic and operational objectives. For the purpose of risk-based thinking, this broader description probably makes sense.

Threats and Opportunities

Risk can refer to either a threat or an opportunity.

  • Threats may need to be mitigated for the organization to fulfill its obligations and responsibilities.
  • Opportunities worth pursuing have the chance of enhancing the organization’s capabilities and competitiveness.

Benefits of Risk-Based Thinking

Risk-based thinking helps organizations be proactive and prepare for the unexpected. By dealing with risk on a proactive basis, organizations will:

  • Achieve greater consistency of quality of goods and services.
  • Develop a culture of continual improvement.
  • Be prepared to capitalize on unforeseen opportunities.
  • And improve customer satisfaction.

Risk-Based Thinking and Industry Standards

Three industry-wide standards that focus on risk are ISO 9001, ISO 31000 and ISO 22301. All three provide guidance on risk management concepts and practices but with different perspectives.

  • ISO 9001 deals with risk associated with the organization’s objectives and business practices.
  • ISO 31000 presents general guidelines for managing any type of risk and is not industry or sector specific.
  • ISO 22301 is a business continuity management standard that offers guidelines on how to prepare for and deal with potential disruptive incidents.

Some of the main industry-specific standards requiring risk management to be part of the foundation of their quality management system requirements are:

  • IATF 16949: Technical Specification for Automotive Quality Management Systems
  • AS9100: Quality Management System – Requirements for Aviation, Space and Defense Organizations
  • ISO 13485: Medical devices — Quality management systems — Requirements for regulatory purposes
  • TL 9000: Quality Management System (A standard for the Telecommunications industry.)