Risk Based Thinking How To

The How To's of Risk Based Thinking

The International Organization for Standardization (ISO), through the ISO 9001:2015 Standard and now other ISO Standards (e.g. ISO 14000, ISO 22000 and ISO 45000), has incorporated the concepts of risk based thinking.

What is the definition of Risk? “Risk is the effect of uncertainty.” Uncertainty in a company can have both positive and negative effects, which need to be considered strategically. Organizations have traditionally been involved in strategic and business planning; however, in the past the management system has not always been considered or formally included in the planning process. To meet the requirements for Risk Based Thinking, we need to address certain inputs:

1. Complete an analysis of external and internal issues impacting the organization.

2. Determine the strategic direction of the organization.

3. Identify your interested parties, specific to the Management System (e.g. Quality, Environment and/or Food Safety), and determine what their requirements are.

4. Define the scope of the company's Management System.

5. Define and document the processes of the organization.

We have developed a Risk Based Thinking format that allows you to meet the requirements of the standard and clearly link interested parties, Risk and Opportunities, Risk Planning and Quality Objectives.

A SWOT Analysis, the first step in our process, is a strategic balance sheet of the organization: it incorporates the strengths and weaknesses of the organization and the opportunities and threats facing it. This is one of the cornerstone analytical tools to help an organization develop a preferred future, and one of the time-tested tools that enables an organization to understand itself. To respond effectively to changes in the environment, we must understand our external and internal contexts so we can develop a vision and strategies. We need to understand our organization’s issues and the actions we will take to develop that future.

Outlined below is an example of the structure we utilize to identify interested parties within the SWOT Analysis Planning Documents.


Once we have identified the interested parties and their management system requirements, we complete a SWOT Analysis identifying the organization's Strengths, Weaknesses, Opportunities and Threats. SWOT is a framework used to evaluate a company's competitive position and to develop a strategic plan; we utilize this tool to accomplish the same objective with a focus on the management system.


Once we have completed the SWOT Analysis, we have the inputs to create a Risk Management Plan.

Risk Management Planning has a variety of benefits:

• It increases everyone’s awareness of risk.

• It focuses our effort on the things that matter most. A good Risk Management Plan identifies significant risks and opportunities.

• It helps create a culture of prevention and risk management.

• The ultimate result of a risk management system is more success and less failure.

The ISO Standard explicitly says that the organization shall “determine risks and opportunities that need to be addressed.” Clearly, not all risks and opportunities need to be addressed, only the ones that you determine to be the most significant. Without rating them in some manner, you will have no way of knowing which risks and opportunities deserve the most attention.

The Figure below shows a sample rating scheme for evaluating your risks.


The Risk Management Plan requires you to plan actions to address risks and opportunities. The requirements ensure that:

• They are planned. You carefully define what will happen, who will be involved, when it will be done, and what resources will be needed, as applicable.

• They are integrated into the Management System processes.

• They are proportional. The most significant risks are matched with the most significant actions, and opportunities with the biggest payback get the most robust plans.

• They are checked for effectiveness. Once you implement your actions, you’re not finished: the results of that check are the input to establishing objectives.

Outlined below is an example of a Risk Management Plan.

Risk Management is an important process that managers should maintain in an organization. Risks are inevitable, and managers need sound strategies for dealing with them. The long-term survival of an organization depends on its ability to manage risks.

Our next communications will be about Objective Setting and how to ensure maximum effectiveness when setting objectives.

We hope you enjoyed reading this blog post. Keep up to date with the latest ISO standards-based management news. Don’t miss out: subscribe to our emails below.