What Risk Based Thinking Actually Means
Risk based thinking is one of those phrases that gets used constantly in ISO circles but rarely explained well. Most people hear it and picture a risk register. Some picture a formal risk assessment process. A few picture nothing at all and hope no one asks them about it in an audit.
The reality is simpler and more practical than the jargon suggests. Risk based thinking means considering what could go wrong, or go right, before you commit to a course of action. It means building that consideration into how you plan, operate, and improve your management system rather than treating risk as a separate activity that happens once a year in a spreadsheet.
ISO 9001:2015 introduced risk based thinking as a core concept, and the same concept appears in ISO 14001:2015, ISO 45001:2018, and every other standard built on the harmonised structure (Annex SL). Clause 6.1 of each of these standards asks organisations to determine the risks and opportunities that need to be addressed, plan actions to address them, and evaluate whether those actions worked. What that looks like in practice depends entirely on the organisation, the sector, and the maturity of the system.
This article walks through risk based thinking in plain terms, with real examples from quality, environmental, and safety management systems. If you are preparing for an internal audit, getting ready for a certification audit, or trying to explain this concept to a sceptical manager, this is the guide you need.
Why ISO Replaced Preventive Action With Risk Based Thinking
Before the 2015 revision of ISO 9001, the standard included a specific clause on preventive action (Clause 8.5.3 in the 2008 edition). Organisations were required to identify potential nonconformities and take action to prevent them. In theory, this was sensible. In practice, most organisations treated it as a paperwork exercise that ran parallel to everything else rather than being embedded in how they actually worked.
The 2015 revision removed the standalone preventive action clause and replaced it with risk based thinking woven throughout the standard. The idea was that if you genuinely think about risk at every stage of planning and operation, you do not need a separate preventive action clause. Prevention becomes part of how you design processes, set objectives, and make decisions.
This was a significant philosophical shift. It moved risk from a compliance activity to a management habit. For organisations that already thought this way, the change was barely noticeable. For organisations that had been filling in a preventive action register to satisfy an auditor, the change exposed how superficial their approach had been.
If you want to understand how this connects to the broader structure of ISO standards, the article on the high level structure in ISO standards is worth reading alongside this one.
Where Risk Based Thinking Appears in ISO Standards
ISO 9001 Clause 6.1
ISO 9001 Clause 6.1.1 requires organisations to consider the context of the organisation (Clause 4.1) and the needs of interested parties (Clause 4.2) when determining risks and opportunities. Clause 6.1.2 then requires that the risks and opportunities identified are addressed through planned actions, that those actions are integrated into the quality management system processes, and that their effectiveness is evaluated.
Importantly, ISO 9001 does not require a formal risk management methodology. It does not require a risk register, a risk matrix, or a specific tool. What it requires is that risks and opportunities are considered, addressed, and evaluated for effectiveness. How you do that is up to you.
ISO 14001 Clause 6.1
ISO 14001 takes a similar approach but adds the concept of environmental aspects and compliance obligations as inputs to the risk and opportunity determination process. An organisation must consider what could go wrong environmentally, what legal requirements apply, and what opportunities exist to improve environmental performance.
The 2026 revision of ISO 14001 has strengthened this by adding an explicit subclause on risks and opportunities that did not exist as clearly in the 2015 edition. If you are managing an environmental management system, understanding how this has changed is important. The article on the ISO 14001:2026 transition covers these changes in detail.
ISO 45001 Clause 6.1
ISO 45001 goes further again. It distinguishes between risks to the OH&S management system and risks to workers. Clause 6.1.2 requires a formal hazard identification and risk assessment process, which is more prescriptive than the quality or environmental standards. There are also OH&S opportunities to consider, which is a concept many safety professionals initially find counterintuitive.
Risk Based Thinking vs Risk Management: An Important Distinction
Risk based thinking is not the same as risk management in the formal ISO 31000 sense. This distinction matters because organisations sometimes build elaborate risk management frameworks to satisfy ISO 9001 Clause 6.1, when in fact the standard asks for something far less bureaucratic.
Risk management as a discipline involves identification, analysis, evaluation, treatment, monitoring, and communication of risk. It has its own standard, its own terminology, and its own methodology. ISO 9001 does not require you to implement ISO 31000. It requires you to think about risk when you plan and operate your system.
A small business with five employees does not need a risk committee, a risk appetite statement, or a heat map. It needs to think about what could go wrong with its key processes and do something sensible about it. A large organisation may well use a formal risk management framework, and that is fine. The standard accommodates both approaches.
The test an auditor applies is not whether you have a sophisticated risk management system. It is whether there is evidence that risk and opportunity thinking has shaped how the organisation plans, operates, and improves.
Practical Examples of Risk Based Thinking in ISO 9001
Example 1: A Construction Subcontractor
A civil works subcontractor identifies through its context analysis that it relies heavily on a single concrete supplier. If that supplier fails to deliver on time or delivers substandard material, the company's ability to meet contract milestones is at serious risk.
Risk based thinking in this context means the company does not just note this risk in a register. It takes action. It qualifies a second supplier. It includes minimum notice periods in its supply contracts. It builds concrete testing into its incoming inspection process. These actions are integrated into how the company manages its supply chain, not treated as a separate risk activity.
An auditor reviewing this organisation would look for evidence that the risk was identified, that actions were taken, and that those actions are working. A risk register entry with no corresponding process change tells an auditor that the organisation has identified the risk but has not actually addressed it.
Example 2: A Professional Services Firm
An engineering consultancy identifies that key technical knowledge is concentrated in two senior engineers. If either leaves, the company's ability to deliver on existing contracts is compromised. This is both a risk to quality and a risk to the business.
Risk based thinking leads to documented procedures for technical processes, cross training of junior engineers, and a succession planning conversation at management review. The risk does not disappear, but it has been addressed proportionately. The actions are embedded in how the firm manages its people and its knowledge.
This connects directly to what ISO 9001 Clause 7.1.6 requires around organisational knowledge. Risk based thinking and knowledge management are closely related in practice, even if they appear in different clauses.
Example 3: A Food Manufacturer
A food manufacturer identifies that a change in a key ingredient supplier could affect product consistency and customer satisfaction. The risk is that the new supplier's ingredient performs differently in the production process, leading to product that does not meet specifications.
Risk based thinking means the change is not just approved by procurement. It triggers a review of the formulation, a trial production run, updated specifications, and a communication to the quality team before the change takes effect. This is Clause 6.3 planning of changes in action, informed by risk based thinking from Clause 6.1.
Practical Examples of Risk Based Thinking in ISO 14001
Example 4: A Transport Operator
A road transport company identifies that fuel spills during refuelling are a realistic risk given the volume of vehicles and the frequency of refuelling operations. The environmental impact of a spill reaching the stormwater system is significant.
Risk based thinking leads to bunded refuelling areas, a spill response kit at each depot, and a procedure for immediate containment and reporting. These controls are integrated into the operational procedures for depot management. They are not just listed in an aspects and impacts register. They are part of how the depot actually operates.
An environmental auditor checking this organisation would look for the bunding, the spill kit, evidence of training, and records of any incidents. If the risk is documented but the controls are absent or untested, that is a nonconformity.
Example 5: A Construction Company
A construction company identifies an opportunity to reduce waste sent to landfill by segregating materials on site and engaging a recycling contractor. This is an environmental opportunity, not a risk. Risk based thinking includes both.
The company sets an environmental objective around waste diversion, puts a process in place for on site segregation, and tracks the percentage of waste recycled against its target. At management review, it reports on progress and considers whether additional opportunities exist. This is risk based thinking applied to opportunities, producing measurable improvement in environmental performance.
Practical Examples of Risk Based Thinking in ISO 45001
Example 6: A Warehousing Operation
A warehousing business identifies through its hazard identification process that pedestrian and forklift interactions in the receiving area create a significant risk of serious injury. The risk assessment rates this as high likelihood and high consequence without controls.
Risk based thinking using the hierarchy of controls leads to physical segregation of pedestrian and forklift paths, designated crossing points with stop signs, and a site rule prohibiting pedestrian access to the forklift operating zone without a specific procedure. PPE alone would not be an adequate response to this risk. The controls address the risk at a higher level in the hierarchy.
An ISO 45001 auditor would verify that the hazard was identified, the risk was assessed, controls were implemented at the appropriate level of the hierarchy, and workers were consulted and informed. A risk register entry with only PPE as a control would likely attract a finding.
Example 7: A Healthcare Provider
A healthcare organisation identifies that manual handling of patients creates a significant risk of musculoskeletal injury to workers. This is a known and well documented risk in the sector.
Risk based thinking leads to a manual handling training programme, the procurement of patient handling equipment, and a process for assessing individual patient handling needs before transfers. The organisation also identifies an opportunity to reduce injury rates by introducing a peer coaching programme for manual handling technique. Both the risk response and the opportunity are addressed through planned actions with measurable outcomes.
What Auditors Look for When Auditing Risk Based Thinking
When auditors review risk based thinking, they are not looking for a perfect risk management system. They are looking for evidence that the organisation has genuinely considered risk and opportunity in its planning and operations. There are several things that consistently indicate whether this is real or superficial.
Is the Risk Register Connected to Real Processes?
A risk register that was created for the certification audit, has not been updated since, and does not reference any actual process is a red flag. Risks should evolve as the context of the organisation changes. New suppliers, new regulations, new products, staff turnover, customer complaints, and near miss incidents should all feed into how risks are reviewed and updated, and each significant risk should point to the process or procedure where it is controlled.
Do the Actions Actually Address the Risks?
An organisation might identify a risk of customer complaints due to poor communication but list the action as "communicate better". That is not an action. It is a wish. Risk based thinking requires specific, implementable actions that are assigned to someone, given a due date, and tracked to completion.
Is Risk Thinking Visible in Other Parts of the System?
Risk based thinking should show up in the audit programme, in management review inputs, in how changes are managed, and in how objectives are set. If risk is only visible in Clause 6.1 and nowhere else, the organisation has treated it as a compliance exercise rather than a management habit.
The article on risk based audit scheduling explores how risk thinking shapes the internal audit programme itself, which is a good practical application of these principles.
Are Opportunities Being Captured as Well as Risks?
Many organisations focus entirely on risks and ignore opportunities. ISO standards explicitly require both. Opportunities might include new technology that could improve process efficiency, a change in regulation that opens a new market, or a supplier improvement that could reduce defect rates. If an organisation's risk register contains only threats and no opportunities, that is worth exploring in an audit.
Common Mistakes Organisations Make With Risk Based Thinking
The most common mistake is treating risk based thinking as a documentation exercise. The risk register gets created, reviewed once a year, and filed. Nothing in the actual operation of the business changes as a result. This satisfies the letter of the requirement but misses the point entirely.
The second common mistake is confusing risk based thinking with the risk assessment required for specific operational activities. ISO 45001 requires a formal hazard identification and risk assessment process for safety risks. ISO 9001 does not require the same level of formality for quality risks. Organisations sometimes apply the ISO 45001 approach to all three standards, creating unnecessary complexity.
The third mistake is failing to involve the right people. Risk identification is most effective when it draws on the knowledge of the people who actually do the work. A risk register created entirely by the quality manager in an office, without input from operations, is likely to miss significant risks that are obvious to anyone on the floor.
If you are preparing for a certification audit and want to make sure your risk based thinking approach will hold up, the article on how to prepare for a certification audit as the quality manager covers this alongside other key preparation areas.
How to Build a Proportionate Approach to Risk Based Thinking
The right approach to risk based thinking depends on the size and complexity of the organisation. Here is a practical framework that works across different contexts.
Step 1: Start With Context
Your risks and opportunities should flow from your context analysis. The internal and external issues identified in Clause 4.1, and the needs and expectations of interested parties from Clause 4.2, are the primary inputs to risk identification. If your risk register does not connect back to your context analysis, it is probably not capturing the most significant risks.
Step 2: Identify Risks and Opportunities for Each Key Process
Rather than trying to identify all organisational risks in one exercise, work through each key process and ask what could go wrong, what could go better, and what external factors could affect this process. This produces a more grounded and actionable set of risks and opportunities than a top down exercise.
Step 3: Determine What Actions Are Needed
For each significant risk or opportunity, determine what action is needed. The action should be proportionate to the potential impact. Not every risk needs a control procedure and a monitoring programme. Some risks are adequately addressed by awareness training or by including a check in an existing process.
Step 4: Integrate Actions Into the System
Actions should be integrated into existing processes rather than managed as a separate risk management activity. If a risk is addressed by adding a step to a procedure, update the procedure. If an opportunity is being pursued through a new objective, make sure the objective is resourced and tracked.
Step 5: Evaluate Effectiveness
At management review and through internal audits, evaluate whether the actions taken have been effective. Have the risks reduced? Have the opportunities been realised? If not, what needs to change? This is the PDCA cycle applied to risk based thinking.
Bringing It All Together
Risk based thinking is not complicated. It is the habit of asking what could go wrong or go right before you act, and doing something sensible about the answer. What makes it challenging in practice is that it requires genuine engagement from people at all levels of the organisation, not just the quality or safety manager.
When it works well, risk based thinking produces a management system that is genuinely proactive. Problems are anticipated and prevented rather than discovered after the fact. Opportunities are identified and pursued rather than missed. Audits become conversations about how well the system is working rather than compliance checks against a checklist.
When it works poorly, risk based thinking produces a risk register that no one reads and a compliance exercise that satisfies an auditor once a year without changing anything about how the organisation operates.
The difference between those two outcomes is not the quality of the documentation. It is whether the people running the organisation actually think this way, and whether the management system is designed to support that thinking rather than just record it.
If you want to build genuine competence in auditing risk based thinking, including how to ask the right questions and evaluate the evidence, the auditor training courses at Audit Workshop cover this in depth across ISO 9001, ISO 14001, and ISO 45001. The training is built around real audit scenarios, not theory, so you leave with skills you can apply immediately.