Risk Management in a Quality Management System

Risk management has a significant role in a business’s quality management system. 

Effective risk management supports compliance (risk has a notable role within ISO 9001) and overall business effectiveness by building forward-thinking processes and a forward-thinking culture.

The result is a Quality Management System that generates an environment for excellence, innovation and competitive advantage.

In today’s article, we’ll be looking at Risk Management in a Quality Management System: what it is, its common characteristics, why you need an approach to it, who is responsible for it, and its benefits and pitfalls.

What is Risk Management in a Quality Management System

Risk can have a profound effect on your business.

As individuals, we look to manage risk as part of our daily lives (we check the road is clear before crossing, we check that we’ve cooked something long enough to avoid food poisoning etc.).

Equally, risk-based approaches within business are not new.

Most of us will have had some exposure to managing risk in our job. Commonly this might be supporting a function or project to identify or assess risk.

Many organizations will have integrated processes that look to make managing risk habitual.

Organizations do this to limit the impact that risks can have: if they materialize, the consequences can harm both your business and, potentially, your customers.

Managing risk successfully provides numerous benefits, from competitive advantage and profitability to a higher likelihood of achieving your goals.

So how does this relate to your quality management system?

Risk management and Quality Management systems have always been close bedfellows.  

Over the years, as ISO 9001 has evolved, risk has moved from being implicit (the old “preventive action” requirement) to explicit, with an expectation that risk management is embedded within your management system.

ISO9001:2015 aims to make the identification and management of risk a natural part of an organization’s approach.

Your Quality Management System should facilitate the identification of both risks and opportunities end-to-end, rather than only in certain functional areas, and should use the results to improve decision-making, effectiveness and the planning of the management system itself.

There are numerous references to risk management and risk-based thinking peppered throughout the ISO 9001:2015 clauses; these include:

  • Clause 4: Context of the organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 8: Operation
  • Clause 9: Performance evaluation

Of particular interest are Clause 5, which requires leadership to promote risk-based thinking; Clause 6, which includes “Actions to address risks and opportunities”; and Clause 9, which includes evaluating and reviewing the effectiveness of the actions taken to address risks and opportunities.

Risks and opportunities should therefore be considered across all the systems that help you run your business, and as a result, it’s recommended that you document the associated procedures.

As a minimum, this helps your organization apply risk processes in a consistent fashion and supports training, knowledge and deployment across the business.

Common characteristics of risk management in a QMS

While every business will have their own unique approach to risk, there are likely to be some common characteristics; these include:

a) Approach to standards

Firstly, risk management will look to address the specific requirements of applicable standards such as ISO 9001:2015.

b) Processes, Policies & Documents

Risk management is likely to require a set of processes, policies and documents within an organization covering not only how risks will be captured but how they will subsequently be managed and tracked.

As we described in the introduction, risk management is not a new problem to be solved, and there are some well-trodden paths; these are likely to include aspects such as:

Generic Risk Management process

  • Identifying risks
  • Assessing risks (which will probably include a level of prioritization)
  • Tracking risks
  • Monitoring
  • Documentation
    • Risk Registers
  • Training
  • Communication
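As an added illustration (not code from the original article), here is a minimal risk register in Python that strings the steps above together: identify a risk with a named owner, assess and prioritise it on a likelihood-by-impact scale, track treatment actions and status, and monitor for entries whose review is overdue. The 5×5 scoring matrix, the rating thresholds, the review cadence per rating and the three sample risks are all constructed assumptions for the example; the article does not prescribe any particular scale, so tune them to your own risk appetite.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Status(Enum):
    OPEN = "open"              # identified, no treatment under way
    MITIGATING = "mitigating"  # actions assigned and being tracked
    CLOSED = "closed"          # retired after treatment or no longer relevant


# Assumed 5x5 scoring matrix (score = likelihood * impact) and review cadence.
# None of these numbers come from the article or from ISO 9001; adjust to taste.
RATING_THRESHOLDS = (("high", 15), ("medium", 8), ("low", 1))
REVIEW_INTERVAL_DAYS = {"high": 30, "medium": 90, "low": 180}


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str            # a named owner: "everyone" owns nothing
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    last_review: date
    status: Status = Status.OPEN
    actions: list = field(default_factory=list)

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        for label, floor in RATING_THRESHOLDS:
            if self.score >= floor:
                return label
        return "low"


class RiskRegister:
    def __init__(self):
        self._risks = {}

    # Identify: every entry needs a unique id; duplicates are rejected, not merged.
    def identify(self, risk: Risk) -> Risk:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk
        return risk

    # Assess: (re)score a risk and record when that review happened.
    def assess(self, risk_id: str, likelihood: int, impact: int, reviewed_on: date) -> Risk:
        risk = self._risks[risk_id]
        risk.likelihood, risk.impact, risk.last_review = likelihood, impact, reviewed_on
        risk.__post_init__()  # re-run the 1..5 range validation on the new scores
        return risk

    # Track: attaching an action moves an open risk into treatment.
    def add_action(self, risk_id: str, action: str) -> Risk:
        risk = self._risks[risk_id]
        risk.actions.append(action)
        if risk.status is Status.OPEN:
            risk.status = Status.MITIGATING
        return risk

    def close(self, risk_id: str) -> Risk:
        risk = self._risks[risk_id]
        risk.status = Status.CLOSED
        return risk

    # Prioritise: live risks, highest score first; ties broken by id for stable output.
    def prioritised(self) -> list:
        live = [r for r in self._risks.values() if r.status is not Status.CLOSED]
        return sorted(live, key=lambda r: (-r.score, r.risk_id))

    # Monitor: a live risk whose last review is older than its rating allows is overdue.
    def overdue_for_review(self, today: date) -> list:
        return [r.risk_id for r in self.prioritised()
                if today - r.last_review > timedelta(days=REVIEW_INTERVAL_DAYS[r.rating])]


def build_sample_register() -> RiskRegister:
    """Constructed sample data for the example; not taken from any real organisation."""
    reg = RiskRegister()
    reg.identify(Risk("R-001", "Single supplier for a critical component", "Procurement",
                      likelihood=3, impact=5, last_review=date(2024, 4, 1)))
    reg.identify(Risk("R-002", "Calibration records held in an unbacked-up spreadsheet", "Quality",
                      likelihood=4, impact=3, last_review=date(2024, 3, 15)))
    reg.identify(Risk("R-003", "No trained cover for the inspection lead", "Operations",
                      likelihood=2, impact=2, last_review=date(2024, 5, 1)))
    reg.add_action("R-001", "Qualify a second supplier by Q3")
    reg.add_action("R-002", "Move records to the document control system with nightly backup")
    # Re-assess R-002 once the action has landed: likelihood drops, impact is unchanged.
    reg.assess("R-002", likelihood=2, impact=3, reviewed_on=date(2024, 5, 20))
    reg.close("R-003")  # cover arranged through cross-training; retired at review
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritised():
        print(f"{r.risk_id} {r.rating:6} score={r.score:2} status={r.status.value} owner={r.owner}")
    print("overdue for review:", reg.overdue_for_review(date(2024, 6, 1)))
```

Two design points worth copying even if you keep the register in a spreadsheet: re-assessment writes a new review date, so the monitoring step has something to check, and closing a risk keeps its history rather than deleting the row, which is what an auditor working through Clause 9 will ask to see.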

c) Training & Learning

Once a methodology has been articulated (with policies, processes and resources), it will need to be promulgated through the organization through effective training.

d) Evaluation & Control

Monitoring activities confirm that the business is complying with its own policies and processes.

e) Ownership

Risk management should be the responsibility of the whole organization and should permeate all processes and functions.

All staff are likely to touch on elements of risk management through their daily tasks and, as a result, need an appropriate understanding of its importance and of the associated management methods.

f) Role of Leadership

It is unlikely that leadership will get involved at every level of risk management. Instead, their role should focus on:

  • Appropriate participation where necessary (significant risk management, review and control, establishing appropriate budgets, etc.)
  • Establishing a realistic appetite for risk and enabling it to permeate the organization.
  • Promoting (and facilitating) cross-functional collaboration between teams on the subject of risk.

Why we need an approach to Risk Management in our Quality Management System

You could be forgiven for thinking, when you look at many of our common quality tools (such as corrective action reports, root cause analysis, check sheets and analysis methods), that our traditional approach to risk has been a reactive one.

We come across a problem, then look at what went wrong, then put in a fix so it doesn’t happen again.

Continuous improvement is all well and good, but a reactive approach to risk is, by its very nature, one that fixes non-conformances and updates processes after the horse has bolted.

The focus of risk management should be on prevention, through a defined methodology and supporting processes. This approach requires two things:

  • Processes with much more focus on planning and action management.
  • A culture where the whole organization understands risk and their part to play in its management

There is no better place to drive both of these characteristics than through the quality management system.

Who is responsible for Risk Management in QMS

The answer to this is easy enough.  

Everyone in the organization has some responsibility for managing risk. 

However, certain elements have specific roles to play; let’s consider the following.

a) Leadership

While it’s true that everyone has a role to play in managing risk, leadership has an additional task, which is to ensure that the business is structured to manage risk and to enable its workforce to do so effectively.

These enablers include:

  • Strategy: your strategy should have embedded within it an approach that seeks to identify and manage risk.
  • Resources: funding for the tools, people and systems that enable effective risk management.
  • Communication: clear, consistent organizational communication that explains how risk will be managed.

b) Quality

Quality management has a specific role, ensuring that management systems, controls, policies, and procedures are structured and documented in such a way that risk management is effective.

c) Employees

Employees are responsible for executing the management systems, policies and procedures that deal with risk.

Benefits of Risk Management in a QMS

There are several clear benefits of integrating risk management into our QMS; these include the following:

  • Compliance
  • Capturing risks before they become issues 
  • Contributes to improving Quality
  • Helps reduce costs by avoiding the expense of fixing issues that could have been prevented
  • Involves the whole organization

Issues with Risk Management in a QMS

Issues associated with integrating risk management into a QMS include

  • The business fails to communicate methods, policies and processes to its people
  • Ineffective processes (e.g. processes without evaluation steps)
  • Insufficient resourcing
  • Forgetting third-party processes and interfaces during implementation
  • Poor levels of workforce training


Risk management is not a new methodology; it’s something that most organizations do already.

Integrating risk into your Quality Management System does require some thought and planning, particularly around adherence to the intent of ISO9001:2015.

As with your Quality Management System in general, risk management is not a singular activity that takes place just once but is something that is continuous and, as a result, requires resources, processes and policies and leadership buy-in.

Thinking about preventing risks rather than dealing with their effects is a cultural shift, so when deploying risk management in your QMS (and making it habitual), you can think of it as a transformational activity.

There are major advantages to adopting the approach, not only from a compliance standpoint but also from the fact that adopting risk management helps you increase the likelihood of achieving your goals.

What has your organization done to manage risk? As ever, we’d love to hear some feedback; you can reach us, as usual, on Twitter or via the comments section below.