When the ISO 9001:2015 first was released, I started looking at how this new standard was going to impact industries. I had been a full time auditor for about two years with one of the old time registrars and I was eager to see how the new standards for both the ISO 9001 and ISO 14001 would affect companies. Now approaching 10 years and a senior lead management system audit and having conducted well over 700 audits, there are some patterns that have developed that are interesting to note.
One of the early ways I updated myself on the new standard was an ASQ TV webinar offered by Mark Ames (AQS Management systems). He was talking about the concept of “risk” being added into the new standard, and commented about the number of times the words “as necessary” or “as appropriate” appear in the 9001. He said that whenever these two phases are used that it was the intent of the ISO TAG 176 to mean “risk-based thinking”! To me, that was a very powerful statement and I comment to clients today that I better never hear another supervisor say to me during an audit that the company does something in a specific way because “That is the way that we have always done it.” Talk about setting up an audit trail. However, this comment does not seem to have been widely publicized and many people seem to be unaware of the depth of “risk-based thinking” requirements in the 9001 or other ISO Management System Standards (MSS). In reality, the ISO 9001 has 34 reference to risk-based thinking instead of just the nine times that the word “risk” appears in the standard.