© Transition Support Last edit  24/11/2023 

Preventive action to Risk-Based Thinking

The requirements for preventive action, which were a feature of previous versions of ISO 9001, have been moved in the 2015 version under the heading “Actions to address risks and opportunities”.

There are many actions one can take to prevent the occurrence of nonconformity, and if we look at ISO 9001 through a preventive-action-tinted lens we see many requirements in ISO 9001 aiming to prevent nonconformity rather than to detect, correct and prevent recurrence of nonconformity. In fact, the scope statement of the 1987 version stated that “The requirements specified in this International Standard are aimed primarily at preventing nonconformity at all stages from design through to servicing.”

It was therefore inappropriate to have a preventive action clause in a standard whose whole aim was to prevent nonconformity. The clause carried the wrong heading and should always have been concerned with risk determination and mitigation. JTCG Guide N359's comment on the move is quoted at the end of this page.

Preventive action

The preventive action requirements of ISO 9001 were often misunderstood, as shown in the table below.

| Action | Common term for this | ISO term for this + definition |
|---|---|---|
| Correct a nonconformity | Corrective action | – : Action to eliminate a detected nonconformity |
| Prevent recurrence of nonconformity | Preventive action | Corrective action: Action to eliminate the cause of a nonconformity and to prevent recurrence |
| Prevent occurrence of a nonconformity | (no common term) | Preventive action: Action to eliminate the cause of a potential nonconformity or other potential undesirable situation |

The result of this misunderstanding was that many documented quality management systems contained CAPA (Corrective and Preventive Action) forms on which the action to fix a nonconformity and prevent its recurrence was recorded, while there was no form at all for capturing preventive action as the standard actually defined it.

The misunderstanding also led to documented quality management systems placing risk assessment under planning rather than under preventive action, and to training being perceived not as a preventive action but as an action to develop competence. Ordinarily, when planning to achieve an objective, one anticipates what could go wrong and makes provision for avoiding, reducing or controlling such eventualities. Placing a clause on preventive action under the heading of Improvement therefore misled not only users of ISO 9001 but also authors of management system standards: FMEA, for example, appeared in ISO/TS 16949 not under preventive action but under design and development.

Risk-based thinking

For those who understood what preventive action was really about, risk-based thinking may be a new term but they won't be baffled by the intent. At its simplest, it is nothing more than assessing a situation by looking at the potential for success and failure and weighing up the potential benefits and harms of one course of action over another. So you may be presented with a policy, a plan, a design, a proposal or a solution to a problem, and instead of assuming it will be all right (as you might do if it is presented by a person or organization you believe to be competent) you examine it for inherent risks, a process characterized by asking:

  1. What are we trying to do? (This reveals the objective of the policy, plan, design etc.)
  2. What might affect what we are trying to do? (This reveals the uncertainties, the things that could help or hinder achievement of the objective.)
  3. What is the likelihood these uncertainties will occur? (This may be expressed as a frequency (once a month) or a probability (20%).)
  4. What are the likely consequences or effects if the uncertainties occur? (This may be expressed as a narrative plus a severity rating.)
  5. Which of these is most important? (This arises from assessment of risk.)
  6. What can we do about it? (This reveals the risk treatment, the course of action to mitigate the risk.)
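The following is an added worked example, not part of the original page, showing how the answers to questions 3 to 6 can be put on one scale and ranked. Everything in it is an assumption of mine rather than a requirement of ISO 9001 or the Handbook: likelihood may be recorded either as a probability over the planning horizon or as a frequency per month (the frequency is converted to "chance of at least one occurrence" with the Poisson formula), severity is rated 1 to 5, importance is probability times severity, and the treatment thresholds and the four sample uncertainties are constructed for illustration.

```python
"""Risk ranking for the six questions above (added example; assumptions are my own)."""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

HORIZON_MONTHS = 12  # assumed planning horizon over which likelihood is judged


@dataclass
class Uncertainty:
    """Answer to Q2 plus the raw answers to Q3 and Q4."""
    description: str
    severity: int                        # Q4 rating, 1 (negligible) .. 5 (catastrophic)
    probability: Optional[float] = None  # Q3 as a probability over the horizon, e.g. 0.2
    per_month: Optional[float] = None    # Q3 as a frequency, e.g. 1.0 = "once a month"


def occurrence_probability(u: Uncertainty, horizon_months: int = HORIZON_MONTHS) -> float:
    """Normalise Q3 so that 'once a month' and '20%' can be compared.

    A frequency is treated as a Poisson rate: P(at least one occurrence in T months)
    = 1 - exp(-rate * T). A probability is used as given.
    """
    if u.probability is not None:
        if not 0.0 <= u.probability <= 1.0:
            raise ValueError(f"{u.description}: probability must be in [0, 1]")
        return u.probability
    if u.per_month is not None:
        if u.per_month < 0:
            raise ValueError(f"{u.description}: frequency must be non-negative")
        return 1.0 - math.exp(-u.per_month * horizon_months)
    raise ValueError(f"{u.description}: likelihood must be given as probability or frequency")


def risk_score(u: Uncertainty, horizon_months: int = HORIZON_MONTHS) -> float:
    """Importance (Q5): expected severity = probability of occurrence * severity."""
    if not 1 <= u.severity <= 5:
        raise ValueError(f"{u.description}: severity must be 1..5")
    return occurrence_probability(u, horizon_months) * u.severity


def treatment(score: float, act_at: float = 2.0, monitor_at: float = 0.5) -> str:
    """Proportionate response (Q6); thresholds are illustrative assumptions."""
    if score >= act_at:
        return "mitigate"
    if score >= monitor_at:
        return "monitor"
    return "accept"


# Constructed sample register for an objective such as "deliver the design on time".
SAMPLE_REGISTER: List[Uncertainty] = [
    Uncertainty("Supplier delivers late", severity=3, per_month=1.0),
    Uncertainty("Key designer leaves", severity=4, probability=0.2),
    Uncertainty("Site flood", severity=5, per_month=0.001),
    Uncertainty("Test rig calibration drift", severity=2, probability=0.5),
]


def assess(register: List[Uncertainty] = SAMPLE_REGISTER,
           horizon_months: int = HORIZON_MONTHS) -> List[Tuple[str, float, str]]:
    """Rank the register by importance (highest first) and attach a treatment."""
    scored = [(u.description, risk_score(u, horizon_months)) for u in register]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, round(score, 3), treatment(score)) for name, score in scored]


if __name__ == "__main__":
    for name, score, action in assess():
        print(f"{score:5.2f}  {action:9s}  {name}")
```

Because a once-a-month event is almost certain to occur at least once in a year, it ranks above a one-in-five chance of a more severe event; the ranking, not the raw severity, decides where effort goes, which is the proportionality the text describes.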

This does not mean that risk-based thinking should lead to risk aversion; quite the opposite, in fact. By identifying uncertainties, their likelihood and their consequences, one is able to assess their importance to the achievement of objectives and act proportionately, rather than assuming that every potential failure must be prevented at all costs. Risk-based thinking is a pragmatic approach to management and enables resources to be applied to those uncertainties that pose the greatest risk to success.

The implication is that while policies and procedures will have been written with the best intentions, it does not follow that conformity with them should be defended regardless of the consequences. The object is not to conform but to perform. See also Conformance to Performance.

More details are in Chapters 10 and 21 of the ISO 9000 Quality Systems Handbook 7E.

JTCG Guide N359 says of the move:

“The high-level structure and identical text does not include a clause giving specific requirements for “preventive action”. This is because one of the key purposes of a formal management system is to act as a preventive tool. Consequently, a MSS requires an assessment of the organization’s “external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s)” in clause 4.1, and to “determine the risks and opportunities that need to be addressed to: assure the XXX management system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual improvement.” in clause 6.1. These two sets of requirements are considered to cover the concept of “preventive action”, and also to take a wider view that looks at risks and opportunities”.
