1.5 Risk-Based Thinking & the Annex SL High-Level Structure
Key Takeaways
- Risk-based thinking replaced the standalone 'preventive action' clause from the 2008 edition of ISO 9001
- Risk-based thinking requires proportionate action, not a mandatory formal risk-management methodology, risk register, or quantified scoring
- Risk-based thinking surfaces in clauses 4.4, 5.1.2, 6.1, 9.3, and the preventive spirit of clause 10
- The Annex SL High-Level Structure (HLS) gives ISO 9001, ISO 14001, ISO 45001 and other management system standards the same ten-clause skeleton
- HLS clauses 1-3 (scope, references, terms) are not substantive audit criteria; the auditable requirements live in clauses 4-10
Risk-Based Thinking & the Annex SL High-Level Structure
Quick answer: Risk-based thinking is an explicit requirement woven throughout ISO 9001:2015 — most visibly in clause 6.1 — and it replaced the standalone "preventive action" clause from the 2008 edition. It is a mindset applied proportionately, not a mandate for a formal, documented risk-management methodology. Separately, the Annex SL High-Level Structure (HLS) is the common ten-clause skeleton shared by ISO 9001 and every other modern ISO management system standard, which is why organizations can build integrated management systems and why auditors trained on one HLS standard can navigate another quickly.
Risk-Based Thinking Replaced "Preventive Action"
The 2008 edition of ISO 9001 had a standalone clause requiring "preventive action" — identifying potential nonconformities and acting to prevent them. The 2015 revision removed that clause and, instead, built the concept of risk-based thinking into the structure of the whole standard. The logic: preventive action, done well, is really just risk management applied to quality — so rather than isolate it in one clause, ISO 9001:2015 requires organizations to consider risks and opportunities at multiple points throughout the QMS.
Risk-Based Thinking Is Not Formal Risk Management
This is one of the most commonly misunderstood points in the whole standard, and a frequent exam distractor. ISO 9001:2015 does not require:
- A documented risk-management methodology (such as full compliance with ISO 31000)
- A mandatory risk register or formal risk log
- Quantified risk scoring (probability × impact matrices) as a compliance requirement
What it does require is that the organization determines the risks and opportunities that need to be addressed to give assurance the QMS can achieve its intended results, and that it plans actions to address them, proportionate to the potential impact on conformity of products and services. A small, low-complexity organization might address this with a simple team discussion documented in meeting minutes; a large, high-risk manufacturer might run a full formal risk-management program. Both can conform, provided the depth is proportionate to the organization's context. An auditor who cites a nonconformity purely because an organization lacks a formal risk register, with no other evidence of a gap, has misapplied the standard.
Where Risk-Based Thinking Surfaces in ISO 9001:2015
Risk-based thinking is not confined to one clause — it threads through the standard:
- Clause 4.4 — when determining QMS processes, the organization must address the risks and opportunities associated with them.
- Clause 5.1.2 — top management must promote awareness of risk-based thinking.
- Clause 6.1 — "Actions to address risks and opportunities" is the clause most directly dedicated to this principle: determine risks/opportunities, plan actions to address them, integrate those actions into QMS processes, and evaluate their effectiveness.
- Clause 9.3 — management review must consider risks and opportunities as a required input.
- Clause 10 — although framed around nonconformity and improvement rather than "prevention" by name, acting on risk before it becomes an actual nonconformity is the preventive spirit carried forward from the old 2008 clause.
The Annex SL High-Level Structure (HLS)
Separately from risk-based thinking, ISO 9001:2015 was also the first major revision to adopt Annex SL — a mandated common structure, common core text, and common terminology used across all new and revised ISO management system standards. The goal is interoperability: an organization running ISO 9001 (quality), ISO 14001 (environmental), and ISO 45001 (occupational health and safety) side by side can integrate them far more easily because all three share the same skeleton.
The ten HLS clauses are:
| Clause | Title |
|---|---|
| 1 | Scope |
| 2 | Normative references |
| 3 | Terms and definitions |
| 4 | Context of the organization |
| 5 | Leadership |
| 6 | Planning |
| 7 | Support |
| 8 | Operation |
| 9 | Performance evaluation |
| 10 | Improvement |
Clauses 1 through 3 are not substantive audit criteria — they set scope, point to normative references, and define terms (for ISO 9001, clause 3 simply refers to ISO 9000's vocabulary rather than repeating it). The requirements you actually audit against, clause by clause, live in clauses 4 through 10, which is exactly the territory covered by Chapters 2 through 5 of this guide, mapped onto the PDCA cycle from section 1.4.
Why the HLS Matters to an Auditor
Because every HLS-based standard uses the same clause numbers for the same broad topic — clause 6 is always "Planning," clause 9 is always "Performance evaluation" — an auditor who has internalized the structure for ISO 9001 can navigate an integrated management system audit (quality plus environmental plus safety) without relearning the skeleton from zero for each standard. Only the substantive requirements within each clause differ; the architecture holding them is shared by design.
An auditor cites a nonconformity solely because a small organization has no formal, documented risk register, even though the audit found no other evidence of a QMS process failing to achieve its intended results. What is the problem with this finding?
Under the Annex SL High-Level Structure shared by ISO 9001, ISO 14001, and ISO 45001, which clauses contain the substantive, auditable requirements rather than scope, references, or vocabulary?