
What is 'Risk Thinking' in the context of the updated ISO standards?

Risk-based thinking requires consideration and evaluation of risks and opportunities relative to the organisation’s context when planning and establishing processes, controls and improvements.

Specific areas within the standards that dictate risk thinking include:

Organisational context

Identify and evaluate the risks and opportunities associated with the context of the organisation’s objectives.

Example risks and/or opportunities could be:

  • the business location/s in relation to the marketplace

  • regulatory compliance issues related to workplace and other stakeholders

  • productivity and equipment resources investment

  • public risk/liabilities for service industries

  • product liability for manufactured or imported goods

  • cost of being competitive

  • reliance on other parties or partnership arrangements


Evaluation of the risk/opportunity could include:


  • estimating the overall impact on the business

  • putting a measure against each item to quantify and prioritise

  • options for mitigation that would reduce risk

  • options for converting a risk to an opportunity.


Management needs to understand and have a documented process in place for managing the risk-thinking concept. This needs to be addressed on an ongoing basis in order to contain risk and leverage opportunities. Although the ISO standards don’t require the risk assessment process to be documented, its effectiveness can be lost unless it is formalised and structured.


Plans need to be put in place to manage risk and opportunities. Such plans may be detailed or simple, depending on the nature of how they are intended to be addressed and who actually addresses them.


Wherever plans are in place there will need to be actions to enact such planning. These are operational policies, processes and various tools.

Performance measurement & evaluation

Risks and opportunities that have been identified, planned for and operationally delivered then need to be monitored, measured, analysed and evaluated for effectiveness.


Continuous improvement should be based on risk thinking

How does technology support risk-based thinking?

From a technical perspective, risk-based tools are a simple solution.

Lucidity Software examples:

  • Risk Register

  • Centralised space and process driven software to identify, assess, plan, develop, monitor and measure risk controls.

  • Flexible tools that build in risk thinking

  • Build risk assessment processes into electronic forms

  • Incident Reporting and Investigation software

  • Build risk assessment into investigation processes and assist in causal analysis