ISO 9001:2015 has been out for almost a year, and many organizations have already updated their quality management systems to the revised standard or are in the process of alignment and adjustment. In addition, the International Aerospace Quality Group (IAQG) updated AS9100 – Quality Management Systems – Requirements for Aviation, Space, and Defense Organizations – to align with ISO 9001:2015. While there are not a lot of new concepts in ISO 9001:2015, there are new ways of looking at some of the requirements. The AS9100D revision embraces most of those concepts, expands many of them a bit further, and adds some new requirements pertaining to counterfeit parts and product safety for aviation, space, and defense (AS&D) organizations.

One area that has gotten a lot of attention in both standards, and is significantly amplified, is the concept of risk. Risk is not a new concept for the standards, but it now has a more pronounced role, more content, and more influence on an organization's actions and its approach to processes and the quality management system.

Defining risk

While AS&D has always had a major focus on examining the risks that could jeopardize satisfactory outcomes of processes, the word "risk" is barely mentioned in ISO 9001:2008. In ISO 9001:2015 and AS9100D, however, the concept of risk is much more prevalent, including a complete section devoted to the subject in the informational clauses and the annex.

Why the ISO 9001:2015 change, and are there more stringent risk requirements in the AS9100 standard as well?

To answer these questions, we must first understand that not all risk is equal. Wording was added to AS9100D and to its annex to acknowledge that the usage of risk within the standard varies depending on the stated requirement. While the risks are inherently related, their treatment can differ significantly between the two standards. ISO 9001:2015 explains some of this in clause 0.3.3 and in Annex A.4, where it concedes that risk was always inherent in the standard but was not overtly stated. The idea is that organizations must apply risk-based thinking to fulfill their mandates, and that the extent of the risk assessed depends on their context. ISO 9001:2015 states that risk-based thinking is essential in all forms of planning and execution of the quality management system.

A formal and documented risk management process is not a requirement of the ISO standard. Instead, risk is treated as a concept covering both positive and negative effects on the organization's ability to fulfill its mandate to external parties (customers and stakeholders). ISO 9001:2015 refers to risk as having either a positive or a negative outcome, in the same vein as it treats opportunities. It then goes on to state, throughout the standard and in clause 6.1 specifically, that actions to address risks and opportunities should be proportionate to their potential impact on the ability to deliver conforming products and services to the customer and on the functioning of the quality management system. When interpreted literally, this could be a very minimal consideration.

This contrasts significantly with the use of risk in AS9100D, where clause 8.1 and Annex A.4 make clear that "risk is expressed as a combination of severity and likelihood of having a potential negative impact to processes, products, services, customer, or end users." This goes beyond ISO's intent and requirements by making risk management an explicit requirement of the AS standard for operational processes. AS9100D further extends the definition of risk to cover product safety and counterfeit parts, adds enhanced product verification requirements, and drives risk identification and the resulting actions into management review as both an input and an output (clause 9.3.3.d).

Managing risk

Within the framework of ISO 9001:2015, what do we really need to do with risk?

The ISO/TC 176 quality management and quality assurance committee presented the 2015 revision as having a neutral impact on organizations with quality management systems (QMS) built on the 2008 version of the standard. The assumption is that risk assessment of the QMS processes was already intuitive, and that the requirement is now more overt than covert in the standard. If proper preventive actions and management reviews were being performed, and the "P" in the plan-do-check-act (PDCA) cycle was robust, then risk-based thinking was occurring naturally. The ISO Audit Practices Group (APG) states that risk cannot be assessed independently of everything else in the organization. Rather, it should be evaluated as an embedded part of all other QMS activities, and an auditor determines this by asking whether the relevant considerations were made when the processes were designed and executed.

Unlike ISO 9001:2015, AS9100D advances the premise for, and focus on, risk well beyond the previous revision. Clause 8.4 on the control of external providers is an example: the items to consider have grown since AS9100C. While ISO does not mention risk at all for external providers, the aerospace standard considers the operational risk significant and provides additional detail on the risk considerations expected.

The AS9100D standard enhances ISO's use of risk by making sure that organizations document, consider, evaluate, and mitigate risk as the requirements demand. AS&D organizations must ensure product safety so that risky business does not put lives at risk. ISO 9001:2015 also addresses risk, but actions speak louder than words, so a robust risk management system is worth considering for any organization that wants to be world class.

About the author: Dale K. Gordon is the management systems accreditation manager – AS&D, for ANAB. He can be reached at or at 414.501.5482. Previously Director of Supply Chain Quality for Aerojet Rocketdyne, he is also an ASQ fellow, past chair of the SAE Americas Aerospace Quality Standards Committee (G-14), and has served on committees for the aerospace series of standards.