Procedure, Work Instruction, or Flowchart?

-by Dr. IJ Arora

The choice between writing a procedure or a work instruction is an essential decision when designing a management system. Clause 4.4.1 of ISO 9001:2015 (as well as all the ISO management system standards using the harmonized structure) requires the establishment and implementation of a management system. This management system will have procedures and work instructions and, further down the hierarchy, checklists and forms.

Processes can be actualized in many forms. Today, mapped processes make it easy to visualize the functioning of the process. This is an important distinction in quality management systems based on ISO 9001—or for that matter any sector-specific standard like those dedicated to management within maritime, aerospace, etc. Many organizations struggle with when to write a procedure, when to write a work instruction, and how and when a flowchart should be used.

I think the core difference between a procedure and a work instruction is that a procedure answers the question, “What happens and who does it?” A procedure defines the process, its purpose, its sequence (clause 4.4.1b), and who is responsible for the work, perhaps as process owners (clause 4.4.1e). It answers what is to be done, when it must be done, who is responsible, and why it matters. The flowchart then helps visualize the inputs and outputs that flow between the steps.

What is a procedure and how is it used?

A procedure does not tell someone how to do a task; it simply describes the steps or stages necessary to accomplish it. I think of the procedure as the blueprint of the workflow. Therefore, I would recommend using the procedure when multiple people or departments are involved, when there is decision-making or sequencing, when the process crosses functional boundaries, and when documenting the process supports consistency, audits, or training. The procedure is also best when regulatory bodies expect clearly defined processes.

What is a work instruction and how is it used?

On the other hand, a work instruction shows stakeholders how exactly a task is to be accomplished. A work instruction “goes into the weeds” to the extent required by the workforce (depending on their confidence, competence, knowledge, and so on). It describes specific methods, often at a deep level of detail. It answers questions such as:

  • “How do I perform this task?”
  • “What tools, equipment, settings, forms, and/or software steps are required?”
  • “What are the acceptance criteria?”
  • “What do I check and how do I measure performance?”

Remember, work instructions are intended to be simple, direct documents for use by the workforce. Use them when:

  • A task requires technical, step-by-step details
  • Training new personnel
  • Incorrect execution can create quality or safety risks
  • Standardization is essential
  • Variation in execution must be eliminated

What is a flowchart and how is it used?

Flowcharts can technically be used to support both procedures and work instructions, but I generally recommend their use in conjunction with procedures. This helps make the procedure visual by mapping the 50,000-foot view of a process. A flowchart is ideal when the process has multiple decision points, parallel paths, several departments interacting, and inputs/outputs that must be made clear. The flowchart helps avoid the confusion that can come when procedures are described in long paragraphs. Flowcharts make complex processes easy to understand immediately. I therefore believe in flowcharting a procedure when the process needs high-level clarity, the sequence matters, when an organization wants to show interactions between departments, when it supports risk-based thinking, and when you want to simplify training for new personnel.

Flowcharts work best for document control, nonconformance and corrective action processes, purchasing and supplier management, production scheduling, quality inspection and testing flows, and change management processes (as seen in clauses 5.3e, 6.3, 8.2.4, 8.3.6, and 8.5.6). Flowcharts do not replace work instructions; they complement them.

Final thoughts

To sum up how these tools work together, a practical document hierarchy an organization could consider starts with policy (and why that policy exists), moves into documenting the procedure (preferably supported by a flowchart) to convey what happens and in what order, and then crafts work instructions to clarify how to carry out specific tasks. Finally, document everything through records and forms to provide evidence that the work was performed.

All this should connect as a system in which a flowcharted procedure describes the process, a work instruction explains each critical task, and the documented information provides traceability. Performance monitoring (clause 9) can be documented via procedures, work instructions, and flowcharts.

Note – The above article was recently featured in an Exemplar Global publication ‘The Auditor’.

Hope Is Never A Plan

Wishful thinking is fine, but it rarely achieves positive results in professional settings. The best path to reach a desired outcome is to implement a structured, process-based management system. It is not a guarantee of success, but if implemented by competent and motivated teams, such a system allows the organization to produce conforming products and services and embrace continual improvements.

I often hear from leadership about their faith in the power of hope, but my experience tells me that hope is never a plan. For those who believe in hope, my advice is to base it on a well-designed management system. There is no need to re-invent the wheel. ISO standards exist for management teams to use.

In organizations of every size, across industries and borders, there is often an invisible reliance on hope. Leaders hope customer complaints will decline. Managers hope processes will perform as intended. Teams hope risks won’t materialize.

Hope can inspire, but it cannot control outcomes. It is not a strategy, and it is certainly not a plan. In contrast, a good management system transforms that hope into structured action, measurable results, and continual improvement.

A Better Way

At my organization, we have long stressed (and said) “Hope is never a plan.” The plan—the real plan—is embedded in the process-based management approach that underlies ISO 9001 and other international standards. This approach replaces uncertainty with understanding and reactivity with resilience.

The problem with hope as a strategy is there is no plan. In times of uncertainty—economic shifts, market volatility, supply chain disruptions—many organizations fall back on hope as a substitute for planning.

However, in my experience, success is built upon the foundation of a process-based management system. Remember the wise words of Deming: “A bad system will beat a good person every time.” The process approach, central to ISO 9001 and mirrored in ISO 14001, ISO 45001, and numerous other ISO standards, recognizes that results come from well-managed processes.

The journey from wishful thinking to structured management is embodied in the process approach, which was first formalized in ISO 9001:2000 and reinforced in ISO 9001:2015. The standard recognizes that consistent, predictable results arise from well-defined and managed processes, not from chance. In particular, sub-clause 4.4 of ISO 9001:2015 requires organizations to establish, implement, maintain, and continually improve a management system, including the processes needed and their interactions.

Where hope says, “Let’s see how it goes,” a process-based system asks:

  • What inputs are required, and what outputs are expected?
  • Who is responsible for the process?
  • What resources and controls are necessary?
  • How will we measure performance?

This thinking moves an organization from reacting to problems to controlling the variables that create success. Rather than managing departments or reacting to problems, organizations use the process approach to:

  • Define interrelated processes that deliver outputs valuable to customers and stakeholders (sub-clause 4.4.1).
  • Identify inputs, activities, and controls within each process (sub-clause 4.4.1).
  • Establish measurable objectives and performance indicators (sub-clauses 6.2 and 9.1.3).
  • Use data and analysis to drive decisions.

This approach replaces hope with evidence, accountability, and continual improvement.

Plan, Do, Check, Act (PDCA) and the Importance of Leadership

The PDCA cycle implies planning as the basis for turning vision into reality. Clause 6 emphasizes “Planning,” i.e., the transformation of organizational context (sub-clauses 4.1 and 4.2) and risks (sub-clause 6.1) into actionable objectives and opportunities for improvement:

  • Risks and opportunities (not just reacting to issues)
  • Resources and competence needed to achieve results
  • Process interactions that maintain flow and consistency
  • Measurable outcomes that guide continual improvement

In this framework, hope is replaced by proactive thinking, i.e., identifying what could go wrong and preparing responses before it happens. This is far superior to a reactive approach. Of course, in the initial functioning of the management system, any non-conformances (NCs) found will drive corrective action. However, once data accumulate (based on closed NCs and other monitoring and analysis), those data will reveal risks and trends and enable a proactive system.

Leadership plays a very important part in the success of an organization. From slogans to systems, true leadership is not about motivational statements but about embedding systems that work even when leaders aren’t watching.

Leaders demonstrate commitment by:

  • Integrating the management system into business strategy (sub-clause 5.1.1c)
  • Promoting process ownership and accountability
  • Ensuring alignment of policies (sub-clause 5.2), objectives (sub-clause 6.2), and actions

A strong system outlives individual personalities—it ensures the organization runs effectively on principles, not just people. What employees learn during their work life at the organization is captured as lessons learned and forms the organization’s corporate knowledge (sub-clause 7.1.6).

Continual improvement (sub-clause 10.3) is the antidote to complacency. Even good systems fail if they stop evolving. ISO’s process-based model ensures continual improvement through:

  • Audits and reviews that identify gaps and inefficiencies
  • Corrective actions that prevent recurrence
  • Performance metrics that inform decision making

Hope says, “Things will get better.” A good management system says, “Here’s how we’ll make them better—and how we’ll know it worked.”

Conclusion

My advice to leaders is to replace hope with a system. Every organization faces uncertainty, but those that succeed do not count on hope—they rely on structured management, clear processes, and evidence-based decisions. Leadership is responsible for maintaining customer focus (sub-clause 5.1.2), understanding customer requirements and associated risks, having thorough knowledge of their products, and carefully selecting vendors.

Uncertainty and hazards must not be passed to employees, users, or other stakeholders. Instead, they should be converted into manageable and low-impact risks. Those risks can then be addressed and/or converted into opportunities for improvement.

In an uncertain world, replacing hope with a system is a must. Hope may be emotionally comforting, but it is operationally dangerous. A good management system, based on ISO 9001’s process approach, gives structure to intention and reliability to performance. It enables organizations to anticipate risks, seize opportunities, and deliver consistent value. It creates confidence among customers, regulators, and employees that the organization is not merely hoping for success—it is planning, executing, and improving toward it.

The above article was recently featured in ‘The Auditor’, an Exemplar Global publication.

About the Author

This article was written by Inderjit “IJ” Arora, Chairman, Board of Directors at QMII. With more than 30 years’ experience spanning military service, merchant marine and civilian industries, he is an Exemplar Global-certified lead auditor and member of the U.S. TAG to ISO/TC 176 (the ISO 9000 family of standards). IJ holds an MBA from The College of William & Mary and an MSc in Defense Studies, and he brings a unique leadership and crisis-management background into quality systems consulting. He specialises in transforming management-system certification into a strategic advantage for organisations.

Cost-Benefit Analysis: ROI of ISO 9001 Registration for U.S. Manufacturers

For some U.S. manufacturers, registration to ISO 9001 raises one question: “Is it worth the investment?” In other words, how can an organization maximize the benefits of ISO 9001 registration and convert them to a solid return on investment (ROI)?

Analyzing ROI

A consideration of costs and benefits must be included in an ROI analysis to allow manufacturers to make good decisions about ISO 9001 registration. Calculating the value of an effective quality management system (QMS) must include integrating quality and the overall management of the organization (as seen in clause 5.1.1 of ISO 9001). This would include the costs and payoffs that create the real ROI of ISO 9001 registration.

Mere compliance to the language of the standard is not enough; what is required is that ISO 9001 registration leads to competitive advantage. The intent for any manufacturer is to boost efficiency and revenue. In this new environment, where a considerable amount of manufacturing is being re-shored to the United States, ISO 9001 registration matters more than ever. Registration to ISO 9001 is worth it if it brings a clear ROI, such as cash in the bank in the form of cost savings or revenue increases. The answer lies in understanding the ROI that comes from building a strong QMS based on ISO 9001 or other relevant industry-specific standards such as AS9100.

There is no free lunch. In other words, there are costs associated with ISO 9001 registration. Therefore, manufacturers should budget for:

  • Consulting and training. Staff must be prepared to align processes with the requirements of ISO 9001.
  • System development. This may include documenting procedures, implementing software, and updating workflows.
  • Certification audits. Certification bodies (CBs) require fees for initial certification and surveillance audits.
  • Time and resources. These may include employee hours spent on training, process improvements, and audits.

Costs vary depending on company size and can run from tens of thousands of dollars for small factories to much more for large, multi-site operations. The good news is that the benefits of working systematically using a process-based management system (as per clause 4.4.1 of ISO 9001) drive the ROI as the system implementation reduces waste and other production inefficiencies.

Although there can be significant upfront costs, the benefits of ISO 9001 registration often compound over time. These can include operational efficiency with streamlined processes that reduce waste, downtime, and rework, leading directly to lower production costs. Customer confidence and market access improve as the manufacturer consistently produces conforming products and services. Many U.S. manufacturers find ISO 9001 and/or relevant industry-specific standards to be a “ticket to entry” for bidding on contracts, especially in sectors such as automotive, aerospace, and military/defense.

Reducing Risk

Documented processes and corrective action systems reduce the likelihood of costly failures or recalls. Employee engagement improves, resulting in highly motivated teams working within clearly defined roles. Appropriate training oriented toward competency (as seen in clause 7.2 of ISO 9001) reduces errors and boosts productivity. Continual improvement is an added benefit of ISO 9001 as the implementation of the standard promotes a culture of ongoing improvement, helping companies stay competitive in fast-changing markets.

The ROI of ISO 9001 registration can be assessed by comparing costs against measurable gains such as:

  • Reduced scrap/rework = cost savings
  • Improved on-time delivery = fewer penalties and more repeat orders
  • Access to new markets/contracts = increased revenue
  • Enhanced reputation = long-term customer retention

Example: If a manufacturer spends $50,000 on registration but reduces rework costs by $80,000 and gains $200,000 in new contracts, the ROI is clear and compelling.

Then there is the real-world impact. Studies consistently show that manufacturers achieving ISO 9001 registration experience:

  • 5–15% cost savings from efficiency gains
  • Revenue growth due to market access
  • Improved customer satisfaction scores, leading to stronger long-term partnerships

Final Thoughts

Initially, ISO 9001 registration may seem like a simple expense. But when viewed as an investment, the ROI to be found in ISO 9001 registration becomes clear. It brings improved efficiency, stronger customer trust, and measurable financial gains. For U.S. manufacturers competing in global markets, the payoff often far outweighs the cost.

The above article was recently published in an Exemplar Global publication ‘The Auditor’.

About the Author

This article was written by Inderjit “IJ” Arora, Chairman, Board of Directors at QMII. With more than 30 years’ experience spanning military service, merchant marine and civilian industries, he is an Exemplar Global-certified lead auditor and member of the U.S. TAG to ISO/TC 176 (the ISO 9000 family of standards). IJ holds an MBA from The College of William & Mary and an MSc in Defense Studies, and he brings a unique leadership and crisis-management background into quality systems consulting. He specialises in transforming management-system certification into a strategic advantage for organisations.

Integrating Standards for Safe Nuclear Expansion

-by Dr. IJ Arora

As nuclear energy regains attention as a low-carbon solution, organizations developing these energy sources need to consider a systems approach to the safe launch and growth of facilities. Once considered a great alternative to gasoline and coal, the nuclear energy industry’s growth was negatively affected by incidents like those at Chernobyl and Three Mile Island.

In this short article, I will attempt to convey that customer focus (clause 5.1.2 of ISO 9001:2015) is best ensured by proactive, not reactive, measures. This can be achieved through appreciating hazards, converting them to risks, prioritizing them, and planning the management system to achieve desired objectives.

Having served on a nuclear submarine and been on board when a nuclear accident took place, I know the pros and cons of this energy source. However, the world has changed since these tragic incidents and now there are advancements in not only nuclear technology but also in the management of nuclear facilities. ISO 19443:2018 is a quality management system (QMS) standard built on the foundation of ISO 9001, but which is specific to the management of nuclear facilities. For those in the United States, ASME offers the NQA-1:2024 standard, which is similarly dedicated to the nuclear industry.

Nuclear energy is perhaps an answer to the world’s power requirements. The demand for electricity is growing by the day with the extensive use of artificial intelligence and large data centers. A systems approach to management of this industry gives the world the best chance to appreciate risks systematically and plan for consequences proactively.

Grave negative effects on safety, security, health, and the environment are all likely consequences if a nuclear mishap takes place once again. Although the primary objective of a QMS is to get the desired output, it should not be at the cost of these potential harms.

The Three Mile Island facility is in the news once again for re-opening ahead of schedule. For those who do not remember, on March 28, 1979, a partial meltdown occurred at the Unit 2 reactor outside of Harrisburg, Pennsylvania. Environmental impacts included the release of radioactive gases into the atmosphere (albeit in limited amounts), long-term challenges in radioactive waste storage, and site contamination. Additionally, there were psychological and social effects that caused a loss of public trust in the nuclear energy industry.

As discussions emerge about reopening the Three Mile Island facility (now scheduled by 2027), evaluating its environmental effects through the lens of the ISO 14001:2015 environmental management system (EMS) is both prudent and proactive. Therefore, in the following section, I will outline the relevant applicable clauses from ISO 14001:2015.

Applicability of ISO 14001:2015 to a nuclear facility

Clauses 4.1 and 4.2, “Context of the Organization” and “Needs and Expectations of Interested Parties”

Nuclear facilities would benefit from considering:

  • Historical context (e.g., past accidents and public concern)
  • Stakeholders such as regulatory bodies, local communities, and environmental NGOs
  • Emerging media reports and public opposition or support as environmental risk indicators

Clause 6.1, “Actions to Address Risks and Opportunities related to Significant Environmental Aspects”

Considering a lifecycle approach, a reopened nuclear plant must assess:

  • Emissions of ionizing radiation
  • Spent fuel storage and long-term waste management
  • Thermal pollution from coolant discharge
  • Accident and emergency scenarios
  • And other significant environmental aspects requiring control measures and documentation

Clause 6.1.3, “Compliance Obligations”

This subclause involves alignment with:

  • Nuclear Regulatory Commission (NRC) rules
  • EPA guidelines on radiological impacts
  • International agreements on nuclear safety and waste

Clause 6.1.4, “Planning Action”

The plant must establish plans to:

  • Prevent recurrence of accidents like those of March 28, 1979
  • Contain and manage radioactive leaks
  • Mitigate environmental risks in both normal and abnormal operating conditions

Clause 8.2, “Emergency Preparedness and Response”

This subclause includes details critical for a nuclear facility and requires:

  • Detailed emergency response procedures for nuclear accidents
  • Training for first responders and public communication plans
  • Coordination with local and federal emergency management agencies

Clause 9.1.1, “Monitoring, Measurement, Analysis, and Evaluation”

To meet the requirements of this subclause, facilities must continuously monitor:

  • Radiation levels in air, water, and soil
  • Effectiveness of containment systems
  • Compliance with regulatory thresholds

Clause 10.1, “Nonconformity and Corrective Action”

This subclause would require that:

  • Any incident or near-miss triggers a formal investigation
  • Lessons learned are captured from:
    • The March 28, 1979 event itself
    • Any deviations during recommissioning or startup

A system approach to nuclear facility management

The opening (or, in this case, reopening) of a nuclear facility offers an opportunity to integrate modern management system practices with lessons learned from the past. ISO 19443:2018 and ISO 14001:2015 provide a structured framework to manage the needs of nuclear operations as well as public environmental concerns.

During my time consulting for numerous industries, I have found a strengths, weaknesses, opportunities, and threats (SWOT) analysis to be a very useful tool—especially the weaknesses and threats that help identify risks. A detailed SWOT analysis for the Three Mile Island facility might provide the following inputs as an example:

Technical and operational risks: aging infrastructure

  • Although it was not the site of the 1979 meltdown, Unit 1 is more than 50 years old.
  • Restarting involves complex retrofits, control system upgrades, and re-licensing—all of which require time and precision.
  • Rushing these checks might lead to overlooked fatigue, corrosion, or component failures.

Human factors

  • Post-incident, nuclear workforce training and institutional memory may be weak.
  • Skilled nuclear operators must be retrained or recruited, and hasty onboarding increases the chance of human error—a factor in many historical nuclear mishaps.

Environmental risks: radioactive emissions and waste

  • Restarting means handling spent fuel, coolant systems, and storage pools.
  • Hurrying these operations could lead to:
    • Leaks during fuel handling or containment failures
    • Inadequate radioactive waste protocols

Ecosystem disruption

  • Cooling systems may discharge thermal pollution into nearby rivers.
  • Emergency preparedness might not be fully revalidated for post-reopening conditions.

Better alternatives to a rushed restart

Although early reopening offers incentives like energy security, carbon reduction, and economic revival, these gains are precariously balanced against high-impact risks that could derail long-term viability. The strengths and opportunities may only be fully realized with a controlled, phased, and transparent approach, not through acceleration that bypasses environmental, technical, and social due diligence.

As such, organizations pursuing the development of nuclear energy plants must consider:

  • Phased reopening with public oversight
  • Third-party safety audits after at least two cycles of internal audits post implementation of the management system
  • Full-scale emergency drills and community outreach prior to operation
  • Independent environmental impact assessments (EIA)

Conclusion

The benefits of a fast reopening exist; however, the risks far outweigh short-term gains unless stringent safety, regulatory, and public engagement protocols are followed. Strategic value lies in measured and transparent activation/reactivation, not haste. ISO 14001:2015, ISO 19443:2018, and ASME NQA-1:2024 provide the framework for an integrated management system.

In conclusion, I would say a good strategy to implement and to safely accelerate nuclear energy deployment must include the adoption of a management system. ISO 14001:2015 ensures environmental responsibility and community accountability; ISO 19443:2018 drives quality, culture, and nuclear-supplier discipline; and ASME NQA-1:2024 enforces technical rigor and traceable QA processes. Together, these standards offer a comprehensive, risk-based, and stakeholder-aligned approach.

Rushing implementation without such integration would leave critical blind spots. An integrated implementation roadmap including these standards could guide the strategic and operational implementation in support of safe, controlled nuclear energy expansion.

The article was recently published in “The Auditor”, an Exemplar Global publication.

Types of Challenging Auditees – and How to Engage Them Effectively

– by Julius DeSilva

In every audit, auditors will encounter a diverse range of personalities—some cooperative, others a bit more complex. Understanding and managing these interactions is a core skill, particularly when auditees inadvertently—or intentionally—create barriers to transparency. Here are the most common types of challenging auditees, and expanded strategies on how to engage them effectively.

1. The One Word Wonder

Characteristics:

  • Offers short, clipped answers.
  • Rarely expands on details unless specifically asked.
  • May be uncomfortable, anxious, or disengaged.

Enhanced Strategies:

  • Build rapport early: Start with informal, low-stakes conversation before diving into audit questions. A simple “How long have you been with the company?” can ease tension.
  • Use layered questioning: Follow up “Yes/No” questions with: “Can you walk me through how that works?” or “What happens next?”
  • Prompt with context: “When I reviewed the procedure, it mentioned X—how is that handled in your area?”
  • Be patient and unhurried: Silence is a tool. After a question, wait calmly. Many reserved auditees will fill the silence with additional information if not interrupted.

2. The Egoist

Characteristics:

  • Seeks to dominate the conversation.
  • May condescend or subtly undermine the auditor’s authority.
  • Talks more about theory than actual practice.

Enhanced Strategies:

  • Acknowledge their expertise: Use phrases like “You clearly have deep experience in this process” to soften defensiveness.
  • Redirect focus to conformity: “That’s a great point. Let’s tie it back to what the standard requires and how your team demonstrates that.”
  • Anchor with facts: Use documentation and objective evidence as neutral ground—“Let’s take a look at the latest calibration log to verify that.”
  • Avoid debates: Don’t match ego with ego. Instead, maintain a calm, confident presence grounded in your role and purpose.

3. The Perfectionist

Characteristics:

  • Presents carefully curated documents.
  • May try to steer you away from real-time observations.
  • Views any finding as a personal failure.

Enhanced Strategies:

  • Normalize findings: “It’s common for systems to evolve, and audits are a way to support that continuous improvement.”
  • Use the PDCA approach: Frame observations as part of the cycle—“This finding shows an opportunity to adjust and refine the process.”
  • Request real-time demonstrations: Ask to observe actual practices in the workplace—not just documentation—to validate implementation.
  • Showcase positive practices: Where applicable, cite strengths during the audit to balance critique and support their desire for excellence.

4. The Over-Talker

Characteristics:

  • Provides excessive detail, often going off-topic.
  • Turns simple answers into storytelling sessions.
  • May genuinely enjoy the audit—or be trying to obscure weak spots.

Enhanced Strategies:

  • Set time expectations upfront: “We’ve got 30 minutes scheduled to cover this section, so let’s focus on the core areas first.”
  • Use summary statements: “So, to confirm, your process begins with A, goes through B, and ends at C—is that correct?”
  • Politely interrupt: “Sorry to cut in—I just want to make sure we stay on track. Can you show me the documentation for that step?”
  • Assign structure: Give the auditee a format to follow. “Can you explain this in three steps—input, action, output?”

5. The Ghost

Characteristics:

  • Avoids being present.
  • Pushes responsibility to others.
  • Responds only under pressure.

Enhanced Strategies:

  • Secure buy-in from leadership: During opening meetings, confirm auditee availability and responsibilities with senior management.
  • Use formal scheduling tools: Calendar invites, email confirmations, and audit plans in writing create accountability.
  • Document delays diplomatically: If access is denied or delayed, note this in the audit record professionally.
  • Adapt and improvise: Shift to records review or interview other personnel if the primary auditee is unavailable. Highlight systemic access issues in findings if applicable.

6. The Nervous Novice

Characteristics:

  • Easily flustered.
  • May fear saying the “wrong thing.”
  • Often new to audits or in a junior role.

Enhanced Strategies:

  • Create a low-pressure environment: Explain that the audit is not a test of their personal performance.
  • Break questions down: Instead of asking “How does your process ensure compliance with Clause 8.5.1?”, ask “What’s the first step you take when starting this task?”
  • Avoid audit jargon: Use plain language, e.g., “How do you make sure things are done the right way every time?”
  • Reassure through transparency: Let them know what you’ll be asking and why. “Next, I’d like to look at how you manage incoming materials—is that okay?”

Final Thoughts: Mastering the Human Element of Auditing

At its core, auditing is not just about finding nonconformities—it’s about understanding how people interact with systems. Every auditee, no matter how challenging, offers insight into how the organization truly functions. As auditors, our role is not to judge personalities but to uncover evidence that reflects the effectiveness of processes. This requires patience, emotional intelligence, and a steady commitment to impartiality.

By adapting our approach to the individual while remaining anchored in the audit objectives, we build credibility and foster cooperation—even in the most resistant environments. Ultimately, the success of an audit is measured not only in findings, but in the quality of the dialogue, the clarity of the evidence, and the positive influence it has on continual improvement. A skilled auditor doesn’t just complete a checklist—they leave behind a stronger, more self-aware organization.

The article was recently published in “The Auditor,” an Exemplar Global publication.

What Is Risk-Based Thinking in ISO Standards?

Over the past two decades of working closely with clients in both the manufacturing and service sectors, I’ve witnessed firsthand the transformation that occurs when organizations stop treating compliance as a checklist exercise and start thinking in terms of risk and opportunity. With the 2015 revisions to many ISO standards, particularly ISO 9001, we saw a deliberate shift away from siloed “preventive actions” toward an integrated, strategic approach known as Risk-Based Thinking (RBT). 

This wasn’t just a semantic change. It marked a cultural evolution, an acknowledgment that uncertainty is inherent in every business process, and that success belongs to those who plan for it, not those who simply react to it. RBT has empowered organizations to navigate complexity with greater confidence, embedding foresight into their planning and decision-making at all levels. 

In this article, I’ll draw from real-world consulting experiences across diverse industries to demystify Risk-Based Thinking. We’ll explore what it really means, why it matters, how it supports proactive leadership, and what tools you can use to bring it to life within your own management system. Whether you’re guiding a mature enterprise or a fast-scaling startup, the principles of RBT are not only practical, but they’re also essential.

What Is Risk-Based Thinking (RBT)?

Risk-Based Thinking (RBT) is the proactive approach embedded in ISO standards like ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018. Rather than treating risk as a separate component, RBT integrates it into every facet of an organization’s management system. This shift moves organizations from a reactive stance to a proactive culture, where potential issues are anticipated and addressed before they escalate. 

In my consulting journey, I’ve observed that organizations embracing RBT don’t just prevent problems; they identify opportunities for improvement and innovation. For instance, a manufacturing client leveraged RBT to streamline their supply chain, resulting in reduced lead times and increased customer satisfaction.

How Risk-Based Thinking Supports Proactive Decision-Making:

  • Identifying Potential Risks and Opportunities: By assessing both internal and external factors, organizations can foresee strategic and operational challenges and capitalize on opportunities. 
  • Integrating Risk Assessment into Planning: This ensures that objectives are achievable, and resources are allocated effectively. 
  • Enhancing Stakeholder Confidence: Demonstrating a proactive approach to risk management builds trust among customers, suppliers, and regulators.

A service industry client I worked with implemented RBT in their project management processes. This led to improved project delivery times and a significant reduction in unforeseen issues.

Key Objectives of Risk-Based Thinking:

The primary goals of RBT include: 

  • Enhancing Organizational Resilience: By anticipating potential disruptions, organizations can develop contingency plans. 
  • Promoting Continuous Improvement: Regular risk assessments lead to ongoing enhancements in processes and systems. 
  • Aligning Risk Management with Strategic Objectives: Ensuring that risk considerations are integral to achieving business goals. Read clause 6.1, which is connected to clause 4.1, per the ISO harmonized structure. 
  • Fostering a Culture of Risk Awareness: Encouraging employees at all levels to consider risk in their daily activities. Clause 7.3 drives awareness among employees of how they can contribute to the system.

Practical Application of Risk-Based Thinking:

Implementing RBT involves: 

  1. Contextual Analysis: Understanding the organization’s internal and external environment. 
  2. Risk Identification: Recognizing potential events that could impact objectives. 
  3. Risk Assessment: Evaluating the likelihood and impact of identified risks. 
  4. Risk Treatment: Determining appropriate actions to mitigate or capitalize on risks. 
  5. Monitoring and Review: Continuously tracking risk factors and adjusting strategies accordingly.

Comparison: Preventive Action (Old) vs. RBT (New):

Previously, ISO standards emphasized preventive actions as separate clauses. However, this often led to a checkbox mentality, where organizations implemented measures without truly integrating them into their processes. 

With RBT: 

  • Integration: Risk considerations are embedded throughout the management system. 
  • Proactivity: Organizations anticipate and address potential issues before they occur. 
  • Flexibility: RBT allows for tailored approaches based on the organization’s specific context. 

This evolution encourages a more dynamic and effective approach to risk management. 

Tools & Techniques to Support Risk-Based Thinking:

1. SWOT Analysis (Strengths, Weaknesses, Opportunities, Threats) 

Use: SWOT analysis helps organizations evaluate their internal strengths and weaknesses, alongside external opportunities and threats. It’s particularly useful during strategic planning sessions or when entering new markets or launching new products. 

When to Use: Early in the business planning process or during the review of the organization’s context. 

Clause Alignment: ISO 9001:2015 – Clause 4.1 (Understanding the organization and its context) and Clause 6.1 (Actions to address risks and opportunities). This tool ensures that strategy and quality objectives are grounded in a realistic assessment of the internal and external environment. 

2. Failure Mode and Effects Analysis (FMEA) 

Use: FMEA systematically evaluates potential failure points in a product, process, or system and ranks them by severity, occurrence, and detection. It’s widely used in manufacturing, healthcare, and aerospace sectors. 

When to Use: During product design, process development, or when implementing changes that could introduce new risks. 

Clause Alignment: ISO 9001:2015 – Clause 8.3 (Design and development of products and services) and Clauses 6.1 and 8.1. It supports risk-based planning and preventive strategies by analyzing “what could go wrong” and mitigating those risks before implementation. 

3. Risk Registers 

Use: A risk register is a living document that captures identified risks, assesses their likelihood and impact, and outlines mitigation actions and responsible parties. It provides transparency and traceability for risk management activities. 

When to Use: Continuously throughout project lifecycles or operational management, especially in industries like construction, logistics, or IT. 

Clause Alignment: ISO 9001:2015 – Clause 6.1 and Clause 9.1 (Monitoring, measurement, analysis and evaluation). It helps document ongoing risk review processes and links actions to strategic and operational plans. While not a requirement, it is beneficial. 

4. Root Cause Analysis (RCA) 

Use: RCA investigates underlying causes of nonconformities, defects, or failures to prevent recurrence rather than just treating symptoms. It’s a staple in corrective action processes. 

When to Use: After incidents, near misses, or nonconformities—often triggered by audit findings or customer complaints. 

Clause Alignment: ISO 9001:2015 – Clause 10.2 (Nonconformity and corrective action). It supports continual improvement by ensuring lessons are learned and corrective actions address the source of problems. 

5. ISO/IEC 31010 – Risk Assessment Techniques 

Use: This standard outlines a variety of risk assessment tools including brainstorming, checklists, fault tree analysis, and bowtie analysis. It offers structured approaches tailored to industry-specific needs. 

When to Use: Depending on organizational maturity, criticality of operations, or regulatory environment. 

Clause Alignment: Supports ISO 9001:2015 – Clause 6.1, as well as clauses in ISO 14001 and ISO 45001 related to risk and opportunity planning. This framework provides flexibility for choosing appropriate methods suited to specific organizational risks. 

These tools, when chosen and applied correctly, don’t just satisfy audit checklists; they cultivate a culture of resilience and foresight. Over the years, I’ve seen organizations evolve by not just using these techniques mechanically, but integrating them into daily decision-making, making risk-based thinking a true operational philosophy rather than a compliance exercise. 

About the Author

Dr. Julius is a Senior Consultant at QMII with over 25 years of experience in ISO and aerospace quality systems. He has trained and guided hundreds of U.S. defense contractors on AS9100 and compliance, turning certification into a competitive advantage.

Top 10 Common ISO Audit Findings and How to Avoid Them

Importance of Being Audit-Ready:

Audits serve a critical role in verifying that an organization’s processes are aligned with established standards and functioning as intended. Far from being a punitive exercise, audits offer valuable insight into the strengths and weaknesses of a management system.

In my three decades of working with organizations across industries, one universal truth remains: an audit is not a surprise inspection; it’s a mirror. It reflects your organization’s systems, leadership engagement, and cultural commitment to quality and improvement. 

However, many organizations approach audits reactively, preparing only when one is imminent. This mindset often leads to unnecessary stress, inefficiencies, and missed opportunities for improvement. Being audit-ready means that compliance and performance monitoring are built into everyday operations, not treated as one-time events.

When an organization maintains a state of readiness, it reflects a culture of discipline, transparency, and continual improvement. Employees are aware of their responsibilities and of their processes, documentation is up-to-date, and leadership is engaged in the oversight of the system. This proactive approach not only supports successful audit outcomes but also enhances organizational resilience, stakeholder trust, and long-term sustainability.

Understanding ISO Audit Findings: What They Are and Why They Matter:

ISO audit findings are the documented results of an audit. Specifically, they identify areas where an organization’s management system either conforms to or deviates from the requirements of the ISO standard being audited. Findings can range from conformities, to observations (areas for potential improvement), to nonconformities, which indicate a failure to meet a specific requirement.

Audit findings are like diagnostic tools. Much like a physician’s report, they highlight where systems are healthy and where they need attention. Nonconformities, in particular, require careful attention. They are typically classified as minor or major. Left unaddressed, even minor nonconformities can escalate and lead to reputational damage, customer dissatisfaction, or even loss of certification.

In essence, audit findings are not setbacks; they are stepping stones toward improvement.

1. Poor Document Control

Uncontrolled, outdated, or missing documents can quickly lead to findings. Document control is critical for ensuring staff use the correct and current information. Organizations can avoid this ISO audit finding by implementing version control, limiting access to documentation, voiding printed copies of documentation, training employees on document management, and regularly reviewing and updating procedures.

2. Incomplete or Missing Records

Auditors expect to see evidence that procedures are being followed. If records are absent, it creates doubt about system effectiveness. Was the work really done? Further, incomplete records cannot evidence whether a process step was followed as required by the procedure.

Organizations can avoid this ISO audit finding by automating recordkeeping, performing regular record audits, raising employee awareness, and assigning clear ownership for maintaining records.

3. Lack of Management Review

Without regular management reviews, there’s no top-level oversight of the system’s performance and alignment with strategic goals. Clause 9.3 of the ISO standards requires these reviews to be done at planned intervals. In some cases, the organization can evidence the inputs provided to management, but the outputs (decisions and actions) are not recorded.

Organizations can avoid this ISO audit finding by scheduling periodic reviews, using metrics to guide discussions, making sure leadership participates, and documenting decisions and follow-up actions.

4. Ineffective Internal Audits

Weak internal audits fail to uncover problems and leave issues for external auditors to find. This can be caused by poorly trained or unqualified auditors, poor audit planning, the use of ‘canned’ checklists, and a fear of audits and nonconformities that causes personnel to hide issues.

Organizations can avoid this ISO audit finding by having auditors trained by recognized training providers such as QMII, auditing processes and not just documents, and closing out internal audit findings promptly.

5. Unclear Roles and Responsibilities

When staff are unsure of their responsibilities, process gaps and accountability issues arise. In companies I have worked with, confusion sometimes arises because it is not clear which operator will conduct a task when all of them have the same job description. 

Organizations can avoid this ISO audit finding by defining roles and responsibilities in a RACI matrix or in the documented procedure, communicating changes clearly, and verifying understanding during onboarding and training.

6. Non-Conformance Not Properly Addressed

Failure to analyze root causes or verify corrective actions can lead to repeat findings. A common cause of this may be a poorly written nonconformity statement, as well as a lack of structured root cause analysis training.

Organizations can avoid this ISO audit finding by following a structured corrective action process, using tools like 5 Whys or Fishbone diagrams, and reviewing the effectiveness of corrections.

7. Lack of Risk-Based Thinking

ISO standards expect organizations to identify and manage risks proactively. Many still rely too heavily on reactive approaches. In some cases, risks are known but are not passed up the chain because no structure exists for this to occur. Organizations can avoid this ISO audit finding by including risk assessments in the planning phase, training staff on risk identification, and maintaining a risk register that is updated on a regular basis. 

8. Insufficient Training or Competence

Staff who aren’t trained properly or lack required skills pose a compliance risk. Organizations can avoid this ISO audit finding by developing and using a skills matrix, providing refresher training, and linking training to performance reviews. Once training is complete, organizations must have a process to verify that the training resulted in competence. 

9. Failure to Meet Customer or Regulatory Requirements

Not understanding or failing to meet these requirements can lead to major nonconformities. This occurs when organizations do not have a robust process for determining new requirements that may impact them and for planning ahead to mitigate the associated risks. 

Organizations can avoid this ISO audit finding by reviewing customer contracts and regulations, staying updated on evolving regulations, conducting compliance checks, and keeping requirements visible to relevant teams.

10. Lack of Continual Improvement Evidence

Without records of improvement, your ISO system can appear stagnant and ineffective. Organizations can demonstrate to auditors that they meet the intent of continual improvement by trending and tracking KPIs, logging and reviewing improvement initiatives, and recognizing and rewarding improvements.
