The Process Approach and Risk-Based Thinking

Two Pillars, One QMS

ISO 9001:2015 is built on two distinct but interrelated methodological pillars: the process approach and risk-based thinking. The process approach organizes the QMS as a set of interrelated processes. Risk-based thinking is the discipline of identifying what could go wrong in each process and designing controls to prevent failure. Together, these two pillars create a QMS that is both systematic and preventive.

In the 2008 version of ISO 9001, the standard included a requirement for formal preventive action — planned actions to eliminate the cause of potential nonconformities. ISO 9001:2015 replaced the preventive action requirement with risk-based thinking, embedding risk awareness into every aspect of the QMS rather than isolating it in a separate preventive action system.


The Process Approach: Foundations

ISO 9001:2015 Annex A.4 provides the definitive description of the process approach. The process approach views the organization as a system of interrelated processes. Each process has inputs (materials, information, or services provided by a supplier), outputs (products, services, or information delivered to a customer), controls (procedures, criteria, and oversight that ensure the process produces the correct output), and resources (people, equipment, infrastructure, and methods).

Managing by process rather than by function produces more consistent outcomes. In a functional organization, each department pursues its own objectives — the sales department aims to close deals, the design department aims to complete drawings, the production department aims to maximize output. This can create conflicts where the sales department commits to features the design department cannot deliver, or the design department creates designs that the production department cannot manufacture reliably. Process management breaks down these silos by defining end-to-end processes that traverse functions and assigning process ownership to individuals who are accountable for consistent performance across the entire process.


Identifying and Mapping QMS Processes

The organization's QMS includes three categories of processes: core processes (that directly produce products or services for customers), support processes (that enable core processes but do not directly produce customer output), and management processes (that govern the QMS itself).

| Process Category | Examples | Key Inputs | Key Outputs | Quality Impact |
|---|---|---|---|---|
| Core Process | Sales → Design → Production → Delivery → Support | Customer requirements; materials; specifications | Conforming products/services delivered to customers | Direct |
| Support Process | Human Resources, IT, Finance, Facilities | Business requirements; policies; budgets | Enabled core processes; trained staff; working infrastructure | Enabling |
| Management Process | Planning, audit, management review, improvement | QMS performance data; nonconformity reports; risk assessments | Decisions, objectives, improvement initiatives | Governing |

For a manufacturer, core processes might be: Requirements Review → Design → Procurement → Production → Quality Inspection → Delivery → Customer Support. For a service organization, core processes might be: Lead Generation → Customer Qualification → Service Design → Service Delivery → Customer Satisfaction Measurement. Every organization's process map is unique because it reflects the organization's specific business model.


The Turtle Diagram: A Process Documentation Tool

The turtle diagram is the standard tool for documenting QMS processes in a way that ISO 9001 auditors recognize and expect. The turtle captures seven dimensions of a process:

1. Inputs — materials, information, or services that flow into the process

2. Outputs — products, services, or information that flow out of the process

3. Process Steps — the sequence of activities that transform inputs into outputs

4. People & Competence — who performs the process and what competence they require

5. Resources & Infrastructure — equipment, tools, facilities, and technology required

6. Procedures & Controls — documented procedures, criteria, and decision rules that govern the process

7. Performance Indicators (KPIs) — metrics that measure whether the process is performing as intended

A well-designed turtle diagram allows an ISO 9001 auditor to understand the entire process in a single view and identify what controls should exist to ensure quality. Many organizations find that the effort to create turtle diagrams forces clarity on processes that were previously informal or poorly understood.


Process Interaction and the Process Map

No QMS process operates in isolation. Each process produces an output that becomes the input to the next process. The process map documents how processes connect and interact. Process interaction points are quality risk points. If Process A produces defective output, that defective output will flow into Process B and either cause a defect in the final product or require expensive rework.

Understanding process interaction is essential for identifying where controls are needed. A common mistake is over-controlling the final inspection process while under-controlling upstream processes. If defects are created by poor supplier inputs or inadequate production control, no amount of final inspection can prevent defects from reaching the customer. The solution is to move control upstream, closer to where the problem originates.

Clause 4.4.2 requires the organization to maintain documented information describing the processes and their interaction. This is typically documented in a process map or process interaction matrix that shows each process and how it connects to others.


Risk-Based Thinking: What It Is and Isn't

Risk-based thinking is often misunderstood as requiring a formal risk management system or risk register. In the context of ISO 9001:2015, risk-based thinking is not a separate system — it is a mindset applied throughout the QMS. The question for every process is: What could go wrong that would result in a nonconformity, and how do we prevent it?

Risk-based thinking is distinct from ISO 31000 (Risk Management), which is a comprehensive framework for identifying, analyzing, and treating organizational risks across all categories. Risk-based thinking in ISO 9001 is narrower and process-focused: it is the integration of risk thinking into the design and control of processes that produce products and services.

In the 2008 version, the standard included "preventive action" as a separate requirement — if you identified a potential failure mode, you were supposed to take planned action to prevent it. In 2015, this was replaced with risk-based thinking embedded throughout. Every process design decision, every control specification, every monitoring procedure should be informed by risk thinking: what is the failure mode, how likely is it, how severe would it be, and what control prevents or mitigates it?


Applying Risk-Based Thinking to QMS Processes

Risk-based thinking is applied throughout the QMS. In design processes, the risk is that an unvalidated design is released to production, creating systematic defects. The control is design review gates where the design must be reviewed against input requirements before release. In supplier management, the risk is that non-conforming materials are used in production. The control is incoming inspection or supplier qualification and performance monitoring.

| Process | Example Risk | Risk-Based Control | ISO 9001 Clause |
|---|---|---|---|
| Customer requirements review | Misunderstanding customer specification; conflicting requirements not identified | Structured requirements review checklist; confirmation sign-off | 8.2.3 |
| Design and development | Unvalidated design released to production; design fails in customer use | Design review gates; design verification and validation procedures | 8.3 |
| Supplier management | Non-conforming input material used in production without detection | Incoming inspection; approved supplier list; supplier performance monitoring | 8.4 |
| Production control | Variation in process parameters causing systematic nonconformance | Process control procedures; in-process monitoring; statistical control charts | 8.5.1 |
| Nonconforming output | Defective product reaches customer; warranty claims and reputation damage | Inspection at release; hold-on-inspection; customer notification procedure | 8.7 |

KEY IDEA: Risk-based thinking in ISO 9001:2015 is not a separate risk management system — it is a mindset applied throughout the QMS. The question for every process is: what could go wrong that would cause a nonconformity, and how do we prevent it? This thinking is embedded in process design, controls, monitoring, and improvement.

IMPORTANT: The process approach requires organizations to identify process owners — someone who is accountable for the performance of each QMS process. Without named process owners, process performance monitoring becomes unaccountable and process improvement stalls. This is one of the most common root causes of QMS degradation between certification audits.

BITLION INSIGHT: Indonesian organizations frequently underestimate the effort required to genuinely implement the process approach. Mapping processes, assigning owners, defining KPIs, and building performance monitoring for every QMS process is significant work. The payoff — consistent, measurable quality outcomes — justifies the investment, but organizations should plan for 3–4 months of process mapping and documentation work before beginning QMS documentation.