Where Is Preventive Action?

Prevention emphasized through risk-based thinking

by John E. "Jack" West and Charles A. Cianfrani

Clause 6.1 of ISO 9001:2015 contains new requirements that direct the organization to consider risks when planning its quality management system (QMS). It also requires that the actions taken to address risks shall be proportionate to the potential impact on the conformity of products and services. In addition, the organization is required to consider how to evaluate the effectiveness of the actions it plans to take to address risks.

Previous versions of ISO 9001 included requirements for correction, corrective action and preventive action. Correction and corrective action are still required in ISO 9001:2015, but there is no longer a separately stated requirement for preventive action anywhere in clauses 4 to 10. And, while ISO 9001:2008 didn’t mention risk, the 2015 version mentions risk in various forms and contexts about 16 times in clauses 4 to 10.

What does this change in emphasis, wording and direction mean? It depends on your QMS’s content and how it was deployed. For some organizations, QMS changes won’t be required, but others will need changes or new processes.

Understanding key words

To help organizations determine how to ensure compliance with ISO 9001:2015, we’ll start by defining the key words and their meanings (see ISO 9000:2015):

  • Correction—action to eliminate a detected nonconformity.
  • Corrective action—action to eliminate the cause of a nonconformity and to prevent its recurrence.
  • Preventive action—action to eliminate the cause of a potential nonconformity or other potential undesirable situation.
  • Nonconformity—nonfulfillment of a requirement.
  • Risk—an effect of uncertainty. Note that six notes in ISO 9000 elaborate on this definition, including references to three ISO Guides and to the ISO/IEC Directives, Part 1.1

Correction and corrective action are still required in ISO 9001:2015 and are addressed in clauses 9 and 10. In simple terms, an organization is required to react to a nonconformity, take action to control and correct it, and deal with the consequences. Clause 9 (internal audit) also requires an organization to take appropriate correction and corrective actions without undue delay.

The organization also is required to evaluate the need for action to eliminate the cause(s) of the nonconformity so that it does not recur or occur elsewhere. To accomplish this, the organization must review and analyze the nonconformity, determine its causes, and determine whether similar nonconformities exist or whether conditions exist under which similar nonconformities could occur.

An organization also is required to implement any necessary action, review the effectiveness of corrective actions taken, update the risks and opportunities determined during planning if necessary, and make changes to its QMS if changes are necessary.

ISO 9001:2015 notes that corrective actions shall be appropriate to the effects of the nonconformities encountered.2

So far, the requirements are not much different from those in ISO 9001:2008.

The cloudy path to risk

In the development of ISO 9001:2015, preventive action was an area of concern. There was a belief that many organizations either did not understand the true concept of preventive action or chose a path of least resistance with regard to the processes that addressed this requirement. To resolve this, the writers of ISO 9001:2015 chose to use risk and risk-based thinking to encourage organizations to embrace planning and acting to prevent problems and potential nonconformities.

The standard’s writers had good intentions, but there has been considerable discussion about whether ISO 9001:2015 describes this requirement in a way that is more easily understood than the prior preventive action requirement. The need to conform to Annex SL of the ISO/IEC Directives, Part 1 (the common structure for management system standards) also influenced how the risk approach was ultimately expressed in ISO 9001:2015.

The path to achieving conformity may have become cloudy when it comes to the risk dimension. Clause 6.1 requires determining the risks and opportunities that must be addressed in planning an organization’s QMS to enable it to achieve intended results, prevent or reduce undesired effects, and achieve improvement.

Planning activities are required to address how to integrate the actions into a QMS and how to evaluate their effectiveness. Clause 6.1 also says that actions taken to address risks and opportunities shall be proportionate to their potential effect on conformity of products and services.

Addressing risk

Organizations can address the requirements of clause 6.1 related to determining risk in many different ways. In a previous column, we explained how these areas can be integrated into an overall QMS.3

An organization can define a process for conducting an external scan of the marketplace to evaluate possible opportunities (positive risks) and threats (negative risks). The opportunities and threats could arise from many sources, such as anticipated competitor activities, changes in technology or a potential disruption of the supply of purchased materials.

After positive or negative risks are identified, an organization can decide what, if anything, it should do to address them.

Positive risk

Some are asking what "positive risk" means. In the past, the standards world typically thought of risk in a negative light. Encouraging consideration of many types of risk is a new dimension included in ISO 9001:2015.

In place of the old preventive action requirement, which many organizations ignored or met by relabeling corrective actions, ISO 9001:2015 now requires organizations to consider risk and to incorporate into their QMSs the actions needed to address the risks they identify, if any.

The external scan described earlier is just one example of how to approach ISO 9001:2015’s risk requirements and to reconcile contemporary QMS activities with the processes deployed in the past to address preventive action.

Overcoming uncertainty

Going forward, complying with correction and corrective action will not pose a challenge to most organizations, but addressing risk may be trickier for many.

There can be no disagreement that uncertainty is a natural phenomenon that cannot be avoided and that there is no "opting out" of risk. Risk-based thinking is needed. Failing to deal systematically with the organization’s known uncertainties is not just foolhardy; it also leaves the organization prone to stumbling into situations that bring great difficulties, or to missing significant opportunities. The 2015 revision of ISO 9001 recognizes this reality.

In addition to establishing processes to assess threats and opportunities, another effective approach to identifying and prioritizing risks is to conduct a self-assessment. Assessments can be complex, using criteria such as those of the Malcolm Baldrige National Quality Award or the European Foundation for Quality Management (EFQM), or the guidelines for performing a self-assessment of a QMS.4

An assessment also can be simplified by using the seven quality management principles as a guide.5 It’s up to an organization to determine how detailed its analysis should be and the necessary follow-up action, monitoring and review.

Organizations may lack familiarity with ISO 9001:2015’s new concepts and perceive some requirements as being vague. These, however, are not excuses to ignore or be cavalier in addressing the requirements of clause 6 related to risk assessment.

Thoughtful integration of processes required to address clause 6’s requirements (and by reference, clause 4 as well) will broaden the scope, depth and strength of a QMS. It also will enhance alignment of quality management with an organization’s strategic and tactical objectives.

Does preventive action exist?

Once the requirements of clauses 4 and 6 are deployed, the reality is that the essence of preventing potential nonconformity has been strengthened, not removed, in the 2015 revision of ISO 9001. If risk is addressed with an open mind and creativity, it will be a vibrant process in the QMS with value-adding outputs. An additional benefit of sensitizing an entire organization to contemplating risk is better prioritization of projects and resource allocation, and a clearer understanding of overall objectives.

In the 2008 version of ISO 9001, preventive action was the last clause in the standard. In ISO 9001:2015, risk processes are emphasized as a key planning activity. In our current environment, accentuated attention to risk is critical to the success of any organization.


  1. International Organization for Standardization (ISO) and International Electrotechnical Commission, ISO/IEC Directives Part 1—Consolidated ISO Supplement—Procedures specific to ISO, sixth edition, 2015, http://tinyurl.com/directivespartone.
  2. ISO, ISO 9001:2015—Quality management systems—Requirements.
  3. John E. "Jack" West and Charles A. Cianfrani, "Systems That Go the Distance," Quality Progress, August 2015, pp. 54-57.
  4. U.S. Technical Advisory Group to ISO Technical Committee 176, ASQ Z1 TR1–2012: Guidelines for performing a self-assessment of a quality management system.
  5. ISO, Quality Management Principles, www.iso.org/iso/pub100080.pdf.

John E. "Jack" West is a member of Silver Fox Advisors in Houston. He is past chair of the U.S. Technical Advisory Group to the International Organization for Standardization Technical Committee 176 and lead delegate of the committee responsible for the ISO 9000 family of quality management system standards. He is an ASQ fellow and has co-authored several ASQ Quality Press books.

Charles A. Cianfrani is a principal consultant for Green Lane Quality Management Services in Green Lane, PA. An ASQ fellow, Cianfrani is a U.S. expert representative to ISO/TC 176 and has co-authored several ASQ Quality Press books. He holds an MBA from Drexel University in Philadelphia and a master’s degree in applied statistics from Villanova University in Pennsylvania.

While the article and the philosophy are sound, there are statements that are just simply incorrect.

"For correction, clause 9 also requires an organization to take appropriate correction without undue delay." First off, it is clause 10 which provides the guidance. Nowhere does the clause say "without undue delay". And there is not a documented definition of 'correction'.

One of the bad assumptions is this notion that preventive action and corrective action have to be separate. In deploying a corrective action, prevention can be addressed as well. In correcting the root cause, an organization could come up with a solution that prevents the issue from ever happening again.

--Joe, 02-01-2019

Our company is not currently ISO certified, but I would like to use the information in this article to drive correction and preventive action on supply chain issues in the company using the strong risk-based analysis approach advocated in the article. Are there any issues with using the article this way? I think this article is an outstanding accumulation of the quality-based thinking I've been exposed to through the ASQ over the last 20 years.
Thank you!
--Ed Gibeny, 10-07-2016
