Back to Learning Resources

Preventive Action or Managing Risk

Preventive actions are pro-active - you take action to stop something from happening. This is also called addressing risk.


Preventive actions are pro-active - something could go wrong and these are actions taken to stop it from happening, or to stop it from becoming too severe.

If something has already gone wrong, it is a non-conformance that is addressed with corrective actions.

ISO 9001:2015 has no clause referring to 'preventive action'. Instead, the concept is embedded in 'risk-based thinking' that is part of your planning processes to address risks and opportunities (clause 6.1).

In order to identify risks that need preventive action, adequate monitoring and controls must be in place in the quality system to assure that potential problems are identified and addressed before they happen. The same monitoring and review processes can be used to identify an opportunity and plan actions to ensure it does happen.

You can identify risks and opportunities in a number of ways:

  • Through the management review process
  • Process / performance monitoring
  • Analysis of warranty data and customer feedback for trends
  • Process analysis
  • Look for trends in the root causes of corrective actions
  • Risk assessment, FMEA - Failure Mode Effects Analysis
  • Employee suggestions for improvement
  • Contingency planning, Disaster recovery planning
  • Production planning
  • Monitoring changes in legislation, regulations
  • Reviewing changes in the marketplace
  • Assessing new technology
  • Internal / External Quality Audit Findings
  • Employee Observation

Once you've identified a potential source of problems and the possible effects, you need to assess how likely it is to happen, and whether the costs associated with reducing the risk are worth it. This is effectively risk-management.

If you are documenting a Preventive Action or 'Managing Risk' procedure, you should include information on:

  • How you identify a potential problem
  • Where and how it should be recorded
  • how the potential causes should be investigated, and by who
  • deciding on what action will be taken
  • how to record the actions taken
  • assessing the solution for effectiveness and documenting the evidence to support your decision.
  • when and who can finally close the issue

Although there's no explicit requirement to keep records under ISO 9001:2015 clause 6.1, you might decide that you ought to based on clause "4.4 QMS and its processes", which states that you should 'retain documented information' ... 'to the extent necessary' 'have confidence that the processes are being carried out as planned'.

The records you keep on actions taken provide evidence that an effective quality system has been implemented and that it is able to anticipate, identify and eliminate potential problems.

If you decide to do nothing in response to an identified risk, be sure to document the reasons behind the decision.

You can document Risks and their controls in Toolbox under the 'Risks' module. You could also record them as an Issue in the 'Issues' module. Our user guide has more information on how Toolbox helps you manage various kinds of issues, and how to manage risk assessments.

Get started today

Book a guided tour of Toolbox, one-on-one via Zoom