Let me be blunt about what happened with risk-based thinking under ISO 9001:2015. It was the most important new concept in the revision, and it became the most widely ignored requirement in the history of the standard.

I have reviewed over 200 QMS implementations. In roughly 80% of them, the "risk-based thinking" evidence consisted of an Excel spreadsheet listing five to ten generic risks — "supplier delivery failure," "equipment breakdown," "key personnel departure" — with a color-coded column for likelihood and impact. The spreadsheet was created a week before the certification audit, presented to the auditor, and never opened again until the next surveillance audit. It was not risk management. It was risk theater.

ISO 9001:2026 tightens the screws. The new risk requirements close the gap between "you must think about risk" and "you must demonstrate that risk management is an active, integrated process." For quality leaders, this is not a minor documentation update. It is a structural change in how the standard expects you to operate.

What actually changed

From document to process. Under 2015, you could satisfy the risk requirement by producing a risk register. The register was a document. It existed. The auditor checked the box. Under 2026, risk management must be demonstrably active — meaning you must show the loop: risks identified, assessed, prioritized, acted upon, and reviewed for effectiveness. A static register is no longer sufficient evidence.

From generic to operational. The 2015 version was vague enough that generic risks satisfied the requirement. "Market competition" and "economic downturn" appeared in risk registers across every industry, in every country, regardless of whether they had any operational relevance. ISO 9001:2026 requires risks to be connected to specific processes, specific objectives, and specific decision points. You must show that risk assessment feeds into planning, resource allocation, and process design — not that it exists in a parallel spreadsheet universe.

From periodic to continuous. The new standard expects risk assessment to be triggered by events — internal audit findings, nonconformities, customer complaints, process changes, supplier changes — not just performed annually as a management review input. Risk must be reassessed when conditions change. If your process capability shifts, your risk profile shifts. If a supplier changes their process, your supply chain risk shifts. The standard now expects you to detect and respond to these shifts.

A risk register that has not been updated since the last audit is not risk management. It is evidence of negligence.

What real risk management looks like

I have operated risk-based quality systems in environments where the consequences of failure are measured in lives, not euros. Aerospace. EASA-regulated operations. The risk management approach I use is not theoretical — it is a daily operational discipline.

At Airbus, we integrated risk into QRQC — Quick Response Quality Control. Every nonconformity triggers a risk assessment. Not a generic one. A specific one: what is the probability that this nonconformity indicates a systemic issue? What is the severity if it does? What is the detection capability of our current controls? The risk assessment feeds directly into the escalation decision — contained at cell level, escalated to plant quality, or escalated to engineering authority. Risk drives action. Action generates evidence. Evidence feeds back into the risk model.

That is what ISO 9001:2026 is asking for. Not a spreadsheet. A living, breathing risk loop that demonstrably influences how the organization allocates attention, resources, and corrective effort.

The five things you need to fix before your 2026 audit

If you are a Quality Director preparing for the ISO 9001:2026 transition, here are the specific risk management gaps I see most frequently and how to address them.

1. Connect risk to objectives. Your quality objectives should have identified risks attached to them. What could prevent achievement of each objective? What is the mitigation plan? This connection between risk and objectives was implied in 2015 but is explicit in 2026.

2. Connect risk to change management. Every process change — new equipment, new supplier, new product, modified process parameter — must trigger a risk assessment. Document the trigger. Document the assessment. Document the outcome. This is now auditable.

3. Connect risk to corrective action. Every corrective action should include an assessment of whether it introduces new risks. You fixed one problem and created another. The standard now expects you to demonstrate this consideration.

4. Connect risk to resource planning. Risk assessment should demonstrably feed into budget and resource allocation. If you identified equipment failure as a high risk but did not request preventive maintenance resources, your risk assessment is disconnected from action.

5. Review risk in every management review — not annually, not as a static input. Show changes since the last review. Show new risks identified. Show old risks reassessed. Show the dynamic, living nature of the process.

The organizations that will struggle

Organizations that built genuine risk management systems over the past decade — the ones that took "risk-based thinking" seriously even when the auditor did not require them to — will transition smoothly. Their systems already do what the 2026 revision demands.

Organizations that treated risk as a compliance checkbox will face a difficult transition. Their risk registers are fiction. Their processes do not include risk loops. Their people do not think in risk terms. Fixing this is not a documentation project — it is a cultural and operational change that takes months, not weeks.

If you are in the second category, start now. The gap between a paper risk register and a real risk management system is exactly the kind of structural change that requires the full transition window. Do not leave it until year three.