Risk-based thinking is not something new. In fact, you do it automatically with every decision you make! Consciously or unconsciously, you weigh different options against each other, based on the impact and likelihood of something occurring. Whether you are overtaking a swerving truck on the highway, buying a new television, or wanting to cross the road: you weigh things against each other.
This way of "weighing things against each other" is the basis of risk-based thinking in ISO 9001. Whether you're planning, implementing, analyzing or evaluating something, risk-based thinking makes you better prepared. A simple example, from the ISO/TC 176 itself, is about risk-based thinking while crossing a road.
When you cross a road to arrive on time for an appointment, there are a variety of factors at play that affect your ability to achieve your goal. You can choose to cross the road to get to the appointment faster, or opt for a pedestrian bridge further down the road to cross more safely but also more slowly.
Both options involve some form of uncertainty and unpredictability: the rush of traffic, the possibilities of getting to the other side of the road, your own mobility, the clarity of the road, the purpose of the appointment, or the weather. It is also about impact: what is acceptable and what is not? To what extent does the risk of being late outweigh the risk of getting hit?
You will probably prefer to be a little late for your appointment rather than get hit by a car. So do you use the bridge or cross the road directly?
Fortunately, the answer is not unequivocal.
If the road is busy, then the first option (the bridge) is best, but if the road is quiet, then the second option (crossing directly) seems best. Thus, the context in which you find yourself plays an important role in risk-based thinking!
The context analysis in Chapter 4 of ISO 9001 is there for good reason: it provides a good basis for risk-based thinking since the impact and likelihood of risks vary by organizational context. For example, a power outage is annoying for a business service, more annoying for a data warehouse, and catastrophic for a nuclear reactor.
ISO 9001:2015 explicitly talks about risk-based thinking, not risk management. ISO 9001 contains no requirements for maintaining a risk management system, nor does it contain any requirements for maintaining documented information about risk. So ISO 9001:2015 also does not create an expectation that every time you cross a road (or make any other decision), you are a professional risk manager.
The major difference between the risk-based thinking of ISO 9001:2015 and a risk management system (such as one built on the ISO 31000 guideline) is that risk management is more explicit, structured and cyclical. ISO 9001 requires you to consider risks, based on the context of your organization, in order to arrive at what ISO 9001 calls ‘appropriate’ measures. After all, a measure is only appropriate when the various risks it entails have been considered!
In short: risks that play into the context of your organization affect the decisions you take. Be aware of those risks and consider them to make better decisions.