Risk-Based Thinking in ISO 17025: A Practical Guide for Laboratories

Consider a typical day in your life. You wake up, get out of bed, decide whether to get breakfast or skip it, get dressed, travel to work (even if it’s down the hallway) and then start work. There are myriad decisions involved in this simple exercise of starting your day. And each one involves an element of uncertainty or risk. Should I check that my feet are fully on the floor before getting out of bed? Can I afford to skip breakfast and be hangry by 9:00 am? We manage to wade through it all and somehow get through the day.

The thing is, every one of these decisions represents a risk. We don’t know what the outcome will be, but we can hazard a guess. So why do humans sometimes freak out about risk-based thinking and develop elaborate systems to manage it?

Risk-based thinking is now embedded across ISO standards, including ISO/IEC 17025, ISO 15189 and ISO/IEC 17020. It is intended to support better decision-making, stronger systems, and more reliable results.

In practice, however, it is often one of the most misunderstood aspects of implementation.

Many labs approach risk-based thinking by building extensive risk registers, complex scoring systems, and detailed matrices. While these can appear thorough, they do not always add clarity. In some cases, they make systems harder to use and more difficult to maintain.

This article takes a step back to explain what risk-based thinking is meant to achieve and how it can be applied in a way that is practical and effective.

 

What Risk-Based Thinking Is Trying to Achieve

 

At its core, risk-based thinking is about awareness. Being aware that your feet are not firmly on the ground. Being aware that you’re not at your best if you skip breakfast. Or being aware that if your lab QC fails, then chances are the results may not be correct.

It is about understanding what could affect the validity of results, the consistency of processes, and the overall performance of the laboratory. But there is also an upside. It is also about recognising opportunities to improve.

ISO/IEC 17025, ISO 15189 and ISO/IEC 17020 do not require laboratories to eliminate risk. They require labs to identify, consider, and manage it in a way that is appropriate to their activities. The only place where these standards speak of eliminating risk is in the impartiality requirements, which ask labs to eliminate or minimise risks to impartiality. Taken literally, eliminating every risk to impartiality would mean that no one in the lab could have any relationships with others.

When approached this way, risk-based thinking becomes part of normal operations rather than a separate exercise.

 

Where It Often Becomes Overcomplicated

 

In many labs, risk-based thinking becomes synonymous with documentation.

Risk registers grow over time. Scoring systems and matrices are introduced. Categories expand. Before long, the process becomes difficult to follow and even harder to use in practice.

The intention is usually to demonstrate thoroughness and conformance. The outcome is often complexity without clarity.

This can lead to situations where:

  • risks are recorded only to tick the “risk” box, but are not actively considered
  • controls exist on paper, but are not applied consistently
  • staff are unsure how risk information is used in decision-making

When this happens, risk-based thinking is no longer supporting the system. It’s adding to it.

 

Bringing Risk Back to the Work

 

In labs, we already do many things that represent risk-based thinking. The humble QC activity of repeating a test or calibration mitigates the risk that the first result was incorrect. A thorough check of a report by a senior staff member is a mitigation of the risk that incorrect or incomplete information will leave the lab and be used by the client.

A more practical approach begins with the work itself.

Instead of asking, “What risks do we need to document?”, a more useful question is:

“What could affect how this work is done, and the reliability of the result?”

This might relate to the everyday activities that happen in the lab. Activities such as:

  • how samples are handled
  • how methods are applied
  • how equipment is maintained
  • how results are reviewed
  • how staff are trained
  • how decisions are made

By focusing on real activities, risks become easier to identify and understand. They also become easier to manage.

 

Proportionate Control Matters

 

Not all risks require the same level of control.

Some are already well managed through existing processes. Others may require additional attention. A small number may need formal controls or documented actions.

The key is proportionality. For that, we ask questions like “What are the chances of X happening?” and “What are the consequences if X were to happen?”

Over-controlling low-level risks can make systems unnecessarily complex and hinder innovation and improvement. Under-controlling higher-level risks can affect the validity of results. A well-functioning system applies controls where they are needed and avoids adding unnecessary layers where they are not.

 

Integrating Risk Into Decision-Making

 

Risk-based thinking is most effective when it is part of everyday decisions.

This includes:

  • assessing the impact of changes to methods or processes
  • considering competence when assigning tasks
  • reviewing unexpected results or trends
  • evaluating the impact of equipment issues
  • responding to customer requirements or constraints

 

When risk is considered as part of these decisions, it becomes embedded in the way the laboratory operates. It is no longer a separate activity.

The trick to making things work is to know your risk appetite.

 

The Role of Nonconformances and Improvement

 

Nonconformances provide valuable insight into risk. If you think about it, a nonconformance is simply an event with a negative outcome that you did not expect, but that did occur. What you get from a nonconformance is information on the likelihood (IT HAPPENED, so it’s not impossible) and the consequence (Did the world shatter into a million pieces, or did you just have to pick up a few pieces and start again?).

They highlight where controls have not worked as intended, or where assumptions may need to be revisited. When investigated properly, they can reveal underlying issues that are not always visible during routine operations.

In this sense, nonconformances are not just problems to be resolved. They are inputs into understanding risk more clearly. And your nonconformance or corrective action register is simply a catalogue of those risks.

Over time, this strengthens the system. Especially if you manage to properly address the root cause!

 

Avoiding the “Risk Register Trap”

 

Risk registers can be useful, but only when they are used effectively.

If a register becomes:

  • too large to review
  • too complex to interpret
  • disconnected from actual work

then it is unlikely to add value. Nor is it a requirement to have a risk register.

In many cases, a simpler approach, supported by clear processes, competent staff, and consistent review, will provide better outcomes.

The focus should remain on understanding and managing risk, not documenting it for its own sake.

 

What Practical Risk-Based Thinking Looks Like

 

In a well-functioning laboratory, risk-based thinking is often not obvious as a separate activity. Instead, it is reflected in how the system operates.

 

Staff understand what could affect their work and how to respond. Decisions are made with an awareness of potential impacts. Processes are designed with control in mind. Issues are identified and addressed in a structured way.

The system feels stable, predictable, and responsive.

 

Moving From Complexity to Clarity

 

For many labs, improving risk-based thinking is not about doing more. It is about simplifying.

 

This might involve:

  • reducing unnecessary documentation
  • focusing on key risks rather than listing everything
  • integrating risk into existing processes
  • ensuring that staff understand how risk relates to their work

Clarity often leads to better control than complexity.

Where can you get clarity in the fog of risk?

 

Final Thoughts

 

Risk-based thinking under ISO/IEC 17025, ISO 15189 and ISO/IEC 17020 is not intended to be a separate system layered on top of everything else. It is meant to support how the laboratory operates.

When applied practically, it helps laboratories:

  • make better decisions
  • maintain control over processes
  • respond effectively to issues
  • build confidence in the validity of results

 

The goal is not to document every possible risk. It is to understand what matters and manage it appropriately.

 

If your laboratory is finding that risk-based thinking has become complex or difficult to apply in practice, MAS Management Systems can assist in simplifying and aligning it with day-to-day operations in a structured and practical way. Email Maree at maree@masmanagementsystems.com.au, or call 0411 540 709 if you need support.

Remember, you don’t have to do this alone!

 

FAQs

What is risk-based thinking in ISO 17025?

Risk-based thinking in ISO 17025 is the process of identifying, considering, and managing factors that could affect the validity of results, the consistency of processes, or the performance of the laboratory.

 

Is a risk register required for ISO 17025?

ISO 17025 does not require a formal risk register. Laboratories need to demonstrate that risks are identified and managed appropriately, but this can be achieved through existing processes rather than separate documentation.

 

What risks should be considered in a laboratory?

Laboratories should consider risks that could impact the validity of results, including sample handling, method application, equipment performance, staff competence, and data integrity.

 

How do you apply risk-based thinking in ISO 17025?

Risk-based thinking is applied by considering potential impacts during everyday activities, such as method selection, assigning work, reviewing results, and managing changes, rather than treating it as a separate exercise.

 

How can risk-based thinking be simplified?

Risk-based thinking can be simplified by focusing on key risks, integrating it into existing processes, and ensuring staff understand how risk relates to their work rather than relying on extensive documentation.

 

How do assessors evaluate risk-based thinking under ISO 17025?

Assessors look for evidence that laboratories understand their risks and manage them appropriately. This is usually demonstrated through consistent processes, decision-making, and responses to issues rather than formal risk registers.

 

What is the difference between risk and nonconformance in ISO 17025?

Risk refers to a potential issue that could affect results or processes, while a nonconformance is an issue that has already occurred. Both are used to improve the system and strengthen control.

 

Do small laboratories need formal risk systems?

Small laboratories do not need complex risk systems. Risk-based thinking should be proportionate to the size and complexity of the laboratory and can often be managed through simple, well-understood processes.
