Risks in ISO 9001

I have also some question during consulting process but I have to study more on the spirit of ISO 9001-2015. But now I would like to give you question relating to item Risk-based thinking as follows:
1. Does organization shall address the risk for the realization or for all process or only for critical process ?
2. Risk-based thinking for all processes of system is described by establishing a documented information under support procedure ?
3. Does Risk-based thinking is a new thinking to be set in mind for personnel having work affecting quality and then records from problem solving, taking decision, eliminating risk,...can demonstrate that. So that no need to have procedure to analyse risk as well as for risk evaluation ?
Once again thanks a lot your support.

Answers:

1. The organization needs to consider entire context of the organization not only the processes, but it doesn't mean that you need to identify risks for each process. You can conduct a global assessment on the organizational leve l and that can be enough, then again you can go into details, it depends on needs of organization, the standard allows a lot of freedom regarding this requirement.

2. Documented procedures exist to prevent risk of noncomplying with the activities in the processes and in that sense they are used for avoiding risk. Also some activities like inspection or monitoring certain parameters within the process serve as precaution. But not all processes carry such risk within them so there doesn't have to be a documented procedure for each process.

3. Addressing risks and opportunities belongs to planning phase of the QMS so it is a requirement related mainly to top and mid management not employees. The management of the company should think about risks and opportunities related to the QMS and take actions to address them.

For more information, see: How to address risks and opportunities in ISO 9001 https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/