How ISO 15189:2022 Applies Risk and Quality Management System Thinking
Last Updated on September 24, 2025 by Melissa Lazaro
Let’s be honest—when labs first hear about ISO 15189:2022, most people jump straight to the technical stuff: equipment, staff qualifications, SOPs. But here’s what I’ve noticed after years of guiding labs through accreditation—what really sets the new standard apart is how it pushes you to think.
Not just about what you do, but how you plan, manage, and improve it.
ISO 15189:2022 introduces something many labs still find fuzzy: risk-based thinking and a quality management system (QMS) mindset. And while those terms might sound abstract, in practice? They’re game-changers. When done right, they make your lab more efficient, more consistent, and way more audit-ready.
In this article, I’ll walk you through exactly how ISO 15189:2022 applies risk and QMS thinking to your everyday lab operations. You’ll get real examples, no-nonsense explanations, and tips you can use—whether you’re just starting your QMS or looking to upgrade what you’ve already got.
Let’s dive in and make this practical.
Understanding QMS Thinking in ISO 15189:2022
Here’s what I’ve seen time and again: labs think of their quality management system (QMS) as a binder on a shelf—something you dust off before an audit. But ISO 15189:2022 takes a very different approach. It wants your QMS to be part of how your lab actually runs every day.
So what is “QMS thinking,” really?
At its core, it’s about shifting from a checklist mindset to a systems mindset. Instead of looking at each process in isolation—sample collection here, testing there, reporting over there—you start looking at how all those pieces connect, and where gaps, risks, or delays might creep in.
ISO 15189:2022 leans heavily on ISO 9001 principles, meaning:
- You define your processes clearly.
- You assign responsibilities and track performance.
- You look for patterns and use them to drive improvements, not just fix problems.
- And you make decisions based on evidence, not assumptions.
Real-world example
I worked with a diagnostics lab that had great SOPs, but no real system for tracking whether processes were followed—or if they were working well. We introduced weekly mini-reviews for each process owner: “What’s working? What’s slipping? What changed this week?” That small tweak turned their QMS into a living, breathing system—and their audit findings dropped by 80% over the next year.
Here’s why this matters
A strong QMS isn’t about documents—it’s about clarity, accountability, and continuous learning. And ISO 15189:2022 is designed to reward labs that build that kind of culture.
What “Risk-Based Thinking” Really Means in ISO 15189
Let’s be real—“risk-based thinking” sounds like one of those buzzwords consultants throw around to sound smart. But in ISO 15189:2022, it’s actually one of the most useful shifts you can make. And no—it doesn’t mean filling out endless risk matrices for every decision.
So what is risk-based thinking?
In simple terms, it’s the habit of asking “what could go wrong?” before something actually goes wrong—and putting controls in place to prevent it.
It’s about being proactive, not reactive. Instead of waiting for a nonconformity or a complaint to show you where a weakness is, you’re actively scanning your processes for weak points and addressing them early.
Where does ISO expect you to apply this?
Everywhere.
- Pre-analytical phase: Could incorrect patient ID or sample labeling cause harm?
- Analytical phase: What’s the risk of using expired reagents or an uncalibrated machine?
- Post-analytical phase: What if results go to the wrong doctor, or aren’t reviewed properly?
Risk-based thinking is baked into the standard now. It’s not a standalone section—it’s woven through everything: document control, equipment, purchasing, training, result reporting. ISO wants you to build risk awareness into your culture.
A client example
I helped a pathology lab that kept getting delayed results flagged during audits. Everyone assumed it was due to workload. But when we stepped back and did a quick risk review, we found the real issue—sample transport delays from outpatient clinics. They added a time-stamped tracking log, identified consistent late arrivals, and worked with the courier to reroute pickups. Result delivery improved and they eliminated a persistent nonconformity.
The bottom line?
Risk-based thinking isn’t about more paperwork. It’s about asking smarter questions earlier—and building a lab that’s ready for whatever comes next.
Where ISO 15189:2022 Embeds Risk and QMS Together
Here’s what I’ve noticed: a lot of labs treat risk and QMS as two separate checkboxes. One team handles risk assessments, another manages quality objectives, and they rarely talk to each other. But ISO 15189:2022 takes a totally different approach—it blends the two into one continuous system.
Where does this integration actually happen?
In real terms, ISO expects you to:
- Identify and manage risk as part of your QMS—not beside it.
- Use risk to inform your quality objectives, internal audits, and corrective actions.
- Review risks during management review—not just technical performance.
You’ll see risk language appear throughout key clauses:
- Document control: What’s the risk of using an outdated SOP?
- Process design: What risks exist in how samples move through the lab?
- Purchasing and suppliers: What’s the impact of a reagent stockout?
- Result reporting: What could go wrong between analysis and the final report?
What this looks like in practice
A lab I worked with started adding one simple line to their management review reports: “What risks are emerging in this area?” Suddenly, department heads weren’t just reporting on past performance—they were planning for future challenges. That shift turned their management review from a boring formality into a powerful improvement tool.
Why this matters
When your risk data and your QMS goals talk to each other, you:
- Prevent issues earlier,
- Prioritize improvements more effectively,
- And demonstrate to auditors that you’re running a mature, proactive system.
Building a Practical Risk Register That ISO Will Love
Let’s be honest—most labs either go overboard with risk registers (think massive spreadsheets no one ever opens) or skip them altogether because they seem too complicated. But ISO 15189:2022 doesn’t need perfection. It just needs proof that you’ve thought things through—and that your team is actually using the risk data to make better decisions.
So, what does a good risk register look like?
It’s not about fancy software. It’s about clarity, consistency, and actionability. A solid risk register should include:
- The process or activity at risk (e.g., sample transport, report review)
- What could go wrong (the risk event)
- Likelihood and impact ratings
- Existing controls in place
- What’s planned to reduce or monitor the risk
- Review dates and responsible persons
Simple columns. Plain language. Regularly updated.
Real-world example
One small clinical lab I worked with used a color-coded Excel sheet—nothing fancy. Green, yellow, red. Risks were reviewed quarterly, and owners were assigned to each one. During the audit, the assessor said it was one of the most usable risk registers they’d seen—because it was simple, current, and actually tied to lab operations.
Pro tip
Don’t let your risk register gather dust. Bring it into:
- Internal audits
- CAPA meetings
- Management review
That’s how you show ISO you’re not just doing risk management—you’re using it.
Embedding Risk into Day-to-Day Lab Operations
Let’s be real—if risk management only happens during management review or once a year before the audit, it’s not helping anyone. ISO 15189:2022 wants risk awareness to be part of how your team works every day, not just something the QA officer worries about.
So how do you make risk part of your routine?
Here’s what I’ve seen work best in real labs:
- Train your staff to spot and speak up about risks—whether it’s a cracked centrifuge lid, unclear SOPs, or a recurring result delay.
- Add simple risk checkpoints in your workflows—like verifying sample integrity during intake or confirming authorization before reporting results.
- Include risk prompts in SOPs and training. For example: “If the temperature is outside this range, stop and escalate immediately.”
These aren’t major changes—they’re small shifts in mindset that build a culture of prevention.
Field example
I worked with a midsize diagnostics lab that started doing daily five-minute huddles. Each shift discussed one question: “Did we see any risks today?” Within two weeks, they identified and corrected a gap in specimen labeling that had been causing delays for months. And when ISO auditors came in? The team could confidently explain how they managed risk—because they were actually doing it.
The key takeaway?
Risk management doesn’t need to be complicated. It just needs to be visible, practical, and team-driven. When your staff can explain what risks they watch for in their daily work, you’ve nailed it.
Using Risk and QMS Data for Continuous Improvement
Here’s what I always tell my clients: if you’re collecting data but not using it to improve something, you’re missing the point of ISO 15189:2022. The standard isn’t just about control—it’s about getting better over time. That’s where your risk register and QMS really start to shine.
So how does this actually work?
Your lab already collects a ton of data:
- Internal audit findings
- Nonconformities and incidents
- Complaints
- QC and EQA results
- Equipment service logs
ISO wants you to analyze that data through a risk-based lens. In other words:
What are we seeing repeatedly? What’s the risk if it keeps happening? And how can we fix the system—not just the symptom?
Real-world story
A genetics lab I supported had a recurring issue with report formatting—errors that weren’t serious, but looked unprofessional and occasionally led to confusion. Instead of just correcting each mistake, they logged the issue, rated the risk, and realized it pointed to a deeper design flaw in their reporting template. One redesign later, the problem disappeared—and they reduced review time by 25%.
How to apply this mindset
- Use your risk register to prioritize corrective actions.
- Bring audit findings into your risk review discussions.
- Add a “lessons learned” section to your management review that ties back to QMS goals and risk trends.
This kind of loop—observe > assess > act > improve—is exactly what ISO wants to see. And it makes your lab stronger, not just more compliant.
Pro Tips & Expert Insights: What I Tell Labs Behind the Scenes
Pro Tip 1: Don’t wait for management review to talk about risk
Quarterly reviews are great—but real progress happens when risk comes up in weekly meetings, shift handovers, or even casual lab huddles. Make it part of the daily conversation.
Pro Tip 2: Keep your risk language simple
If your staff can’t explain the risk register, it’s too complex. Use clear terms like “sample delay,” “mislabeling,” or “unstable temperature” instead of abstract phrases. Simpler language = better understanding.
Pro Tip 3: Connect your risk register to your internal audits
For every internal audit finding, ask: What’s the underlying risk? Then log it. This shows ISO that you’re not just fixing errors—you’re managing threats proactively.
Pro Tip 4: Don’t separate QMS and risk goals
If you’re setting quality objectives for the year, look at your risk register first. It helps you focus on what actually matters—not just what sounds good in a policy manual.
Pro Tip 5: Make improvement a habit, not a project
Don’t wait for a major failure to drive change. If you notice a weak point—whether it’s poor documentation or inconsistent training—log the risk and act on it now, even if it’s small.
Common Mistakes and FAQs: What Labs Get Wrong—and How to Stay Ahead
Common Mistakes to Avoid
Mistake 1: Treating risk as a one-time exercise
I’ve seen labs complete a risk assessment once—usually during accreditation prep—and never touch it again. ISO 15189:2022 expects risk to be ongoing. If it’s not reviewed regularly, it’s not doing its job.
Mistake 2: Keeping risk and QMS disconnected
Risk logs and quality objectives should be linked. If your QMS doesn’t reflect what you’ve learned from past risks, nonconformities, or complaints, you’re leaving improvement opportunities on the table.
Mistake 3: Overcomplicating the risk register
I’ve worked with labs that had 12-point scoring systems no one understood. If your team can’t explain how you score and manage risk, the system isn’t usable—and that will show during audits.
Mistake 4: Ignoring “low-risk” issues that happen often
Something might seem low impact, but if it happens every day, it adds up. Frequent labeling issues or communication breakdowns should still trigger preventive action.
Frequently Asked Questions
Q: Do we need a separate risk document for every lab process?
Not necessarily. You do need to show that risk has been considered across your key processes, but how you organize that is up to you. One well-maintained, categorized register often works best.
Q: Can we use Excel for our risk register?
Absolutely. ISO doesn’t care about the tool—you just need to show that it’s used, updated, and tied to your QMS decisions. I’ve seen simple Excel sheets pass with flying colors.
Q: How often should we update or review risks?
Ideally, quarterly. But also after any significant event—like a nonconformance, equipment failure, or major process change. At a minimum, every management review should include a risk update.
Make Risk and QMS Work For You, Not Against You
Here’s the bottom line: ISO 15189:2022 isn’t just about ticking boxes—it’s about building a lab that sees problems coming and takes action before they impact results or patients.
By now, you’ve seen how risk-based thinking and QMS are meant to work together—not as separate systems, but as a single mindset that keeps your lab consistent, compliant, and always improving. And the good news? You don’t need a massive overhaul to get there. Just small, steady changes that make risk part of your everyday decisions.
We’ve covered:
- What QMS thinking actually means under ISO 15189:2022.
- How risk shows up in every part of your lab—even if you’re not labeling it yet.
- How to build and use a simple, effective risk register.
- And how to turn data, audit findings, and daily observations into long-term improvements.
What now?
Start small. Review your current risk register—if you don’t have one, create a basic version tied to your main processes. Bring it into your next team meeting. Ask your staff where they see risks or bottlenecks. That’s where transformation starts.
And if you’re feeling overwhelmed? You’re not alone. Most labs I’ve helped didn’t know where to start either—until they did.
Need help building a risk-based QMS that actually fits your lab?
[Download our Risk & QMS Integration Checklist], or [book a consult] and I’ll walk you through it step by step. No jargon, no guesswork—just real strategies that work.
Let’s make ISO 15189:2022 not just something you pass—but something that actually makes your lab better.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.