Risk-based thinking did not arrive in ISO 9001 fully formed. It crept in over three decades, through cousin standards and committee compromises. Understanding the path explains why opportunity is the missing twin — and why 2026 is the natural moment to complete the picture.
1987 — procedural conformance
The first edition treated quality as conformance to documented procedure. Risk was implicit; opportunity was unmentioned. The standard's verb was 'shall,' not 'should consider.'
2000 — the process approach
The 2000 revision reframed quality as a system of interacting processes. This created the conceptual room for risk to enter — once you talk about process inputs and outputs, you have to talk about variability.
2009 — ISO 31000 arrives
ISO 31000 introduced a generic risk vocabulary — likelihood, consequence, treatment, residual risk — that 9001 would later borrow. Critically, ISO 31000 itself defined risk as 'effect of uncertainty on objectives,' explicitly bidirectional. The downside emphasis was a 9001 choice, not a Guide 73 mandate.
2015 — risk-based thinking, formalized
Clause 6.1 made risk-based thinking a central requirement. The phrase 'risks and opportunities' appeared together — but only risk got the supporting verbs, the corrective-action loop, and the management review hook. Opportunity was named and orphaned.
2026 — completing the pair
The current revision cycle is the first since 2015 with enough field evidence to argue that the asymmetry is not neutral. Organizations with mature risk practices and zero opportunity practice are systematically under-deciding. Closing the gap is the natural next step in a thirty-year arc.
“ISO 31000 always defined risk as bidirectional. ISO 9001:2015 chose to operationalize only one direction. 2026 is the moment to honor the original definition.”