Risk and Quality: Two Sides of the Same Coin
Most project managers treat Risk and Quality as separate disciplines. Risk sits in its own register, Quality lives in its own plan, and the two documents rarely speak to each other. But here is the uncomfortable truth: every quality failure is a risk that was not managed, and every unmanaged risk is a quality failure waiting to happen.
They are not two sides of the same coin by accident. They are structurally linked — and once you see it, you cannot unsee it.
The Risk Register and the Quality Plan: A Missed Conversation
Think about the last project you ran. You probably had a Risk Register that listed threats to your schedule, budget, and scope. You may also have had a Quality Management Plan that defined your standards, acceptance criteria, and testing approach.
Now ask yourself: how often did those two documents reference each other?
In most organisations, the answer is rarely — if ever. The Risk Register is owned by the PM. The Quality Plan is owned by whoever draws the short straw. They are reviewed in separate meetings, updated on separate cycles, and presented to separate stakeholders.
This is a structural problem, because the risks that most frequently derail projects are not schedule risks or budget risks. They are quality risks — requirements that were never properly defined, testing that was compressed to meet a deadline, a supplier whose output was accepted without adequate verification.
What ISO 9001 Actually Says About Risk
ISO 9001:2015 introduced risk-based thinking as a core principle — not as a separate clause, but woven throughout the entire standard. Clause 6 (Planning) specifically requires organisations to determine the risks and opportunities that need to be addressed to give assurance that the quality management system can achieve its intended results.
In plain English: you cannot have a credible Quality Management System without thinking about what could go wrong and planning accordingly.
This is not a compliance checkbox. It is a recognition that quality and risk are inseparable. An organisation that manages quality without managing risk is building on sand. An organisation that manages risk without managing quality is plugging holes in a leaking ship.
Three Places Where Risk and Quality Intersect on Every Project
1. Requirements Definition
Poorly defined requirements are simultaneously a quality risk (the deliverable will not meet stakeholder expectations) and a project risk (scope creep, rework, delays). The quality discipline of getting requirements right upfront is one of the most powerful risk mitigation activities available to a project manager — and it costs nothing except time at the beginning.
2. Supplier and Vendor Management
Every time you accept a deliverable from a supplier without adequate quality verification, you are accepting a risk. ISO 9001 Clause 8.4 (Control of externally provided processes, products and services) exists precisely because organisations consistently underestimate how much risk they inherit from their supply chain. A quality gate is a risk control.
3. Testing and Acceptance
Compressed testing schedules are one of the most common project decisions that feel like schedule management but are actually risk management failures. When you reduce testing time to hit a go-live date, you are not saving time — you are deferring the cost of defects to production, where they are exponentially more expensive to fix. This is the Cost of Quality argument, and it belongs in every risk conversation.
A Practical Step: The Quality-Risk Crosswalk
One of the most useful tools I have introduced on projects is what I call a Quality-Risk Crosswalk — a simple table that maps each quality standard or acceptance criterion to the risk that would materialise if that standard were not met.
| Quality Standard | Risk if Not Met | Risk Rating | Mitigation |
|---|---|---|---|
| All requirements signed off before development begins | Scope creep, rework | High | Requirements review workshop with key stakeholders |
| Supplier deliverables reviewed against specification | Defective inputs, delays | Medium | Incoming quality inspection checklist |
| UAT completed before go-live | Post-launch defects, reputational damage | High | Minimum 10 business days UAT; no compression without sponsor sign-off |
This is not a complex document. It is a conversation starter — one that forces the Risk Register and the Quality Plan to finally talk to each other.
The Bottom Line
Risk management without quality thinking is incomplete. Quality management without risk thinking is naive. The most effective project managers I have worked with treat them as a single discipline with two lenses — one looking at what could go wrong, the other defining what “right” looks like.
If your Risk Register and your Quality Plan have never been in the same room, that is worth fixing. Start with the three intersections above. The conversation that follows will be one of the most useful your project team has had.
Michelle Mills is a Project Manager (PMP) and Quality practitioner with experience across multiple industries. This post is part of the “Quality in the Field” series on michellemills.co.za.