Multi-Criteria Decision Making for Risk Management in Quality Management Systems

Abstract

This study addresses risk management in quality management systems by analyzing risk prioritization using the multi-criteria methods Decision-Making Trial and Evaluation Laboratory (DEMATEL) and Analytic Hierarchy Process (AHP). The primary objective was to identify and evaluate key risks, considering emerging factors such as climate change, to strengthen organizational resilience in the long term. A panel of 42 experts prioritized the following risk typologies: (i) geopolitical, (ii) economic, (iii) social, (iv) technological, and (v) environmental. The results revealed an increase in the importance of geopolitical and economic risks for 2024 compared to 2020, while technological and environmental risks decreased. Additionally, risks were projected over the next 10 years, highlighting extreme climate events and biodiversity loss as the most relevant for 2034. The findings emphasize the need for a proactive approach to risk management, aligned with ISO 9001:2015 standards and its recent climate change amendment published in 2024, to adapt organizational strategies for a constantly evolving global environment and ensure long-term sustainability.

1. Introduction

Risk management is a key activity in organizations as it enables the identification, evaluation, prioritization, and control of events that could negatively impact achieving objectives [1]. Effective risk management directly contributes to continuous improvement by promoting high-quality standards and compliance across all areas of the organization. According to Kashif Shad et al. (2019) [2], various organizations face the ongoing challenge of effectively integrating risk management into their business guidelines. Proper risk and sub-risk characterization and prioritization allow companies to mitigate potential impacts, optimize performance, and ensure sustained quality, which is critical for their competitiveness and market acceptance [3,4].

Risk characterization involves a detailed analysis of those risks that could affect daily operations and a company’s long-term viability and success. This process helps identify and understand potential threats. It simplifies the creation of effective mitigation strategies, accurately identifying the most relevant risks and contributing to efficient and proactive management within the company’s Quality Management System (QMS). Standards, particularly those issued by the International Organization for Standardization (ISO), are key in organizational risk management, as they guide companies through specific guidelines and established requirements. Certification in these standards is a vital compliance indicator, demonstrating that organizations have adopted a structured approach to risk management, including identifying, evaluating, and mitigating risks as part of compliance requirements. The publication of ISO 9001:2015, which introduced the concept of risk, marked a milestone in incorporating risk-based thinking into the planning and implementation of QMS. The QMS is a tool for structuring, controlling, and improving an organization’s activities, ensuring the quality of products and services, facilitating risk management, and promoting continuous improvement. Risk management has become a formal component in most globally certified management systems, introducing risk-based thinking in ISO 9001:2015. However, the standard does not provide formal or documented procedures specifically for risk management [5].

Additionally, it is essential to mention the climate change amendment published in 2024, which establishes new guidelines for its application within QMS. ISO has emphasized that climate change represents a challenge to the sustainability of organizations. Therefore, this amendment aims to integrate climate-related criteria, encouraging organizations to assess and manage their environmental risks more effectively. This update seeks to demonstrate entities’ commitment to managing the effects of climate and promote practices that contribute to mitigating its impacts and adapting to this global phenomenon [6]. The integration of this amendment into QMS has posed challenges for many companies in assessing and managing these risks, limiting their ability to develop adequate mitigation strategies. The amendment introduces new factors that need to be evaluated, which, if not adequately incorporated into the risk analysis, could be overlooked, limiting the ability to develop appropriate mitigation strategies. The lack of training and relevant resources complicates understanding the amendment and its relevance for sustainability. Organizations must adopt specific measures to integrate sustainability into QMS, such as incorporating environmental risk assessments into their risk management processes and ensuring compliance with the ISO 9001:2015 standard requirements.

Risk management associated with sustainability has become an essential discipline in the business world, attracting researchers seeking to optimize Enterprise Risk Management (ERM) systems. Companies use various frameworks, such as ISO 31000:2018, the Global Sustainable Development Report of the WBCSD and COSO, and the Global Risk Report [1,7,8], which provide valuable approaches, although their application varies significantly. The Global Sustainable Development Report from the WBCSD and COSO, developed by a group of experts from sponsoring organizations like accounting firms, auditors, regulators, consultants, and academics specializing in internal control and risk management, offers guidance for organizations to understand, manage, and disclose environmental, social, and governance (ESG) risks. This report helps companies meet legal requirements and achieve strategic sustainability objectives [9]. From another perspective, the Global Risk Report issued by the WEF, developed by experts, universities, government leaders, and CEOs of global organizations, identifies and projects risks and trends that humanity and organizations will face in the coming years. This document gives readers a general analysis of global risks and emerging trends that could impact the economy and society [8]. Meanwhile, ISO 31000:2018 provides general principles and a flexible model that adapts to different contexts, recognizing the relevance of organizational culture in risk management and emphasizing the need to make decisions based on objective information to reduce bias. Although it does not offer specific guidelines for dynamic contexts, it promotes a structured approach that helps mitigate subjective influences during the decision-making process [10]. Consequently, the ISO 31000:2018 standard may be less precise in managing risks in highly dynamic environments despite its flexibility; this gap in the standard presents a challenge in the model’s ability to manage risks from a subjective perspective as they evolve due to various factors, such as changes in the economic, social, political, and technological environmental. If organizations do not adapt to changing conditions, their ability to efficiently address emerging challenges and seize new opportunities may be limited. According to various risk management frameworks, such as ISO 31000:2018 [10] and the Global Sustainable Development Report of the WBCSD and COSO [1], the decision-making process should be cyclical and integral to continuous monitoring, evaluation, and review. This ensures constant feedback as risks are identified and/or updated or internal and external circumstances change, requiring previously made decisions to be reevaluated to respond quickly and proactively to evolving environmental conditions.

In this context, the need arises to adopt multi-criteria decision-making methods in groups, especially in highly uncertainty environments. Methods such as those proposed by Chen, Wei, Fu, Li, and Zhao (2022) [11] have addressed these challenges through innovative approaches. For example, Chen, Wei, Fu, Li, and Zhao (2022) [11] introduced a dynamic cloud similarity and trust-based decision-making method to solve decision-making problems in emergencies effectively. On the other hand, Jiang et al. (2024) [12] developed an approach that addresses decision-making in large groups using cloud models integrated into multi-granularity linguistic environments and bidirectional trust approaches in social networks. These methodologies are beneficial for problems that require consensus and detailed analysis in dynamic environments. Although this study focuses on established methodologies such as DEMATEL and AHP, these new approaches offer a promising framework for integrating diverse perspectives in future research related to risk management.

According to Shrivastava et al. (2023) [13], effective risk management is essential for ensuring the stability and success of an organization in a complex and volatile environment. Using multi-criteria decision-making methods, top management can make group-based, informed decisions, strengthening operational resilience and promoting innovation, value creation, and transparency when detecting, evaluating, and reducing risks. For example, in the study presented by Aguilera Sánchez et al. (2021) [14], the role of the AHP methodology in risk management is highlighted and how it affects organizational stability. This technique allows for a structured analysis of risks that includes planning, identification, evaluation, and response formulation. AHP optimizes group decision-making and facilitates a deeper and more accurate understanding of risks, significantly increasing the organization’s ability to ensure long-term success. In Benabdallah et al. (2020) research [15], a comprehensive framework was developed to assess sustainability risks in the supply chain, addressing environmental, economic, social, and operational dimensions. They used the DEMATEL method, which facilitates the analysis of interrelationships between different risks and group preferences in decision-making. Through this approach, the authors conclude that there is a significant gap in the sustainable management of risks as it does not encompass all dimensions of sustainability. They also emphasize the need to include additional risks that have not been considered to date, such as those related to technology and the environment, in line with the new climate change amendment to the ISO standard, which is essential for more accurate assessments. Additionally, they suggest reducing reliance on the subjective judgment of experts and applying quantitative risk occurrence probability assessments, which would allow for better prioritization and more thorough planning.

This research expands upon the work proposed by Benabdallah et al. (2020) [15] by considering geopolitical, technological, and environmental risk typologies, taking into account the climate change amendment, as well as economic and social risk typologies, and their respective sub-risks. Additionally, it emphasizes the participation of an interdisciplinary panel of experts, who contribute through pairwise comparison surveys and provide quantitative assessments. This approach enables a more comprehensive and holistic understanding of sustainability-related risks, addressing their interactions and potential impact in various contexts.

It is also important to highlight the research by Bathrinath et al. (2022) [16], where a two-phase methodology was used to identify and evaluate significant risks in the sugar industry of southern India. Initially, risk factors were gathered from literature and expert opinions; with this information, they finalized the risk factors based on industry experts’ opinions through the Delphi method. They used the AHP method to determine the most dominant and significant risk, complemented by the Best–Worst Method (BWM) to validate the results. The authors suggest extending the research to other sectors and regions, considering additional multi-criteria decision-making methods for more comprehensive evaluations. Studies like Yazo-Cabuya et al. (2024) [17] used DEMATEL and AHP methods to evaluate and select the best alternatives among the options considered in the organizational risk prioritization process, focusing on sustainability. Their research considers economic, geopolitical, social, technological, and environmental risks. These methods provide a hierarchical structure that facilitates the breakdown and prioritization of sub-risks associated with each significant risk. Both approaches proved helpful tools for multi-criteria decision-making, breaking down complex problems into a hierarchy of criteria and alternatives and using pairwise comparisons based on a numerical scale. Their ability to systematize and structure decision-making makes them methods for improving the accuracy of risk ranking and the selection of strategic alternatives. Their study also proposes that future research increases information on monitoring tools associated with prioritized risks, significantly contributing to risk management.

This research integrates new methodologies and frameworks that previous studies have not considered. While earlier studies addressed the identification and prioritization of risks with data from 2020 using methods like AHP and DEMATEL [17], these were conducted in static contexts without considering the rapid evolution of global conditions or regulatory changes, such as the recent 2024 amendment related to climate change attached to ISO 9001:2015, which has introduced new guidelines related to sustainability risk management, particularly regarding climate change. In this sense, the present study considers recent transformations and adopts a dynamic approach to evaluate the temporal variability of risks. The results from the study by Yazo-Cabuya et al. (2024) [17] are considered with the aim of exploring how modifications affect risk prioritization, reflecting a continuous and updated evaluation [18].

The dynamic approach shows a significant contribution, as it considers current conditions and projects the evolution of risks over the next 10 years, enabling organizations to adapt their risk management strategies to a constantly changing environment. This 10-year risk projection is based on global risks ranked by long-term severity according to the Global Risk Report 2024, which estimates the probable impact of risks over a decade. This projection evaluates how risks may evolve, considering global factors, emerging trends, and disruption [8]. Additionally, this study helps describe the application of ISO 9001:2015 by integrating a systematic approach to risk management within quality processes. Using methodologies like DEMATEL and AHP, risks are characterized, prioritized, and projected long-term, allowing organizations to address current and future risks. These methodologies stand out from traditional risk management tools due to their complementary capabilities in addressing complex and hierarchical problems. DEMATEL facilitates identifying and analyzing causal relationships between risks, providing a deep understanding of how certain factors can influence others within the system.

Meanwhile, AHP allows for structuring hierarchical problems and prioritizing risks based on defined criteria, ensuring that informed decisions aligned with organizational objectives. Together, these tools support proactive and strategic risk management and contribute to strengthening QMS by ensuring continuous improvement. This projection facilitates a more proactive risk management approach aligned with the standard’s requirements, contributing to broader compliance in certification processes. Moreover, including the 2024 climate change amendment strengthens the standard’s relevance and adaptability.

This research addresses the growing global threats related to risk management in QMS and proposes an approach for decision-making using multicriteria methods such as DEMATEL and AHP. Its objective is to provide more effective tools for anticipating, managing, and mitigating long-term risks in organizations, particularly in the face of climate change and other emerging risks. The main contributions of the study focus on the development of the decision-making approach based on multi-criteria decision-making methods, the approach to emerging risks with special attention to those focused on climate change, the optimization of long-term risk management based on expert opinion, and incorporating advanced prioritization techniques and a unique contribution to the strengthening of QMS from a risk-based approach.

This article is developed in six sections: (i) the presentation of a methodology that outlines the general approach to addressing the study and describes the methods used for risk management; (ii) risk and sub-risk characterization, analyzing the main types of risks relevant to the organizational context; (iii) the evaluation process conducted by a multidisciplinary expert panel, using surveys and pairwise comparisons to determine the relevance and impact of the characterized risks and sub-risks; (iv) through multi-criteria decision-making methods, the priorities for risk types and sub-risks are analyzed; (v) an analysis of variations in risks between 2020 and 2024, and a projection of key risks for 10 years, based on emerging patterns and global trends; finally, (vi) the discussion of how the prioritized risks and sub-risks are integrated into QMS following the ISO 9001:2015 guidelines, with a particular focus on the new 2024 amendment related to climate change.

2. Proposed Methodology

2.1. Research Design

Risk management enables organizations to anticipate threats and respond effectively to adverse situations. The process consists of several stages, including identifying, evaluating, prioritizing, and controlling the most relevant risks at the business level. Figure 1 illustrates the methodological framework adopted in this study, encompassing risk and sub-risk characterization, evaluation by a select group of experts, and the use of multi-criteria decision-making (MCDM) methods for prioritizing risks through the DEMATEL method and sub-risks using the AHP method. Additionally, the methodology includes an analysis of the variability in risk prioritization between 2020 and 2024 and a projection of key risks over a 10-year based on the Global Risk Report 2024. Finally, the study aims to analyze the prioritization results of their integration with the QMS according to ISO 9001:2015. This methodology is developed within a company that provides professional consulting services in various strategic areas.

2.2. Risk and Sub-Risk Characterization

This research begins with a detailed review of the Global Risk Report of the World Economic Forum and the Global Sustainable Development Report of the WBCSD and COSO [1,8], two of the global reports with key information to understand global risks and challenges, the former focusing on risks and their management and the latter on sustainable development and the implementation of effective policies. This review characterizes five risk typologies: geopolitical, economic, social, technological, and environmental. Each category is analyzed to identify a sub-risk characterization by typology based on the Global characterization of sub-risks, the Global Sustainable Development Report of the WBCSD and COSO, and the Global Risk Report 2024 of the WEF [1,8]. This allows for identifying and classifying events that could negatively affect the organization and provides a visualization of the nature, scope, and interrelationships between risks and sub-risks. A conscious characterization of risks allows more informed management decisions to be made, strengthening organizational resilience [19].

2.3. Evaluation of Risks and Sub-Risks by the Panel of Experts

The evaluation of risks and sub-risks facilitates the analysis of the relevance of each typology of risk characterized, with their respective sub-risks, establishing their possible impact on the organization. In this phase, the specialized knowledge of a group of experts becomes a key part of the accurate assessment of risks and sub-risks, where risks’ nature, interactions, and effects on each other, and their long-term consequences are considered. Two peer comparison surveys have been developed using the Google Forms tool to ensure the quality and objectivity of the assessment process of the characterized risks and sub-risks.

In the first survey, which consists of two sections, the risk typologies (environmental, social, geopolitical, economic, and technological) are initially compared. Participants compare these typologies, evaluating which they consider more relevant or impactful based on their likelihood of occurrence, potential impact, and the interactions they might generate with other factors. Additionally, the second part of this survey presents a 10-year risk projection according to the WEF (2024) [8], allowing participants to evaluate them and providing a more strategic perspective. The comparison aims to understand which typologies and risks present a greater global risk to the organization or the evaluated context, prioritizing the focus areas for risk management.

In the second survey, the factors compared are the sub-risks within each typology. Participants compare these sub-risks to determine which have a more significant impact or likelihood within the specific risk typology. Through pairwise comparison, the aim is to establish a hierarchy of sub-risks that enables organizations to focus their efforts more precisely on those with the highest priority. In both surveys, the goal is to ensure a clear and well-founded prioritization of risks, considering both the interrelation between factors (in the case of risk typologies) and the relative importance of each sub-risk within its category. This approach identifies the most critical risks, and the specific factors that require immediate attention within each typology.

After a study of the population, 42 experts, selected for their diverse professional backgrounds in risk management, economics, technology, and related fields, responded to the paired surveys.

Table 1. Surveyed Panel of experts.

Type of Profile	Number of People	Average Years of Experience
Professionals in public accounting with postgraduate degrees in auditing, digital transformation and/or sustainability.	11	20
Professionals in economics with a postgraduate degree in risk management.	7	20
Industrial engineering professionals with a postgraduate degree in risk management, sustainability and/or occupational health and safety.	6	10
Systems engineering professionals with a postgraduate degree in cybersecurity.	5	10
Professionals in psychology with a postgraduate degree in human resources.	7	15
Professionals in environmental sciences with specialization in risk management, sustainability and/or occupational health and safety.	6	10

includes a further breakdown of their professional profiles to illustrate the range of expertise represented in the study. The surveys were applied to the target population between September and October 2024, a relevant period given that risk management is subject to a temporal component that may influence the evolution and perception of risks.

The variety of perspectives provided by these experts gives a comprehensive view of the risks faced by the organization and avoids biases derived from a single disciplinary approach. As a one-to-one comparative approach, potential subjective biases are minimized, as the experts do not assess risks in isolation but about each other, ensuring a more balanced assessment. Organization decision-making is a collective construction involving multiple stages and participation from various stakeholders. Throughout this process, decisions go through different deliberation and evaluation mechanisms, allowing them to be enriched by different perspectives. This collaborative approach strengthens the quality of decisions by promoting commitment and shared responsibility among organizational members [20]. The collective knowledge and combined experience of the selected panel of experts allow for a more accurate and balanced assessment of risks. By involving multiple perspectives, individual biases are minimized, and decisions are guaranteed to be more robust, reflecting a comprehensive view of the situation.

Based on the linguistic comparison scale shown in

Table 2. Linguistic comparison scale for DEMATEL and AHP methods.

Quantitative Intensity	1	3	5	7	9
Detail	Equally important	Slightly more important	Strongly more important	Very strongly more important	Extremely more important

, the surveys allow a matrix of expert value judgments to be obtained on the relative importance of each risk and sub-risk typology.

Once the responses have been collected, the geometric mean method (GMM) aggregated the expert ratings to obtain an average value for each comparison, reflecting the opinions’ central tendency. The geometric mean is suitable for this data type because it preserves the proportionality relationships between the values [21].

The information was organized after collecting the experts’ opinions through the survey using individual comparison matrices that address each combination of factors, where each element $C_{ij}^p$ (i and j) represents the relative importance of criterion i concerning criterion j for expert p. The result is a matrix $\left(C_{ij}^p\right)$ for each set of comparisons provided by the 42 experts consulted. To calculate each element cij, the GMM method was used based on the assessments of the 42 experts, as follows:

$$c_{ij}={\left(\prod _{p=1}^{42}{c}_{ij}^p\right)}^{{\displaystyle \raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$42$}\right.}}$$

(1)

where p represents each of the experts surveyed. With this procedure, we obtained a matrix C = (cij) whose elements are defined by Equation (1). The matrix contains the average value of each criterion compared by the experts.

2.4. Prioritization of Risks and Sub-Risks

DEMATEL prioritizes risk typologies by identifying their importance and interrelation to achieve a rigorous evaluation. On the other hand, AHP is applied to prioritizing sub-risks, breaking down the main risks into more specific components. Through pairwise comparisons, experts assign weights to each sub-risk, assessing their relative importance within each risk typology. MCDMs are analytical tools that help decision-makers deal with complex problems involving multiple criteria and options. These approaches are valuable in practice, allowing decision-makers to better understand the interrelationships between criteria and make more informed choices.

2.5. Information Analysis

Once the prioritization of risks and sub-risks was obtained, the variability between the characterized risks in 2020 and 2024 was analyzed [17]. This analysis allowed significant changes in the risks affecting organizations to be observed. Subsequently, each global risk classified by long-term severity (10 years) according to the Global Risk Report 2024 [8] was assigned an identifier ranging from T1 to T10 respectively. By prioritizing the 10-year projection of these risk typologies, which was obtained through risk perception surveys completed by experts, considering emerging patterns and technological, economic, social, climatic, and geopolitical changes, this projection helped companies to anticipate future challenges and adapt their QMS to new needs. Finally, the prioritized risks and sub-risks were integrated into the QMS, according to the guidelines of ISO 9001:2015 and the 2024 amendment associated with the inclusion of climate change, to ensure that risk management remained aligned with organizational objectives. This facilitated the timely detection of potential adverse impacts, adapting quickly to changes and providing long-term resilience.

2.6. MCDM Methods

2.6.1. Application of the DEMATEL Method for the Prioritization of Risk Typologies

According to Tzeng & Huang (2011) [22], the DEMATEL method was designed to analyze and solve complex and interconnected problems. It facilitates the identification of solutions through a hierarchical structure, adapting the specific characteristics of the problem or situation to visualize the interdependence of variables. In addition, brief and precise insights into the situation’s complexity are obtained by processing individual subjective perceptions [23].

The steps for the application of the DEMATEL method are described below.

Step 1: Consolidation of expert group opinion and use of geometric mean.

Each matrix below consolidates the experts’ evaluations, calculated using geometric mean to highlight the assessment’s consensus. These average matrices reflect the expert group’s collective perception of the interrelationships and intensities of influence between the different risks that serve as input for the following stages of the DEMATEL analysis (

Table 3. Average typology matrix.

	Geopolitical	Economic	Social	Technological	Environmental
Geopolitical	0.000	2.486	2.222	1.658	1.739
Economic	0.402	0.000	2.558	2.387	2.096
Social	0.450	0.391	0.000	2.325	2.827
Technological	0.603	0.419	0.430	0.000	2.351
Environmental	0.575	0.477	0.354	0.425	0.000

and

Table 4. Average matrix of risks classified by severity in the long term.

	T1	T2	T3	T4	T5	T6	T7	T8	T9	T10
T1	0.000	2.228	1.914	1.729	2.216	2.848	1.834	1.813	1.753	1.788
T2	0.449	0.000	1.315	1.073	1.427	1.657	1.271	1.387	1.092	1.282
T3	0.523	0.761	0.000	1.311	1.793	1.897	1.566	1.924	1.584	1.597
T4	0.579	0.932	0.763	0.000	2.444	2.215	1.967	1.689	2.390	2.343
T5	0.451	0.701	0.558	0.409	0.000	1.593	1.407	1.496	1.601	1.136
T6	0.351	0.604	0.527	0.451	0.628	0.000	1.300	1.142	1.282	1.198
T7	0.545	0.787	0.639	0.508	0.711	0.769	0.000	1.344	1.865	1.318
T8	0.552	0.721	0.520	0.592	0.668	0.876	0.744	0.000	1.601	1.829
T9	0.570	0.916	0.631	0.418	0.625	0.780	0.536	0.625	0.000	1.029
T10	0.559	0.780	0.626	0.427	0.881	0.835	0.758	0.547	0.972	0.000

).

Step 2: Normalization of matrix C.

The matrix C′ is obtained by normalizing the average matrix C to remove the scale effect and convert the direct influences into a comparable measure across all factors. Normalization is performed to ensure that the values are not dependent on scale or data size. To calculate the normalized matrix C′, Equation (2) is considered:

$${C^{\prime }}_{ij}={\displaystyle \frac{C_{ij}}{M}}, \forall i,j$$

(2)

where M represents the sum of each column of the matrix C_ij. Thus, the new matrix C′ elements will be in the range of [0, 1].

Step 3: Calculate the total influence matrix T.

This step captures the direct and indirect influence between the factors. For this purpose, the matrix T is calculated using the power series of the normalized matrix C′ given by (3):

$$T=C^{\prime }+C^{\prime 2}+C^{\prime 3}+\cdots +{C^{\prime }}^K+\cdots =\sum _{n=1}^{\infty }{C}^{\prime n}$$

(3)

Since the matrix C′ is a normalized, the series described in (3) converges and can be computed in closed form as:

$$T={C^{\prime }\left(I-C^{\prime }\right)}^{-1}$$

(4)

Therefore, the matrix T is calculated through Equation (4).

Step 4: Obtaining the Impact Matrix (or Influence Matrix).

In this step, the direct (D) and indirect (R) influence matrices are obtained and analyzed in the context of the DEMATEL analysis. These matrices reflect the interrelationships between risks and are fundamental to interpreting the influence dynamics in the evaluated system (see

Table 5. Direct influence matrix risk typologies.

	Geopolitical	Economic	Social	Technological	Environmental	D	D + R	D − R
Geopolitical	0.223	0.412	0.465	0.483	0.604	2.187	2.901	1.474
Economic	0.145	0.223	0.429	0.488	0.574	1.859	2.573	0.869
Social	0.129	0.136	0.222	0.401	0.544	1.431	2.791	0.071
Technological	0.120	0.117	0.137	0.219	0.411	1.005	2.726	−0.715
Environmental	0.096	0.102	0.107	0.130	0.221	0.656	3.010	−1.698
R	0.714	0.990	1.360	1.720	2.354

and

Table 6. Direct influence matrix risks classified by severity in the long term.

	T1	T2	T3	T4	T5	T6	T7	T8	T9	T10	D	D + R	D − R
T1	0.114	0.217	0.190	0.172	0.245	0.302	0.232	0.237	0.262	0.255	2.226	2.875	1.576
T2	0.061	0.114	0.123	0.106	0.153	0.180	0.150	0.160	0.162	0.167	1.375	2.448	0.303
T3	0.071	0.110	0.113	0.124	0.182	0.204	0.176	0.199	0.204	0.198	1.582	2.534	0.630
T4	0.080	0.129	0.109	0.114	0.226	0.233	0.208	0.199	0.261	0.250	1.808	2.678	0.938
T5	0.055	0.088	0.074	0.061	0.113	0.157	0.139	0.148	0.170	0.141	1.145	2.512	−0.221
T6	0.045	0.074	0.064	0.056	0.084	0.113	0.122	0.117	0.138	0.130	0.943	2.552	−0.666
T7	0.059	0.090	0.076	0.064	0.096	0.110	0.113	0.135	0.177	0.145	1.064	2.470	−0.341
T8	0.058	0.085	0.068	0.067	0.092	0.113	0.098	0.113	0.159	0.168	1.020	2.494	−0.455
T9	0.053	0.086	0.067	0.053	0.080	0.097	0.077	0.084	0.114	0.113	0.825	2.586	−0.936
T10	0.053	0.080	0.068	0.053	0.095	0.102	0.091	0.082	0.115	0.113	0.851	2.532	−0.829
R	0.649	1.072	0.952	0.870	1.367	1.609	1.405	1.475	1.761	1.680

, respectively).

• Direct Influence (D): The influence of each factor on the other factors. It is obtained by summing the rows of the T matrix.

  $$D_i=\sum _{j=1}^n{T}_{ij,}\forall i$$

  (5)

• Indirect Influence (R): The influence that each factor receives from the others. It is obtained by adding the columns of the T matrix:

  $$R_j=\sum _{i=1}^n{T}_{ij,}\forall j$$

  (6)

These two measures are key to identifying the most influential factors in the system and to understanding their influence structure.

2.6.2. Application of the AHP Method for Sub-Risk Prioritization

In the AHP method, proposed by Thomas Saaty in 1980 [24], any decision problem is considered a structure. In the context of this study, AHP is used to prioritize sub-risks within each identified risk typology. This process is carried out exclusively for the sub-risks characterized in this research, based on the perceptions and evaluations of a multidisciplinary panel of experts and following the framework of the Global Sustainable Development Report by the WBCSD and COSO as well as the Global Risk Report 2024 by the WEF [1,8].

The steps for the application of the AHP method are described below:

Step 1: Apply the geometric mean to obtain the consolidated average matrix:

This step consolidates the experts’ evaluations, calculated using the geometric mean to highlight the evaluation consensus (see Equation (1)).

Step 2: Normalize the average matrix.

In this step, we use Equation (2) described previously in DEMATEL in “Step 2: Normalization of matrix C”.

Step 3: Calculate weights (prioritization).

Once the matrix has been normalized, the next step is calculating the weights for each risk (or alternative). To do this, the averages of each row of the normalized matrix are calculated. The result of this operation is the vector of relative weights, which indicates the importance of each risk concerning the others:

$$w_i={\displaystyle \frac{1}{m}}\sum _{j=1}^m\left({C^{\prime }}_{ij}\right)$$

(7)

where:

• $w_i$ is the weight or priority of risk i,
• c_ij is a value in the pairwise comparison matrix that reflects the relative importance of risk i compared to risk j.
• m is the total number of risks.

Step 4: Consistency evaluation.

The consistency of the comparison matrix is crucial to ensure that comparisons between risks are logical. The consistency index (C.I.) and the random consistency index (C.R.) are used to check consistency.

• Consistency index (C.I.): According to Saaty (1980) [24], this index should not be greater than 0.1 to obtain a reliable result. When n is the number of items being compared:

  $$C.I.={\displaystyle \frac{\left({\lambda }_{max}-n\right)}{\left(n-1\right)}}$$

  (8)

• Consistency ratio (C.R.): In order to obtain a reliable result, the ratio must be below 0.1. In Equation (9), R.I. is the random consistency index (

  Table 7. R.I. index for matrices of different sizes.

  Number of Elements	3	4	5	6	7	8	9	10
  $\mathit{R}.\mathit{I}.$	0.58	0.9	1.12	1.24	1.32	1.41	1.45	1.49

  ), which originated as a result of a sample of random reciprocal matrices:

  $$C.R.={\displaystyle \frac{C.I.}{R.I.}}$$

  (9)

The average matrices obtained for each risk typology are presented below (

Table 8. Average geopolitical matrix.

	1.1	1.2	1.3	1.4	1.5	1.6	1.7	1.8	1.9	1.10
1.1	1	1.799	1.563	2.024	1.496	1.590	1.708	1.717	1.749	1.771
1.2	0.556	1	1.855	1.713	1.632	1.709	1.574	1.542	1.717	1.515
1.3	0.640	0.539	1	2.163	1.447	1.339	1.535	1.500	1.169	1.519
1.4	0.494	0.584	0.462	1	1.535	1.458	1.644	1.285	1.485	1.623
1.5	0.669	0.613	0.691	0.652	1	1.874	1.836	1.399	1.558	1.409
1.6	0.629	0.585	0.747	0.686	0.534	1	1.855	1.704	1.808	1.265
1.7	0.585	0.635	0.652	0.608	0.545	0.539	1	1.836	2.237	1.279
1.8	0.582	0.648	0.667	0.778	0.715	0.587	0.545	1	2.780	1.687
1.9	0.572	0.582	0.855	0.674	0.642	0.553	0.447	0.360	1	1.181
1.10	0.565	0.660	0.658	0.616	0.710	0.790	0.782	0.593	0.847	1

,

Table 9. Average economic matrix.

	2.1	2.2	2.3	2.4	2.5	2.6	2.7
2.1	1	1.572	1.496	1.496	1.095	1.390	1.331
2.2	0.636	1	1.961	1.782	1.623	1.818	1.888
2.3	0.668	0.510	1	1.726	1.273	1.731	1.157
2.4	0.668	0.561	0.579	1	1.101	1.339	1.195
2.5	0.914	0.616	0.785	0.908	1	2.310	1.823
2.6	0.719	0.550	0.578	0.747	0.433	1	1.647
2.7	0.751	0.530	0.865	0.837	0.548	0.607	1

,

Table 10. Social average matrix.

	3.1	3.2	3.3	3.4	3.5	3.6	3.7	3.8
3.1	1	1.871	1.962	2.018	1.531	2.018	2.186	2.738
3.2	0.535	1	1.665	1.748	1.611	2.248	1.753	2.228
3.3	0.510	0.600	1	2.466	1.859	2.622	2.317	2.363
3.4	0.496	0.572	0.406	1	1.345	2.006	1.274	1.606
3.5	0.653	0.621	0.538	0.744	1	2.253	1.957	2.042
3.6	0.496	0.445	0.381	0.498	0.444	1	0.707	0.951
3.7	0.458	0.570	0.432	0.785	0.511	1.415	1	2.601
3.8	0.365	0.449	0.423	0.623	0.490	1.052	0.384	1

,

Table 11. Average technological matrix.

	4.1	4.2	4.3	4.4	4.5
4.1	1	1.590	1.209	2.056	1.491
4.2	0.629	1	1.164	1.771	1.599
4.3	0.827	0.859	1	3.414	1.751
4.4	0.486	0.565	0.293	1	1.245
4.5	0.671	0.625	0.571	0.803	1

and

Table 12. Average environmental matrix.

	5.1	5.2	5.3	5.4	5.5	5.6	5.7
5.1	1	1.321	1.527	1.591	1.802	1.406	1.635
5.2	0.757	1	1.984	2.033	2.550	2.343	3.069
5.3	0.655	0.504	1	1.935	1.894	1.873	2.293
5.4	0.629	0.492	0.517	1	2.224	1.909	2.494
5.5	0.555	0.392	0.528	0.450	1	1.414	2.207
5.6	0.711	0.427	0.534	0.524	0.707	1	3.044
5.7	0.612	0.326	0.436	0.401	0.453	0.329	1

). These matrices were constructed from the experts’ assessments and consolidated using the geometric mean. As can be seen in

Table 13. Sub-risk prioritization vectors.

1. Geopolitical		2. Economic		3. Social		4. Technological		5. Environmental
1.1	0.1533	2.1	0.1844	3.1	0.2138	4.1	0.2686	5.1	0.1922
1.2	0.1348	2.2	0.1982	3.2	0.1687	4.2	0.2179	5.2	0.2307
1.3	0.1158	2.3	0.1467	3.3	0.1695	4.3	0.2569	5.3	0.1659
1.4	0.1008	2.4	0.1190	3.4	0.1076	4.4	0.1208	5.4	0.1424
1.5	0.1029	2.5	0.1498	3.5	0.1199	4.5	0.1358	5.5	0.1006
1.6	0.0937	2.6	0.1032	3.6	0.0657			5.6	0.1047
1.7	0.0847	2.7	0.0987	3.7	0.0920			5.7	0.0635
1.8	0.0842			3.8	0.0627
1.9	0.0633
1.10	0.0667
CI	0.0336	CI	0.0285	CI	0.0272	CI	0.0278	CI	0.0421

, the C.I. values are below 0.1, making the results obtained reliable.

3. Results

3.1. Results of the DEMATEL

Finally,

Table 14. Prioritization vector for risk typologies.

Geopolitical	Economic	Social	Technological	Environmental
0.306	0.260	0.200	0.141	0.092

shows the prioritization of the risk typologies characterized, and

Table 15. Prioritization vector for long-term severity-ranked risks.

T1	T2	T3	T4	T5	T6	T7	T8	T9	T10
0.1733	0.1071	0.1232	0.1408	0.0892	0.0734	0.0829	0.0794	0.0642	0.0663

shows the prioritization of the risks ranked by severity in the long term (10 years). These vectors reflect each factor’s influence level in the analyzed system. Those with greater weight are the most significant, meaning they should be addressed first.

In this step, an impact map is constructed using a graph in four quadrants to visualize the interrelationships between the factors analyzed. The objective is to rank the factors according to two key criteria: influence and relevance.

• Influence (D − R): refers to the strength of factor’s influence on others: the higher the value, the more influential the risk is on others.
• Relevance (D + R): refers to the importance of a factor relative to the other criteria: the higher the value, the more relevant the risk is in terms of its overall contribution to decision-making or the system under analysis.

Figure 2 and Figure 3 depict how risks interact regarding their mutual impact and their strategic importance. This representation helps identify the critical factors that require priority attention, allowing decision-makers to focus resources and efforts on the areas that impact the organization. In the four-quadrant chart of the DEMATEL analysis, the risks located in the upper right corner (with high D + R and D − R values) are the most influential and drive role risks. This means that they exert a strong influence on other risks and, simultaneously, are less dependent on external influences. These risks are key in the management system and should be managed as a priority as they have the potential to affect the rest of the risk system significantly.

Figure 2 shows that the risk typology with the greatest influence and relevance is geopolitical, followed by economic and social.

Considering experts’ quantitative opinions and applying the DEMATEL method to globally classified risks by long-term severity [8], Figure 3 shows that the most relevant and influential 10-year projected risk is extreme weather events, followed by scarcity of natural resources, loss of biodiversity, and ecosystem collapse.

3.2. Results of the AHP

Table 13 presents the prioritization vectors derived from the AHP analysis for each risk typology. The sub-risks are prioritized based on the weights obtained. Those with the highest weight are the most important, meaning they should be addressed first. These vectors reflect the relative importance of each sub-risk within its respective category, as determined by the consolidated opinions of the expert group. The values of each vector indicate the priority assigned to each sub-risk based on its perceived impact, providing a clear view of which risks should be managed with greater attention within each typology. These results are fundamental for developing mitigation strategies and resource allocation, with the sub-risks of highest priority being the most critical within each risk typology.

4. Discussion

The analysis of risk typology prioritization using the DEMATEL method, comparing 2020 data from the study by Yazo-Cabuya, Herrera-Cuartas, & Ibeas (2024) [17] with the findings of this investigation for 2024 (see Appendix A,

Table A1. Numerical result of risk prioritization 2020 [17] vs. 2024.

Typology	Result 2020 [17]	Result 2024
Geopolitical	0.2108	0.306
Economic	0.2196	0.26
Social	0.1968	0.2
Technological	0.1957	0.141
Environmental	0.1771	0.092

), reveals significant changes in risk perceptions within organizations. The key variations observed in the risk typologies are detailed below:

• In 2020, economic risks topped the list, followed by geopolitical risks, reflecting a predominant concern for financial instability and global economic challenges. However, by 2024, geopolitical risks have taken the top position, relegating economic risks to second place. This change highlights a more volatile global environment marked by international conflicts and political tensions.
• Although social, technological, and environmental typologies maintain their relative positions, the evolution in prioritization underscores the need to adjust risk management strategies to address emerging challenges, particularly in an increasingly complex and dynamic context.

In a global scenario where climate change is intensifying its impact on business operations, organizations must react to risks and project them over the long term. Integrating climate change and risk management, including risks of environmental origin, in QMS according to ISO 9001:2015 and its 2024 amendment represents a challenge for organizations [2,6]. ISO 9001:2015 introduced the concept of risk-based thinking, representing a significant change in how organizations approach quality management [25]. This approach has allowed a transition from a reactive to a proactive model, in which risks are identified and managed in a preventive manner [26]. By Chapter 6 of this standard, planning to address risks and opportunities ensures that the objectives of the QMS are effectively achieved. Organizations should identify risks that may affect quality and opportunities to improve their performance and take measures to address them in a manner that is proportionate to their impact. In addition, the growing concern about climate change has led organizations to re-evaluate their management strategies, considering both traditional and emerging risks that could compromise their long-term viability [27]. In this sense, the projection of risks classified by severity in the long term, in this case for 10 years, that was carried out in this study allows us to identify, through the collective experience of interdisciplinary experts, those factors that could negatively impact the achievement of organizational objectives shortly.

Risk management must be supported by robust processes that enable its review and assurance through internal audit and management review, as set out in Chapters 9.2 and 9.3 of ISO 9001:2015. According to Chapter 9.2, the internal audit evaluates the effectiveness of the QMS, identifying gaps, possible deviations, and areas for improvement in risk management. It is essential to remember that organizational risks must be analyzed within the PDCA cycle, starting from an approach based on continuous improvement. This includes developing policies, identifying key processes, establishing objectives, and employee training. According to Chapter 9.3 of ISO 9001:2015, the management review process ensures that risk management aligns with the organization’s strategic goals and stakeholder needs. This periodic review makes it possible to assess the measures’ effectiveness, detect new risks and opportunities, and make real-time adjustments to mitigation strategies. Thus, top management can make informed decisions that ensure the continuous adaptation of the QMS to the changing environment [25,28]. In this context, Chapter 10 of ISO 9001:2015, focused on continual improvement, indicates the importance of continuously evaluating the measures taken. Implementing continuous monitoring and evaluation controls ensures the effectiveness of risk mitigation strategies. This allows organizations to adapt quickly to changing conditions and ensures that their actions align with strategic objectives. Furthermore, by incorporating advanced technological tools in monitoring and control, organizations ensure effective risk monitoring, contributing to more accurate and flexible management of evolving risks.

Considering the results obtained in this study, the geopolitical risk typology stands out as the highest priority, followed by economic, social, technological, and, finally, environmental risks. In addition, the following sub-risk prioritizations were obtained:

• The geopolitical sub-risks with the highest priority were (1.1) Intrastate violence (civil strikes, riots, coups), (1.2) Interstate armed conflict (hot wars, proxy wars), and (1.3) Biological or chemical hazards.
• The highest priority sub-risks in the economic domain were (2.2) Illicit economic activity, (2.1) Disruption to a systemically important supply chain, and (2.5) Economic downturn (recession, stagnation).
• The sub-risks with the highest priority in the social domain were (3.1) Inequality or lack of economic opportunity, (3.3) Unemployment, and (3.2) Involuntary migration.
• The sub-risks with the highest priority in the technology domain were (4.1) Misinformation and disinformation, (4.3) Cyber insecurity, and (4.2) Adverse outcomes of AI technologies.
• The sub-risks with the highest priority in the environmental domain were (5.2) Natural resource shortages (food, water), (5.1) Extreme weather events, and (5.3) Non-weather-related natural disasters.

Integrating sustainability into the QMS meets regulatory requirements and offers opportunities for innovation and continuous improvement [6]. In this sense, risk management, especially risks derived from climate change and other emerging factors, becomes a component of special interest in strengthening organizational resilience. By adopting a proactive approach to risk management, using advanced methodologies such as DEMATEL and AHP, organizations can anticipate potential threats, improve their resilience, take advantage of opportunities, and ensure competitive performance. The formal inclusion of climate change-related risks and the integration of sustainability into ISO 9001:2015 provide a strategic approach to maintaining adaptive capacity and continuously improving organizational processes in the face of new challenges [29,30].

Methodologies such as the one proposed in ISO 31000:2018, which establishes a general framework for risk management, can be used to support this process, help address inconsistencies between different approaches, and provide a basis for implementing risk-based thinking within organizations. The importance of promoting an organizational culture that supports informed, long-term decision-making can be emphasized. While implementing a risk-based approach in integrated management systems is crucial, few studies still focus on the specific practices for managing these risks in the integration process, as highlighted by the research from [28]. Despite this, the DEMATEL and AHP methods have proven to be concrete tools that enhance the quality of analysis and decision-making.

Developing capabilities through continuous sustainability and risk management training helps empower personnel and foster a proactive organizational culture. This, along with the implementation of structured methodologies such as AHP and DEMATEL, enables more precise risk assessment, facilitating prioritization and the design of appropriate responses.

From a managerial perspective, risk management supports identifying and mitigating potential threats and offers opportunities to improve organizational processes continuously [31]. However, an aspect identified in studies such as Smallman & Smith 2003 [32] mentions that leadership tends to focus on a limited range of organizational risks, prioritizing those directly related to competitiveness and internal processes. This affects their ability to anticipate and address a broader risk typology and create adequate contingency plans, harming the organization.

Given the above, leadership must ensure that risks are appropriately integrated with QMS using a risk-based conceptual model proposed by Samani et al. 2019 [27]. Through an approach based on constant monitoring and controls, an organizational culture is fostered that values both the prevention of problems and the identification of new opportunities. This integrated approach conforms to PDCA and process approach methodologies, meeting the requirements of ISO 31000:2018 and ISO 9001:2015. In addition, risk should not be seen only as something negative; risk can bring positive consequences, providing opportunities to evaluate and validate new strategies that can optimize the way organizational activities are developed and identify those factors that drive value and customer satisfaction, strengthening the reputation of the organization in the process.

For customer satisfaction, it is essential for organizations to adequately manage their operational risks, as this prevents inconveniences that affect the user experience. By identifying, analyzing, and implementing risk control measures, companies can minimize situations that generate dissatisfaction and reduce complaints [27]. Finally, concerning regulatory compliance, proper risk management ensures that organizations follow established regulations and standards, which, in turn, strengthens their reputation and reduces the possibility of legal sanctions. This approach protects the organization from a legal standpoint and gives it a competitive advantage in the marketplace by demonstrating its commitment to best practices and business ethics.

5. Conclusions

The results of this study reveal a clear prioritization of the most significant risks within the framework of QMS. Through multi-criteria decision-making methods, such as AHP and DEMATEL, risks and sub-risks with the most critical impact have been prioritized. Additionally, those considered most relevant for the coming years have been identified based on the opinions of the consulted experts. This contributes to strengthening informed decision-making in QMS. This research has classified geopolitical risks as the most critical, followed by economic, social, technological, and environmental risks. Geopolitical and economic risk typologies have gained relevance, while technological and environmental risk typologies have a lower priority.

A higher valuation is identified for the social risk typology, reflecting the need for organizations to adapt to labor and social changes. These results provide an indicator for reviewing, updating, and/or strengthening the organization’s risk management strategies. Regarding the prioritization of sub-risks, the following can be concluded (see Appendix A,

Table A2. Risk prioritization results [1,8,17].

Typology	ID 2020	Risks 2020	ID 2024	Risks 2024	ID 2034	Risks 2034
Geopolitical	1.1	Lack of ethics in the conduct of business	1.1	Intrastate violence (civil strikes, riots, coups)
	1.5	Corruption and instability	1.2	Interstate armed conflict (hot war, proxy wars)
	1.4	Non-compliance with regulations	1.3	Biological, chemical risk
Economic	2.6	Deficit in economic growth	2.2	Illicit economic activity
	2.7	Low growth in industry, innovation and infrastructure	2.1	Disruptions to a systemically important supply chain
	2.5	Water Scarcity and Sanitation	2.5	Economic downturn (recession, stagnation)
Social	3.6	Chemical safety	3.1	Inequality or lack of economic opportunity
	3.7	Demographic and health risks	3.3	Unemployment
	3.8	Lack of well-being and health	3.2	Involuntary migration
Technological	4.5	Massive data fraud or theft incident	4.1	Misinformation and disinformation
	4.4	Large-scale cyber-attacks	4.3	Cyber insecurity
	4.1	Information security risks and technological changes	4.2	Adverse outcomes of AI technologies
Environmental	5.4	Water depletion	5.2	Natural resource shortages (food, water)	T1	Extreme weather events
	5.7	Toxic emissions and waste	5.1	Extreme weather events	T4	Natural resource shortages
	5.1	Carbon Emissions	5.3	Non-weather-related natural disasters	T3	Biodiversity loss and ecosystem collapse

):

• Geopolitical Risks: In the typology of geopolitical risks, the prioritization of risks associated with ethical conduct and corruption in business (results in 2020) has changed to a greater emphasis on prioritization by relevance in intra-state violence and interstate armed conflicts (results in 2024).
• Economic Risks: In 2020, the most significant risks were related to economic growth deficits and financial stability. However, the focus of the current study’s results (2024) has shifted to supply chain disruptions and illicit economic activities, reflecting a more significant prioritization of global economic vulnerabilities.
• Social Risks: The prioritization of social risks has evolved, with a greater emphasis now placed on economic inequality and involuntary migration, as opposed to the chemical security risks and demographic issues observed in 2020 results.
• Technological Risks: In 2024, technological risks shifted focus toward disinformation and cybersecurity, with increasing concern over the negative impacts of artificial intelligence (AI), as opposed to the large-scale cyberattacks identified as priority sub-risks in 2020.
• Environmental Risks: These have expanded from the importance of natural resource management risks to broader issues in 2024 and 2034, such as ecosystem collapse and biodiversity loss, with a stronger focus on climate change.

It is also important to note that prioritizing sub-risks has shifted from immediate concerns to a broader, global perspective. Geopolitical and economic risks have gained greater relevance. In contrast, technological and environmental risks have become more complex and of global scope, addressing issues such as misinformation, artificial intelligence, and the impacts of climate change. Therefore, organizations must adapt to these changes with a more strategic approach toward long-term risks to effectively address future challenges.

Below are the most relevant sub-risks for 2034, highlighting those with the most significant impact and probability of occurrence:

• Environmental risks are the most critical for 2034. Extreme weather events (such as droughts, floods, and storms) are emerging as the risk with the most significant influence and relevance. They are highly likely to occur and substantially impact business operations and global infrastructure. These weather events could cause supply chain disruptions, damage to infrastructure, and effects on agricultural production, among other things.
• Biodiversity loss and ecosystem collapse are other significant risks for their long-term impact on ecosystem services and global environmental stability. The loss of biodiversity can devastate the availability of natural resources, food security, and human health.
• The exhaustion and scarcity of natural resources (such as essential minerals, water, and food) are also perceived as significant risks. This could lead to conflicts over obtaining these resources and impact operations and social and political stability in various regions.

The implications of these findings are significant both theoretically and practically, highlighting the importance of integrating a proactive approach to risk management aligned with the ISO 9001:2015 standards and its 2024 amendment related to climate change. This approach enables an agile response to global changes, strengthening the organization’s ability to adapt and remain competitive long-term, ensuring its sustainability. Applying methods such as DEMATEL and AHP for risk prioritization establishes a robust framework that facilitates the development of specific mitigation strategies designed to address each organization’s particular needs. Additionally, these methods can be implemented in various markets and companies, from big corporations to small and medium-sized enterprises, as they allow complex decision-making to be structured based on the quantitative prioritization of risks with interdependent factors. Some examples include the health and medical sector for risk evaluation in hospital management or medical treatments; the education sector for the evaluation and decision-making of educational programs; the transportation sector for route optimization; financial sector companies to manage investment and credit risks; the industrial sector to prioritize risks in the supply chain and production; and the service sector to anticipate and mitigate operational risks, thus improving customer service quality, among others.

Among the limitations of this study is that its results are not necessarily directly applicable to all organizations due to variations in their specific contexts, such as size, industry, and organizational culture. The identified and assessed risks must be adapted to the characteristics of each organization. Another limitation concerns the long-term risk projections (10 years) classified by severity as they are based on current trends and expert perceptions to date; however, these predictions may be variable due to unpredictable external factors, such as climate change, economic fluctuations, or regulatory changes.

Future research should explore how implementing mitigation strategies influences organizational performance and continuous adaptation to new risks, considering changes in applicable regulations. Similarly, developing and implementing mitigation plans tailored explicitly to prioritized risks would be valuable. This would involve a deeper analysis of how organizations can address key risks from an operational and practical perspective and assess the effectiveness of different risk management strategies within QMS. In addition, integrating controls within risk management strategies ensures constant monitoring of risks and implementation of actions when deviations are identified. These controls should be designed to provide continuous information on the status of risks and the performance of mitigation measures. The integration of these mechanisms allows for early detection of any changes in the organization’s risk profile and adjustment of strategies based on new conditions.

This study contributes to understanding risks within QMS, highlighting the importance of adopting a dynamic and results-based approach to decision-making. The purpose is to manage current risks and anticipate future ones so that organizations can adequately prepare for a challenging global environment. This strengthens organizational resilience and facilitates continuous adaptation to external transformations, ensuring that organizations remain competitive and sustainable long-term.