Thanks for this Andy. Yes indeed, I think preventive action is more often than not risk management by another (obfuscatory) name. What ISO 27001 has, which ISO 9001 lacks, is detailed requirements for identifying risks and their impacts upon the organization, and mitigation measures.
BS 31000 is helpful but generic, and like several ISO standards, is impossible to learn from - you have to understand risk management to understand BS 31000. I heard at a conference a few months ago that the next version will try to provide risk management methods common to quality, information security, health and safety, environment and so forth. I think that's probably a mistake because it will have to be so generic as to be unhelpful. For example, ISO 27001 requires the organization to consider threats (the things that can cause loss) and the vulnerabilities in information security mitigation measures they might exploit. The concept isn't helpful in engineering quality, where we identify failure modes - the concept of a threat (a thief) and a vulnerability (an open door) has no analogous concept in engineering where a failure mode is, for example, running an engine with bad or too little oil.
For risk management in information security, ISO 27005 is okay, but the SEI's Octave Allegro method is IMHO better. The UK's GCHQ/CESG offers good guidance too, some of it public on their website.
http://www.sei.cmu.edu/solutions/risk/octave-allegro.cfm
http://www.cesg.gov.uk/
I don't know of anything as helpful in quality management and imagine that the medical device industry and aviation are furthest ahead, along with defence subcontractors. If anyone knows of some useful quality risk management models that fill ISO 9001's current gap, I'd be interested to know of them.
Hope this helps,
Pat