ISO 9001 Risks and Opportunities: DO's & DON'Ts

An ongoing series of Posts: Practical advice on ISO 9001:2015 Clause 6.1.

Planning has always been a familiar element of ISO 9001, but now there is an increased focus on ensuring that it is considered with Clause 4.1 ‘context of the organization’ and Clause 4.2 ‘interested parties’.

Key Elements of ISO 9001 Clause 6.1

Applying Risk-Based Thinking

One of the key purposes of implementing a Quality Management System is to act as a preventive tool, that is, to prevent adverse events. As a result, the formal requirement for preventive action, with perhaps a narrow focus, has been removed. It is replaced by risk-based thinking, a concept intended to be applied to every aspect of a quality management system.

This approach then applies throughout the QMS and requires that each organization identifies, plans for and takes action on those risks and opportunities which are relevant to achieving the intended outcomes of the management system. There is, however, no requirement for implementing a formal risk management process.

Note: The majority of organizations have chosen to adopt a formal documented risk management approach albeit, typically, of a basic kind.

The organization will then need to plan actions to address both risks and opportunities, decide how to integrate and implement those actions into its management system processes, and evaluate their effectiveness. Actions must be monitored, managed and communicated across the organization.

Establishing Quality Objectives

Another key element of ISO 9001 Risks and Opportunities as outlined in Clause 6.1 is the need to establish measurable quality objectives. This retains some of the requirements contained in Clause 5.4 of the 2008 version but is more specific.

The main objectives of ISO 9001

  • to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services
  • to enhance customer satisfaction


What is “risk-based thinking”?

  • risk-based thinking is something we all do automatically and often sub-consciously to get the best result
  • the concept of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system
  • risk-based thinking ensures risk is considered from the beginning and throughout the process approach
  • risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk, including exceeding expectations and going beyond stated objectives.


Where is risk addressed in ISO 9001:2015?

The concept of “risk” in the context of ISO 9001 relates to the uncertainty of achieving the organization’s objectives.

Risk is addressed in many of the Clauses as well as the Introduction, namely:

  • in the Introduction, the concept of risk-based thinking is explained
  • in Part 4, the Process Approach, the organization is required to determine the risks which can affect its ability to meet its objectives
  • in Part 5, Leadership, top management is required to commit to ensuring Part 4 is followed
  • in Part 6, Planning, the organization is required to take action to identify risks and opportunities
  • in Part 7, Support, the organization is required to determine and provide necessary resources, reducing the risk of producing/delivering defective product or service to an acceptably low level
  • in Part 9, Evaluation, the organization is required to monitor, measure, analyze and evaluate the risks and opportunities
  • in Part 10, Improvement, the organization is required to improve by responding to changes in risk


What are the possible benefits of risk-based thinking?

  • a focus on the more important (“high-risk”) processes and their outputs
  • improved understanding, definition and integration of interdependent processes
  • systematic management of planning, implementation, checks and improvement of processes and the management system as a whole
  • better use of resources and increased accountability
  • more consistent achievement of policies and objectives, intended results and overall performance
  • the process approach can facilitate the implementation of any management system
  • enhanced customer satisfaction by meeting customer requirements
  • enhanced confidence in the organization



How to Address Risks and Opportunities in ISO 9001

In your ISO 9001 implementation project, there are things you should consider carefully regarding risk and opportunity. For example:

  • Understand the nature of the risk. Use established risk mitigation approaches as the basis of the coming course of action.
  • Base your actions on the potential impact on the conformity of products and services or on customer satisfaction. Make sure to incorporate it into both the quality management system and its processes, as is appropriate. For example, if the organization has a single-source provider of a critical raw material, then it should consider investing in developing a new source.
  • Take note of the various situations where risks and opportunities should be considered. For example, strategy meetings, management reviews, internal audits, different kinds of meetings on quality, meetings to set quality objectives, the planning stages for the design and development of new products and services, and the planning stages for production processes.
  • In terms of opportunity, make use of risk-based thinking to help your organization develop a proactive and preventive culture. Focus on doing things better and improving how work is done in general.
  • Decide which risk management methods or tools to use. Remember that these may well vary from one process to another.
  • Adopt a risk-based approach. Consider applying it to the processes required for your organization's quality management system.
  • Make use of common risk management tools and methods such as:
    • Hazard Analysis and Critical Control Points (HACCP);
    • Failure Mode, Effects and Criticality Analysis (FMECA);
    • Failure Mode and Effects Analysis (FMEA);
    • PESTLE, which is a concept in marketing principles, for analysis of the business environment under the headings P for Political, E for Economic, S for Social, T for Technological, L for Legal and E for Environmental; and
    • SWOT, strengths, weaknesses, opportunities and threats analysis.
  • Use simpler risk management approaches and techniques where appropriate. Brainstorming, the structured what-if technique (SWIFT), and consequence/probability matrices are all acceptable.
  • In determining its risks and opportunities, the organization should focus on the purposes set out in ISO 9001:2015, 6.1.1, bullets a) to d):
    • giving confidence that the quality management system can achieve its intended result(s);
    • enhancing desirable effects, and the creation of new possibilities (by improving the efficiency of its activities, developing or applying new technologies, etc.);
    • preventing or reducing undesired effects (through risk reduction or preventive actions);
    • achieving improvement to ensure product and service conformity and enhancing customer satisfaction.
  • Select from a wide range of established options for addressing each risk, including:
    • avoiding the risk, by no longer performing the process where the risk can be encountered;
    • eliminating the risk, for example, by using documented procedures to assist persons in the organization with less experience;
    • sharing the risk, for example, by working with the customer to facilitate the advance purchase of raw materials when production levels are unknown;
    • taking no action, where the organization accepts the risk itself, based on its potential effect or the cost of the needed action;
    • taking the risk to pursue an opportunity, such as investing in new capital equipment to launch a product line where the return on investment is unknown.




ISO 9001 Certification will only be achieved if you:

  • Do not treat the topic as of minor importance. A risk-based approach should suffuse your QMS with, for example, evidence of decisions being based on consideration of risk to product and service quality and to customer satisfaction.
  • Don’t depend on interview evidence alone to demonstrate compliance. While the Standard does not require formal risk management to be included and/or formal records to be maintained, your Auditors will be seeking objective evidence of compliance. And what better evidence than records?
  • Don’t downplay the importance of Opportunity. In the Standard, Opportunity replaces Preventive Action, and Auditors will be seeking evidence of actions to prevent process and system failures as well as actions to improve processes (which overlaps with the Improvement requirements in Clauses 10.1 and 10.3).

References:

  • EN ISO 9000:2015 Quality management systems – Fundamentals and vocabulary
  • ISO 9001:2015 Quality Management System Implementation Handbook (deGRANDSON Global, 2016)


Note: This post was first published in Oct 2017; revised and updated in Apr 2021.


Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems