
    ISO 9001 Risks and Opportunities - DO's & DON'Ts



    ISO 9001:2015 Clause 6.1, Actions to address risks and opportunities - Practical Advice

    Planning has always been a major element of ISO 9001, and in the 2015 Edition there is an increased focus on ensuring that Clause 4.1, ‘context of the organisation’, and Clause 4.2, ‘interested parties’, are considered. Clause 6.1 requires that both the risks and the opportunities arising from them are addressed. A commonly made mistake is to ignore the opportunities. A risk-based approach is essential here. So make sure you don't get caught out and read on...


    Key Elements of ISO 9001 Clause 6.1

    Applying Risk-Based Thinking

    One of the critical purposes of implementing a Quality Management System is to act as a preventive tool, that is, to prevent adverse events. For this reason, the separate formal requirement for preventive action, which had a rather narrow focus, has been removed from the 2015 Edition. It is replaced by risk-based thinking, a concept intended to be applied to every aspect of a quality management system.

    This approach then applies throughout the QMS and requires that each organisation identifies, plans for and takes action on those risks and opportunities relevant to achieving the intended outcomes of the management system.  There is, however, no requirement for implementing a formal risk management process.

    Note: Most organisations have chosen to adopt a formal documented risk management approach, albeit typically of a basic kind.

    The organisation must then plan actions to address its risks and opportunities, integrate and implement those actions into its management system processes, and evaluate their effectiveness. Actions must be monitored, managed and communicated across the organisation.

    Establishing Quality Objectives

    Another key element of ISO 9001 risks and opportunities, as outlined in Clause 6.1, is the need to establish measurable quality objectives. This retains some of the requirements contained in Clause 5.4 of the 2008 version but is more specific.

    The main objectives of ISO 9001

    • to provide confidence in the organisation’s ability to provide customers with conforming goods and services consistently
    • to enhance customer satisfaction




    What is “risk-based thinking”?

    • risk-based thinking is something we all do automatically and often sub-consciously to get the best result
    • the concept of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system
    • risk-based thinking ensures risk is considered from the beginning and throughout the process approach
    • risk-based thinking makes preventive action part of strategic planning
    • risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk, including exceeding expectations and going beyond stated objectives.

    Where is risk addressed in ISO 9001:2015?

    The concept of “risk” in the context of ISO 9001 relates to the uncertainty of achieving the organisation’s quality objectives.

    Risk is addressed in many of the Clauses as well as the Introduction, namely:

    • in the Introduction, the concept of risk-based thinking is explained
    • in Part 4, the Process Approach, the organisation is required to determine the risks which can affect its ability to achieve its objectives
    • in Part 5, Leadership, top management is required to commit to ensuring Part 4 is followed
    • in Part 6, Planning, the organisation is required to take action to identify risks and opportunities
    • in Part 7, Support, the organisation is required to determine and provide the necessary resources, reducing the risk of producing or delivering a defective product or service to an acceptably low level
    • in Part 9, Evaluation, the organisation is required to monitor, measure, analyse and evaluate the risks and opportunities
    • in Part 10, Improvement, the organisation is required to improve by responding to changes in risk

    What are the possible benefits of risk-based thinking?

    • a focus on the more important (“high-risk”) processes and their outputs
    • improved understanding, definition and integration of interdependent processes
    • systematic management of planning, implementation, checks and improvement of processes and the management system as a whole
    • better use of resources and increased accountability
    • more consistent achievement of the policies and objectives, intended results and overall performance
    • the process approach can facilitate the implementation of any management system
    • enhanced customer satisfaction by meeting customer requirements
    • enhanced confidence in the organisation



    How to Address Risks and Opportunities in ISO 9001

    In your ISO 9001 implementation project, there are things you should consider carefully regarding risk and opportunity. For example:

    • Understand the nature of the risk. Use established risk mitigation approaches as the basis of the coming course of action.
    • Base your actions on the potential impact on the conformity of products and services or on customer satisfaction. Make sure to incorporate it into the quality management system and its processes, as appropriate. For example, if the organisation has a single-source provider of a critical raw material, it should consider investing in developing a new source.
    • Take note of the various situations where risks and opportunities should be considered. For example, strategy meetings, management reviews, internal audits, discussions on quality, meetings to set quality objectives, the planning stages for designing and developing new products and services, and the planning stages for production processes.
    • In terms of opportunity, use risk-based thinking to help your organisation develop a proactive and preventive culture. Focus on doing things better and improving how work is done in general.
    • Decide which risk management methods or tools to use. Remember that these may well vary from one process to another.
    • Adopt a risk-based approach. Consider applying it to the processes required for your organisation's quality management system.
    • Make use of common risk management tools and methods such as:
      • Hazard Analysis and Critical Control Points (HACCP);
      • Failure Mode, Effects and Criticality Analysis (FMECA);
      • Failure Mode and Effects Analysis (FMEA);
      • PESTLE, a concept from marketing principles, for analysis of the business environment under the headings P for Political, E for Economic, S for Social, T for Technological, L for Legal and E for Environmental;
      • SWOT, strengths, weaknesses, opportunities and threats analysis.
    • Simpler risk management approaches and techniques are also acceptable. Examples include brainstorming, the structured what-if technique (SWIFT), and consequence/probability matrices.
    • In determining risks and opportunities, focus on the four purposes set out in ISO 9001:2015, 6.1.1, bullets a) to d):
      • giving confidence that the quality management system can achieve its intended result(s);
      • enhancing desirable effects and the creation of new possibilities (by improving the efficiency of its activities, developing or applying new technologies, etc.);
      • preventing or reducing undesired effects (through risk reduction or preventive actions);
      • achieving improvement to ensure product and service conformity and enhancing customer satisfaction.
    • Once a risk has been determined, decide how to treat it. The options include:
      • avoiding the risk by no longer performing the process where the risk can be encountered;
      • eliminating the risk, for example, by using documented procedures to assist persons in the organisation with less experience;
      • sharing the risk, for example, by working with the customer to facilitate the advance purchase of raw materials when production levels are unknown;
      • taking the risk to pursue an opportunity, such as investing in new capital equipment to launch a product line where the return on investment is unknown;
      • taking no action, where the organisation accepts the risk itself, based on its potential effect or the cost of the needed action.

    ISO 9001 Certification will only be achieved if you:

    • Do not treat the topic as of minor importance. A risk-based approach should suffuse your QMS with, for example, evidence of decisions being based on consideration of risk to product and service quality and customer satisfaction.
    • Don’t depend on interview evidence alone to demonstrate compliance. While the Standard does not require formal risk management to be included and/or for formal records to be maintained, your Auditors will seek objective evidence of compliance.  And what better evidence than records?
    • Don’t downplay the importance of Opportunity. In the Standard, Opportunity replaces Preventive Action, and Auditors will seek evidence of actions to prevent process and system failures and of actions to improve processes (which overlaps with the Improvement requirements in Clauses 10.1 and 10.3).

    References:

    • EN ISO 9000:2015, Quality management systems - Fundamentals and vocabulary
    • ISO 9001:2015 Quality Management System Implementation Handbook (deGRANDSON Global, 2016)



    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems