ISO 9001 Risks and Opportunities: DOs & DON'Ts


An ongoing series of Posts: Practical advice on Clause 6.1 of ISO 9001:2015

Planning has always been a familiar element of ISO 9001, but the 2015 revision places increased emphasis on planning being carried out in the light of Clause 4.1 ‘context of the organization’ and Clause 4.2 ‘interested parties’.

Key Elements of ISO 9001 Clause 6.1

Applying Risk-Based Thinking

One of the key purposes of a Quality Management System is to act as a preventive tool, that is, to prevent adverse events. In the 2015 revision the separate formal requirement for preventive action, which had a relatively narrow focus, has been removed and replaced by risk-based thinking, a concept intended to be applied to every aspect of the quality management system.

This approach applies throughout the QMS and requires each organization to identify, plan for and act on those risks and opportunities which are relevant to achieving the intended outcomes of the management system. There is, however, no requirement to implement a formal risk management process.

Note: most organizations have nonetheless chosen to adopt a formal, documented risk management approach, typically of a basic kind.

The organization then needs to plan actions to address both risks and opportunities, decide how to integrate and implement those actions into its management system processes, and evaluate their effectiveness. Actions must be monitored, managed and communicated across the organization.

Establishing Quality Objectives

The other key element of Clause 6 (Planning) is the requirement in Clause 6.2 to establish measurable quality objectives. This retains some of the requirements contained in Clause 5.4 of the 2008 version but is more specific.

The main objectives of ISO 9001 are:

  • to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services
  • to enhance customer satisfaction




What is “risk-based thinking”?

  • risk-based thinking is something we all do automatically, and often subconsciously, to get the best result
  • the concept of risk has always been implicit in ISO 9001 – this revision makes it explicit and builds it into the whole management system
  • risk-based thinking ensures risk is considered from the beginning and throughout the process approach
  • risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered the positive side of risk, including exceeding expectations and going beyond stated objectives.


Where is risk addressed in ISO 9001:2015?

The concept of “risk” in the context of ISO 9001 relates to the uncertainty of achieving the organization’s objectives.

Risk is addressed in the Introduction and in many of the Clauses, namely:

  • in the Introduction, the concept of risk-based thinking is explained
  • in Clause 4, Context of the organization (including the process approach in 4.4), the organization is required to determine the risks which can affect its ability to meet its objectives
  • in Clause 5, Leadership, top management is required to commit to ensuring Clause 4 is followed
  • in Clause 6, Planning, the organization is required to take action to identify risks and opportunities
  • in Clause 7, Support, the organization is required to determine and provide the necessary resources, reducing the risk of producing or delivering a defective product or service to an acceptably low level
  • in Clause 9, Performance evaluation, the organization is required to monitor, measure, analyse and evaluate the risks and opportunities
  • in Clause 10, Improvement, the organization is required to improve by responding to changes in risk


What are the possible benefits of risk-based thinking?

  • a focus on the more important (“high-risk”) processes and their outputs
  • improved understanding, definition and integration of interdependent processes
  • systematic management of planning, implementation, checks and improvement of processes and of the management system as a whole
  • better use of resources and increased accountability
  • more consistent achievement of policies and objectives, intended results and overall performance
  • the process approach can facilitate the implementation of any management system
  • enhanced customer satisfaction through meeting customer requirements
  • enhanced confidence in the organization


Risk and Opportunity – What to Do

In your ISO 9001 implementation project, there are things you should consider carefully regarding risk and opportunity. For example:

  • The actions an organization takes to address a risk will depend on the nature of the risk and should be based on established risk mitigation approaches.
  • The actions should be proportionate to the potential impact on the conformity of products and services or on customer satisfaction, and need to be incorporated into both the quality management system and its processes, as appropriate. For example, if the organization has a single-source provider of a critical raw material, it should consider investing in developing a second source.
  • There are many situations in which risks and opportunities should be considered, for example strategy meetings, management reviews, internal audits, other meetings on quality, meetings to set quality objectives, the planning stages for the design and development of new products and services, and the planning stages for production processes.
  • Regarding opportunity, the application of risk-based thinking can also help an organization to develop a proactive and preventive culture focused on doing things better and improving how work is done in general.
  • It is for the organization to decide which methods or tools it should use, and these may well vary from one process to another.
  • In adopting risk-based thinking, the organization should consider applying it to each of the processes required for its quality management system.
  • Among the tools and methods commonly used you will find:
    • Hazard Analysis and Critical Control Points (HACCP)
    • Failure Mode, Effects and Criticality Analysis (FMECA)
    • Failure Mode and Effects Analysis (FMEA)
    • PESTLE, a concept from marketing, for analysis of the business environment under the headings Political, Economic, Social, Technological, Legal and Environmental
    • SWOT (strengths, weaknesses, opportunities and threats) analysis
  • Simpler approaches and techniques such as brainstorming, the structured what-if technique (SWIFT) and consequence/probability matrices are all acceptable.
  • In determining its risks and opportunities (ISO 9001:2015, 6.1.1, bullets a) to d)), the organization should focus on:
    • giving confidence that the quality management system can achieve its intended result(s);
    • enhancing desirable effects and creating new possibilities (by improving the efficiency of its activities, developing or applying new technologies, etc.);
    • preventing or reducing undesired effects (through risk reduction or preventive actions);
    • achieving improvement to ensure product and service conformity and enhance customer satisfaction.
  • The options for addressing a risk (see the note to ISO 9001:2015, 6.1.2) are drawn from a well-established set, including:
    • avoiding the risk, by no longer performing the process in which the risk is encountered;
    • eliminating the risk source, for example by using documented procedures to assist less experienced persons in the organization;
    • sharing the risk, for example by working with the customer to facilitate the advance purchase of raw materials when production levels are unknown;
    • taking no action, i.e. retaining the risk by informed decision, where the organization accepts the risk itself based on its potential effect or the cost of the needed action;
    • taking the risk to pursue an opportunity, such as investing in new capital equipment to launch a product line where the return on investment is unknown.


Risk and Opportunity – What Not to Do

ISO 9001 certification will only be achieved if you:

  • Do not treat the topic as of minor importance. A risk-based approach should suffuse your QMS, with, for example, evidence of decisions being based on consideration of the risk to product and service quality and to customer satisfaction.
  • Do not depend on interview evidence alone to demonstrate compliance. While the Standard does not require a formal risk management process or formal records to be maintained, your auditors will be seeking objective evidence of compliance, and what better evidence than records?
  • Do not downplay the importance of opportunity. In the Standard, the explicit Preventive Action requirement has been replaced by the requirement to address risks and opportunities, and auditors will be seeking evidence of actions to prevent process and system failures as well as of actions to improve processes (which overlaps with the improvement requirements in Clauses 10.1 and 10.3).

References:

EN ISO 9000:2015, Quality management systems - Fundamentals and vocabulary

ISO 9001:2015 Quality Management System Implementation Handbook (deGRANDSON Global, 2016)


Note: This post was first published in Oct 2017; revised and updated in Apr 2021.

Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. He spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
