ISO 9001 Clause 6.1 – Actions to Address Risks and Opportunities


The latest clause to come under the spotlight in this series of How to Guides for ISO 9001 is ISO 9001 Clause 6.1 – Actions to Address Risks and Opportunities.

We take a look at what it is, and where it fits in the greater scheme of the ISO family. But first, let’s briefly set the scene with regard to the ISO 9001 standard.

In December 2021, the International Organisation for Standardisation (the main ISO body) reported “over one million companies and organizations in over 170 countries” certified to ISO 9001:2015. This number continues to increase year on year, for many and varied good reasons.

Yet there’s one not-so-small catch…

ISO 9001 might just be the most confusing document in business history!

The good news is that this series of articles and the accompanying free factsheets are purpose-designed to:

  • Cut through the jargon
  • Debunk the myths
  • Make smoother sailing of your journey to certification

What is the Intent of this Clause?

ISO 9001 Clause 6.1 – Actions to Address Risks and Opportunities, is a significant requirement, which was introduced in the 2015 release of the standard. Most businesses address risk, although it might not be part of a formal process or may happen unconsciously. ISO 9001 requires a planned approach to risk management, and when implemented correctly it can become one of the most powerful processes for a business.

The intent of this clause is to ensure that when you plan your quality management system (QMS), you determine the risks and opportunities and plan actions to address them. Its purpose is to prevent non-conformities, including undesired outputs, and to determine opportunities that could enhance customer satisfaction or achieve your business’s objectives.

The standard does not formally require a full risk assessment or that the business maintain a risk register. It does, however, say that you must monitor, measure, analyse and evaluate the risks and opportunities. In my opinion, intelligent businesses will document their process for determining and rating their risks and opportunities and will keep records of what they have learnt. That provides a wealth of information, and why would a business not want to keep a record?

What is Risk Based Thinking?

Risk-based thinking is something we do every day, automatically and often unconsciously. Take the example of crossing a street – we look both ways to make sure it is safe to cross the road and not step into moving traffic. But how does this relate to ISO 9001?

ISO 9001 defines a risk as “the effect of uncertainty on an expected result”. Risk is inherent in all aspects of a QMS, as it is in any business: there are risks in all systems, processes and functions. Risk-based thinking ensures that these risks are identified, considered and controlled throughout the design and use of the QMS.

By using risk-based thinking, the management of risk becomes proactive rather than reactive. It prevents, or at least reduces, undesirable impacts through early identification and action, and it ensures that risk is considered from the beginning of, and throughout, the process. Considered this way, risk-based thinking can also help identify opportunities.


How is Risk Incorporated in ISO 9001?

Risks and opportunities interact with more clauses than any other requirement in ISO 9001, so it’s important to understand how Clause 6.1 links to the other clauses.

In Clause 4.1 (Understanding the organisation and its context) the business is required to determine the risks that can affect its ability to meet the system objectives.

Clause 4.2 (Understanding the needs and expectations of interested parties) is another key input to risks and opportunities. Customers, employees, suppliers – they all come with inherent risks and opportunities.

Clause 4.4 (Quality management system and its processes) requires you to determine your QMS processes, and address risks and opportunities that are applicable to those processes.

Clause 5.1.1 (Leadership and commitment) requires top management to promote risk-based thinking as well as to demonstrate leadership. You will need to commit to ensuring that risks and opportunities that can affect the conformity of a product or service are determined and addressed.

Clause 5.2 (Customer focus) requires appropriate actions and implementation to address risks and opportunities relating to product conformity and customer satisfaction.

Clause 8 (Operation) covers operational planning and control. The business is required to plan, implement and control its processes so as to address the risks and opportunities it has identified.

Clause 9.1.3 (Analysis and evaluation) requires that you analyse and evaluate the effectiveness of the actions taken to address risks and opportunities.

Clause 9.3.2 (Management review) lists, as one input to management review, an evaluation of the effectiveness of actions taken to address risks and opportunities (almost an exact repeat of the requirement in Clause 9.1.3).

Clause 10.2.1 (Corrective action). When something is fixed through corrective and preventive actions, the risk is reduced; by responding to changes in risk in this way, the business improves.

Building a Risk and Opportunity Register

As mentioned previously, the standard does not require you to develop a risk register. You do however need to monitor, measure, analyse and evaluate the risks and opportunities in your business. So it is my recommendation that you have a register in place, and use it to proactively manage the business and QMS risks.

If you have worked through my other ‘ISO How to Guides’ you will already have done a lot of the heavy lifting in determining the business risks and opportunities. In Clause 4.1 we identified internal and external issues relevant to your business’s strategy in a SWOT and PESTLE analysis. The weaknesses and threats identified equate to risks, and the strengths and opportunities identified are just what they say.

When developing the interested parties register in Clause 4.2, we considered what each interested party requires of the business. Each of these requirements can constitute a risk, an opportunity, or both. In Clause 4.4, the concept of risk-based thinking was considered for each process in relation to:

  • the extent to which the process affects the business’s ability to achieve its intended results
  • the likelihood of problems occurring, and
  • the potential consequences of any resulting issues.

These are all risks that should be captured in the register, with controls applied.

The fourth input when developing your register is corrective actions. Any action taken to correct an issue reduces risk, so the actions you have already taken can be included in your register. And lastly, brainstorm with your colleagues. There will be other risks and opportunities present, such as operational risks or opportunities to improve.

Once your list has been built, you need to evaluate the risks and opportunities, as not all risks and opportunities are equal, and we don’t have the time or resources to act on all of them. ISO 9001 says that the business shall “determine risks and opportunities that need to be addressed”. By giving the risks and opportunities a rating, you can then determine which ones need to be addressed first. Here, I like to use a risk assessment similar to a health and safety assessment: severity x likelihood. If you would like an example of such an assessment, download my free guide here.


Actions to Address Risks and Opportunities

Clause 6.1.2 requires you to plan actions to address risks and opportunities, but it leaves the choice of actions up to you. Your actions could be simple or complex, costly or inexpensive, short or long term. There are, though, four requirements: the actions must be planned, integrated into the QMS, proportionate to the potential impact, and evaluated for effectiveness.

The actions you take to address the risk will also depend on the nature of the risk, and could include:

  • Avoiding the risk
  • Eliminating the risk source
  • Taking the risk to pursue an opportunity
  • Changing the likelihood or consequence
  • Sharing the risk
  • Retaining the risk by informed decision

When planning your actions, you must consider the context of the organisation. Planning actions to mitigate a potential fault in an electrical system will be far more thorough than changing the brand of coffee in the staff kitchen.

Checking the Effectiveness of the Actions

In simple terms, this means checking whether the actions to address the risks and opportunities are effective. Just ask “do they work?” There are various ways you can do this: audits, internal reviews, reviewing KPIs or project evaluations.

The one main point to bear in mind is to ensure you have the right data available to make an informed decision. By improving how you assess the risk data, stronger and better-informed decisions can be made, which means you become more efficient and ultimately increase profits.

Moving Forward

If you found this blog post useful, and would like an example of the template I use with my clients to develop their risk registers, download my free guide here.
