Management system guidance

6.1 Address Risks and Opportunities

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.


6.1.1 Actions to Address Risks and Opportunities

Although risks and opportunities have to be determined and addressed, there is no requirement for a formal, documented risk management process or risk matrix. Confirm that your organization has a methodology in place that enables it to effectively identify risks and opportunities with respect to the planning of its quality management system.

Reference to risk-based thinking is present in the following clauses of the standards:

  1. Determine and address risks (Clause 4.4.1);
  2. Promote risk-based thinking (Clause 5.1.1);
  3. Ensure risks determined and addressed (Clause 5.1.2);
  4. Determine risks that need to be addressed to achieve intended results (Clause 6.1.1);
  5. Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2);
  6. Control those risks identified (Clause 8.1);
  7. Evaluate effectiveness of actions on risks (Clause 9.1.3);
  8. Review effectiveness of actions on risks (Clause 9.3.2);
  9. Improve the quality management system responding to risk (Clause 10.3).

The risks and opportunities should be relevant to the context of your organization (Clause 4.1), as well as to any interested parties (Clause 4.2). You should ensure that your organization has applied this risk identification methodology consistently and effectively. What process has been developed to identify risks and opportunities?

In the absence of documented processes or procedures, you may need to use observations and interviews (and a review of the process output, which may contain documented evidence) to assess the processes and determine whether or not undocumented processes are being carried out as planned.

External and internal issues, and the relevant needs and expectations of interested parties, may be sources of risk. Objective evidence may be in the form of a dedicated risk matrix, or risks added to other forms such as an aspect register, corrective action log and forms, etc.

Not all of the processes of a QMS represent the same level of risk in terms of your organization’s ability to meet its objectives. For this reason, the consequences of failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organizations.

When deciding how to plan and control the quality management system, including its component processes and activities, your organization needs to consider both the type and level of risk associated with them.

Ensure that your organization is taking a planned approach to addressing risks and realizing opportunities, and that any actions taken have been recorded. Options to address risks and opportunities can include:

  1. Avoiding risk;
  2. Taking risk in order to pursue an opportunity;
  3. Eliminating the risk source;
  4. Changing the likelihood or consequences;
  5. Sharing the risk;
  6. Retaining risk by informed decision;
  7. SWOT analysis by the organization as part of its business strategy to identify external risks and opportunities, and action plans to address them;
  8. Formal business risk assessment performed by the organization, taking into consideration its context, associated risks and opportunities, and mitigation plan;
  9. Use of the process approach by the organization to identify sources of input, activities, output, receiver of output, and performance indicators to control and monitor processes, the risks and opportunities associated with them, and action plans to address them.

Formal business risk assessment performed by the organization, taking into consideration its context, associated risks and opportunities, and mitigation plan. The use of the process approach by your organization to identify sources of input, activities, output, end-user/customer, and performance indicators to control and monitor processes, the risks and opportunities associated with them, and action plans to address them:

  1. Meeting minutes;
  2. SWOT analysis;
  3. Planning, analysis and evaluation activities;
  4. Risk determination or evaluation records.
