6.1 Address Risk & Opportunity

ISO Navigator Pro

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret the fundamentals of ISO 9000:2015 to help understand, and better implement, the requirements of ISO 9001:2015, ISO 14001:2015 and OHSAS 18001:2007. The ISO Navigator Pro™ database divides the requirements into four sequential stages: Plan, Do, Check and Act.



Step 3, Plan: Planning. Planning for the management system. Define objectives and plan for the effects of and change. Assess impacts, hazards and risks. Deploy and monitor plans that adapt to changing circumstances.


6.1.1 General - Risks & Opportunities

Although risks and opportunities have to be determined and addressed, there is no requirement for a formal, documented risk management process. Confirm that your organization has a methodology in place that enables it to effectively identify risks and opportunities with respect to the planning of its quality management system. Reference to risk-based thinking is present in the following clauses of the standards:

  1. Determine and address risks (Clause 4.4.1);
  2. Promote risk-based thinking (Clause 5.1.1);
  3. Ensure risks determined and addressed (Clause 5.1.2);
  4. Determine risks that need to be addressed to achieve intended results (Clause 6.1.1);
  5. Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2);
  6. Control those risks identified (Clause 8.1);
  7. Evaluate effectiveness of actions on risks (Clause 9.1.3);
  8. Review effectiveness of actions on risks (Clause 9.3.2);
  9. Improve the quality management system responding to risk (Clause 10.3).

The risks and opportunities should be relevant to the context of your organization (Clause 4.1), as well as to any interested parties (Clause 4.2). You should ensure that your organization has applied this risk identification methodology consistently and effectively. What process has been developed to identify risks and opportunities? In the absence of documented processes or procedures, you may need to use observations and interviews (and a review of the process output, which may contain documented evidence) to determine whether or not undocumented processes are being carried out as planned.

External and internal issues, and the relevant needs and expectations of relevant interested parties, may be sources of risks. Objective evidence may be in the form of a dedicated risk matrix, or risks added to other forms such as an aspect register, corrective/preventive action log and forms, etc. Not all of the processes of a QMS represent the same level of risk in terms of your organization’s ability to meet its objectives. For this reason, the consequences of failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organizations.

When deciding how to plan and control the quality management system, including its component processes and activities, your organization needs to consider both the type and level of risk associated with them. Ensure that your organization is taking a planned approach to addressing risks and realizing opportunities, and that any actions taken have been recorded. Options to address risks and opportunities can include:

  1. Avoiding risk;
  2. Taking risk in order to pursue an opportunity;
  3. Eliminating the risk source;
  4. Changing the likelihood or consequences;
  5. Sharing the risk;
  6. Retaining risk by informed decision;
  7. SWOT analysis by the organization as part of its business strategy to identify the external risks and opportunities, with an action plan to address them;
  8. Formal business risk assessment performed by the organization, taking into consideration its context, associated risks and opportunities, and mitigation plan;
  9. Use of the process approach by the organization to identify sources of input, activities, output, receiver of output, performance indicators to control and monitor processes, the risks and opportunities associated with them, and an action plan to address them.

Demonstrating compliance

Formal business risk assessment performed by the organization, taking into consideration its context, associated risks and opportunities, and mitigation plan. The use of the process approach by your organization to identify sources of input, activities, output, end-user/customer, performance indicators to control and monitor processes and the risks and opportunities associated with them, and action plans to address them:

  1. Meeting minutes;
  2. SWOT analysis;
  3. Planning, analysis and evaluation activities;
  4. Risk determination or evaluation records.

Management system templates

Our range of ISO 9001 quality manual templates and integrated manual templates offers an easy way to document and communicate risk management policies and targets to ensure effective implementation of risk and opportunity management principles. The quality and integrated manual templates include the 'Control of Risks & Opportunities' procedure that defines the risk management process, and a 'Risk & Opportunity Register' that captures and records decisions relating to risk and opportunity management.

