Risks and Opportunities: Requirements under ISO 9001

There’s no requirement under ISO 9001 for a formal, documented risk management process.

However, the standard now requires that risk-based thinking be built into an organization’s quality management system.

This includes having a clear and proactive system for managing risks and opportunities.

Risk-based thinking in ISO 9001:2015

Risk management has always been covered by the ISO 9001 standard. In the past, it was addressed as “preventative actions”.

The 2015 revision makes risk-based thinking integral to the entire quality management process. It replaces preventative actions with “actions to address risks and opportunities”.

Risks exist in all systems, processes, and functions within an organization. ISO 9001 defines a risk as “the effect of uncertainty on an expected result”.

Image: Risk-based thinking in ISO 9001:2015 (source: The 9000 Store)

Systematic risk-based thinking ensures that risks are identified, considered and controlled.

Under ISO 9001:2015, risk-based thinking should be integrated into the design of a quality management system (QMS) from the start.

What’s meant by risks and opportunities?

Risks and opportunities are often discussed as if they were opposites.

A risk is a potential for a loss. An opportunity is a potential for a gain. However, these aren’t separate or opposing concepts.

Instead, an opportunity is inherently a risk as well. Taking – or not taking – the opportunity can present risk depending on the circumstances.

Likewise, a risk can result in a valuable opportunity. Both can have a positive or a negative outcome.

ISO 9001 clause 6.1

Clause 6.1 of ISO 9001 requires organizations to implement a process to identify, determine, and evaluate risks and opportunities related to quality.

The process must include how to take appropriate actions to address these risks and opportunities.

Image: ISO 9001 clause 6.1 (source: ISO DOCS)

An organization should understand the requirement and be prepared to explain how risks and opportunities are managed within its quality system.

An organization must be able to:

  • determine risks;
  • plan actions to address risks;
  • integrate risk management into processes;
  • evaluate the effectiveness of risk mitigation actions.

Other ISO 9001 clauses that require risk management

The requirements for addressing risks and opportunities are spread throughout the ISO 9001:2015 standard.

Clause 4: The organization is required to determine its processes and address its risks and opportunities.

Clause 5: Top management is required to promote risk-based thinking and determine and address risks and opportunities that can affect product/service conformity.

Clause 8: The organization is required to plan, implement and control its processes to manage the risks identified.

Clause 9: The organization is required to monitor, measure, analyze, evaluate and review the effectiveness of actions on risks.

Clause 10: The organization is required to improve by responding to changes in risk.

How to document risk and opportunities under ISO 9001

While an organization is required to identify risks and opportunities and make decisions on what actions to take, this doesn’t need to be documented within the QMS.

However, risk registers are valuable. They log information about both risks and opportunities.

They make it easier to record, track, manage, and evaluate the risks and opportunities. They also aid in ISO 9001 compliance.

A risk register can be a simple document, spreadsheet, or database. The most effective format is usually a table, since a table can encapsulate a great deal of information in just a few pages.

For each risk, a risk register typically records the following information:

  • a description of the risk
  • the risk type (business, project, stage)
  • likelihood of occurrence
  • severity of effect
  • measures taken to prevent, mitigate, or transfer the risk
  • the risk owner (individual or department responsible for managing the risk)
  • the current status of the risk
  • when possible, quantitative values.

Advantages of integrating risk management in your QMS

Understanding and managing the risks your business faces results in better decision making. It makes it more likely that you’ll achieve business objectives.

Integrating risk management into your QMS helps ensure consistency and quality of products and services.

It can also:

  • help establish a proactive culture of improvement
  • provide flexibility to respond to unexpected threats
  • help businesses exploit suitable opportunities and gain competitive advantage
  • improve customer confidence and satisfaction
  • improve governance
  • provide assurance to management and stakeholders that critical risks are being managed
  • assist quality auditing and compliance.

isoTracker’s risk management software and ISO 9001 compliance

isoTracker offers modular, subscription-based quality management software that’s secure, cloud-based and affordable. This includes a risk management module.

The module makes it easy (and affordable) to ensure compliance with ISO 9001 requirements for managing risks and opportunities. Using the module, you can:

  • record risks in a way that’s fast, accurate, and central
  • use automated notifications and workflows to assign and track risk mitigation tasks
  • benefit from up-to-date risk analysis and reporting.

The risk management module can stand alone or integrate with isoTracker’s other quality management software.

Sign up for a free 60-day trial of isoTracker’s quality management software or contact us to discuss your needs.