ISO 9001 Blog

How to address risks and opportunities in ISO 9001

When using the ISO 9001:2015 requirements as the basis for your Quality Management System (QMS), you will find that risk-based thinking is an important new concept that has been brought to the forefront of quality planning. Along with the notion that it is important to think about risk, there are explicit requirements to identify and address risks and opportunities within the Quality Management System. But how do you do this? Here is a bit more about what the standard requires and how you can address these requirements within your QMS.

What do the ISO 9001:2015 requirements actually specify?

The requirements for addressing risks and opportunities are spread throughout the ISO 9001:2015 standard, starting in section 4.4.1, where the organization is required to determine the processes needed for the QMS and, as part of that, to address the risks and opportunities it has determined. This is reinforced in section 5.1.2, where top management must ensure that the risks and opportunities that can affect the conformity of products and services, and the ability to enhance customer satisfaction, are determined and addressed.

The real meat of the requirements for risks and opportunities is in section 6.1, on actions to address risks and opportunities. This section requires you to plan the actions needed to address the risks and opportunities, to integrate and implement these actions in the QMS processes, and to evaluate the actions for effectiveness. The actions need to be proportionate to the potential impact on the conformity of products and services, and there are many ways to address a risk: avoiding it, taking it on in order to pursue an opportunity, eliminating its source, changing its likelihood or consequences, sharing it, or simply accepting it by informed decision.

The last mentions of risks and opportunities are in section 9.1.3, which requires you to analyze and evaluate monitoring data to determine whether the actions taken to address risks and opportunities were effective, and section 9.3.2, which specifies that management review must consider the effectiveness of those actions. Section 10.2 also requires that, when a nonconformity occurs, the risks and opportunities determined during planning are updated if necessary.

How can you address these requirements?

It is important to note that there is no requirement for a formal process to monitor and control risks and opportunities within the Quality Management System. Just as with risk-based thinking, the standard does not require full risk management, only the identification of the risks and opportunities and decisions on what action to take. The standard does not even require this to be maintained as documented information within the QMS, although you will still need to be able to show an auditor how you determined your risks and opportunities and what you decided to do about them, so most organizations keep at least a simple record.

As with any new requirements for ISO 9001:2015, it is a good practice to look at what you already do within your organization to see if you address these requirements with your current business practices. For instance, many companies have business planning processes that look at the risks to the business and the opportunities that could be present, such as the use of a SWOT analysis (strengths, weaknesses, opportunities, and threats).

The use of a SWOT analysis in business planning will also include making plans to address the risks and opportunities identified, which is also required by the ISO 9001:2015 standard requirements. For instance, if you identify a risk that a key component in your product or service will become obsolete, you can make the plans necessary to find a replacement before your customers are impacted by your product becoming unavailable.

If you already do this as part of your business planning, then you are already meeting the requirements of the ISO 9001:2015 standard; if not, then this is certainly an industry best practice that you could adopt. Remember, the format of this identification is not mandated, so you can look at these risks and opportunities in any fashion you wish.

Why look at risks and opportunities?

As has been said before, the ISO 9001 standard is intended to be a set of requirements that represent the good practices forming the basis of a Quality Management System, and companies that want to survive will already be assessing and addressing risks and opportunities to their businesses as a standard course of action. In order for a business to thrive, you need to identify, in some manner, what risks you face and how they can affect you.

However, as always, it is important to find the best way for your organization to address its risks and opportunities. This can be as simple as brainstorming for your SWOT analysis and then deciding whether you need to do anything about the risks that are identified. This process is there to benefit your business, so do not take extremely expensive steps to implement a system that is not required for you.

Always remember, a Quality Management System is there to benefit your business, not to cost you excessive amounts of money to run. So, always do what is best for your business.

For a more thorough understanding of the ISO 9001:2015 requirements, check out this free online training: ISO 9001:2015 Foundations Course.

16 responses to “How to address risks and opportunities in ISO 9001”

  1. Elizabeth Kiniiya says:

    I work in the tea industry, and even though I have done the lead auditor course in 9001:2015, I need exposure. How do I sign up for a course to improve my understanding of the same? Currently I am trying to come up with a plan for risks and opportunities in our company. Can you help on how I can come up with one? I have already identified the external and internal issues that affect our company.


    • Strahinja Stojanovic says:

      Dear Elizabeth,

      I suggest you take a look at our free ISO 9001:2015 Internal Auditor Course; it can be very useful for refreshing your knowledge.

      As far as a plan for addressing risks and opportunities goes, you need to identify risks and opportunities first, determine which risks and opportunities need to be addressed, and plan actions to address them. Planning actions to address risks and opportunities means defining what needs to be done, who will do it, what resources are needed, and what the deadline is. All of this can be documented in the same record, on one piece of paper.

  2. Shabbir Shahid says:

    Sir, in ISO 9001:2008 there is a requirement which is “What are the associated risks and control points against the risks?”
    How does this statement apply to HR? What could be the associated risks and control points in the roles and responsibilities of HR?

  3. Nori says:

    Can anyone help me with ISO 9001:2015 risk assessment?

  4. Ashraf says:

    Should I carry out a risk assessment for all ISO procedures, like internal audit, management review, and so on, or just for the activities and processes?

    • Strahinja Stojanovic says:

      Dear Ashraf,

      The identification and addressing of risks and opportunities should be done for the entire context of the organization, including the processes.

      Best regards,


  5. samuel jegatheesh says:

    Hi, myself Samuel from Madurai.

    I have one doubt. We identified the risks in our process and entered them in a sheet, but for the opportunities what should we do, because they look just the opposite of the risks? In that case, shall we combine both in one sheet?

    • Strahinja Stojanovic says:

      Dear Samuel,

      The standard doesn’t define how to document risks and opportunities, so you can do it in any way you find the most appropriate for your company. If you are using different methodologies for the identification and evaluation of risks and opportunities, it is reasonable to document them in separate records.

      Best regards,


  6. Sami says:

    We newly implemented the QMS in our company and have been audited against the ISO 9001:2015 standard. We identified the risks for each procedure and defined the actions to eliminate or mitigate the causes. We used the PFMEA for this purpose. The auditor considered our implementation very weak, as addressing the risk, as he said, means that the actions are completed and done, and besides that the effectiveness was assessed for each action. I have a doubt, as I may define an action that needs a long time to be done (maybe months). Could you please explain to me where the non-compliance is in this issue?

    • Strahinja Stojanovic says:

      Dear Sami,

      There is no room for non-compliance here, because the standard does not define the number of risks or actions you need to have. You established the process, conducted the assessment, and defined the actions.

      I would suggest you ask the auditor what the exact requirement is against which the nonconformity will be issued, and how he defends his findings. Nobody should force companies to have additional risks or actions to address the risks.

      Feel free to contact me for any further assistance.

      Best regards,

