ISO 9001 Blog

How to address risks and opportunities in ISO 9001

When using the ISO 9001:2015 requirements as a basis for your Quality Management System (QMS), you will find that risk-based thinking is an important new concept that has been brought to the forefront of quality planning. Along with this notion that it is important to think about risk, there are also requirements to identify and address risks and opportunities within the Quality Management System, but how do you do this? Here is a bit more about what the standard requires and how you can address these requirements within your QMS.

What do the ISO 9001:2015 requirements actually specify?

The requirements for addressing risks and opportunities are spread throughout the ISO 9001:2015 standard, starting at the beginning in section 4.4.1, where the organization is required to determine the processes needed to address risks and opportunities that are determined. This is reinforced in section 5.1.2, where top management needs to ensure that risks and opportunities that affect product and service conformity are determined and addressed.

The real meat of the requirements for risks and opportunities is in section 6.1 on actions to address risks and opportunities. This section discusses the need to plan the actions needed to address the risks and opportunities, integrate these actions into the QMS, and evaluate the actions for effectiveness. These actions need to be in proportion to the potential impact on product and service conformity, and there are many ways to address risk, from avoiding it to accepting it.

The last mentions of risks and opportunities are in section 9.1.3, which talks about analyzing the information necessary to determine if actions were effective, and section 9.3.2, which specifies that management review will look at the effectiveness of the actions taken to address risks and opportunities. There is also mention that risks and opportunities should be updated when a non-conformity occurs (section 10.2).

How can you address these requirements?

It is important to note that there are no requirements for a formal process to monitor and control risks and opportunities within the Quality Management System. Just like risk-based thinking, there is not a requirement for full risk management, only the identification of the risks and opportunities and decisions on what action to take. This does not even need to be maintained as documented information within the QMS.

As with any new requirements for ISO 9001:2015, it is a good practice to look at what you already do within your organization to see if you address these requirements with your current business practices. For instance, many companies have business planning processes that look at the risks to the business and the opportunities that could be present, such as the use of a SWOT analysis (strengths, weaknesses, opportunities, and threats).

The use of a SWOT analysis in business planning will also include making plans to address the risks and opportunities identified, which is also required by the ISO 9001:2015 standard requirements. For instance, if you identify a risk that a key component in your product or service will become obsolete, you can make the plans necessary to find a replacement before your customers are impacted by your product becoming unavailable.

If you already do this as part of your business capture strategy, then you are already meeting the requirements of the ISO 9001:2015 standards; if not, then this is certainly an industry best practice that you could adopt. Remember, the format of this identification is not mandated, so you can look at these risks and opportunities in any fashion you wish.

Why look at risks and opportunities?

As has been said before, the ISO 9001 standard is intended to be a set of requirements that represent the good practices that form the basis of a Quality Management System, and companies that want to survive will be assessing and addressing risks and opportunities to their businesses as a standard course of action. In order for a business to thrive, you need to identify in some manner what risks you have and how they can affect you.

However, as always, it is important that you find the best way for your organization to do this activity to address your risks and opportunities. This can be as simple as brainstorming for your SWOT analysis and then deciding if you need to do anything about the risks that are identified. This process is there to benefit your business, so do not take extremely expensive steps to implement this system if it is not required for you.

Always remember, a Quality Management System is there to benefit your business, not to cost you excessive amounts of money to run. So, always do what is best for your business.

For a more thorough understanding of the ISO 9001:2015 requirements, check out this online course: ISO 9001:2015 Foundations Course.

  • Elizabeth Kiniiya

    I work in the tea industry, and even though I have done lead audit in 9001:2015, I need exposure. How do I sign up for a course to improve my understanding of the same? Currently I am trying to come up with a plan for risks and opportunities in our company. Can you help with how I can come up with one? I have already identified external and internal issues that affect our company.
    Regards

    Elizabeth

    • Strahinja Stojanovic

      Dear Elizabeth,

      I suggest you take a look at our free ISO 9001:2015 Internal Auditor Course https://training.advisera.com/course/iso-90012015-internal-auditor-course/ as it can be very useful for refreshing knowledge.

      As far as a plan for addressing risks and opportunities goes, you need to identify risks and opportunities first, determine what risks and opportunities need to be addressed, and plan actions to address the risks and opportunities. Planning actions to address risks and opportunities means defining what needs to be done, who will do it, what resources are needed, and what the deadline is. All this can be documented in the same record and on one piece of paper.

  • Shabbir Shahid

    Sir, in ISO 9001-2008 there is a requirement which is “What are the associated risks and control points against the risks?”
    How does this statement apply to HR? What could be the associated risks and control points in Roles & Responsibilities of HR?

    • Strahinja Stojanovic

      I’m not aware of such a requirement in ISO 9001:2008. Could you please refer to the exact clause of the standard so I can provide you with an answer?

      • Shabbir Shahid
        • Strahinja Stojanovic

          This is not a requirement of the standard and neither is this the text of the standard. This looks more like a set of questions related to clause 5.3.

          Risks associated with responsibilities and authorities can be ambiguously defined roles and responsibilities, where employees are not certain who is responsible for what, which leads to noncompliance with the company’s procedures and the standard. The control for this risk can be to document the roles and responsibilities.

  • Yolo

    great

  • Nori

    Can anyone help me with ISO 9001:2015 risk assessment?
