Mark Hammar

How to address risks and opportunities in ISO 9001

When using the ISO 9001:2015 requirements as a basis for your Quality Management System (QMS), you will find that risk-based thinking is an important new concept that has been brought into the forefront of quality planning. Along with this notion that it is important to think about risk, there are also requirements to identify and address risks and opportunities within the Quality Management System, but how do you do this? Here is a bit more about what the standard requires and how you can address these requirements within your QMS.

What do the ISO 9001:2015 requirements actually specify?

The requirements for addressing risks and opportunities are spread throughout the ISO 9001:2015 standard, starting at the beginning in section 4.4.1, where the organization is required to determine the processes needed to address risks and opportunities that are determined. This is reinforced in section 5.1.2, where top management needs to ensure that risks and opportunities that affect product and service conformity are determined and addressed.

The real meat of the requirements for risks and opportunities is in section 6.1 on actions to address risks and opportunities. This section discusses the need to plan the actions needed to address the risks and opportunities, integrate these actions into the QMS, and evaluate the actions for effectiveness. These actions need to be in proportion to the potential impact on product and service conformity, and there are many ways to address risk, from avoiding it to accepting it.

The last mentions of risks and opportunities are in section 9.1.3, which talks about analyzing the information necessary to determine whether actions were effective, and section 9.3.2, which specifies that management review will look at the effectiveness of the actions taken to address risks and opportunities. There is also mention that risks and opportunities should be updated when a nonconformity occurs (section 10.2).

How can you address these requirements?

It is important to note that there are no requirements for a formal process to monitor and control risks and opportunities within the Quality Management System. Just like risk-based thinking, there is not a requirement for full risk management, only the identification of the risks and opportunities and decisions on what action to take. This does not even need to be maintained as documented information within the QMS.

As with any new requirements for ISO 9001:2015, it is a good practice to look at what you already do within your organization to see if you address these requirements with your current business practices. For instance, many companies have business planning processes that look at the risks to the business and the opportunities that could be present, such as the use of a SWOT analysis (strengths, weaknesses, opportunities, and threats).

The use of a SWOT analysis in business planning will also include making plans to address the risks and opportunities identified, which is also required by the ISO 9001:2015 standard requirements. For instance, if you identify a risk that a key component in your product or service will become obsolete, you can make the plans necessary to find a replacement before your customers are impacted by your product becoming unavailable.

If you already do this as part of your business capture strategy, then you are already meeting the requirements of the ISO 9001:2015 standard; if not, then this is certainly an industry best practice that you could adopt. Remember, the format of this identification is not mandated, so you can look at these risks and opportunities in any fashion you wish.

Why look at risks and opportunities?

As has been said before, the ISO 9001 standard is intended to be a set of requirements that represent the good practices that form the basis of a Quality Management System, and companies that want to survive will be assessing and addressing risks and opportunities to their businesses as a standard course of action. In order for a business to thrive, you need to identify in some manner what risks you have and how they can affect you.

However, as always, it is important that you find the way that best fits your organization to address your risks and opportunities. This can be as simple as brainstorming for your SWOT analysis and then deciding whether you need to do anything about the risks that are identified. This process is there to benefit your business, so do not take extremely expensive steps to implement this system if it is not required for you.

Always remember, a Quality Management System is there to benefit your business, not to cost you excessive amounts of money to run. So, always do what is best for your business.

For a more thorough understanding of the ISO 9001:2015 requirements, check out this free online training: ISO 9001:2015 Foundations Course.

25 responses to “How to address risks and opportunities in ISO 9001”

  1. Elizabeth Kiniiya says:

    I work in the tea industry and even though I have done lead audit in 9001:2015 I need exposure. How do I sign up for a course to improve my understanding of the same? Currently I am trying to come up with a plan for risks and opportunities in our company; can you help with how I can come up with one? I have already identified external and internal issues that affect our company.


    • Strahinja Stojanovic says:

      Dear Elizabeth,

      I suggest you take a look at our free ISO 9001:2015 Internal Auditor Course; it can be very useful for refreshing knowledge.

      As far as a plan for addressing risks and opportunities goes, you need to identify risks and opportunities first, determine what risks and opportunities need to be addressed, and plan actions to address the risks and opportunities. Planning actions to address risks and opportunities means defining what needs to be done, who will do it, what resources are needed and what the deadline is. All this can be documented in the same record, on one piece of paper.

  2. Shabbir Shahid says:

    Sir, in ISO 9001:2008 there is a requirement which is “What are the associated risks and control points against the risks?”
    How does this statement apply to HR? What could be the associated risks and control points in the Roles & Responsibilities of HR?

  3. Nori says:

    Can anyone help me with ISO 9001:2015 risk assessment?

  4. Ashraf says:

    Should I carry out a risk assessment for all ISO procedures like internal audit, management review and so on, or just for the activities and processes?

    • Strahinja Stojanovic says:

      Dear Ashraf,

      The identification and addressing of risks and opportunities should be done for the entire context of the organization, including the processes.

      Best regards,


  5. samuel jegatheesh says:

    Hi, I am Samuel from Madurai.

    I have one doubt. We identified the risks in our process and entered them in a sheet, but for the opportunities, what should we do, because it looks just opposite to the risk? In that case shall we combine both in one sheet?

    • Strahinja Stojanovic says:

      Dear Samuel,

      The standard doesn’t define how to document risks and opportunities, so you can do it in any way you find the most appropriate for your company. If you are using different methodologies for identification and evaluation of risks and opportunities, it is reasonable to document them in separate records.

      Best regards,


  6. Sami says:

    We newly implemented the QMS in our company and have been audited against the ISO 9001:2015 standard. We identified the risks for each procedure and defined the actions to eliminate or mitigate the causes. We used the PFMEA for this purpose. The auditor considered our implementation very weak, as risk addressing, as he said, means that the actions are completed and done, and the effectiveness was assessed for each action. I have a doubt, as I may define an action that needs a long time to be done (maybe months). Could you please explain to me where the non-compliance is in this issue?

    • Strahinja Stojanovic says:

      Dear Sami,

      There is no room for non-compliance here because the standard does not define the number of risks or actions you need to have. You established the process, conducted the assessment and defined the actions.

      I would suggest you ask the auditor what the exact requirement is against which the nonconformity will be issued, and how he defends his findings. Nobody should force companies to have additional risks or actions to address the risks.

      Feel free to contact me for any further assistance.

      Best regards,


  7. prince jose says:

    Would a risk assessment register, aspect impact register and legal register qualify as evidence to show that the risks and opportunities have been identified?

    • Strahinja Stojanovic says:

      Dear Prince,

      A risk register would be enough if it also covers the opportunities. A legal register can contain information about the sources of risks; for example, some new legal requirement can be hard or costly to comply with and this can lead to fines, but the legal requirement itself is not a risk.

      Best regards,


      • Azo says:

        Can you give me some examples for more understanding of it?

        • Strahinja Stojanovic says:

          Dear Azo,

          For example, the company might have problems finding competent staff, and this can cause a risk of not delivering products or services compliant with customer requirements. As an action to address this risk, the company can define training programs for existing staff or develop training for the new staff.

          Another example can be old equipment that can cause a halt in production; this risk can be addressed by more frequent preventive maintenance activities.

          The key is to focus on the elements of the context that can cause risk to product or service quality and customer satisfaction and take actions to prevent or mitigate those risks.

          Best regards,


          • Azo says:

            Thanks for your explanation.

          • Azo says:

            I would like to get an example of an Opportunities Plan for SWOT analysis.

            Thanks and best regards

          • Iciar Gallo says:

            When performing a SWOT analysis you need to brainstorm and record the strengths, weaknesses, opportunities and threats which concern a task, individual, or organization. It is a management activity that takes into account internal resources and capabilities (strengths and weaknesses) but also external resources and capabilities (opportunities and threats). This means that opportunities are focused on external issues so you need to consider those arising from: legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.

            That said, opportunities can include, for instance: new markets, new business development, high demand for product, prevention-based quality, etc.

            For more information you can see this article “ISO 9001:2015 case study: context of the organization as a success factor in manufacturing company”:

            Best regards


  8. Houssem says:

    Good morning,
    Thanks a lot!

    Is it relevant to proceed with an opportunity assessment? If yes, I am considering: Feasibility, Return/Gain, Likelihood…? What do you think about that?

    • Iciar Gallo says:

      Dear Houssem,

      As mentioned in the article, there are no requirements in ISO 9001:2015 for a formal process to monitor and control risks and opportunities. You are just required to identify the risks and opportunities and then decide what actions to take. So it is up to the organization to develop an opportunity assessment in order to identify your opportunities and take the appropriate actions.

      Best regards
