Risks and Opportunities

ISO 9001:2015, clause 6, describes these planning requirements:

6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
6.3 Planning of changes

This article is about:

ISO 9001:2015, 6.1, Actions to address risks and opportunities

6.1.1 When planning for the quality management system (QMS), the organization must consider the issues referred to in 4.1 (relevant to its purpose and strategic direction), and the requirements referred to in 4.2 (regarding interested parties), and determine the risks and opportunities that need to be addressed to:

a) give assurance (confidence) that the QMS can achieve its intended results;

b) enhance desirable effects (by improving the efficiency of its activities and developing or applying new technologies);

c) prevent, or reduce, undesired effects (through risk reduction or preventive actions);

d) achieve improvement (to ensure product and service conformity and enhance customer satisfaction).

According to ISO/TS 9002:2016, the purpose of this sub-clause is to prevent nonconformities, including nonconforming outputs, and to determine opportunities that might enhance customer satisfaction or achieve the organization’s quality objectives.

Examples of risks that the QMS will not achieve its objectives include the failure of processes, products, and services to meet their requirements, or the organization not achieving customer satisfaction.

Examples of opportunities include the potential to identify new customers, to determine the need for new products or services and to bring them to market, or to determine the need for revising or replacing a process by the introduction of new technology for it to become more efficient.

When examining opportunities, determine and assess the potential risks to the QMS. The results should be used when deciding whether or not to implement those opportunities.

ISO 9001:2015 does not require the use of formal risk management, e.g., in accordance with ISO 31000:2018, for determining and addressing risks and opportunities. An organization can choose the methods that best suit its needs.

ISO/TS 9002 states that organizations can consider using the outputs of techniques such as:

  • SWOT: Strengths-Weaknesses-Opportunities-Threats
  • PESTLE: Political-Economic-Social-Technological-Legal-Environmental
  • FMEA: Failure Mode and Effects Analysis
  • FMECA: Failure Mode, Effects, and Criticality Analysis
  • HACCP: Hazard Analysis and Critical Control Points

Simpler approaches include methods such as brainstorming, the Structured What If Technique (SWIFT), and a risk matrix (consequences and probability).

The application of risk-based thinking can also help an organization to develop a proactive and preventive culture focused on doing things better and improving how work is done in general.

There are various situations where risks and opportunities should be considered, e.g., strategy meetings, management reviews, internal audits, quality meetings, objective-setting meetings, the planning stages for design and development of new products and services, as well as the planning stages for production processes.

6.1.2 The planning for an organization must include:

a) actions to address these risks and opportunities;
b) how to:
   1) integrate and implement the actions into its QMS processes;
   2) evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities must be proportionate to the potential impact on the conformity of products and services.

This sub-clause includes a NOTE that options to address risks can include:

  • avoiding the risk (e.g., not starting or continuing the process);
  • taking risk to pursue an opportunity (e.g., equipment investment);
  • eliminating the risk source (e.g., using documented procedures);
  • changing the likelihood or consequences of the risk;
  • sharing the risk (e.g., working with the customer to facilitate advance purchase of raw materials when production levels are unknown);
  • retaining risk by informed decision (e.g., accepting risk based on its potential effect or the cost of the needed action).

Another NOTE is that opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology, and other desirable and viable possibilities to address the organization’s or its customers’ needs.

According to ISO/TS 9002, the intent of 6.1.2 is to ensure that the organization plans actions to address its risks and opportunities, implements the actions, and analyzes and evaluates the effectiveness of the actions taken.

These actions should be based on the potential impact on the conformity of products and services, or on customer satisfaction, and need to be incorporated into both the QMS and its processes, as appropriate. For example, if the organization has a single-source provider of a critical raw material, then it should consider investing in developing a new source.

The organization should consider the need for documented information on risks and opportunities, both for its QMS and for its processes.