
ISO 9001:2015 Risk Management

Risks and Opportunities 

Risk-based thinking is presented in the introduction of the ISO 9001:2015 standard. ISO 9001 has always advocated mitigating and avoiding risk; previous revisions addressed the issue implicitly through “preventive action”. ISO 9001:2015 replaced the term preventive action with Clause 6.1, “actions to address risks and opportunities”.

A risk is a positive or negative deviation from the expected. Addressing a risk could mean pursuing a new opportunity. The better your organization manages risks, the better prepared it is to face uncertainties. During the planning of their QMS, organizations are required to address both risks and opportunities. Opportunities can include the adoption of new customers, products, technology, or practices.

There are several requirements around risks and opportunities throughout the ISO 9001:2015 standard. The examples in the table below are just some of the clauses that in effect mandate risk management.

| ISO 9001:2015 clause | Comments |
|---|---|
| 4.4 Quality management system and its processes | The overall quality management system (QMS) must consider both risks and opportunities as part of its core planning process. |
| 5.1 Leadership and commitment | Those who lead the organization must promote risk-based thinking. |
| 5.1.2 Customer focus | Ensure risks and opportunities that affect customers are determined and addressed. |
| 6.1 Actions to address risks and opportunities | When planning for the QMS, determine and address risks and opportunities. |
| 9.1.3 Analysis and evaluation | Evaluate the effectiveness of actions taken to address risks and opportunities. |
| 10.2 Nonconformity and corrective action | Update risks and opportunities determined during planning, if necessary. |

How to address risks and opportunities?

The ISO 9001:2015 requirements around risks and opportunities do not call for a formal risk management system. However, the standard does require that you determine what the risks and opportunities are and how they will be addressed. When evaluating a risk, it is helpful to use two metrics or parameters:

  1. Severity (If the risk occurs, how serious is it?)
  2. Probability (What is the probability of the risk occurring?)

Common methods for identifying and addressing risk include maintaining a risk register, performing FMEA (Failure Mode Effects Analysis) or FTA (Fault Tree Analysis), using a Probability and Impact Matrix, or other risk management exercises.

When addressing risks and opportunities, these are key steps:

  1. Define the risk or opportunity type: i.e. whether it derives from context, process, or products/services.
  2. Define the activity or source from which the risk or opportunity comes.
  3. Determine what category the risk falls under.
  4. Thoroughly describe the risk.
  5. Define the impact and the probability of occurrence.
  6. Establish how the organization will treat the risk and create a predefined list of treatments.
  7. Define the acceptable action to treat the risk.
  8. Identify opportunities and describe how the organization will capitalize on them by documenting an action plan.
  9. Regularly review risks and opportunities.
  10. Describe procedures and forms related to risks and opportunities in a documented information module.
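As an added example (not from the page or from Standard Stores), the following Python risk register applies the two parameters above (severity and probability) and the numbered steps: it scores each entry, maps the score to a predefined treatment, and ranks entries for review. The 1..5 scales, band thresholds, treatment wording and sample entries are all assumed or constructed.

```python
from dataclasses import dataclass

# Assumed scoring scales (not from the page): severity and probability 1..5.
BANDS = ((15, "high"), (8, "medium"), (1, "low"))  # score floors, assumed

# Predefined list of treatments keyed by band (step 6); wording is constructed.
TREATMENTS = {
    "high": "avoid or mitigate: owner-assigned action plan with due date",
    "medium": "mitigate: monitor and re-evaluate at next management review",
    "low": "accept: record in register, review at scheduled interval",
}

@dataclass
class Entry:
    kind: str          # step 1: "risk" or "opportunity"
    source: str        # step 2: context, process, or product/service
    category: str      # step 3
    description: str   # step 4
    severity: int      # step 5: impact if it occurs (1..5)
    probability: int   # step 5: likelihood of occurrence (1..5)

    def score(self) -> int:
        for p in (self.severity, self.probability):
            if not 1 <= p <= 5:
                raise ValueError("severity and probability must be 1..5")
        return self.severity * self.probability

    def band(self) -> str:
        return next(name for floor, name in BANDS if self.score() >= floor)

    def treatment(self) -> str:
        # Steps 7 and 8: risks get a treatment, opportunities an action-plan flag.
        if self.kind == "opportunity":
            return "pursue: document action plan" if self.band() != "low" else "defer"
        return TREATMENTS[self.band()]

def prioritize(register: list[Entry]) -> list[tuple[str, int, str]]:
    """Step 9 review aid: entries needing attention, highest score first."""
    ranked = sorted(register, key=lambda e: e.score(), reverse=True)
    return [(e.description, e.score(), e.treatment()) for e in ranked if e.band() != "low"]

# Constructed sample register, not real data.
SAMPLE = [
    Entry("risk", "context", "supply chain", "single-region supplier for key component", 5, 3),
    Entry("risk", "process", "calibration", "gauge overdue for calibration", 3, 2),
    Entry("opportunity", "product/service", "market", "new customer segment for existing line", 4, 3),
    Entry("risk", "process", "training", "new hire not yet trained on work instruction", 2, 2),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```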

In effect, ISO 9001:2015 risk management asks the organization to establish an end-to-end process for risk management and then execute that process consistently, carefully, and widely. While the process for creating and applying risk management may never be overly specific, because it must apply in so many different situations, ISO has already provided a fairly rich reference set in this area, including:

  • ANSI/ASSE Z690.1-2011 Vocabulary for Risk Management (U.S. adoption of ISO Guide 73:2009)
  • ANSI/ASSE Z690.2-2011 Risk Management Principles and Guidelines (U.S. adoption of IEC/ISO 31000:2009)
  • ANSI/ASSE Z690.3-2011 Risk Assessment Techniques (U.S. adoption of IEC/ISO 31010:2009)

We’re here to help you address ISO 9001:2015 risk management requirements. Since we are in the business of helping companies quickly and cost-effectively gain and maintain ISO 9001 certification, we have made major revisions of our document templates, training, software, and registration relationships to accommodate risk planning. We are also preparing additional education and updates on specific areas of the standard. If you have not done so already, we encourage you to sign up for our newsletter series to stay abreast of these important changes.

Risk is Addressed in Other ISO Standards 

ISO has essentially built whole standards around the concept of planning for and responding to risk. A key example is ISO 14001, which is in effect a blueprint for dealing with environmental problems before, during, and after their inception. The same goes for AS9100, which requires identification, assessment, and communication of risks throughout product realization, and implementation and management of actions to mitigate risks that exceed the defined level of acceptable risk.

The ISO 31000 standard provides an organizational-level risk management approach. ISO 31000 deals with crucial risk management concepts like:

  • Avoiding activities associated with a given risk
  • When to accept, or not accept, a risk in order to take advantage of a key opportunity
  • Acceptable ways to remove a risk source entirely

ISO 9004 also addresses many aspects of risk management including risk’s impact on strategy and innovation.

A Giant Risk That ISO 9001:2015 Could Have Mitigated

The Northeast region of Japan has been the major supplier of key auto components, not only for Japanese car companies but for other automakers worldwide. After the 2011 earthquake/tsunami hit the area, Toyota, Nissan and many other producers were forced to halt production, with resulting sales declines of almost 20% for some. Dependence upon a small but vital set of suppliers is exactly the kind of major risk that the new ISO 9001:2015 emphasis on risk mitigation would have required addressing.

Please note that certain text from the ISO 9001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.
