How to address risks and opportunities in ISO 9001?

Risk-based thinking is a concept that has been brought to the forefront of quality planning in ISO 9001 requirements. When executing a Quality Management System (QMS) based on the requirements of ISO 9001:2015, you will notice that in addition to identifying and addressing risks, the standard recommends you to appropriately explore opportunities.

Now, what exactly does this mean? In this article, we will converse about how to appropriately address risks and opportunities in your organisation based on the recommendations of the ISO 9001 standard.

ISO 9001 requirements

In the ISO 9001:2015 standard, clause 4.4.1 is where organisations are recommended to determine the processes needed to address risks and opportunities. This requirement is reinforced again in section 5.1.2, where the standard urges the top management to ensure that risks and opportunities that affect the conformity of their service or product should be determined and appropriately addressed.

However, the actual flesh of the requirements for risks and opportunities is outlined in section 6.1, where actions to address risks and opportunities are delineated. This clause discusses the need to plan the actions required to address the risks and opportunities, integrate these steps into the QMS and evaluate the effort for effectiveness.

These steps must be proportional to the potential impact on the product or service conformity, and there are many ways to mitigate risks according to the standard, including avoiding or accepting them. Here, avoiding risk means putting controls in place so the risk can be averted entirely.

On the other hand, risk acceptance occurs when a business acknowledges that the potential loss from risk is not that great, and spending money to avoid it would be counterproductive. The type of risk response depends upon the unique circumstances of the organisation.

The last mention of risk and opportunity is in clause 9.1.3 of the ISO 9001 standard, which talks about analysing the information necessary to determine if the actions taken were adequate. Similarly, clause 9.3.2 specifies that management reviews are essential to examine the effectiveness of the actions taken to address risks and opportunities. you can learn more on ISO 9001 internal audit page. 

How to address the ISO 9001 requirements regarding risks and opportunities?

The standard does not require a formal process to monitor and control risks and opportunities within the QMS. It instead suggests adopting risk-based thinking at every level of the organisation. Hence, there is no formal requirement to maintain documented information within the QMS about risk management.

However, looking at what you already do within your organisation is good practice to see if you address these requirements within your existing business practices. For example, many organisations look at their risks and opportunities by utilising a Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis.

Utilising SWOT analysis in business planning helps to make plans which address the risks and opportunities identified in the planning stages, helping the organisation align to the requirements of the ISO 9001:2015 standard. If you are already doing this as a part of your business capture strategy, then you are already adhering to the ISO 9001:2015 standard.

ISO 9001 risks

Any component that can impact the business’s growth is classified as a risk by the ISO 9001 standard. A risk is a possibility of a loss. To address risk in ISO 9001, it is essential to identify the risk, plan your response, integrate the response into your QMS and eventually evaluate its effectiveness. The four central risk management or risk treatment options include acceptance, transparency, avoidance and reduction.

ISO 9001 opportunities

Even though risk can be described as a potential for a loss, and an opportunity can be defined as a potential for a gain, they should not be discussed as antagonists. Risks and opportunities are not separate from each other and should not be considered opposing concepts. Instead, think of an opportunity as a set of circumstances that makes it possible for an organisation to do something. Choosing to explore or choosing to ignore an opportunity then presents different levels of risk.

How to document risks and opportunities under ISO 9001?

While a business must identify risks and opportunities and decide what actions to take, there is no mandate to maintain these steps as documented information within the QMS. However, recording risk management is valuable as it allows the organisation to track, manage and evaluate the risks and opportunities it comes across and achieves compliance.

A valuable instrument for recording risks is a risk register, a simple document, database or spreadsheet that organisations utilise to encapsulate their risk management strategies and actions. A risk register typically records the description of the risk, risk type, likelihood of occurrence, severity, measures taken to mitigate the risk, risk owners, current status of the risk and quantitative values.

Conclusion

Risks and opportunities should not be thought of as opposites. Even though the risk is a potential for a loss and an opportunity is a potential for a gain, they are not separate or opposing concepts. To appropriately address risks and opportunities in ISO 9001, you must begin by identifying risks and opportunities, planning your response, integrating the response into your QMS and evaluating its effectiveness.