How To Address Risk in ISO 9001 [with Procedure]

  1. Identify the risks and opportunities
  2. Plan your response
  3. Integrate the response into your quality management system (QMS)
  4. Evaluate effectiveness


Risk-based thinking has been given a far more prominent role in the ISO 9001:2015 standard than it’s received in the past.

This process largely falls in line with the principles of the ISO 9001 standard as applied to risk and opportunity.

1 Identify the Risks and Opportunities

A lot will go into the identification of potential risks for a company. There are two distinct kinds of risk that a company may encounter: external and internal.

External risk is risk incurred from the environment in which the company operates. These can be legal, regulatory, financial, and cultural risks.

Internal risk is risk incurred from within an organization. This can be caused by an organization’s structure, resource deficiencies or allocation, and hierarchy.

Risk and opportunity need to be determined within the context of the business, something that will lead to different definitions of each term for different organizations.

Additionally, in many cases, risk will also bring opportunity. Companies need to properly assess where risk ends and opportunity begins, and how they can reduce one while capitalizing on the other.

2 Plan Your Response

As with any other part of the ISO 9001 standard, companies are required to develop a plan for addressing the risk and opportunities they’ve identified.

A company will need to do an in-depth assessment of the possible risks for this part. How likely are these risks? How disruptive would they be if they were to happen? What amount of resources is your company willing to dedicate to mitigating these risks?

Similarly, what is the potential for capitalizing on the opportunities? Can their likelihood be increased while mitigating the risk? Is the potential risk worth incurring for a chance at capitalizing on the opportunity?

Once these assessments have been made, an organization can develop a plan for addressing the risks and opportunities based on their stated strategies for both. Without properly assessing their appetite for risk, an organization cannot properly plan to either mitigate it or capitalize on the opportunities it presents.

In accordance with the ISO 9001 standard, these plans need to be clearly laid out, with a plan for documenting the process and keeping clear records of it.

3 Integrate the Response into Your QMS

This step requires a company to insert the plan they’ve developed for addressing risk and opportunity into the greater framework of the QMS that they already have in place. This step is critical, in that the plan needs to allow for the rest of a company’s QMS to remain seamless.

As a standard that emphasizes universal application, the nature of ISO 9001 will require that the process developed for addressing risk and opportunity be compatible with all other procedures in the company.

For this reason, keeping a company’s QMS in mind as it goes through the process of developing a plan for addressing risk and opportunity can prove to be helpful. Developing a plan only to find that it doesn’t integrate well into the larger process means time and energy has been wasted.

4 Evaluate Effectiveness

This step in the process is also in lockstep with the core principles of the ISO 9001 standard. As with any other procedure in a company operating under ISO 9000 standards, proper documentation and record keeping processes will need to be put in place.

This is where a company can record the outcomes and measure the effectiveness of their efforts. This stage in the process is also why it is crucial to develop a comprehensive assessment of the company’s willingness to take on risk and pursue potential opportunities.

Without a detailed understanding of the company’s aims in regards to both risk and opportunity, it will be all but impossible to properly assess the effectiveness of the process that’s been implemented.

As with any procedure in a company operating under ISO 9001 standards, this step allows for the constant scanning of potential inefficiencies that can be improved upon.

It should be noted that context is also a key factor in any risk assessment process. Risk at one juncture of the process might look different than the same risk at another juncture. This is why having a comprehensive strategy for risk assessment is critical. Preparing for and thinking about all the possibilities will help better prepare your company.

The ISO 9001 standard is an all-encompassing standard, and its principles will guide any plan a company designs for addressing potential risks and opportunities. Following the guiding principles of the ISO 9001 standard will help a company ensure the plan they implement for risk and opportunity is a success.

How Does ISO 9001 Define Risk?

ISO 9001 rather obliquely defines risk as the “effect of uncertainty.” The standard goes on to outline that risk is the “deviation from the expected,” and can come in both positive and negative forms.

Additionally, the standard notes that risk largely pertains to potential events, and is expressed primarily as the likelihood and consequence of such potential events.

For most organizations, this definition leaves a lot to be desired.

While this will sound like an incredibly open-ended and vague definition of a crucial term, this is in line with what the ISO 9001 standard is meant to be. As an internationally recognized standard, ISO 9001 needs to be applicable to as many industries and organizations as possible. Hence the vague definition of a term as important as risk.

Because of the broad definition, it is up to an organization to define what risk means for their business. This needs to be a comprehensive assessment and will be tailored to that company. Any organization that operates under the ISO 9001:2015 standard will have a definition of risk that is specific to their business.

For this part, many companies will build what is known as a “risk taxonomy.” This is designed to help a company better define the term risk while also outlining what risks look like for their specific context.

The first step in this process involves interrogating current procedures. What could go wrong at each step? What things could arise that are not currently accounted for? How likely are they to occur, and what impact would they have on the business if they did?

This will require both a high-level view of risk and more drilled-down definitions of specific risks.

At this point, a company will likely have a long list of potential risks. Some patterns will appear in the list, allowing an organization to group similar risks together. In addition to grouping similar types of risk, an organization can also break the possible risks into groups based on the likelihood of occurrence, or on the organization’s willingness to incur the risk.

Included in this taxonomy will be the opportunities that are included with these potential risks. A company will also want to group these into various subcategories based on likelihood, the potential outcomes of the opportunity, and the company’s willingness to take on the associated risks to try and capitalize on the opportunity.

What is Risk-based Thinking?

In the ISO 9001:2015 update, there is a greater emphasis put on risk-based thinking and understanding how risk affects an organization.

Remember, risk can be both mitigated and leveraged into opportunity.

In the past, the ISO 9001 system treated risk as a separate component to quality management, focusing on prevention instead. In the 2015 update, the idea of risk-based thinking is meant to be addressed with a more systematic approach.

While risk-based thinking will sound like a new concept, it’s already something that most people engage in on a day-to-day basis. Any individual who is asked to make a decision in their day-to-day life, i.e. everyone, is constantly weighing the risks associated with those decisions and working to mitigate that risk.

The idea behind the 2015 update is to infuse that thought process into the entire quality management system, making risk assessment a main component of the process at each level of the system.

Should You Focus On Risk Assessment?

In short, yes. Improved risk assessment, and an emphasis on it, will help to improve your company. While not an end in itself, risk assessment adds another tool to an organization’s decision-making toolkit.

In the context of the ISO 9001 standard, risk assessment is an objective, evidence-based process for making decisions. Because it is standardized and evidence-based, it’s also repeatable. For this same reason, it can be easily understood and picked up by members of an organization, even if it’s not a main focus in their current role.

Similar to the rest of the ISO 9001 system, risk assessment puts a premium on improvement and growth. For an organization that puts a focus on risk assessment, they are actively measuring the potential for growth and new opportunities as part of a standardized, repeatable system.

Where Does Risk Assessment Appear In ISO 9001?

Risk assessment appears in two main ways:

  • Leadership Directives
  • Planning

It’s important to recognize that the ISO 9001 system is not so much a set of requirements as much as a set of principles that, when applied to an organization, will help an organization to improve quality in their everyday activities.

With that in mind, the same concept should be applied to risk assessment. ISO does not offer a specific checklist to be marked off in order to implement risk-based thinking into your business. Rather, the idea of risk-based thinking should permeate throughout all of a business’s practices.

Leadership Directives

As with anything that goes on in a company, leadership will play an out-sized role in the implementation of a quality management system. Because of this, an organization’s leaders will need to be properly versed in the concept of risk-based thinking.

As the primary decision makers in an organization, leaders will already have a general awareness of risk-based thinking and probably already use it to some extent in their day to day activities.

By focusing on leadership directives, the standard is putting an emphasis on how these directives can and should be influenced by a risk-based approach. This shift replaces an emphasis on preventive measures in previous versions of the standard.


Planning

The planning section is where the preventive action is removed from the old standard and replaced with an emphasis on managing risks and opportunities at every step of the process.

This is another example of the standard asking organizations to approach risk and opportunity in the same way they would approach any other problem that needed to be solved. The standard is not asking companies to go out and add new steps to their current quality management systems.

Instead, the standard is asking for a more risk-based approach to every step and process in the system. This will look different for each company that applies the standard to their processes.

With this in mind, addressing risk and opportunity as an organization appears in every clause of ISO 9001. While the leadership directives and planning sections feature it most prominently, an organization should be careful not to let risk-based thinking fall by the wayside at other junctures in the process.


The Benefits of Risk-Based Thinking

In many ways, risk-based thinking helps to highlight and add to many of the benefits that a good quality management system will bring to an organization. These benefits include:

  • improved governance
  • improved work environment
  • improved compliance practices
  • improved customer satisfaction

Again, many of these benefits are already the benefits a company will experience from operating under a quality management system that meets the high standards of the ISO 9001 standard.

This is to be expected, based on the way ISO 9001 treats risk and opportunity. Because the standard does not create a new set of structures or requirements for addressing risk and opportunity, instead opting for an integration of risk-based thinking into the current system, the benefits will largely remain the same.

That said, by adopting a more risk-based approach, an organization can increase the effect of those benefits while also increasing their frequency. Companies that adopt this approach into their current system will no doubt see the returns for their organization.

Risk-based thinking is more an enhancement of previous versions of the ISO 9001 standard than an addition of anything new to it. Adding it to the toolkit is simply a way for companies to improve their decision-making with a new line of information and inquiry on existing processes.

The likelihood of meeting stated objectives will be increased, as will the engagement of employees as they are empowered with a new way of assessing their processes. These effects will impact the quality of the product or service a company is providing, which will in turn improve the customer experience and satisfaction.

The argument for embracing risk-based thinking is largely the same as the argument for implementing a quality management system that meets the ISO 9001 standard. The question is not one of kind, but rather of degree. Adding risk-based thinking to an organization’s approach will help it to maximize these benefits.

Updated: 26th February 2022
Author: Richard Keen

Richard is our Compliance Director, responsible for content & product development.
But most importantly he is ISO's biggest fanboy and a true evangelist of the standards.
Don’t Try to Manage It All Alone!

Our ISO Auditors and Quality Manager Trainers have been in this industry for years, and since 2002 we’ve been providing thousands of small businesses and large corporations with the tools they need to get certified.

Instead of trying to create everything you need to follow this process from scratch, use ours. We have procedures, templates, checklists, process maps, forms and gap analysis tools to help you control your documented information without missing a single input or output.

Before you invest all the hours reinventing the wheel, before you spend countless dollars outsourcing the task — try our templates.

Risks & Opportunities Procedure

The purpose of this procedure is to outline your organization’s risk and opportunity management framework and the activities within it.

The risk and opportunity management framework defines our current risk management process, which includes methodology, risk appetite, and methods for training and reporting.


Forms & Reports also included:

  • Control of Risks & Opportunities Process Activity Map
  • Risk Register
  • SWOT Template
  • PESTLE Template
  • Compliance Obligation Register (ISO 14001 version only)
  • Environmental Aspect & Impact Register (ISO 14001 version only)
  • Interested Party Analysis (ISO 14001 version only)

Free Download - Control of Calibrated Equipment Procedure - this will give you a good idea of what to expect when you purchase the procedure and the current level of documentation required for ISO.

  • Written in International English
  • Fully-editable MS Word or Excel files, compatible with Google Docs and Apple Pages
  • All the templates use styles – making reformatting and rebranding a breeze
  • Immediate download

Pay by Credit Card, Debit Card, PayPal or Apple Pay.
We are 100% confident in the quality and contents of our products. Used by thousands of organizations around the world, our templates have been sold online since 2002.

Please read our Money Back Guarantee.


Are The Templates Suitable For You?

Bought by small businesses and large corporations, our templates have been sold online and on CD since 2002.

Used by:

  • Small Businesses – dentists, accountants, engineers
  • Large organizations – hospitals, power plants, aircraft manufacturers

The Templates are used by first-timers following our step-by-step, clause-by-clause guidance documents; and experienced Quality Managers wishing to streamline and improve their existing documentation.

The application of our templates is scalable and generic; regardless of the size and type of organization. The elements that form the quality management system are the same.


Five Reasons To Choose Our Templates

1. Our customizable templates save you time and money by offering a streamlined process to create your quality documentation

2. They’ve got everything you need in one simple template

3. Proven to work, our templates have helped thousands of businesses, big and small, achieve certification

4. Documents use styles to make reformatting and rebranding a breeze

5. Our templates are generalizable for any industry or sector. The application of our templates is scalable and generic; regardless of the size and type of organization.
