
How do you address Risk and Opportunity in ISO9001?


The ISO9001 quality management standard is one of the most established management system standards around, and it is enormously popular, with over one million organizations certified to it. In its most recent revision, in 2015, ISO9001 became more focused on the management of risk and its more positive twin, opportunity. But what do these concepts have to do with quality, and how does an organization wanting to become certified address them effectively? In this blog we look at risk and opportunity in ISO9001 and clarify what you need to do to meet the requirements correctly.

What does ISO9001 say about risk and opportunity?

For the purposes of our discussion, the interesting clause in the ISO9001 standard is Clause 6 Planning, and specifically its sub-clause 6.1 Actions to address risks and opportunities. Within the ISO9001 document this part is relatively brief (in contrast to the seemingly never-ending Clause 8 Operation) and gives a clear and concise description of what is required.

First, we are asked to think about the external and internal issues we identified in the earlier Clause 4.1. These could be a wide variety of items, from the prevailing economic environment through to a lack of investment in machinery on the shop floor. Secondly, we are asked to bring in the requirements of the interested parties we identified in Clause 4.2. These could be employees, customers, shareholders, regulators or similar people or organizations who affect, or could be affected by, our QMS.

With these two lists in hand, ISO9001 now wants us to consider the risks and opportunities that could arise from them, so that the QMS can achieve its intended results, undesired effects are prevented or reduced, and desirable effects are enhanced. We then need to plan what to do about them, build those actions into the QMS processes, and evaluate whether the actions have actually worked.

Lastly, there is a reminder that the actions we take must be proportionate to the potential impact of the risk or opportunity on the conformity of our products and services; in other words, we should not go overboard with actions when the impact would not have been that big.

So where to start?

Before deciding where to start, let’s talk about what we need to end up with. When you’re at your ISO9001 certification audit sitting opposite the auditor and she asks you how you have addressed the requirements of these clauses, what are you going to show her? From experience, she is likely to want to see the following items:

  1. A list of external and internal issues
  2. A list of interested parties and their requirements
  3. A risk assessment and action plan
  4. An opportunity assessment and action plan

I’m going to assume you have items 1 and 2 from your earlier work on Clause 4 Context of the organization, so let’s focus on items 3 and 4.

Identify the risks

For practical purposes, a risk is something bad that hasn't happened yet (to clarify, it could have happened before, but not in the current period of time under consideration). The first step is to identify what the risks are. One way to do this (there are many possible ways) is to look at each item on the list of issues and on the list of interested parties and their requirements, and ask "what could go wrong that would affect this item?". Let's try an example. One of the internal issues we mentioned before was a lack of investment in machinery on the shop floor. What could happen that would make this a problem?

Assess the risks

Perhaps a key piece of machinery could break down and stop production of a product completely. Or perhaps the machine could drift out of alignment and produce products that are out of specification. Both of these could be risks that go onto our risk assessment. Once they are on there, we consider how likely each risk is to happen and what the impact would be if it did. We could use a scale of one to five for both likelihood and impact. Multiplying the two figures together gives a score, which is then classified via a matrix as low, medium or high risk (this is just one of many ways of assessing risks). Whatever scheme you choose, write down what each point on the scale means, so that two people assessing the same risk arrive at similar scores and the resulting ratings can be compared with each other.

So taking the risk of a key item of machinery breaking down completely, we might say the likelihood of that happening (perhaps based on past maintenance records) is 4 out of 5 (pretty likely) and if it did happen then the impact would be a 4 out of 5 (very bad – production of a key product or component would cease). Multiplying 4 by 4 gives a risk score of 16 which our classification scheme might define as a high risk.

Actions to address risks

We therefore have a high risk which we are likely to want to do something about. Options could include buying or leasing a new machine, having the existing machine refurbished, or buying spare parts in advance. Remember that the action we take has to be justified by the potential impact on what we're trying to achieve, so it could be that buying a new machine is far too expensive compared to what we'd lose in production if the risk happened. Whichever action you choose, record it against the risk and, later, record whether it worked, because Clause 6.1.2 asks you to evaluate the effectiveness of the actions you have taken.

Once we have identified all of the risks we feel are relevant, assessed them and decided on what to do about them, we then have a risk assessment and an action plan – that’s item 3 on our list for the auditor.

What about opportunities?

Just as a risk is something bad that hasn’t happened yet, so an opportunity is something good that hasn’t happened yet. The process of identifying opportunities has a lot in common with that of risks; again we start with the lists of issues and interested parties’ requirements and we think “what else could happen that might have a positive impact on our organization and our QMS?”.

Continuing with our machinery example, it could be that a development fund becomes available that fully or partially funds the replacement of this type of machinery. If that happened then perhaps a new machine would be able to produce twice as much product as the old one. So we go through a similar process to score the likelihood of this happening and the impact if it were to happen. We might then identify an action to take that would make it more likely to happen (such as actively looking for development funds) and perhaps one that would increase the positive impact (such as investigating pricing and supply of new machines).

We then have the fourth item on our list for the auditor – the opportunity assessment and action plan.
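The scoring scheme described above for both the risk and the opportunity examples can be held in a spreadsheet, as the next section says, but it is also small enough to express in code. The following Python is an added example written for this page; it is not CertiKit's tool or a template from the standard. It assumes the one-to-five scales from the text, a score of likelihood multiplied by impact, and assumed band thresholds (1 to 5 low, 6 to 12 medium, 15 to 25 high), since the post does not define the matrix. The sample register entries are constructed from the machinery example. Besides scoring, it flags any medium or high entry with no recorded action, which is exactly the gap an auditor will notice when reading the action plan.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed scoring scheme: likelihood and impact are each scored 1-5 and
# multiplied together. The band thresholds are an assumption for this example;
# the post only says the product is classified via a matrix.
LOW_MAX = 5      # products 1-5  -> low
MEDIUM_MAX = 12  # products 6-12 -> medium; 15-25 -> high


def classify(score: int) -> str:
    """Map a likelihood x impact product onto the low/medium/high bands."""
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


@dataclass
class Entry:
    kind: str                 # "risk" (something bad) or "opportunity" (something good)
    source: str               # the Clause 4.1 issue or 4.2 requirement it was derived from
    description: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe, or highly beneficial)
    actions: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so the register stays comparable.
        if self.kind not in ("risk", "opportunity"):
            raise ValueError(f"kind must be 'risk' or 'opportunity', got {self.kind!r}")
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        return classify(self.score)


def build_register(entries: List[Entry]) -> List[Dict[str, object]]:
    """Return the register as rows sorted highest score first, the order an auditor reads it in."""
    rows = [
        {
            "kind": e.kind,
            "description": e.description,
            "likelihood": e.likelihood,
            "impact": e.impact,
            "score": e.score,
            "rating": e.rating,
            "actions": list(e.actions),
        }
        for e in entries
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def unaddressed(entries: List[Entry], minimum: str = "medium") -> List[Entry]:
    """Entries rated at or above `minimum` that have no action recorded against them."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [e for e in entries if order[e.rating] >= order[minimum] and not e.actions]


# Constructed sample register based on the machinery example in the post.
SAMPLE = [
    Entry("risk", "Internal issue: lack of investment in shop-floor machinery",
          "Key machine breaks down and production stops", 4, 4,
          ["Buy critical spare parts in advance", "Quote for refurbishment of existing machine"]),
    Entry("risk", "Internal issue: lack of investment in shop-floor machinery",
          "Machine drifts out of alignment and produces out-of-spec product", 3, 3),
    Entry("opportunity", "External issue: regional development funding (assumed)",
          "Development fund part-funds a replacement machine with double the throughput", 2, 4,
          ["Actively look for development funds", "Investigate pricing and supply of new machines"]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['rating']:<6} {row['score']:>2}  {row['kind']:<11} {row['description']}")
    for e in unaddressed(SAMPLE):
        print(f"NO ACTION RECORDED ({e.rating}): {e.description}")
```

Note that the product of two ordinal scores is itself only an ordering device: a 16 is not "twice as bad" as an 8, and the bands are what carry meaning. The value of the script is the consistency check (scores outside the scale are rejected) and the list of unaddressed entries, not the arithmetic.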

What does this look like in documentation terms?

All of the above can be achieved using a spreadsheet, and this is a common way to do it. Online tools can also be used, particularly for a more complex risk assessment. As we alluded to earlier, there are many ways to conduct a risk assessment and no single way is the right one; what matters is that the method is written down, applied consistently, and produces the action plans the auditor will ask for.

Last words

Risk and opportunity assessment is an important part of the ISO9001 standard and one which is absolutely necessary for certification. But it doesn’t have to be complicated; the benefit is in the action lists that are produced which will have a positive effect both in reducing risk and making opportunity more likely.

And that has to be a good thing.



More ISO9001 Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO9001:2015 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.
