Clause 6.1 of ISO 9001:2015 is one of those requirements that generates more questions than answers: How formal does the process need to be? How many risks should we identify? What’s the practical difference between a risk and an opportunity? The standard is deliberately flexible here — which can be frustrating when you’re trying to turn requirements into a real process your team will actually use.
This guide gets straight to the point: what clause 6.1 actually requires, how to build a risk and opportunity management process that works without turning into a paperwork exercise, and what documented evidence your auditor will expect to see.
What Clause 6.1 Actually Requires
ISO 9001:2015 clause 6.1 is part of the Planning section and has two core requirements:
- Identify the risks and opportunities that could affect the conformity of your products and services, customer satisfaction, or your QMS performance.
- Plan actions to address those risks and opportunities, and integrate them into your QMS processes.
What the standard does not require: a specific methodology, dedicated software, a standard form, or a minimum number of risks. The flexibility is by design — but it doesn’t mean you can skip the requirement.
Consultant’s note: Many companies build enormous risk registers that nobody updates. An auditor would rather see 10 well-managed risks than 80 identified and forgotten. Quality over quantity applies to risk management too.
Starting Point: Your Organizational Context
ISO 9001 risk management doesn’t exist in isolation — it flows from your context analysis (clause 4). If you’ve already identified your internal and external factors, and the needs of your interested parties, you have the raw material to determine what could go wrong — or right.
Common internal factors that drive risks:
- High staff turnover in critical processes.
- Dependency on a single supplier for key inputs.
- Equipment without an updated maintenance schedule.
External factors that generate risks or opportunities:
- Regulatory changes in your industry.
- New competitors or technologies affecting demand.
- Market growth that opens expansion opportunities.
How to Identify Risks and Opportunities
There’s no single correct technique. Most effective QMS teams combine two or three methods:
Process-by-process brainstorming
Gather the responsible parties for each process and ask: “What could prevent this process from delivering what’s expected?” and “What could happen that benefits us if we prepare for it?” Capture everything without filtering at first.
Historical incident analysis
Review your nonconformances, customer complaints, and corrective actions from the past two years. These are risks that already materialized — guaranteed to be real.
Quality-focused SWOT
Take your context SWOT analysis and translate each element into specific risks or opportunities for your QMS. Weaknesses and threats typically map to risks; strengths and opportunities map to QMS opportunities.
How to Evaluate Risks
Once identified, you need to prioritize. The most practical and audit-accepted tool is a risk matrix with two axes: likelihood and impact.
Simple scale (sufficient for most SMEs):
- Likelihood: 1 (unlikely) · 2 (possible) · 3 (likely).
- Impact: 1 (minor) · 2 (moderate) · 3 (severe).
- Risk level = Likelihood × Impact. Score from 1 to 9.
Classification:
- 1–2: Low. Monitor, no urgent action required.
- 3–4: Medium. Define preventive actions.
- 6–9: High. Immediate action and close monitoring.
Risk Treatment Options
For each medium or high risk, you need to define what you’re going to do about it. Standard options:
- Avoid: eliminate the activity generating the risk.
- Mitigate: reduce likelihood or impact (the most common choice).
- Transfer: share the risk with a third party (insurance, subcontracting).
- Accept: acknowledge the risk when the cost of treating it outweighs the benefit.
For each action, assign a responsible person, a deadline, and a tracking indicator. That’s what turns a register into a real plan.
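To make the scoring and treatment rules above concrete, here is an added example in Python (not code from the page or from QualityWeb 360). It scores a small constructed register with the 1–3 likelihood and impact scale, classifies each risk with the 1–2 / 3–4 / 6–9 bands, and flags any medium or high risk that lacks an action with an owner, deadline and tracking indicator. The class and field names are assumptions chosen for this illustration.

```python
from dataclasses import dataclass, field

LIKELIHOOD = {1: "unlikely", 2: "possible", 3: "likely"}
IMPACT = {1: "minor", 2: "moderate", 3: "severe"}


@dataclass
class Action:
    description: str
    owner: str = ""
    deadline: str = ""   # e.g. "2025-Q3"; any non-empty string counts here
    indicator: str = ""  # the tracking KPI for the action

    def is_complete(self) -> bool:
        # An action only counts as planned if all three tracking fields are filled.
        return all((self.owner, self.deadline, self.indicator))


@dataclass
class Risk:
    title: str
    likelihood: int
    impact: int
    actions: list = field(default_factory=list)

    def level(self) -> int:
        # Risk level = Likelihood x Impact, on the 1..9 scale from the matrix.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must each be 1, 2 or 3")
        return self.likelihood * self.impact

    def classification(self) -> str:
        score = self.level()   # products of 1..3 never yield 5, so the bands are exhaustive
        if score <= 2:
            return "Low"
        if score <= 4:
            return "Medium"
        return "High"


def audit_register(risks):
    """Return one finding per medium/high risk that has no complete action."""
    findings = []
    for r in risks:
        cls = r.classification()
        if cls != "Low" and not any(a.is_complete() for a in r.actions):
            findings.append(f"{r.title}: {cls} (score {r.level()}) has no action with owner, deadline and indicator")
    return findings


# Constructed sample register, based on the internal factors listed earlier.
REGISTER = [
    Risk("Single supplier for key input", 3, 3, [Action("Qualify second supplier", "Purchasing lead", "2025-Q3", "% of volume dual-sourced")]),
    Risk("High staff turnover in final inspection", 2, 2, [Action("Cross-train two inspectors")]),  # no owner/deadline/indicator
    Risk("Equipment without updated maintenance schedule", 1, 2),
]
```

Running `audit_register(REGISTER)` returns a single finding, for the turnover risk, which is exactly the gap an auditor raises under clause 6.1.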
Opportunities: The Side Most QMS Teams Neglect
Clause 6.1 addresses “risks and opportunities” — but in practice, most QMS teams only fill the risk column. That’s a double mistake: you lose value, and auditors notice the gap.
An opportunity in ISO 9001 terms is any circumstance that, if proactively pursued, can improve your performance, increase customer satisfaction, or strengthen the QMS. Examples:
- A new geographic market where you have the capacity to compete.
- A regulatory change that, anticipated early, gives you a competitive edge.
- Digitizing a manual process that would reduce errors and cost.
What to Document (and What You Can Skip)
ISO 9001 doesn’t require a “risk management procedure” or a specific format. What you do need to retain as documented information:
- The list or matrix of identified risks and opportunities.
- The planned actions to address them.
- Evidence that actions were carried out and their effectiveness evaluated.
A well-structured spreadsheet is compliant. A module in your quality management software is better — it lets you link risks to corrective actions, KPIs, and the management review in one place.
Risks and the Management Review Cycle
Identified risks aren’t static. The standard expects you to review and update them periodically — and the natural moment to do so is the management review (clause 9.3), which explicitly includes the results of risk and opportunity analysis as an input.
A practical cycle: identify risks at the start of the year → execute actions → review effectiveness quarterly → update the matrix at the annual management review.
Frequently Asked Questions about Clause 6.1
How many risks do I need to identify to comply with ISO 9001?
The standard sets no minimum. What matters is that you’ve systematically analyzed your context factors and that the risks identified are the ones that can genuinely affect your QMS, product conformity, or customer satisfaction. For a typical SME, 10–25 risks is a reasonable range. Fewer than 5 usually signals insufficient analysis; more than 50 makes meaningful follow-up difficult.
Is a risk matrix required by ISO 9001?
No. ISO 9001 doesn’t prescribe any specific format. You can use a simple table, specialized software, or even a narrative process if it’s well-documented. The likelihood × impact matrix is the most widely used because it’s visual, easy to communicate to management, and universally accepted by auditors.
What’s the difference between a risk and a nonconformance?
A risk is something that could happen and negatively affect your operations. A nonconformance is something that has happened — a requirement that wasn’t met. Risk management (clause 6.1) is proactive; corrective actions (clause 10.2) are reactive. A strong QMS works both simultaneously: manage risks to reduce future nonconformances, and analyze past nonconformances to identify risks you hadn’t yet recognized.
How often should I update my risk register?
At minimum, once a year during the management review. In practice, review it whenever significant changes occur: a new process, a critical new supplier, a regulatory change, a serious incident. Mature QMS organizations review it quarterly as part of their performance management cycle.
What happens if the auditor doesn’t find actions for my high-rated risks?
That’s the most common clause 6.1 finding: risks identified with no planned actions, or planned actions with no evidence of execution. It can result in a nonconformance finding, especially for significant risks. The practical rule: every risk classified as “high” must have at least one documented action with an owner, deadline, and follow-up.
Manage Your Risks Without Scattered Spreadsheets
If your risk matrix lives in a spreadsheet nobody updates, or in a document buried in shared drives, the problem isn’t the method — it’s the tool. QualityWeb 360 includes a dedicated Risk and Opportunity Management module where you can register, evaluate, and track each risk from the same platform where your processes, corrective actions, and KPIs live.
Want to identify your most critical QMS risks in under 30 minutes? Use the free Quality Risk Minimizer™ — it walks you through the process step by step.
Or see the platform in action: schedule a demo and we’ll show you live, no commitment required.