Actions to address risks and opportunities

ISO/IEC 20000-1 Clause 6.1 requires you to identify service-management risks and opportunities based on your organizational context and stakeholder requirements, then take planned actions so the Service Management System (SMS) achieves intended outcomes, reduces undesired effects, and improves over time 1. Operationalize it by tying Clause 4 outputs to a maintained risk/opportunity register, action plans, owners, and evidence.

Key takeaways:

  • Clause 6.1 starts with Clause 4: your context and interested-party requirements drive what you treat as risk and opportunity.
  • Auditors look for traceability: risk/opportunity → action → owner → timeline → evidence → review outcome.
  • “Opportunities” must be real planned improvements (not slogans) with measurable follow-through in SMS governance.

“Actions to address risks and opportunities” is the SMS planning requirement. It sits between your understanding of the organization (Clause 4) and your operational controls (incident, change, supplier, service level, etc.). If you treat it as a one-time risk assessment, you will struggle in audits because Clause 6.1 expects an ongoing planning discipline tied to how services are actually delivered.

For a Compliance Officer, CCO, or GRC lead, the fastest path is to build a simple, auditable chain: capture the issues and requirements you already determined under Clause 4, translate them into a small set of risks and opportunities that matter to service outcomes, and document planned actions that integrate into existing processes (change management, problem management, service continuity, supplier management). The intent is practical: prove the SMS can achieve intended outcomes, prevent or reduce failures, and drive continual improvement 1.

If you use a GRC platform such as Daydream, the win is control-to-evidence automation: a living risk/opportunity register with linked tasks, approvals, and artifacts that your service owners already produce.

Regulatory text

ISO/IEC 20000-1:2018 Clause 6.1 states: “The organization shall consider the issues and requirements determined in Clause 4 and determine the risks and opportunities that need to be addressed to give assurance that the service management system can achieve its intended outcome(s), prevent or reduce undesired effects, and achieve continual improvement.” 1

Operator meaning: you must (1) take the Clause 4 outputs seriously (context + interested parties + requirements), (2) decide what could help or harm SMS outcomes, and (3) plan actions that get executed and reviewed. The standard does not prescribe a specific risk methodology; it does require that your planning is systematic, maintained, and connected to service delivery.

Plain-English interpretation

Clause 6.1 is a commitment to managed planning. You are expected to:

  • Name what could go wrong in delivering and managing services (risks).
  • Name what could go better if you change how the SMS operates (opportunities).
  • Do something about both, using planned actions that are owned, tracked, and integrated into normal operations.
  • Show the loop closes through review: outcomes, residual risk, and improvement evidence.

A useful mental model for audits: if a risk or opportunity is “real,” it has an owner, planned action(s), and proof that actions happened.

Who it applies to (entity and operational context)

This requirement applies to any organization operating an SMS under ISO/IEC 20000-1, including:

  • Internal IT/service organizations delivering services to business units.
  • Managed service providers and SaaS providers delivering services to external customers.
  • Shared services organizations (IT, HR systems, enterprise platforms) where service performance affects multiple stakeholders.

Operationally, Clause 6.1 touches:

  • Service governance: service portfolio, service level management, reporting.
  • Run operations: incident, request, problem, event/monitoring.
  • Change and release: planned changes, emergency changes, deployment practices.
  • Third-party management: suppliers and other third parties that affect service outcomes.
  • Continual improvement: improvement registers, corrective actions, retrospectives.

What you actually need to do (step-by-step)

Step 1: Assemble Clause 4 inputs into an “assumptions pack”

Clause 6.1 explicitly depends on Clause 4. Create a single, auditor-friendly pack containing:

  • Key internal/external issues that affect services (from your context analysis).
  • Interested parties and their requirements (customers, regulators if relevant, internal stakeholders, third parties).
  • SMS scope statement and boundaries (what services, teams, locations, and technologies are in scope).

Practical tip: auditors often ask, “Show me how context flows into risk planning.” This pack is your answer.

Step 2: Define a lightweight risk-and-opportunity method that fits your SMS

You need consistency more than complexity. Document:

  • Definitions: what counts as a risk vs an opportunity in SMS terms.
  • How you capture items (workshops, quarterly reviews, trigger-based reviews after major incidents).
  • How you rate and prioritize (qualitative is acceptable if consistent).
  • Ownership model (service owner, process owner, supplier manager).
  • Review cadence and triggers (for example: major service change, recurring incidents, supplier failure).

Keep the method short. If it’s too heavy, teams stop maintaining it.

Step 3: Build and maintain a single register (risks + opportunities)

Create one controlled register (sheet, database, or GRC system) with these minimum fields:

Field                          What auditors expect
-----                          --------------------
Item type                      Risk or opportunity
Linked Clause 4 driver         Which issue or requirement drove it
Description in service terms   A concrete scenario, not a vague label
Services/processes affected    Which services and which parts of the SMS
Current controls               What already reduces likelihood or impact
Planned actions                What will change, and by whom
Owner                          A named role or person
Target completion              A date or milestone
Status                         Open / in progress / closed
Evidence links                 Tickets, CAB records, reports, contracts
Review outcome                 Residual risk, decision, next steps

Make traceability unavoidable. If an item cannot be tied back to Clause 4 or to a service/process, it becomes hard to defend.

Step 4: Turn “actions” into executable work inside existing processes

Clause 6.1 fails most often because actions live in a slide deck. Force actions into execution channels:

  • Changes go through change management with approvals, testing, and rollback plans.
  • Control improvements become tasks with acceptance criteria (for example: “add monitoring alert,” “tighten access review,” “update runbook”).
  • Supplier actions map to contract/SLA updates, third-party reviews, or escalation plans.
  • Training actions map to training records and updated procedures.

Daydream (or your GRC tool) should link each planned action to: a control owner, a due date, and the artifact that proves completion.

Step 5: Prove the actions support the three Clause 6.1 outcomes

Your evidence should show that actions support:

  1. SMS intended outcomes (service performance and management objectives),
  2. prevention/reduction of undesired effects (fewer repeats, less impact, faster recovery),
  3. continual improvement (documented improvements and governance follow-through), as required by Clause 6.1 1.

You do not need invented metrics. You do need a clear narrative with real operational artifacts (incident trends, post-incident actions, change records, customer escalations addressed).

Step 6: Run a recurring review and decision forum

Set a governance routine where you:

  • Review top risks and opportunities.
  • Decide, for each item, whether to treat, accept, transfer (for example, to a supplier by contract), or retire it.
  • Confirm action completion and effectiveness.
  • Capture decisions in minutes or a decision log.

Many teams embed this into existing SMS management review or service review meetings to reduce overhead.

Required evidence and artifacts to retain

Maintain artifacts that prove planning, execution, and review:

Planning and method

  • Context/issues and interested-party requirements summary (Clause 4 outputs)
  • Risk/opportunity methodology document (definitions, scoring, review triggers)
  • Risk and opportunity register (version-controlled)

Execution evidence

  • Action plans with owners and status
  • Change records (CAB approvals, testing evidence, implementation results)
  • Problem records and corrective actions
  • Updated procedures/runbooks and publication records
  • Supplier/third-party communications, SLA changes, meeting notes

Review and effectiveness

  • Meeting minutes/decision log showing review of register items
  • Evidence that actions reduced undesired effects or improved SMS outcomes (trend reports, service review notes, post-incident follow-ups)

Common exam/audit questions and hangups

Auditors typically probe for traceability and governance. Expect:

  • “Show me the issues and requirements from Clause 4 and how they drive your risks/opportunities.”
  • “How do you decide what is a top risk? Who approves the rating?”
  • “Pick one high risk. Show end-to-end evidence: controls, actions, completion, and effectiveness review.”
  • “Where do opportunities come from, and how do you ensure they are implemented?”
  • “How do you ensure risks introduced by third parties are included and acted on?”

Hangup: teams present a risk register with no evidence that anything happened. Clause 6.1 asks you to determine the risks and opportunities "that need to be addressed"; auditors read "addressed" as planned and executed actions, not awareness alone 1.

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: Clause 4 is disconnected from Clause 6.1.
    Fix: require a “Clause 4 driver” field for every risk/opportunity. No driver, no entry.

  2. Mistake: Only risks are tracked; opportunities are ignored.
    Fix: define opportunity categories (automation, monitoring, documentation quality, supplier performance, capacity planning) and require that every review cycle records at least one opportunity with an owner and a planned action.

  3. Mistake: Actions are vague (“improve monitoring”).
    Fix: write actions as deliverables (“deploy alert for X,” “add dashboard,” “update on-call runbook,” “test failover procedure”).

  4. Mistake: Register becomes a dumping ground with no ownership.
    Fix: every item has a single accountable owner and a clear decision (treat/accept/transfer/retire).

  5. Mistake: Evidence is scattered and can’t be retrieved quickly.
    Fix: store links in the register. A tool like Daydream helps by attaching artifacts directly to the control/action record so evidence collection is not a quarterly scramble.
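The register rules from Step 3 and the fixes in the mistakes list above are mechanical enough to enforce automatically, whatever tool holds the register. The following is an added example written for this page (not code from ISO/IEC 20000-1, Daydream, or any other product): a small lint pass that rejects rows with no Clause 4 driver, no owner, no tracked action, or a "closed" status with no evidence or decision behind it. The field names and the sample rows are assumptions and constructed data; map them to whatever your sheet or GRC tool exports.

```python
"""Added example for this page: a lint pass over a Clause 6.1 register.

Illustrative code only; not part of ISO/IEC 20000-1 or of any GRC product.
Field names and the SAMPLE_REGISTER rows are assumptions and constructed data.
"""
from dataclasses import dataclass

VALID_TYPES = {"risk", "opportunity"}
VALID_STATUS = {"open", "in progress", "closed"}
VALID_DECISIONS = {"treat", "accept", "transfer", "retire"}


@dataclass(frozen=True)
class Finding:
    item_id: str
    rule: str      # short rule name, stable enough to filter on
    message: str


def lint_item(item: dict) -> list:
    """Check one register row against the traceability rules."""
    iid = item.get("id") or "<no id>"
    out = []

    def fail(rule, msg):
        out.append(Finding(iid, rule, msg))

    if item.get("type") not in VALID_TYPES:
        fail("bad-type", "item must be a risk or an opportunity")
    if not item.get("clause4_driver"):            # "No driver, no entry"
        fail("no-driver", "no Clause 4 issue/requirement linked")
    if not item.get("affected"):
        fail("no-scope", "no service or SMS process named")
    if not item.get("owner"):                     # single accountable owner
        fail("no-owner", "no accountable owner")
    status = item.get("status")
    if status not in VALID_STATUS:
        fail("bad-status", f"unknown status {status!r}")
    actions = item.get("planned_actions") or []
    if not actions:                               # awareness is not an action
        fail("no-action", "no planned action recorded")
    for action in actions:                        # actions live in a ticket, not a slide
        if not action.get("ticket"):
            fail("action-not-tracked",
                 f"action {action.get('text')!r} has no change/problem/task reference")
    if status == "closed":                        # closing needs proof and a decision
        if not item.get("evidence"):
            fail("closed-no-evidence", "closed without evidence links")
        decision = (item.get("review_outcome") or {}).get("decision")
        if decision not in VALID_DECISIONS:
            fail("closed-no-decision", "closed without treat/accept/transfer/retire decision")
    return out


def lint_register(register: list) -> list:
    """Lint every row, then apply register-level rules."""
    findings, seen = [], set()
    for item in register:
        iid = item.get("id")
        if iid in seen:
            findings.append(Finding(iid, "duplicate-id", "id reused"))
        seen.add(iid)
        findings.extend(lint_item(item))
    if not any(i.get("type") == "opportunity" for i in register):   # risks only
        findings.append(Finding("<register>", "no-opportunities",
                                "no opportunities tracked this cycle"))
    return findings


# Constructed sample rows (not real data): one clean item and three typical defects.
SAMPLE_REGISTER = [
    {"id": "R-001", "type": "risk",
     "clause4_driver": "Customer requirement: 99.9% availability for the billing service",
     "description": "Billing runs on a single database node; node loss takes billing offline",
     "affected": ["billing service", "service continuity"], "owner": "Billing service owner",
     "planned_actions": [{"text": "Deploy standby replica and test failover", "ticket": "CHG-4412"}],
     "status": "closed", "evidence": ["CHG-4412", "failover test report"],
     "review_outcome": {"decision": "treat", "residual": "low"}},
    {"id": "R-002", "type": "risk", "clause4_driver": "",            # Mistake 1
     "description": "Backup supplier has no contractual recovery time objective",
     "affected": ["supplier management"], "owner": "Supplier manager",
     "planned_actions": [{"text": "Add RTO clause at renewal", "ticket": "TASK-88"}],
     "status": "open", "evidence": [], "review_outcome": {}},
    {"id": "O-001", "type": "opportunity",                            # Mistakes 3 and 4
     "clause4_driver": "Internal issue: manual alert triage",
     "description": "Improve monitoring", "affected": ["event management"],
     "owner": "", "planned_actions": [], "status": "open", "evidence": [], "review_outcome": {}},
    {"id": "R-003", "type": "risk",                                   # closed on paper only
     "clause4_driver": "Interested party: finance needs month-end reports on time",
     "description": "Recurring batch job failures at month end",
     "affected": ["reporting service", "problem management"], "owner": "Reporting service owner",
     "planned_actions": [{"text": "Root-cause the job failures", "ticket": "PRB-210"}],
     "status": "closed", "evidence": [], "review_outcome": {}},
]

if __name__ == "__main__":
    for f in lint_register(SAMPLE_REGISTER):
        print(f"{f.item_id:12} {f.rule:22} {f.message}")
```

Run it as a pre-commit check on the register export, or as a gate before the review forum: an item that fails "no-driver" or "no-owner" is not discussed until fixed, and a "closed" item that fails the evidence or decision rule is reopened. The rule names double as the audit walkthrough's checklist.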

Enforcement context and risk implications

ISO/IEC 20000-1 is a certifiable standard; no regulator enforces it. In practice, "enforcement" comes from certification and surveillance audits, customer due diligence, and contractual commitments to maintain an SMS aligned to the standard. Clause 6.1 failures commonly create downstream risk:

  • Repeated incidents because corrective actions don’t close.
  • Uncontrolled change leading to service disruption.
  • Supplier failures not anticipated or managed.
  • Weak continual improvement narrative, which raises audit findings and customer trust concerns.

Practical execution plan (30/60/90-day)

Days 1 to 30 (Immediate)

  • Compile Clause 4 issues/requirements and scope into a single reference pack.
  • Choose your risk/opportunity method and document it in plain language.
  • Stand up the register with mandatory fields and evidence-linking.
  • Run one workshop with service and process owners to populate an initial set of risks and opportunities tied to real services.

Days 31 to 60 (Near-term)

  • Convert top items into action plans inside ITSM/GRC tooling (tickets, changes, problem records).
  • Establish a review forum and decision log.
  • Close at least a few actions end-to-end with evidence, so you can demonstrate the full lifecycle in an audit.

Days 61 to 90 (Operationalize)

  • Expand coverage across services and include third-party driven risks.
  • Add effectiveness checks to your review: did actions reduce recurrence, shorten recovery, or improve predictability?
  • Prepare an audit “walkthrough pack” with two or three representative items showing full traceability from Clause 4 to outcomes.

Frequently Asked Questions

Do we need a formal enterprise risk management (ERM) program to satisfy Clause 6.1?

No. Clause 6.1 requires a consistent way to determine and address SMS risks and opportunities tied to Clause 4 inputs 1. You can align to ERM, but auditors mainly test traceability and execution.

What counts as an “opportunity” in service management?

An opportunity is a planned improvement that increases the likelihood the SMS meets its outcomes or improves over time, such as better monitoring, clearer runbooks, or improved supplier oversight 1. It must have an owner, action, and evidence.

Can we keep risks in one tool and actions in another?

Yes, if you can show durable linkage. Auditors will expect to navigate from a risk/opportunity entry to the executed change/problem/task evidence without guesswork.

How do we handle third-party risks under this requirement?

Include third-party-dependent failure scenarios as risks (for example, upstream outages, subcontractor access, missed SLAs) and assign actions through supplier management and service continuity processes. Keep contracts, SLAs, review notes, and escalations linked as evidence.

How often must we review the risk and opportunity register?

ISO/IEC 20000-1 Clause 6.1 does not prescribe a frequency 1. Set a cadence that matches service criticality and add trigger-based reviews after major incidents, major changes, or supplier events.

What is the minimum evidence set to pass an audit?

A current register with Clause 4 traceability, documented actions with owners and status, and retrieved artifacts (change records, problem/corrective actions, meeting minutes) for a sample of items. The key is showing that risks and opportunities “need to be addressed” and were actually addressed through planned work 1.

Footnotes

  1. ISO/IEC 20000-1:2018 Information technology — Service management
