Actions to address risks and opportunities
ISO 22301 Clause 6.1 requires you to identify the BCMS-specific risks and opportunities that could affect business continuity outcomes, decide what actions you will take, embed those actions into BCMS processes, and check whether the actions work. Operationalize it by running a BCMS risk/opportunity assessment tied to objectives, assigning owners and due dates, and tracking effectiveness through measurable BCMS performance results. 1
Key takeaways:
- Maintain a living register of BCMS risks and opportunities tied to continuity objectives and scope.
- Convert each material item into an action plan with an owner, due date, integration point, and effectiveness metric.
- Keep audit-ready evidence that actions were implemented and reviewed for effectiveness, not just identified.
Clause 6.1 is a planning requirement with teeth: you do not pass by having a generic enterprise risk register or a one-time workshop output. You pass by showing that the BCMS identifies what could help or hinder intended outcomes, then actively drives specific actions into the system that manages continuity. The clause is written in plain language, but auditors will look for operational proof: decisions, ownership, implementation evidence, and follow-through.
For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat “risks and opportunities” as managed work, not a document. Start by anchoring the assessment to BCMS intended outcomes (for example, meeting recovery requirements for prioritized activities), then identify internal and external factors that could affect those outcomes. Next, turn findings into a prioritized action backlog. Finally, tie each action to a BCMS process (training, exercising, supplier continuity, incident response interfaces, change management) and verify effectiveness through management review inputs and continual improvement. 1
Regulatory text
Requirement (excerpt): “The organization shall determine the risks and opportunities that need to be addressed to give assurance the BCMS can achieve its intended outcomes.” 1
What the operator must do
You must:
- Determine BCMS-relevant risks and opportunities (not just enterprise risks in general).
- Decide actions to address them (avoid, reduce, share, accept; or pursue/enable opportunities).
- Integrate actions into BCMS processes (so they become standard work).
- Evaluate effectiveness (so you can show the BCMS remains capable of achieving intended outcomes).
All four elements are implied by the Clause 6.1 summary expectation that organizations identify items, plan actions, integrate them, and evaluate effectiveness. 1
Plain-English interpretation (what Clause 6.1 really demands)
Clause 6.1 asks a simple question: What could stop your continuity program from meeting its objectives, and what could make it work better? Then it expects you to act.
A practical interpretation for audits:
- If a risk/opportunity is “material” to BCMS outcomes, there is a named owner and tracked action.
- Actions are not standalone; they land inside existing BCMS mechanics (exercise program, training, supplier continuity, communications, change control, corrective action).
- You can show the loop is closed: identification → action → implemented change → effectiveness check. 1
Who it applies to (entity and operational context)
Clause 6.1 applies to any organization implementing or certifying to ISO 22301 and to the people accountable for running the BCMS (BCM lead, risk owners, process owners, IT/service owners, site leaders). 1
Operationally, it matters most when you have:
- Complex dependencies (technology, facilities, key people, utilities, critical third parties).
- Frequent change (new systems, reorganizations, outsourcing, cloud migrations).
- Regulated commitments to customers or regulators on availability and recovery.
- Multi-site operations with shared services and single points of failure.
What you actually need to do (step-by-step)
1) Define BCMS intended outcomes and assessment boundaries
- Confirm BCMS scope and intended outcomes (usually rooted in continuity objectives and recovery requirements).
- Set boundaries: business units, locations, processes, key products/services, and critical dependencies.
Tip: If your outcomes are vague, your risks will be vague. Tighten outcomes first so actions can be measured. 1
2) Run a BCMS risk and opportunity assessment (purpose-built)
Build a structured method that is repeatable and defensible:
- Inputs to consider:
  - Internal/external context that affects continuity outcomes (organizational change, staffing, facilities constraints, technology posture, supplier stability).
  - Exercise/test results and incident learnings.
  - BIA outputs (prioritized activities and dependencies).
  - Third-party dependency map for continuity-critical suppliers.
Capture both:
- Risks: events/conditions that could prevent meeting recovery requirements.
- Opportunities: changes that could improve resilience, reduce downtime exposure, or simplify recovery.
Example risks (BCMS-specific):
- Recovery strategy relies on a single facility without a workable alternate.
- Backup/restore design exists but has not been proven under realistic conditions.
- A continuity-critical third party has no contractual recovery commitments.
Example opportunities:
- Consolidate runbooks and automate recovery steps to reduce manual error.
- Add alternate workspace capability for a high-priority function.
- Build cross-training to reduce key-person dependency.
3) Decide what needs action (materiality and prioritization)
Not every item needs a project. Define triage criteria such as:
- Impact on achieving recovery requirements.
- Likelihood or fragility indicators (change frequency, known failure history, complexity).
- Time-to-fix and feasibility.
- Dependency concentration (single points of failure, third-party choke points).
Outputs:
- A “needs action” list with rationale.
- A “monitor/accept” list with documented acceptance and review triggers. 1
4) Build action plans that auditors recognize as real
For each risk/opportunity requiring action, record:
- Action statement: what will change (control, process, technology, contract, training, exercise plan).
- Owner: accountable person, not a team name.
- Integration point: where it lives in the BCMS (exercise program, supplier management, change control, corrective actions).
- Completion criteria: objective proof (policy update approved, runbook published, exercise passed, contract amended).
- Effectiveness metric: what outcome you expect to improve (for example, restore time, exercise pass/fail criteria, reduction in single points of failure).
Good action (auditor-friendly):
- “Update continuity plans for Customer Support to include remote-work fallback; validate via tabletop and a live call-routing failover test; document results and corrective actions.”
Weak action (audit risk):
- “Improve resilience” with no owner, no integration point, no measurement.
5) Integrate actions into BCMS processes (make it stick)
Clause 6.1 fails most often here. Integration means actions are carried by existing governance:
- Change management: continuity impact assessment required for relevant changes.
- Exercise program: tests validate that changes work and uncover new risks.
- Corrective action: findings create tracked remediation.
- Training and awareness: role-based training updated to reflect new procedures.
- Third-party management: continuity requirements embedded in onboarding, contracting, and periodic reviews.
Integration is the difference between a register and a functioning management system. 1
6) Evaluate effectiveness and keep it current
Effectiveness is shown through:
- Exercise outcomes, after-action reports, and closure of corrective actions.
- Management review decisions (acceptance, reprioritization, resource decisions).
- Evidence that risk/opportunity identification is revisited after major changes, incidents, or exercise failures. 1
Required evidence and artifacts to retain (audit-ready)
Keep artifacts that show the full lifecycle:
Core records
- BCMS risks and opportunities register (versioned, dated, with owners and decisions).
- Methodology/procedure describing how you identify, assess, and review risks/opportunities.
- Action plans with accountable owners, due dates, and status.
- Risk acceptance records (including rationale and approval).
Integration and effectiveness records
- Change management records showing continuity impact considered where relevant.
- Exercise schedule, test plans, results, after-action reports, and corrective action tracking.
- Updated continuity plans/runbooks that reflect implemented actions.
- Management review minutes/outputs showing review of risks/opportunities and action effectiveness. 1
Common exam/audit questions and hangups
Auditors tend to probe in predictable ways:
- “Show me your top BCMS risks and what you did about them.” Hangup: a list exists, but actions are vague or not implemented.
- “How do you know these actions are effective?” Hangup: no acceptance criteria, no exercises mapped to the action.
- “How do you keep this updated?” Hangup: no triggers (organizational change, new systems, supplier change, incident).
- “How do third parties factor into BCMS risk?” Hangup: third-party continuity is treated as procurement paperwork, not a continuity dependency with recovery expectations. 1
Frequent implementation mistakes (and how to avoid them)
Mistake 1: Using the enterprise risk register as a substitute
Fix: Maintain a BCMS-specific view that ties directly to continuity outcomes and recovery requirements, even if it rolls up into ERM.
Mistake 2: Treating “opportunities” as optional fluff
Fix: Record at least a small set of operational improvements tied to measurable outcomes (exercise performance, plan quality, dependency reduction).
Mistake 3: No integration point, so nothing changes
Fix: Every action must land in a BCMS process: corrective action, exercise program, change management, supplier lifecycle, or training.
Mistake 4: Closing actions without proving effectiveness
Fix: Define completion criteria and require evidence (test results, updated plans, approvals) before closure. 1
Enforcement context and risk implications
No public enforcement cases were provided for this requirement in the source catalog. Practically, the risk is certification-related (major/minor nonconformities) and operational (continuity failures, missed recovery objectives, unmanaged third-party outages). Clause 6.1 gaps often surface after an incident, when leadership asks why known weaknesses were never turned into funded actions. 1
Practical 30/60/90-day execution plan
First 30 days (stabilize and baseline)
- Confirm BCMS intended outcomes and scope for assessment.
- Choose a simple assessment method and templates (register, action plan, acceptance record).
- Run an initial workshop with continuity, IT, facilities, and key business owners to capture a first-cut risk/opportunity register.
- Triage and identify which items “need action” versus “monitor/accept.”
By 60 days (convert into execution)
- Write action plans for all material items; assign accountable owners.
- Embed actions into governance: corrective action tracking, change management gates, and exercise planning.
- Address quick wins (plan fixes, communications trees, dependency documentation).
By 90 days (prove effectiveness)
- Execute at least one exercise/test aligned to a top risk action to generate effectiveness evidence.
- Hold a formal review with leadership to approve acceptances, reprioritize, and commit resources.
- Operationalize triggers for updates (significant change, incident, supplier changes, exercise failures).
- If you need a system of record, Daydream can centralize the BCMS risk/opportunity register, action tracking, evidence collection, and review workflows so Clause 6.1 stays auditable without spreadsheet sprawl. 1
Frequently Asked Questions
Do we need a separate “BCMS risk register” if we already have ERM?
You need a demonstrable BCMS view of risks and opportunities tied to BCMS intended outcomes. That can be a dedicated register or a clearly scoped ERM subset, but it must show actions, integration, and effectiveness. 1
What counts as an “opportunity” under Clause 6.1?
Any improvement that increases confidence the BCMS will achieve intended outcomes, such as reducing single points of failure or improving recoverability through tested procedures. Track it with the same discipline as risks: owner, action, and effectiveness check. 1
How do we prove actions are integrated into the BCMS?
Show where each action lives in normal BCMS operations: linked corrective actions, updated plans/runbooks, change management records, training updates, and exercises that validate the change. Auditors look for traceability from register item to implemented artifact. 1
How often should we review risks and opportunities?
ISO 22301 Clause 6.1 requires that you determine what needs to be addressed, and operators typically review on a recurring cadence plus after major changes, incidents, and exercise results. Pick a cadence you can sustain and document the triggers that force an out-of-cycle review. 1
Are third-party risks in scope for this clause?
Yes, if a third party affects your ability to meet continuity outcomes (systems, call centers, cloud, logistics, utilities, critical services). Capture the dependency, define continuity expectations, and track actions such as contract terms, alternate suppliers, or tested failover procedures. 1
What’s the fastest way to get audit-ready evidence?
Start with a single register that links each risk/opportunity to an action, an owner, and an evidence folder. Then run one targeted exercise to generate effectiveness proof and document management review decisions on priorities and acceptances. 1
Footnotes
1. ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements