Actions to address risks and opportunities

ISO 9001:2015 Clause 6.1 requires you to identify the risks and opportunities that must be addressed during Quality Management System (QMS) planning, then translate them into controlled actions that protect intended results and drive improvement. To operationalize it, you need a repeatable method to identify, prioritize, assign, act, and review risks and opportunities across QMS processes and third parties. 1

Key takeaways:

  • Treat Clause 6.1 as a planning control: identify risks/opportunities, decide actions, integrate them into process controls, then review effectiveness.
  • Auditors will look for traceability: risk/opportunity → action plan → owner → evidence of implementation → evidence of review.
  • Keep it simple but complete: a risk register tied to process KPIs, nonconformities, complaints, supplier issues, and change management is usually enough.

Clause 6.1 is easy to “say” and surprisingly easy to fail in an audit. The standard asks you to determine which risks and opportunities need to be addressed when planning the QMS, but auditors expect more than a brainstorming list. They want to see that your organization systematically identifies what could prevent intended results (and what could improve them), makes decisions about what to do, and embeds those decisions into day-to-day operations.

For a Compliance Officer, CCO, or GRC lead, the fastest path is to anchor Clause 6.1 to the work you already run: corrective action, internal audit, management review, supplier management, change control, training, and metrics. Your risks and opportunities should not live in a standalone spreadsheet nobody uses. They should drive tangible actions such as updated procedures, added inspections, supplier controls, capability training, design changes, or measurement upgrades.

This page gives requirement-level implementation guidance: who must comply, what “determine the risks and opportunities” means in plain English, step-by-step execution, required artifacts, common audit traps, and a practical execution plan you can hand to process owners today. 1

Regulatory text

ISO 9001:2015 Clause 6.1.1 states: “When planning for the quality management system, the organization shall determine the risks and opportunities that need to be addressed.” 1 The full sentence also directs you to consider the external and internal issues from Clause 4.1 and the interested-party requirements from Clause 4.2, and names the purposes: give assurance that the QMS can achieve its intended results, enhance desirable effects, prevent or reduce undesired effects, and achieve improvement. Clause 6.1.2 then requires you to plan the actions, plan how to integrate them into QMS processes, and evaluate their effectiveness, with actions proportionate to the potential impact on the conformity of products and services.

Operator meaning (what you must do)

You must:

  1. Identify QMS-relevant risks and opportunities.
  2. Decide which ones “need to be addressed” (not every idea makes the cut).
  3. Plan actions that prevent undesired effects, support intended results, and drive improvement as part of QMS planning. 1

Auditors typically interpret “determine” as “use a defined method and show evidence you did it,” not “we talked about it once.”

Plain-English interpretation of the requirement

Clause 6.1 requires a disciplined planning loop:

  • Risks: What could cause your processes, products, or services to miss requirements (customer, regulatory, contractual, internal).
  • Opportunities: What changes could improve outcomes (fewer defects, faster cycle time, better customer experience, stronger supplier performance).

The key is actionability. If you can’t point to an action, owner, due date (or equivalent planning commitment), and a way to evaluate effectiveness, you have not operationalized the requirement.

Who it applies to (entity and operational context)

Entities

  • Any organization implementing or certified to ISO 9001:2015.
  • Quality management practitioners who plan, maintain, and audit the QMS. 1

Operational contexts where Clause 6.1 shows up

  • Process ownership: manufacturing, service delivery, engineering, customer support, fulfillment.
  • Third party dependencies: outsourced processes, critical suppliers, contract manufacturers, software providers, calibration labs, logistics partners. Use “third party” risk thinking even if procurement owns the relationship.
  • Change: new products, new sites, new tools, ERP migrations, staffing shifts, new regulatory/customer requirements.

If you operate in a multi-site or matrix environment, Clause 6.1 becomes a governance requirement: each site/process needs a consistent method, and corporate needs roll-up visibility.

What you actually need to do (step-by-step)

Below is a pragmatic implementation pattern that satisfies auditors and works operationally.

Step 1: Define the scope and risk taxonomy (lightweight)

  • List your QMS processes (use your existing process map).
  • Define a small set of risk categories you will use consistently, such as: customer requirements, process capability, people/competence, equipment/infrastructure, data/measurement, suppliers/third parties, and change management.
  • Define what “opportunity” means for you (examples: defect reduction, yield improvement, reduced rework, shorter lead time, complaint reduction).

Deliverable: a one-page “Risk & Opportunity Method” section in your QMS planning procedure, or an addendum to an existing planning procedure.

Step 2: Identify risks and opportunities using real inputs

Use evidence sources you already have, not workshop opinions alone:

  • Internal audit results and trends
  • Nonconformities and corrective actions
  • Customer complaints/returns and feedback
  • Process KPIs (scrap, rework, on-time delivery, first pass yield)
  • Supplier/third party performance issues
  • Significant changes (design, tooling, software, staffing, facilities)

Practical tip: run identification at the process level. “The organization could have quality issues” is not usable. “Incoming inspection misses counterfeit components from third parties” is usable.

Step 3: Evaluate and prioritize (pick a method and stick to it)

ISO 9001 does not mandate a scoring system; Clause 6.1.2 only requires that actions be proportionate to the potential impact on product and service conformity. Auditors do expect a rationale for prioritization. Common workable methods:

  • Severity / Likelihood / Detectability (FMEA-style)
  • High/Medium/Low with defined criteria
  • Risk acceptance criteria tied to customer impact, regulatory impact, and rework cost (qualitative is fine)

Minimum bar: document why certain risks/opportunities were selected for action and others were monitored.

Step 4: Decide actions and integrate them into QMS controls

For each selected risk/opportunity:

  • Define the action (control improvement, training, inspection step, supplier requirement, process change, automation, poka-yoke, etc.).
  • Assign an owner (single accountable person).
  • Define when it will be implemented (tie to a project milestone, management review commitment, or CAPA due date).
  • Define how you will know it worked (a metric, audit check, reduction in NCRs, improved supplier rating).

Integration examples auditors like:

  • Updating a procedure/work instruction to add a verification step.
  • Adding a supplier control (qualification, incoming inspection changes, tighter specs).
  • Updating training matrices and competence checks.
  • Adding monitoring/measurement points to a control plan.

Step 5: Track execution (no orphan action items)

Maintain a living tracker:

  • Risks/opportunities register with links to actions
  • Action plan status (open/in progress/closed)
  • Evidence links (procedure revision, training record, inspection records, supplier scorecards)
  • Effectiveness review date and outcome

If you already use a GRC platform, connect the register to corrective actions, audits, and management review agendas. If you want a single operational hub, Daydream can centralize the register, action workflows, and evidence collection so Clause 6.1 does not become a quarterly spreadsheet scramble.

Step 6: Review effectiveness and refresh during planning cycles

Build review into existing rhythms:

  • Management review: top risks/opportunities and action status
  • Internal audits: verify controls were implemented and are followed
  • CAPA: confirm the corrective action reduced recurrence
  • Supplier reviews: confirm supplier controls reduced issues

Auditors will ask: “How do you know your actions address the risk?” Make sure the answer is evidence-based.
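The six steps above amount to a small data model plus a set of checks. The following script is an added example, not tooling from the page or from any vendor: it scores register entries FMEA-style (severity × likelihood × detectability on 1-10 scales, an assumed convention), applies an assumed selection threshold, and then runs the traceability checks an auditor probes (no selection rationale, selected items with no action, unowned actions, actions closed without evidence or effectiveness review, a register with no opportunities). The register contents are constructed sample data.

```python
"""Clause 6.1 register checks (added example; field names, scales and the
RPN threshold are assumptions, not requirements of ISO 9001:2015)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Action:
    id: str
    owner: Optional[str]                 # single accountable person
    due: str                             # milestone, CAPA due date or MR commitment
    status: str                          # open | in_progress | closed
    evidence: List[str] = field(default_factory=list)   # procedure revs, records
    effectiveness_outcome: Optional[str] = None         # None = not yet reviewed


@dataclass
class Entry:
    id: str
    kind: str                            # "risk" or "opportunity"
    process: str
    description: str                     # written at process-step level
    severity: int                        # 1-10 (assumed scale)
    likelihood: int                      # 1-10
    detectability: int                   # 1-10, 10 = hardest to detect
    rationale: Optional[str]             # why addressed vs. monitored
    actions: List[Action] = field(default_factory=list)


RPN_THRESHOLD = 100   # assumed selection criterion; document your own in the method


def rpn(e: Entry) -> int:
    """Risk priority number, FMEA-style product of the three scores."""
    return e.severity * e.likelihood * e.detectability


def disposition(e: Entry) -> str:
    """'address' when RPN meets the threshold or severity is critical, else 'monitor'."""
    if rpn(e) >= RPN_THRESHOLD or e.severity >= 9:
        return "address"
    return "monitor"


def audit_findings(register: List[Entry]) -> List[str]:
    """Return the traceability gaps an auditor would raise, one string each."""
    findings: List[str] = []
    for e in register:
        if not e.rationale:
            findings.append(f"{e.id}: no documented selection rationale")
        if disposition(e) == "address" and not e.actions:
            findings.append(f"{e.id}: selected for action but has no action plan")
        for a in e.actions:
            if not a.owner:
                findings.append(f"{e.id}/{a.id}: action has no owner")
            if a.status == "closed":
                if not a.evidence:
                    findings.append(f"{e.id}/{a.id}: closed without implementation evidence")
                if a.effectiveness_outcome is None:
                    findings.append(f"{e.id}/{a.id}: closed without effectiveness review")
    if not any(e.kind == "opportunity" for e in register):
        findings.append("register: no opportunities recorded (Clause 6.1 covers both)")
    return findings


def build_sample_register() -> List[Entry]:
    """Constructed sample data: one clean entry, one sloppy one, one orphan."""
    return [
        Entry("R-01", "risk", "receiving",
              "Incoming inspection misses counterfeit components from distributor",
              9, 4, 7, "Customer-facing failure; above threshold",
              [Action("A-01", "Quality Engineering", "MR-Q3", "closed",
                      ["WI-RCV-004 rev C", "incoming inspection records Q2"],
                      "0 counterfeit escapes in 6 months")]),
        Entry("R-02", "risk", "assembly",
              "New operators run station 12 before competence sign-off",
              6, 5, 4, None,
              [Action("A-02", None, "2024-06-30", "closed")]),
        Entry("R-03", "risk", "calibration",
              "Gauge recall date missed for torque wrench set",
              5, 3, 3, "Below threshold; monitored via calibration KPI"),
        Entry("R-04", "risk", "supplier management",
              "Contract manufacturer changes process without notification",
              8, 4, 6, "Contractual exposure; above threshold"),
        Entry("O-01", "opportunity", "assembly",
              "Poka-yoke fixture to eliminate wrong-orientation defects",
              4, 6, 5, "Top NCR category last two quarters",
              [Action("A-03", "Manufacturing Engineering", "project gate 2",
                      "in_progress")]),
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    for e in reg:
        print(f"{e.id} {e.kind:<11} RPN={rpn(e):>3} -> {disposition(e)}")
    for line in audit_findings(reg):
        print("FINDING:", line)
```

Run as-is and the sloppy entry (R-02) produces four findings and the orphan (R-04) one; the monitored entry with a documented rationale and the in-progress opportunity produce none, which is the behaviour you want before a register reaches management review.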

Required evidence and artifacts to retain

Keep artifacts that prove method + execution + review:

Core artifacts (typical minimum set)

  • Documented method for determining risks/opportunities in QMS planning (procedure, SOP section, or process description)
  • Risk & opportunity register (version-controlled)
  • Prioritization criteria (even if simple)
  • Action plans with owners and status
  • Evidence of integration into QMS processes (revised procedures, control plans, inspection plans, supplier requirements)
  • Effectiveness review records (KPI trend, audit results, CAPA verification notes)
  • Management review minutes showing risks/opportunities discussed and decisions made

Third party-related artifacts (if applicable)

  • Supplier/third party evaluation and monitoring records
  • SLAs/quality clauses and change notifications
  • Supplier corrective actions and follow-up verification

Common audit questions and hangups

Auditors tend to probe the same failure points:

  1. “Show me your risks and opportunities, and how you decided what to address.”
    Hangup: you have a list but no selection rationale.

  2. “Pick one top risk. Show the action, where it is implemented in the process, and proof it’s followed.”
    Hangup: actions exist as tasks but did not change real controls.

  3. “How do you review effectiveness?”
    Hangup: actions are marked “closed” without verification.

  4. “How do you capture risks from change?”
    Hangup: no tie-in to change control or project gating.

  5. “How do suppliers/third parties factor into your planning?”
    Hangup: procurement owns suppliers, but QMS planning ignores them.

Frequent implementation mistakes and how to avoid them

  • Mistake: Risk register created once for certification
    Why it fails: Becomes stale; no planning linkage
    Fix: Tie updates to management review, audit cycle, CAPA closure, and major changes

  • Mistake: Risks written too broadly
    Why it fails: Not actionable; no clear owner
    Fix: Write risks at the process step level (who/what/where)

  • Mistake: No documented prioritization
    Why it fails: Auditor cannot see decision logic
    Fix: Define simple criteria and apply consistently

  • Mistake: Actions tracked outside the QMS
    Why it fails: No traceability; “closed” means nothing
    Fix: Link actions to procedure revisions, training, inspection, supplier controls

  • Mistake: Opportunities ignored
    Why it fails: Clause 6.1 requires both risks and opportunities
    Fix: Maintain at least a small, active set of improvement opportunities with owners

Enforcement context and risk implications

ISO 9001 is a consensus standard, not a regulator, so “enforcement” usually occurs through certification audits, customer audits, contract requirements, and internal governance. The operational risk is real: if you cannot demonstrate risk-based planning, you increase the likelihood of nonconformities, customer dissatisfaction, and supplier-related failures, and you can fail audits that affect sales or contractual standing. 1

Practical 30/60/90-day execution plan

A 30/60/90-day calendar is a reasonable frame, but do not force fake precision: align the phases to your own planning and audit cycle.

Immediate phase

  • Name an executive sponsor and a QMS owner for Clause 6.1 execution.
  • Publish a short method: scope, categories, prioritization approach, review cadence.
  • Stand up a single register and load known issues from audits, complaints, NCRs, and supplier problems.

Near-term phase

  • Run process-level risk/opportunity sessions with each process owner.
  • Prioritize and select the items that “need to be addressed.”
  • Convert selections into action plans and embed them into procedures, control plans, training, and supplier controls.

Ongoing phase

  • Add effectiveness review checkpoints to management review agendas.
  • Bake Clause 6.1 checks into internal audits (trace one risk end-to-end).
  • Update the register on triggers: major changes, recurring NCRs, supplier escapes, new customer requirements.

If you need tighter control over evidence and cross-functional ownership, set up Daydream workflows for action assignment, reminders, and audit-ready evidence linking so the register stays current without manual chasing.

Frequently Asked Questions

Do we need a formal risk management standard (like ISO 31000) to satisfy Clause 6.1?

No. ISO 9001:2015 itself notes (Annex A.4) that there is no requirement for formal risk management methods or a documented risk management process, and it does not prescribe ISO 31000 or any other external standard. What Clause 6.1 does require is that you determine the risks and opportunities, plan actions, integrate them into QMS processes, and evaluate their effectiveness, so in practice you need a consistent, evidenced way of doing that, even if it is a simple one. 1

Are “opportunities” mandatory, or can we focus only on risks?

Opportunities are part of the Clause 6.1 requirement, so you should identify and address opportunities that matter to QMS outcomes. Keep the opportunity set small and action-oriented if resourcing is tight. 1

How detailed does the risk register need to be?

Detailed enough to show traceability from risk/opportunity to action, owner, and effectiveness check. If the entry cannot drive a concrete action or monitoring plan, rewrite it at the process-step level.

What’s the difference between Clause 6.1 actions and corrective actions (CAPA)?

CAPA reacts to detected nonconformities; Clause 6.1 focuses on planning actions to prevent undesired effects and improve outcomes. In practice, CAPA trends are a major input into Clause 6.1 planning. 1

How do we handle third party risks under Clause 6.1?

Treat critical third parties as process dependencies and include them in risk identification and action planning. Actions usually appear as qualification, monitoring, tighter acceptance criteria, clearer quality clauses, or verification steps at receiving.

What evidence is strongest during an audit?

End-to-end traceability: a risk entry tied to a specific control change (procedure/control plan), proof people were trained, proof the control operates (records), and proof you reviewed effectiveness in management review or audits.

Footnotes

  1. ISO 9001:2015 Quality management systems — Requirements


ISO 9001: Actions to address risks and opportunities | Daydream