Actions to address risks and opportunities — Determination

ISO 9001:2015 Clause 6.1.1 requires you to determine which risks and opportunities must be addressed so your quality management system (QMS) achieves its intended results. Operationally, that means running a documented, repeatable method to identify QMS-impacting risks/opportunities from your context and interested parties, then recording which ones you will act on and why. 1

Key takeaways:

  • You must decide what risks/opportunities “need to be addressed,” not just brainstorm a list. 1
  • Your inputs should trace to organizational context and interested party requirements, and your outputs must be actionable and retained as evidence. 1
  • Auditors look for consistency: the same logic applied across functions, tied to QMS results, with clear ownership and review triggers.

Clause 6.1.1 is easy to misunderstand because it does not mandate a specific risk framework, scoring model, or tool. It mandates a determination: you must decide what risks and opportunities the organization needs to address so the QMS works as intended. 1

For a CCO, GRC lead, or quality leader, the fastest path to compliance is to treat this as a governance requirement. Define inputs (context and interested parties), define a method to identify and evaluate QMS-relevant risks/opportunities, and define decision criteria for what “needs to be addressed.” Then produce artifacts you can defend in an audit: a current register (or equivalent), documented rationale for inclusion/exclusion, assigned owners, and review cadence tied to change.

This page gives requirement-level implementation guidance you can put into operation immediately: who must participate, what decisions to document, what evidence to keep, common audit hangups, and a practical execution plan. Where helpful, it also calls out third-party and supply chain examples, since external providers are a frequent source of quality and delivery risk even when the QMS scope is internal.

Regulatory text

Clause 6.1.1 (excerpt): “The organization shall determine the risks and opportunities that need to be addressed to give assurance that the quality management system can achieve its intended results.” 1

What the operator must do:
You must (1) identify risks and opportunities that could affect QMS intended results and (2) determine which of those must be addressed. “Determine” is the operative word: you need a decision record that shows what you considered, what you selected for action, and the basis for that decision. 1

Plain-English interpretation

  • Risk here means anything that could prevent the QMS from achieving intended results (quality objectives, consistent conformity, customer satisfaction, process performance).
  • Opportunity means conditions you can act on to improve outcomes (better process capability, fewer defects, improved supplier performance, reduced variation).
  • Need to be addressed means you made a call that the item warrants planned action, not just awareness. 1

If you can’t show how you decide what matters, you will struggle to defend why your QMS controls are appropriately targeted.

Who it applies to

Entity scope: Any organization with a QMS aligned to ISO 9001:2015, regardless of industry or size. 1

Operational context: Applies wherever decisions are made that can affect QMS results, including:

  • Core operational processes (design, production, service delivery)
  • Support processes (training, document control, maintenance)
  • Third-party dependence (outsourced processes, contract manufacturers, calibration labs, SaaS platforms supporting quality records, logistics providers)

If you rely on third parties for product conformity or delivery performance, they belong in your risk/opportunity determination because they can directly affect intended results.

What you actually need to do (step-by-step)

The goal is a repeatable pipeline from “inputs” to “determinations” to “ready for action planning.”

Step 1: Define QMS intended results (so you can test relevance)

Document, in one place, the intended results you are assuring. Typical categories:

  • Meeting customer, statutory, and regulatory requirements (as applicable to your products/services)
  • Achieving quality objectives and process performance targets
  • Maintaining conformity of outputs and stability of processes

Artifact: “QMS intended results statement” (often embedded in quality objectives and scope documentation).

Step 2: Establish inputs (context and interested parties; minimal but explicit)

Clause 6.1.1 expects your determination to be grounded in reality, not generic lists. Capture:

  • Internal context: org changes, staffing, capacity constraints, process maturity, system changes
  • External context: market expectations, supply chain volatility, technology changes, external provider stability
  • Interested parties and needs: customers, regulators (if applicable), employees, owners, key third parties

Artifacts:

  • Context and Interested Parties memo (or equivalent section in management review inputs)
  • Change log triggers (what changes force re-evaluation)

Step 3: Choose a simple method to identify risks and opportunities

ISO 9001 does not prescribe FMEA vs. SWOT vs. a risk register. Pick one method and apply it consistently. Practical options:

  • Process-based risk review: each process owner identifies top risks/opportunities against inputs/outputs and controls
  • Event-based review: use incidents, nonconformities, complaints, supplier issues, audit findings as prompts
  • Third-party review: map outsourced processes and critical suppliers to failure modes (late delivery, poor quality, record integrity)

Decision point: Define what counts as a “QMS risk/opportunity” (in-scope) vs. a general business risk (out-of-scope unless it affects QMS outcomes).

Artifact: Risk & Opportunity Identification Procedure (short, usable, owned).

Step 4: Evaluate and “determine what needs to be addressed”

This is the core requirement. Define decision criteria such as:

  • Severity of impact on conformity/customer satisfaction
  • Likelihood or exposure (qualitative is acceptable)
  • Detectability/lead time
  • Regulatory/customer contractual sensitivity (where applicable)
  • Current control strength (are existing controls adequate?)

Then decide one of these outcomes for each item:

  1. Address (requires planned action under Clause 6.1.2 and integration into processes)
  2. Monitor (track indicators; no immediate action beyond current controls)
  3. Accept (explicit acceptance with rationale; typically low impact/low likelihood)
  4. Out of scope (document why it does not affect QMS intended results)

Artifact: Risk & Opportunity Register with a “determination” field and rationale.

Step 5: Assign owners and integration points

Each “Address” item needs:

  • A named owner (process owner, quality leader, supplier manager)
  • Where it will be managed (CAPA system, supplier management, design control, training plan, maintenance plan)
  • How progress is tracked (KPIs, audits, management review)

Artifact: Ownership matrix (RACI-style is fine) linked to the register.

Step 6: Set review triggers and governance

Auditors expect this to be living, not annual theater. Define:

  • Regular review forum (management review input, quality council, ops review)
  • Trigger events (major process change, new product/service, major supplier change, repeated nonconformities, significant customer complaint trend)

Artifact: Management review agenda includes risk/opportunity determination status and changes.

Step 7: Keep it audit-ready (traceability)

Traceability is what makes determination defensible:

  • Context/interested party input → identified items → evaluation → determination decision → action plan reference (if addressed)

If you use a platform like Daydream, configure it to enforce required fields (source, process, determination, rationale, owner, review date) and to link items to evidence (complaints, audit findings, supplier scorecards, CAPAs). That reduces “spreadsheet drift” and makes auditor sampling faster.
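The traceability chain above can be checked mechanically. The following is an added example (not the page's or Daydream's code) of a register validator that enforces the required fields named in this step, refuses an "address" decision without an action plan reference, flags missing evidence links and overdue reviews, and lists critical third parties that have no register entry. The field names, ids and dates in the sample register are constructed assumptions.

```python
from datetime import date

REQUIRED_FIELDS = ("id", "description", "source", "process",
                   "determination", "rationale", "owner", "review_date")
OUTCOMES = ("address", "monitor", "accept", "out_of_scope")

def validate_item(item, today_iso):
    """Return the traceability gaps for one register row (empty list = audit-ready)."""
    today = date.fromisoformat(today_iso)
    gaps = [f"missing {f}" for f in REQUIRED_FIELDS if not item.get(f)]
    det = item.get("determination")
    if det not in OUTCOMES:
        gaps.append(f"invalid determination {det!r}")
    # An 'address' decision must point at planned action (the Clause 6.1.2 link).
    if det == "address" and not item.get("action_ref"):
        gaps.append("address item has no action plan reference")
    # Every item should link to the evidence that prompted it (complaint, finding, scorecard).
    if not item.get("evidence"):
        gaps.append("no linked evidence")
    if item.get("review_date") and date.fromisoformat(item["review_date"]) < today:
        gaps.append("review overdue")
    return gaps

def validate_register(register, today_iso):
    """Map each item id to its gaps so an auditor's sample can be answered row by row."""
    return {row.get("id", f"row{n}"): validate_item(row, today_iso)
            for n, row in enumerate(register)}

def uncovered_third_parties(register, critical_third_parties):
    """Critical third parties that no register entry names (the outsourced-process list check)."""
    covered = {row.get("third_party") for row in register}
    return sorted(set(critical_third_parties) - covered)

# Constructed sample register; all ids, names and dates are hypothetical.
SAMPLE_REGISTER = [
    {"id": "R-001", "description": "Calibration lab misses recall dates", "source": "supplier issue",
     "process": "Calibration", "third_party": "CalLab Ltd", "determination": "address",
     "rationale": "Out-of-tolerance gauges affect conformity", "owner": "Quality Manager",
     "review_date": "2030-06-30", "action_ref": "CAPA-042", "evidence": ["SCORECARD-2024-Q1"]},
    {"id": "R-002", "description": "Training records in unmanaged spreadsheet", "source": "internal audit",
     "process": "Training", "determination": "address", "rationale": "", "owner": "",
     "review_date": "2020-01-01", "evidence": []},
    {"id": "O-001", "description": "Automate incoming inspection sampling", "source": "context",
     "process": "Receiving", "determination": "monitor", "rationale": "Benefit depends on ERP upgrade",
     "owner": "Ops Lead", "review_date": "2030-03-31", "evidence": ["MR-2024-02"]},
]
CRITICAL_THIRD_PARTIES = ["CalLab Ltd", "Contract Manufacturer A"]
```

Running `validate_register(SAMPLE_REGISTER, "2025-01-01")` returns an empty gap list for R-001 and O-001 and five gaps for R-002, which is exactly the "scored but never decided" row an auditor would sample.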

Required evidence and artifacts to retain

Minimum set that typically satisfies Clause 6.1.1 in practice:

  • Documented method/procedure for determining risks and opportunities (owned and current)
  • Context and interested parties inputs (or clear references to where these are maintained)
  • Risk & opportunity register (or equivalent) with:
    • item description and scope (process/product/site)
    • source (context, audit, complaint, supplier issue)
    • evaluation criteria used
    • determination outcome (address/monitor/accept/out of scope)
    • rationale for determination
    • owner and review trigger/date
  • Records showing reviews and updates (meeting minutes, management review outputs)
  • For third-party-related items: supplier/third-party evaluation outputs tied to QMS impacts (e.g., performance monitoring, qualification outcomes)

Common exam/audit questions and hangups

Auditors often probe these points:

  • “Show me how you decide what needs to be addressed versus monitored.”
  • “What inputs do you use from context and interested parties, and where are they documented?”
  • “Pick a high-impact risk. Where is the evidence that you determined it and assigned ownership?”
  • “How do outsourced processes and external providers show up in your risk determination?”
  • “What changed recently, and how did your risk/opportunity determination change with it?”

Hangups that cause nonconformities:

  • Lists with no decision logic (“we have a register” but no determinations)
  • No linkage to QMS intended results (risks are generic enterprise risks)
  • No evidence of update after change (new supplier, new ERP/QMS tool, new product line)

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: treating this as a one-time workshop.
    Fix: Add review triggers and embed it into management review inputs/outputs.

  2. Mistake: scoring everything, deciding nothing.
    Fix: Add a required “determination” field and a one-sentence rationale. Force a decision.

  3. Mistake: excluding third-party dependencies.
    Fix: Maintain an outsourced process / critical third-party list and require risk entries for each where failure affects conformity.

  4. Mistake: “address” items with no owner or integration point.
    Fix: No owner = not determined in a meaningful way. Require assignment before closing a review cycle.

  5. Mistake: no evidence trail.
    Fix: Store supporting inputs (complaints, audit findings, supplier performance issues) with links or references from the register.

Enforcement context and risk implications

No public enforcement cases are provided for this requirement in the supplied sources. Practically, the risk is certification-related: weak determination leads to audit findings because the QMS cannot show it is designed and managed to achieve intended results. 1

The operational risk is more direct: without a clear determination method, your CAPA backlog, supplier actions, and improvement projects skew toward whoever shouts loudest, not what threatens conformity and customer satisfaction.

Practical execution plan (30/60/90-day)

Specific day counts are guidance for sequencing work, not a claim about required duration.

First 30 days (Immediate)

  • Confirm QMS intended results and scope boundaries.
  • Draft a one-page procedure for risk/opportunity determination (inputs, evaluation, decision outcomes, required fields).
  • Build a single register format (spreadsheet or system) with mandatory fields: source, process, determination, rationale, owner, review date.
  • Run one pilot determination session on a critical process and one key third party.

By 60 days (Near-term)

  • Expand determination sessions across all core processes and outsourced/third-party-supported processes.
  • Standardize decision criteria (keep qualitative if needed, but consistent).
  • Train process owners on what “needs to be addressed” means and what evidence must be retained.
  • Add the register to management review inputs and define trigger events.

By 90 days (Stabilize and prove it works)

  • Complete the first full-cycle review: demonstrate updates based on changes, incidents, supplier performance, or audits.
  • Sample-test traceability: pick several “address” items and confirm they map to action planning and process integration.
  • Internal audit a slice of Clause 6.1.1: verify determinations are consistent and evidence is complete.
  • If using Daydream or another GRC/QMS tool, enforce required fields and link evidence to reduce manual chasing during audits.

Frequently Asked Questions

Do we need a formal risk scoring model for ISO 9001 Clause 6.1.1?

No specific scoring method is required, but you do need a consistent method to determine which risks and opportunities must be addressed to assure QMS intended results. Document your criteria and apply them consistently. 1

What’s the difference between “determine” (6.1.1) and “plan actions” (6.1.2)?

6.1.1 is the decision step: identify and decide what needs attention so the QMS achieves intended results. 6.1.2 is where you define actions and integrate them into processes. 1

Can we keep risks and opportunities in separate documents?

Yes, as long as you can show a coherent determination method and evidence that both risks and opportunities were considered and decisions were made about what needs to be addressed. Consolidation usually makes audit response easier. 1

How deep do we need to go on third-party risks?

Go deep where third parties affect conformity, delivery, calibration, quality records, or outsourced processes. Your register should show you determined which third-party issues need action, not just that you have suppliers. 1

What evidence is enough to show we “determined” what needs to be addressed?

Auditors typically want to see your inputs (context/interested parties), your list of identified items, and a clear determination outcome with rationale and ownership. Meeting minutes that show review and updates help prove it’s active. 1

We’re a small organization. Can this be lightweight?

Yes. Clause 6.1.1 does not require complex tooling; it requires a defensible determination that supports QMS intended results. Keep the method short, but keep decisions and rationales explicit. 1

Footnotes

  1. ISO 9001:2015 Quality management systems — Requirements
