Actions to address risks and opportunities — Planning
ISO 9001:2015 Clause 6.1.2 requires you to turn identified risks and opportunities into planned actions, embed those actions into day-to-day QMS processes, and verify the actions work. To operationalize it, maintain a risk/opportunity register tied to process owners, define actions with measurable outcomes, and review effectiveness through internal audits, KPIs, and management review. [1]
Key takeaways:
- Plan specific actions for each prioritized risk and opportunity, with owners, due dates, and expected outcomes.
- Integrate actions into existing QMS processes (design, purchasing, production, CAPA, change control), not a standalone “risk project.”
- Evaluate effectiveness using objective evidence (metrics, audits, management review decisions) and adjust actions when results fall short.
Clause 6.1.2 is where “risk-based thinking” becomes auditable execution. Auditors do not only want to see that you can list risks. They expect to see that you decided what to do about them, built those decisions into the QMS, and then checked whether the decisions produced the intended effect. The clause is short, but it drives real operational discipline: clear ownership, traceability from risk to action, and proof of follow-through.
For a Compliance Officer, CCO, or GRC lead supporting an ISO 9001 program, the fastest path is to treat this requirement like a planning-and-assurance loop. First, connect risks and opportunities to the processes that create customer outcomes. Next, define actions that change how work is done (procedures, controls, training, supplier requirements, inspection points). Finally, verify effectiveness with evidence that stands up in an audit: trends, results, decisions, and corrective actions when actions miss the mark.
This page gives requirement-level guidance you can implement quickly without overbuilding. Everything maps back to ISO 9001:2015 Clause 6.1.2. [1]
Regulatory text
Requirement (Clause 6.1.2): “The organization shall plan actions to address risks and opportunities; how to integrate and implement the actions into its quality management system processes; and how to evaluate the effectiveness of these actions.” [1]
What the operator must do (in one view):
- Plan actions for identified risks and opportunities (not just identify them).
- Integrate and implement those actions into the QMS processes where work happens.
- Evaluate effectiveness with objective evidence and adjust when needed. [1]
Plain-English interpretation (what auditors look for)
Clause 6.1.2 expects a closed loop:
- You identified risks/opportunities (typically in Clause 6.1.1 activity).
- You decided concrete actions proportional to priority.
- You embedded those actions into normal operations (procedures, controls, roles, workflows).
- You can show whether the actions worked (metrics, audits, management review outputs) and what you did if they did not. [1]
A practical way to phrase the audit expectation: “Show me the risk, show me the action, show me where it lives in the process, and show me evidence it improved outcomes or prevented issues.”
Who it applies to (entity and operational context)
This clause applies to any organization operating a QMS aligned to ISO 9001:2015, regardless of size or industry. [1]
Operationally, it applies wherever you make planning decisions that affect quality outcomes, including:
- Product/service design and development
- Sales/order intake and contract review
- Purchasing and third-party (supplier) management
- Production/service delivery and process control
- Inspection, testing, release, and nonconformance handling
- Change management (process, supplier, material, software, tooling)
- Training and competence management
- Customer complaint handling and CAPA (corrective actions)
If you outsource work, this clause still bites. Risks and opportunities tied to third parties must translate into supplier controls, acceptance criteria, monitoring, and escalation paths that are part of the QMS. [1]
What you actually need to do (step-by-step)
Step 1: Set a simple method to translate risk/opportunity into action
Define a consistent template so planning decisions are comparable. Keep it lightweight but auditable.
Minimum fields to capture:
- Risk/opportunity statement (cause–event–impact format helps)
- Related QMS process (e.g., Purchasing, Production, Design)
- Owner (process owner, not “Quality” by default)
- Planned action(s)
- Due date and required resources (people/tools/training)
- Expected result (what will be different)
- Effectiveness check method (metric, audit check, review cadence)
- Status and outcome notes (what happened)
This can live in a spreadsheet, a GRC tool, or a QMS platform. If you need it to tie into third-party workflows, tools like Daydream can keep the record of decisions and evidence aligned to process owners without turning it into a separate bureaucracy.
Step 2: Prioritize what you will act on
ISO 9001 does not prescribe a scoring model, but you need a rational way to decide what gets action now versus later. Common approaches:
- Severity × likelihood (simple risk matrix)
- Customer impact and regulatory impact as explicit factors
- Past performance (complaints, scrap, audit findings) to guide focus
Operator tip: Document the decision rule, even if it is simple. Auditors accept simple approaches if they are consistent and tied to outcomes. [1]
Step 3: Define actions that change the system, not just reminders
Actions should either:
- Reduce the likelihood of a failure mode,
- Reduce the impact,
- Improve detection before release, or
- Capture an opportunity to improve performance or customer outcomes.
Examples that usually satisfy auditors:
- Add incoming inspection for a high-risk material and define acceptance criteria.
- Update supplier qualification steps for a critical third party.
- Implement a poka-yoke (mistake-proofing) step in production.
- Add a design review checkpoint for a high-change product line.
- Train and authorize operators on a new critical procedure with competence sign-off.
Weak actions auditors challenge:
- “Remind staff to be careful.”
- “Monitor more closely” with no metric, owner, or trigger.
- “Discuss in a meeting” without minutes, decisions, or follow-up.
Step 4: Integrate actions into QMS processes (show where the action lives)
Clause 6.1.2 explicitly requires integration into QMS processes. [1]
Integration means updating the artifacts people actually use, such as:
- Procedures/work instructions (new steps, checks, acceptance criteria)
- Forms/templates (supplier evaluation form, inspection record, change request)
- System workflows (ERP/QMS hold points, required fields, approval routing)
- Training matrices and competence records
- Supplier contracts/quality agreements and purchase order quality clauses
- Control plans, test plans, sampling plans, calibration plans
Integration test: If you remove the risk register, would the control still operate? If not, you have not integrated it.
Step 5: Implement with ownership and change control
Assign the action owner to the process owner and make Quality/Compliance a challenger and verifier, not the doer of everything.
Implementation controls that create evidence:
- Approved document revisions (procedure/work instruction change)
- Training completion and competence sign-off
- System configuration change records
- Supplier communications and acknowledgments
- Updated control plans and inspection records showing the new check occurred
Step 6: Evaluate effectiveness (define “worked” before you start)
Clause 6.1.2 requires you to plan how you will evaluate effectiveness. [1]
Choose one or more effectiveness methods per action:
- Operational metrics: defect rate trends, rework, scrap, on-time delivery, complaint volume, first-pass yield
- Audit verification: internal audit checklist verifying the process change is followed and records exist
- Outcome-based checks: reduction in nonconformities tied to the risk, improved supplier performance, fewer escapes to customer
- Management review decisions: documented review of outcomes and decisions to continue/adjust/replace actions
Set triggers for escalation:
- If the metric worsens or does not improve, open a corrective action.
- If the action is not implemented as planned, treat it as a breakdown in process control (also corrective action territory).
Required evidence and artifacts to retain (audit-ready checklist)
Keep evidence in a way that supports traceability from risk/opportunity to action to outcome:
Core planning records
- Risk and opportunity register with owners, actions, and evaluation method [1]
- Documented prioritization rationale (matrix, notes, or criteria)
Integration evidence
- Revised procedures/work instructions and change approvals
- Updated forms/templates/control plans
- Training records and competence verification
- Supplier qualification records, third-party monitoring records, quality agreements changes (if applicable)
Effectiveness evidence
- KPI dashboards or metric extracts showing before/after or ongoing monitoring
- Internal audit results tied to the implemented change
- Management review minutes showing effectiveness review and decisions
- Corrective action records for actions that failed or were not followed through
Common exam/audit questions and hangups
Auditors typically probe these points:
- “Show me how you decided what actions to take.”
  Hangup: no prioritization logic, or “everything is high risk.”
- “Where is this action embedded in the process?”
  Hangup: action exists only in a risk log; procedures and workflows remain unchanged.
- “How do you know it worked?”
  Hangup: no defined effectiveness criteria; only anecdotal statements.
- “Who owns this risk and the action?”
  Hangup: Quality owns all actions; process teams are not accountable.
- “How do you handle risks from suppliers/third parties?”
  Hangup: supplier risks identified but not translated into qualification, monitoring, or controls.
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails in audits | Fix |
|---|---|---|
| Risk register becomes a quarterly paperwork exercise | No operational integration or outcomes | Tie each action to a process artifact (procedure, form, system workflow) and keep the change record |
| Actions are vague (“monitor”, “improve”) | Not verifiable | Write actions with observable output: “add inspection step X with record Y” |
| No effectiveness plan | Clause requires evaluation planning | Define metric/audit check and the owner who reviews it [1] |
| Over-centralized ownership | Process owners do not execute | Make process owners accountable; Quality verifies and escalates |
| Opportunities ignored | Clause requires both risks and opportunities | Track opportunities with expected benefit and outcome checks, same rigor |
Enforcement context and risk implications
ISO 9001 is a standard used for certification rather than a regulator-issued rule. The practical “enforcement” mechanism is certification findings: weak planning, poor integration, or lack of effectiveness evidence commonly drives nonconformities against Clause 6.1.2. [1]
Risk implications of weak execution:
- Repeat nonconformities and corrective action backlog
- Quality escapes to customers (complaints, returns)
- Supplier-driven disruptions if third-party risks are not translated into controls
- Management review becomes retrospective reporting instead of forward control
Practical 30/60/90-day execution plan
First 30 days: Stand up the planning loop
- Confirm scope: which sites, processes, and product lines are in the QMS.
- Standardize the risk/opportunity-to-action template and ownership rules.
- Build or clean up the register: ensure each item has a process, owner, action, and effectiveness method. [1]
- Pick a small set of high-priority items and drive them to integrated changes (procedure/workflow/training).
Next 60 days: Integrate into process governance
- Embed risk/opportunity review into existing routines (process reviews, CAPA triage, change control, supplier reviews).
- Update internal audit checklists to verify the new controls exist and operate.
- Train process owners on how to write measurable actions and define effectiveness checks.
- Start reporting effectiveness in management review inputs with clear decisions captured. [1]
By 90 days: Prove effectiveness and tighten feedback
- Compile objective evidence for implemented actions (records, metrics, audit results).
- Identify actions that did not work and open corrective actions with root cause.
- Validate third-party controls for supplier-related risks: qualification, monitoring, acceptance checks.
- If tooling helps, configure Daydream (or your chosen system) so each action links to evidence, owners, and review outcomes without manual chasing.
Frequently Asked Questions
Do we need a formal risk scoring method to meet Clause 6.1.2?
ISO 9001:2015 Clause 6.1.2 does not require a specific scoring model. You do need a consistent way to decide actions and priorities, and you must be able to explain and evidence how actions were planned, integrated, and evaluated. [1]
What is the difference between Clause 6.1.1 and 6.1.2 in practice?
Clause 6.1.1 is about determining risks and opportunities; Clause 6.1.2 is about planning actions, integrating them into QMS processes, and evaluating effectiveness. Auditors often accept your identification method if 6.1.2 execution is strong and traceable. [1]
Can “management review” be our effectiveness evaluation method?
Yes, if management review includes objective inputs (metrics, audit results, nonconformities) and produces recorded decisions about whether actions are effective and what changes are required. Keep minutes that show outcomes and follow-ups. [1]
How do we show integration into QMS processes without rewriting every procedure?
Integrate where it matters: add or modify the control point, record, approval, or acceptance criterion that mitigates the risk. If the action changes behavior and produces records in the normal workflow, that is usually sufficient integration evidence. [1]
Do supplier and other third-party risks need to be included?
If third parties affect your ability to conform to requirements and deliver quality outcomes, they belong in your risks/opportunities planning and must translate into supplier controls in purchasing and acceptance processes. Keep traceability from the risk to the supplier management artifact. [1]
What evidence is most persuasive to an auditor for “effectiveness”?
Objective evidence tied to the expected result: trend data, reduced nonconformities, internal audit verification that the control operates, and management review decisions that confirm the action worked or required adjustment. Assertions without records usually fail. [1]
Footnotes
[1] ISO 9001:2015, Quality management systems — Requirements.