Deconstructing ISO 9001:2015 Part 3: Section 6.1: Evaluating Risk and Opportunities

ISO 9001:2015 Risk Management

Whether at home, on the road or at work, risk and opportunities are part of life.  Some risks have a higher probability of occurring than others, and we evaluate each of these risks either actively (planning ahead) or passively (as they come).  In business, the proactive evaluation of risk is a key component of the success or failure of a project, program, invention, product design or of the business itself.  Proactively looking for opportunities is a skill demonstrated by successful people and businesses as well.

Risk Prevention

Risk prevention has been a component of the ISO 9001 Standard since its inception, but was only implied through the requirements of continual improvement activities, most specifically the Preventive Action Process.  The ISO 9001:2015 version now specifically brings “risk-based” thinking to the forefront of your quality management system in a way that is much more representative of how businesses actually function.  In fact, risk is mentioned 50 times and is included in Sections 4 (Context of the Organization), 5 (Leadership), 6 (Planning), 9 (Performance Evaluation) and 10 (Improvement), so there really is a heavy focus on this activity.

Not all risks are equal in their impact on an organization, nor do they always stay the same from year to year.  Some are short term and others are long term.  Either way, successful managers, informally or formally, evaluate risk every day to keep the business moving forward and to reduce unnecessary costs and inefficiencies.

Just like anything else in life, there is no “one size fits all” with risk management and, as a result, the standard has no requirement on how you define, evaluate, and manage your risks.  However, because successful businesses consistently evaluate and mitigate risks, it requires that you develop a process to ensure that you do it in a consistent, reliable and person-independent manner.  A good management system is process-based, not people/individual-based.

Opportunities – take them or leave them

But wait — the standard also identifies the need to have a formal process for determining, evaluating, and acting on opportunities for the business.

Opportunities are there for the taking.  Sometimes, we just need to stop, ask and listen to the stakeholders associated with our organizations to see them.  Who doesn’t want to gain the benefits from unrealized opportunities?

Some of the products and services we all consume have seen increased sales by the manufacturer or service provider simply changing their packaging or marketing – causing us to use and buy more of the product or service.  Packaging/marketing changes are great examples of opportunities to be had with a little creative thinking.

Reduce Risk and Excel through Opportunities:  Using the Organization’s Brains

It may sound overly simplistic, but by following the steps below, you can put these requirements in perspective and integrate processes in your management system to ensure that your business doesn’t get caught out or miss a money maker.

  • Brainstorm: Management systems are only as good as the knowledge and investment of the people who develop and implement them.  It’s probable that the process for identification of risks does not happen at the same time you identify opportunities.  When and how do you or will you brainstorm to determine risks and opportunities?
  • Record: Write the risks and opportunities down in a place or places defined in your business management system.
  • Advise: Tell stakeholders about the risks and opportunities that you have identified. Work with them to evaluate the likelihood of occurrence and their tolerance of risks. Consider the costs and benefits of risk prevention and the costs and advantages of opportunities not yet realized.
  • Investigate: Work with personnel to determine methods to mitigate risks and grab opportunities.
  • Negotiate: Determine what management and stakeholders feel is the best use of resources and what they want to act on. Remember, it’s okay to have a tolerance for risk.  You don’t have to, and probably can’t and won’t, eliminate all risks or act on all opportunities.
  • Summarize your planned actions somewhere in your management system. This doesn’t have to be anything elaborate, and there are no requirements to assign levels of risk, but do identify the risks and opportunities and your planned actions related to them.  Don’t forget to address how you will incorporate your actions into your management system and then how you will review your progress and the effectiveness of the actions taken.

