Step 9

Risks and Opportunities

To conform to the requirements of this International Standard, an organization needs to plan and implement actions to address risks and opportunities. Addressing both risks and opportunities establishes a basis for increasing the effectiveness of the quality management system, achieving improved results and preventing negative effects.


Why you need to define Risk and Opportunities for your ISO Management System (MS)

6.1 Actions to address risks and opportunities

6.1.1 When planning the quality management system, the organization shall consider issues referred to in 4.1 and the requirements referred to in 4.2 and determine risks and opportunities that need to be addressed to:

a) give assurance that the quality management system can achieve its intended result(s);

b) enhance desirable effects.

c) prevent, or reduce, undesired effects.

d) achieve improvement.

6.1.2 The organization shall plan:

a) actions to address these risks and opportunities.

b) how to:

1) integrate and implement the actions into its quality management system processes 

2) evaluate the effectiveness of these actions.

How ISOvA MS software helps you determine Risk & Opportunities  

The ISOvA IMS Toolbox provides you with a template list of risks to evaluate. Lookup columns let you add context to those risks from your controls (Step 3), Interested Parties (Step 5) and Performance Evaluation (Step 7) and, for the high-end risks, add your objectives (Step 9). This section of the software brings all the steps together and is the hub of the system.

ISOvA IMS Toolbox Online Demo - Risks and Opportunities
Risk & Opportunities on the ISOvA IMS Toolbox 

The headings below match the columns provided in your IMS Toolbox:

The majority of this exercise is choosing the relevant information you have inputted from Steps 1 to 7.

Once you have become familiar with this process, it is up to you to add other associated risks to your business, including risks on operations, interested parties, infrastructure and competencies.


This section is for the risks that have been included with the Toolbox. You need to choose whether this risk is relevant to your business.


When assessing the risk, you must choose whether this is an internal or an external issue. An example of an internal issue is employee competencies, and an example of an external issue is a supplier not delivering a quality product.


This section is where you communicate the headline of the risk.


This section is where you put the explanation (Scope) into the headline. Remember that a third party should understand your description.


From the dropdown selection, choose what could be the consequence of the risk. An example of this would be a delay caused by a supplier, which can consequently cause poor service delivery. You can choose multiple consequences if needed.

Risk Implications

Give a score (1 is Low Risk, and 4 is High Risk) for the impact of the risk on your business should it happen.


Following Step 3 of the “How To Guide”, allocate the controls you have in your business to minimise this risk. To be honest, this step is important because, if you don’t have controls in place, you have found your business objectives (which is your opportunity).

Risk Probability

Give a score (1 is Low Risk, and 4 is High Risk) for the probability that this risk will happen in your business.

Risk Rating

Once you have entered scores for the Risk Implications (I) and the Risk Probability (P), the Toolbox automatically calculates the Risk Rating (R) using the formula I x P = R.

The score of the risk or opportunity will determine the type of actions that will be implemented to address it:

ISOvA IMS Toolbox Online Demo - Rating and Classification Table


Any risk scoring 10 and above requires an objective (this will be communicated in Step 9 Objectives). For now, choose the category that this objective falls under from the selection provided.

Please do not forget this Risk for Step 9. 

Interested Parties

By following Step 5 Interested Parties, allocate the relevant interested party that this risk would affect. You can choose more than one.

Legal Categories

By following Step 2 Legal register, allocate the relevant statutory and regulatory legislation to this individual risk. It is not easy, so try and think from a top-level perspective. Alternatively, please speak to one of our ISOvA assistants, who will be happy to help. 

Performance Evaluation 

By following Step 7 Performance Evaluation, allocate the relevant KPI that will help to monitor and evaluate the risk. Potentially this could alter the scoring.

The risk and opportunities register does change throughout the year, so we advise you to review it on a quarterly basis and re-evaluate the scoring based on the controls you have in place or the objectives you have completed. Your business also changes, and with that, you will encounter new risks. It is advisable to use the Toolbox to assess these unknown risks and what controls you have in place to minimise the impact.


Next Step…

Having determined roles, responsibilities, and authorities for your ISO MS, you can now move to the next step:

Step Implementation Guides:

1: Roles & Responsibilities
2: Aims and objectives
3: Controls
4: SWOT Analysis
5: Interested Parties
10: Audit Programme