ISO 9001:2015 – How to Apply Clause 6.1 Risk-Based Thinking in Your QMS

July 10, 2025

What you’ll find on this page

  • What Clause 6.1 of ISO 9001:2015 actually requires
  • What risk-based thinking looks like in practice
  • How to identify and prioritise risks and opportunities
  • Common challenges when applying Clause 6.1
  • How software can simplify risk-based thinking
  • Examples of Clause 6.1 in a small or medium-sized business
  • How to link risk-based thinking with objectives and planning
  • Using risk reviews to drive continual improvement
  • How our ISOvA software can help

What Clause 6.1 of ISO 9001:2015 actually requires

Clause 6.1 of ISO 9001:2015 asks organisations to identify and address risks and opportunities that could affect the performance of the quality management system (QMS).

These actions must be proportionate to their potential impact on the conformity of products and services. The aim is to support the QMS in delivering consistent results, improving outcomes, and preventing undesirable effects.

Clause 6.1 should be considered alongside Clause 4.1 (context of the organisation), Clause 4.2 (needs and expectations of interested parties), and Clause 5 (leadership and planning). Together, they ensure the QMS reflects the reality of how the organisation operates and where improvement is needed.

What risk-based thinking looks like in practice

Risk-based thinking should be embedded in how decisions are made, how priorities are set, and how performance is measured.

In practical terms, this means asking focused questions such as:

  • What could disrupt our ability to deliver products or services on time or to standard?
  • What are the consequences of errors, delays, or failures?
  • Are we dependent on specific people, systems, or suppliers?
  • Where can we improve outcomes by managing uncertainty or acting early?

These questions are not theoretical. They must inform planning, action, and review across all functions of the business.

How to identify and prioritise risks and opportunities

There is no single mandated method, but consistency is key. A structured approach typically involves:

Analysing each process

Identify inputs, outputs, equipment, people, and dependencies. Map areas of uncertainty or known problems.

Assessing risk level

Score risks based on likelihood and impact. Consider opportunities for improvement alongside threats.

Deciding on action

High-impact or high-likelihood risks should receive priority attention. Opportunities should be acted on if they support business or quality objectives.

Recording rationale

Keep brief notes on decisions. This aids audits and future reviews.

Common challenges when applying Clause 6.1

Organisations often misinterpret Clause 6.1 as requiring a standalone risk register. Others may record risks but fail to act.

Typical problems include:

  • Creating long lists of risks with no prioritisation
  • Recording but not reviewing or updating assessments
  • Focusing only on threats, without considering opportunities
  • Failing to involve operational teams who understand day-to-day risks

The result is a QMS that appears compliant but does not inform real decisions or drive improvement.

How software can simplify risk-based thinking

Using software (such as ISOvA) provides structure, consistency, and visibility. It removes the inconsistencies that arise from ad hoc risk logs or disconnected spreadsheets.

Digital tools help:

  • Apply consistent scoring to risk likelihood and impact
  • Track actions taken and evaluate their effectiveness
  • Link risks to processes, objectives, and audits
  • Set review dates and assign responsibility

This makes risk-based thinking visible across the organisation, not just confined to one individual or a single audit folder.

Examples of Clause 6.1 in a small or medium-sized business

  • A commercial cleaning company identified the risk of staff absences disrupting site coverage. It added cross-trained backup staff for each location.
  • A precision manufacturer recognised that delays in supplier deliveries caused production stoppages. It introduced supplier performance tracking and dual sourcing.
  • An IT consultancy saw a risk in having only one person managing client handovers. It implemented a shared knowledge base and role shadowing.

In each of these cases, the action taken was proportionate, linked to performance, and led to stronger consistency and customer satisfaction.

How to link risk-based thinking with objectives and planning

Risk-based thinking should feed directly into objective setting (Clause 6.2) and operational planning.

For example:

  • A risk of late delivery may result in an objective to reduce lead time.
  • An opportunity to expand services may lead to an objective around training or recruitment.

Actions should be integrated into process planning and include resource allocation, timelines, and monitoring. Use performance data (from Clause 9.1) to evaluate whether risks are being managed effectively and whether actions need adjustment.

Using risk reviews to drive continual improvement

Clause 10.3 requires continual improvement. Risk reviews offer a simple and effective route for this.

Regular review of known risks can show:

  • Whether risk likelihood or impact has changed
  • Whether actions taken have worked
  • Whether new risks or opportunities have emerged

For example, if a mitigation measure reduces the likelihood of an issue occurring, that is improvement. It also strengthens audit evidence.

The review process does not need to be lengthy. It just needs to be structured, recorded, and relevant.

How we can help

ISOvA software makes Clause 6.1 more manageable for small and medium-sized businesses. It allows you to assess, record, and review risks and opportunities in a structured and auditable way.

Each risk can be linked directly to a process, objective, or area of responsibility. Actions can be tracked, deadlines monitored, and reviews scheduled. Notifications help ensure nothing gets missed.

Unlike static spreadsheets, ISOvA keeps everything live and visible. This supports better decisions and clearer accountability, and helps you demonstrate to auditors that risk-based thinking is embedded in your QMS.

Whether you are preparing for certification or maintaining compliance, ISOvA provides a consistent way to make risk-based thinking part of everyday management.
