What you’ll find on this page
- What Clause 6.1 of ISO 9001:2015 actually requires
- What risk-based thinking looks like in practice
- How to identify and prioritise risks and opportunities
- Common challenges when applying Clause 6.1
- How software can simplify risk-based thinking
- Examples of Clause 6.1 in a small or medium-sized business
- How to link risk-based thinking with objectives and planning
- Using risk reviews to drive continual improvement
- How our ISOvA software can help
What Clause 6.1 of ISO 9001:2015 actually requires
Clause 6.1 of ISO 9001:2015 asks organisations to identify and address risks and opportunities that could affect the performance of the quality management system (QMS).
These actions must be proportionate to their potential impact on the conformity of products and services. The aim is to support the QMS in delivering consistent results, improving outcomes, and preventing undesirable effects.
Clause 6.1 should be considered alongside Clause 4.1 (context of the organisation), Clause 4.2 (needs and expectations of interested parties), and Clause 5 (leadership and planning). Together, they ensure the QMS reflects the reality of how the organisation operates and where improvement is needed.
What risk-based thinking looks like in practice
Risk-based thinking should be embedded in how decisions are made, how priorities are set, and how performance is measured.
In practical terms, this means asking focused questions such as:
- What could disrupt our ability to deliver products or services on time or to standard?
- What are the consequences of errors, delays, or failures?
- Are we dependent on specific people, systems, or suppliers?
- Where can we improve outcomes by managing uncertainty or acting early?
These questions are not theoretical. They must inform planning, action, and review across all functions of the business.
How to identify and prioritise risks and opportunities
There is no single mandated method, but consistency is key. A structured approach typically involves:
- Analysing each process: Identify inputs, outputs, equipment, people, and dependencies. Map areas of uncertainty or known problems.
- Assessing risk level: Score risks based on likelihood and impact. Consider opportunities for improvement alongside threats.
- Deciding on action: High-impact or high-likelihood risks should receive priority attention. Opportunities should be acted on if they support business or quality objectives.
- Recording rationale: Keep brief notes on decisions. This aids audits and future reviews.
Common challenges when applying Clause 6.1
Organisations often misinterpret Clause 6.1 as requiring a standalone risk register. Others may record risks but fail to act.
Typical problems include:
- Creating long lists of risks with no prioritisation
- Recording but not reviewing or updating assessments
- Focusing only on threats, without considering opportunities
- Failing to involve operational teams who understand day-to-day risks
The result is a QMS that appears compliant but does not inform real decisions or drive improvement.
How software can simplify risk-based thinking
Using software (such as ISOvA) provides structure, consistency, and visibility. It removes the inconsistencies that arise from ad hoc risk logs or disconnected spreadsheets.
Digital tools help:
- Apply consistent scoring to risk likelihood and impact
- Track actions taken and evaluate their effectiveness
- Link risks to processes, objectives, and audits
- Set review dates and assign responsibility
This makes risk-based thinking visible across the organisation, not just confined to one individual or a single audit folder.
Examples of Clause 6.1 in a small or medium-sized business
- A commercial cleaning company identified the risk of staff absences disrupting site coverage. It added cross-trained backup staff for each location.
- A precision manufacturer recognised that delays in supplier deliveries caused production stoppages. It introduced supplier performance tracking and dual sourcing.
- An IT consultancy saw a risk in having only one person managing client handovers. It implemented a shared knowledge base and role shadowing.
In each of these cases, the action taken was proportionate, linked to performance, and led to stronger consistency and customer satisfaction.
How to link risk-based thinking with objectives and planning
Risk-based thinking should feed directly into objective setting (Clause 6.2) and operational planning.
For example:
- A risk of late delivery may result in an objective to reduce lead time.
- An opportunity to expand services may lead to an objective around training or recruitment.
Actions should be integrated into process planning and include resource allocation, timelines, and monitoring. Use performance data (from Clause 9.1) to evaluate whether risks are being managed effectively and whether actions need adjustment.
Using risk reviews to drive continual improvement
Clause 10.3 requires continual improvement. Risk reviews offer a simple and effective route for this.
Regular review of known risks can show:
- Whether risk likelihood or impact has changed
- Whether actions taken have worked
- Whether new risks or opportunities have emerged
For example, if a mitigation measure reduces the likelihood of an issue occurring, that is improvement. It also strengthens audit evidence.
The review process does not need to be lengthy. It just needs to be structured, recorded, and relevant.
How we can help
ISOvA software makes Clause 6.1 more manageable for small and medium-sized businesses. It allows you to assess, record, and review risks and opportunities in a structured and auditable way.
Each risk can be linked directly to a process, objective, or area of responsibility. Actions can be tracked, deadlines monitored, and reviews scheduled. Notifications help ensure nothing gets missed.
Unlike static spreadsheets, ISOvA keeps everything live and visible. This supports better decisions and clearer accountability, and helps you demonstrate to auditors that risk-based thinking is embedded in your QMS.
Whether you are preparing for certification or maintaining compliance, ISOvA provides a consistent way to make risk-based thinking part of everyday management.