Management system guidance

6.0 Planning

ISO Navigator Pro™ is a free tool that provides practical, expert guidance for businesses wishing to interpret and better implement the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018.

Our range of templates cover the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018, and offer an easy way to implement your next management system.

6.1 Actions to address risks and opportunities

|

6.1.1 Determine the risks and opportunities to be addressed

Although risks and opportunities have to be determined and addressed, there is no requirement in ISO 9001:2015 for a formal, documented risk management process or risk matrix. Confirm that your organization has a methodology in place that enables them to effectively identify risks and opportunities with respect to the planning of its management sytem. Reference to risk-based thinking is present in the following clauses of the standards:

  1. Determine and address risks (Clause 4.4.1);
  2. Promote risk-based thinking (Clause 5.1.1);
  3. Ensure risks determined and addressed (Clause 5.1.2);
  4. Determine risks that need to be addressed to achieve intended results (Clause 6.1.1 - this page);
  5. Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2 - this page);
  6. Control those risks identified (Clause 8.1);
  7. Evaluate effectiveness of actions on risks (Clause 9.1.3);
  8. Review effectiveness of actions on risks (Clause 9.3.2);
  9. Improve the quality management sytem responding to risk (Clause 10.3).

The risks and opportunities should be relevant to the context of your organization (Clause 4.1), as well as, any interested parties (Clause 4.2). You should ensure that your organization has applied this risk identification methodology consistently and effectively. What process has been developed to identify risks and opportunities?

In the absence of documented processes or procedures, you may need to use observations and interviews (and a review of the process output, which may contain documented evidence) to assess the processes that determine whether or not undocumented processes are being carried out as planned.

External and internal issues, and relevant needs and expectations of relevant interested parties may be sources of risks. Objective evidence may be in the form of a dedicated risk matrix, risks added to other forms such as an aspect register, corrective action log and forms, etc.

All management system processes represent differing levels of risk in terms of your organization’s ability to meet its objectives. Due to this reason, the consequences of failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organizations.

Risk and opportunity register

While not mandated by ISO 9001, ISO 14001 or ISO 45001, risk and opportunity registers can help identify and record the risks and opportunities facing different areas of the business and identifying risk is a critical step in managing it. Risk and opportunity registers will allow your organization to assess the risk in context with the overall context of your organization, and will help to record the controls and treatments of those risks. Risk and opportunity registers can be developed in tiers:

  1. Strategic level - risks and opportunities associated with the local, regional, and global economic, social, political, cultural, regulatory and competitiveness, key stakeholder strategies or strengths and weaknesses in attaining objectives.
  2. Operational level - organizational structure and culture, existence of any operational constraints, business resilience vulnerabilities, issues relating to recent change management, stakeholder community concerns, regulatory and contractual requirements and constraints
  3. Process level - stability of I.T. systems, human error, measurement and inspection failures, environmental or workplace safety, mechanical failure, process quality, internal controls and compliance errors, ineffective processes with poor performance metrics, or process controls not functioning

The risk and opportunity register or risk log becomes essential as it records identified risks and opportunity, their severity, and the actions and steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table. A table presents a great deal of information in just a few pages. As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.

  1. Description of the risk;
  2. Risk Type (business, project, stage);
  3. Likelihood of occurrence which provides an assessment on how likely it is that this risk will occur;
  4. Severity of effect which provides an assessment of the impact that the occurrence of this risk would have on the project;
  5. Countermeasures and actions taken to prevent, reduce, or transfer the risk. This may include production of contingency plans;
  6. Risk owner who is responsible for ensuring that risks are appropriately engaged with countermeasures undertaken;
  7. Current status of whether this is a current risk or if risk can no longer arise and impact;
  8. Other columns such as quantitative value can also be added.

Risk and opportunity identification

Risk identification should be carried out with the full involvement of the relevant parties to ensure the relevant perspectives and expertise should be represented (e.g. appropriately qualified representatives from various functions, contractors, stakeholders, suppliers and specialists as appropriate.

Risk and opportunity identification is a critical activity at both a strategic and operational level. It needs to include all significant sources of risk, including those beyond our organization’s control. If a risk, threat, or opportunity is not identified, there can be no strategy to address it.

The objective of this step is not to create an onerous and lengthy list of all possible risks, but to identify all significant risks that could impact our organization. Risks and opportunities are identified through the use of:

  1. Workshops and focus groups, using brainstorming approaches;
  2. SWOT Analysis Template to identify and analyse strengths, weaknesses, opportunities and threats;
  3. PESTLE Analysis Template to identify and analyse external context issues from local, regional, national and international perspectives;
  4. Context & Interested Parties Analysis matrix to identify and list the needs and expectations of any interested parties and the risks or opportunities arising from them;
  5. Interviews with respective management;
  6. The intranet as a means of reporting incidents or risks for consideration.

|

More information on PDCA

Planning

Context

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
4.1 Organizational Context 4.1 Organizational Context 4.1 Organizational Context
4.2 Relevant Interested Parties 4.2 Relevant Interested Parties 4.2 Relevant Interested Parties
4.3 Management System Scope 4.3 Management System Scope 4.3 Management System Scope
4.4 QMS Processes 4.4 EMS Processes 4.4 OH&S Management System

Planning

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
5.1 Leadership & Commitment 5.1 Leadership & Commitment 5.1 Leadership & Commitment
5.2 Quality Policy 5.2 Environmental Policy 5.2 OH&S Policy
5.3 Roles, Responsibilities & Authorities 5.3 Roles, Responsibilities & Authorities 5.3 Roles, Responsibilities & Authorities
    5.4 Consultation & Participation

Support

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
6.1 Address Risks & Opportunities 6.1.1 Address Risks & Opportunities 6.1.1 Address Risks & Opportunities
6.2.1 Quality Objectives 6.1.2 Environmental Aspects 6.1.2 Hazard Identifcation
6.2.2 Planning to Achieve Objectives 6.1.3 Compliance Obligations 6.1.3 Legal & Other Requirements
6.3 Planning for Change 6.1.4 Planning Action 6.1.4 Planning Action
  6.2.1 Environmental Objectives 6.2.1 OH&S Objectives
  6.2.2 Planning to Achieve Objectives 6.2.2 Planning to Achieve Objectives 
 

Doing

Support

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
7.1 Resources 7.1 Resources 7.1 Resources
7.2 Competence 7.2 Competence 7.2 Competence
7.3 Awareness 7.3 Awareness 7.3 Awareness
7.4 Communcation 7.4.1 Communcation - General 7.4.1 Communcation - General
7.5 Documented Information 7.4.2 Internal Communcation 7.4.2 Internal Communcation
  7.4.3 External Communcation 7.4.3 External Communcation
  7.5 Documented Information 7.5 Documented Information

Operations

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
8.1 Operational Planning & Control 8.1 Operational Planning & Control 8.1.1 General
8.2 Customer Requirements 8.2 Emergency Preparedness 8.1.2 Eliminating Hazards
8.3 Design & Development   8.1.3 Management of Change
8.4 Purchasing   8.1.4 Outsourcing
8.5 Product & Service Provision   8.2 Emergency Preparedness
8.6 Release of Products & Services    
8.7 Nonconforming Outputs     
 

Checking

Monitoring, measurement, analysis and evaluation

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
9.1 Monitoring & Measurement 9.1.1 Performance Evaluation 9.1.1 Performance Evaluation
9.2 Internal Audit 9.1.2 Evaluation of Compliance 9.1.2 Evaluation of Compliance
9.3 Management Review 9.2 Internal Audit 9.2 Internal Audit
  9.3 Management Review 9.3 Management Review 
 

Acting

Improvement

ISO 9001:2015
ISO 14001:2015
ISO 45001:2018
10.1 Improvement - General 10.1 Improvement - General 10.1 Improvement - General
10.2 Nonconformity & Corrective Action 10.2 Nonconformity & Corrective Action 10.2 Incident, Nonconformity & Corrective Action
10.3 Continual Improvement 10.3 Continual Improvement 10.3 Continual Improvement 
 

Want to know more?

SSL certification

A certificate guarantees the information your internet browser is receiving now originates from the expected domain - https://www.iso9001help.co.uk. It guarantees that when you make a purchase, sensitive data is encrypted and sent to the right place, and not to a malicious third-party.

Free PDCA guidance

ISO Navigator™ is our FREE online training tool that shows you how to apply the principles of PDCA to your operations. We also offer many helpful templates that get you on the road to documenting your management system, please visit the download page.