Understanding Section 6.1

Actions to address risks and opportunities


This is an educational article on Section 6.1 of ISO 9001. Section 6.1 is the last of what I call “the Strategic Planning sections,” which also includes sections 4.1 and 4.2. This article covers only section 6.1 – “Actions to address risks and opportunities.”

The purpose of this article is to give you an understanding of what Section 6.1 requires.

This article is directed towards:

  • Those responsible for compliance with section 6.1.
  • Those responsible for strategic or risk planning activities generally.
  • Others interested in understanding section 4.2.

Section 6.1 is entitled “Actions to address risks and opportunities.” This section requires you to consider:

  • The internal and external issues referred to in 4.1.
  • The stakeholder requirements referred to in 4.2.

And then, in light of those considerations, make plans to:

a) Ensure that the QMS achieves the intended results.
b) Enhance desirable effects.
c) Prevent or reduce undesirable effects.
d) Achieve improvement.

So what is a risk or an opportunity?

When you identify an issue, it is easy to think of it as presenting either a risk or an opportunity for you to respond to. For example, lack of a trained workforce is an issue. Most would call this issue a risk. An optimist might call it an opportunity to outshine competitors facing the same challenge. For another example, new cutting-edge innovations within your company are easily called an opportunity. A pessimist might call them a risk, because you are not sure how the market will respond to new things.

Each issue or requirement is really a double-sided coin, presenting both risks and opportunities depending on how you look at it.

This is why section 4.1, on determining internal and external issues, and section 4.2, on determining stakeholder requirements, feed so naturally into section 6.1 on risk planning. If each issue or requirement can be viewed as presenting a risk or opportunity, then the outputs of sections 4.1 and 4.2 are natural inputs for section 6.1.

Does this mean that every issue or requirement has to have a corresponding identified risk or opportunity, and an action plan? No, not necessarily. Only some issues or requirements represent risks or opportunities great enough to justify taking action. You are at liberty to create your own system for filtering through the issues to decide which risks and opportunities are worth acting on. The main thing is that you have a system.

By now you have probably gathered that ISO uses the term “risk” to connote both the positive and negative possibilities. So when we speak of risk planning, we are speaking of planning for risks and opportunities.

One way to manage all of these risks and opportunities would be by using a Risk Register. With a Risk Register you could log risks and opportunities, assess the magnitude of each risk or opportunity (such as by determining its likelihood and the degree of impact it will have on your company), and then apply your own criteria to decide whether action should be taken to treat the risk or exploit the opportunity.

Note 1 of section 6.1 discusses risk treatment options. If risk treatment is necessary, you might choose between:

  • Avoiding the risk,
  • Accepting the risk,
  • Mitigating the risk, or
  • Transferring the risk.

Again, sometimes the risk level may be low enough that no action is necessary, so ignoring the risk is also an option.

Note 2 of section 6.1 discusses actions in response to an opportunity. If you decide to act on an opportunity, you might choose between:

  • Exploiting the opportunity,
  • Sharing the opportunity,
    • (For example, if you don’t have the resources to exploit it yourself.)
  • Enhancing the opportunity, or
    • (For example, by taking actions to make the realization of the opportunity more likely.)
  • Monitoring the opportunity.
    • (For example, to watch for the right time to exploit the opportunity.)

Sometimes the cost of exploiting an opportunity may outweigh the benefit, in which case ignoring the opportunity would also be an option.

For significant risks and opportunities, that is, for those that meet your criteria for taking action, Section 6.1 requires you to make plans to:

  • Integrate and implement your risk actions, as necessary, into your quality management system processes (see 4.4).
  • Evaluate your actions for effectiveness.

In other words, you are planning, in light of your risks and opportunities, what you are going to do about them, and how you are going to follow up to ensure your success.

For example, you already saw how a Risk Register could be enhanced from a mere register into a living document that would help you go the distance, from planning, to implementing, to maintaining, and on to controlling and evaluating how your requirements are met. This single document, properly used, could fulfill all of your risk planning requirements.

The bottom line for strategic planning is this: You are expected to determine your context, and then constantly monitor your context, so you can plan and take action to meet the demands of that ever-changing context. This is the short version of what sections 4.1, 4.2, and 6.1 (and 8.1) of ISO 9001 require of your company.

For more information on how to meet the strategic planning requirements of ISO 9001, watch our implementation videos for sections 4.1, 4.2, and 6.1, and review the template library for some examples.