Maxicert – Your Global ISO Certification Partner

ISO 9001:2015 Clause 6.1 Explained: Proactive Planning for QMS Success

Introduction

Navigate the complexities of ISO 9001:2015 Clause 6.1, a pivotal guide to risk-based thinking. This clause goes beyond compliance—it helps organizations proactively address risks and opportunities to ensure their quality management system (QMS) achieves its goals. By integrating this approach, businesses can anticipate challenges, prevent undesired effects, and create a framework for continuous improvement. With Maxicert’s guidance, organizations gain the expertise and structured support needed to identify risks, optimize planning, and turn uncertainties into opportunities that drive long-term success.

6.1 Actions to address risks and opportunities

6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

  • give assurance that the quality management system can achieve its intended result(s),
  • enhance desirable effects,
  • prevent, or reduce, undesired effects,
  • achieve improvement.

6.1.2 The organization shall plan:

  • actions to address these risks and opportunities;
  • how to:
    1. integrate and implement the actions into its quality management system processes (see 4.4);
    2. evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

Explication and Commentary (What to look for as an auditor)

All organizations need to develop a QMS that is appropriate for the type of products and services they provide. In planning this, it is important to consider the current context and the needs and expectations of interested parties. This should identify key issues that need to be considered when planning the QMS. The planning at this stage is at a strategic level, and consideration of these issues by the top management of the organization should result in the development of a quality policy setting out the purpose of the organization as well as the strategic direction for the next 3-5 years, the scope of the QMS, and a determination of the processes needed. Planning for the delivery of these QMS processes can then begin.

The purpose of planning is to anticipate potential scenarios and consequences, and as such is preventive in addressing undesired effects before they occur. Similarly, it looks for favourable conditions or circumstances that can offer a potential advantage or beneficial outcome and includes planning for those worthy of pursuit.

Planning also includes determining how to incorporate the actions deemed necessary or beneficial into the MS, either through objective setting (6.2), operational control (8.1) or other specific clauses of the MS, e.g. resource provisions (7.1), competence (7.2).

The mechanism for evaluating the effectiveness of the action taken is also planned, and can include monitoring, measurement techniques (9.1), internal audit (9.2) or management review (9.3).

This is generally what is involved in risk assessment

Risk is defined as the effect of uncertainty on an expected result (3.09). The establishment of the QMS is to focus on achieving the expected results.

The risks will vary depending on the types of products and services offered as well as the nature of the business itself.

For example, a business that sells office stationery may offer a range of “off the shelf” products. The business may have one shop that offers a “walk in service”. Products are purchased from a wholesaler and offered for sale in the shop. The products themselves are low risk, but there are perhaps risks regarding supply of product, range of products offered, lack of repeat customers etc. If the business is to remain competitive and continue to grow, some “market analysis” may be needed to determine what competitors are doing, whether there are alternative suppliers, whether the model should change from walk-in to on-line etc. Top management have a role here in reviewing the output of any such analysis and determining the strategic direction for the organization. The QMS then needs to be planned to meet this.

A medical centre offering a range of medical services to referred patients will have many more interested parties and context issues to consider in the development of its QMS. There are patient safety issues to address as well as having sufficient expertise in house, insurance claims, public vs private funding etc.

There is no requirement in ISO 9001 to use a formal risk assessment method; however, there needs to be some consideration of risk qualitatively. The extent and level of risk assessment will depend on the nature and type of business. ISO 31010 provides information on risk assessment techniques that can be used, but it is down to the organization to determine the best way to evaluate risks and opportunities for itself, depending on the nature and complexity of the organization's processes and operations, size, resources available etc.

In determining the risk, a decision needs to be taken on what to do: is action required? Options for dealing with risk can include avoiding the risk, taking the risk to pursue an opportunity, eliminating the risk source, changing the likelihood or consequence, sharing the risk or retaining the risk by informed decision. Where there is a risk that could impact on conformity of products or services, the action taken should be sufficient to address the risk, i.e. remove, eliminate or change the likelihood or consequence, and indeed priority should be given to risks that impact on conformity of goods and services.

When a process is determined and the criteria for its effectiveness are defined, the risk that these criteria will not be met and the opportunities for improving the process effectiveness should be considered.

The risks identified can be prioritized to determine which of them are acceptable and which are not. Mathematical methods, for example FMEA, can be used for this, or the acceptability of risks can be determined through consultation with interested parties.

The organization can use the following risk treatment methods:

a) Risk avoidance. Waiver of processes associated with the occurrence of a risk considered unacceptable. For example, as a result of a customer requirements review, the organization identifies an unacceptable risk and opts not to tender or fulfil this contract.

b) Taking risk in order to pursue an opportunity. As mentioned above, a risk can be positive. A positive risk can be enhanced by increasing its probability or consequences. Treating positive risks, i.e. opportunities for process effectiveness, allows us to improve the quality management system as a whole. For example, opportunities for improvement have been identified in the process of internal audit. Top management can prioritize these opportunities according to the likelihood and magnitude of the positive consequences and take action to introduce or pursue an opportunity, increasing the probability and/or positive consequences of these risks.

c) Elimination of the risk source. Determining and eliminating the cause of the risk. Often the process has to be significantly changed to eliminate the risk source. For example, the risk of mix-up of connectors and slots during assembly of electronic devices was eliminated by developing a unique configuration of connectors and slots of each type.

d) Changing the likelihood. The organization should treat the likelihood of a risk by reducing it for a negative risk and increasing it for a positive one. For example, the risk of nonconforming output of the manufacturing process due to inhomogeneity of the material is a negative risk, and its probability can be reduced by purchasing a more homogeneous material.

e) Changing the consequences. The consequences can also be treated by reducing the negative and enhancing the positive. This can be related to changes in the process itself or in related processes. For example, a car tire puncture is a negative risk, and introducing a tire self-swapping system into the car design is aimed at changing the consequences of such a risk.

f) Sharing the risk. Shifting of the responsibility for the risk to other interested parties. For example, a travel agency's responsibility insurance for travelers in the event of cancellation of flights, etc.

g) Retaining the risk by informed decision. If, as a result of risk prioritization, a negative risk was found not to be large enough, or there are no cost-effective measures for treating the risk, the organization may decide to retain the risk. Risk retention includes informing stakeholders of the risk and monitoring it in order to detect an unacceptable increase of the risk in a timely manner. For example, bad weather in the flight area is a negative risk to aviation operations. It is impossible to eliminate the source of the risk or to change the likelihood and consequences. Consequently, the aeronautical authorities monitor this risk and, if it changes, immediately inform all interested parties.

Risk treatment does not have to be documented. This is firstly an approach, a way of thinking.

Assessment of risk can be subjective, so it is good practice to agree the final decisions on risk with input from at least three individuals from different areas of the organization, e.g. the management team.

Conclusion

Embracing the requirements of ISO 9001:2015 Clause 6.1 transforms a reactive system into a proactive, forward-thinking one. It shifts the focus from simply meeting requirements to strategically managing uncertainty. By systematically identifying and addressing risks, organizations can prevent negative outcomes and ensure the integrity of their QMS. Simultaneously, by seizing opportunities, they can foster innovation and achieve sustainable growth. With Maxicert as a trusted ISO certification partner, organizations can confidently embed risk and opportunity management into their processes, building a resilient, effective, and continuously improving quality management system.


FAQ

What does Clause 6.1 mean by “risk-based thinking”?

Clause 6.1 asks organizations to look ahead and plan for things that might go wrong or right, so they can avoid problems and make the most of good opportunities. This helps keep the quality management system working well at all times.

 

No, Clause 6.1 does not force organizations to use detailed risk management tools. Each business can choose an approach that fits its size and needs, whether it’s simple discussions, job experience, or formal methods.

Organizations plan actions, add these solutions to their processes, and keep track to see if the plans work. Common ways include job instructions, regular meetings, or monitoring results to prevent issues and improve quality.

Proactive planning keeps the quality system strong and helps prevent surprises. It leads to better decisions and supports long-term improvement by actively aiming to meet customer needs and company goals.
