If there is one clause that separates organizations that merely hold an ISO 9001 certificate from those that genuinely benefit from one, it is Clause 6.1. Risk-based thinking is not a bureaucratic checkbox — it is the engine that makes your Quality Management System (QMS) proactive rather than reactive. Yet in my experience leading audits and implementations across 200+ client organizations at Certify Consulting, Clause 6.1 is also among the most frequently misunderstood and poorly implemented requirements in the entire standard.
This pillar guide will give you a complete, practical understanding of what ISO 9001:2015 Clause 6.1 actually requires, how to implement it effectively, and how to prepare for an audit without leaving anything on the table.
What Is ISO 9001 Clause 6.1?
ISO 9001:2015 Clause 6.1, titled "Actions to Address Risks and Opportunities," sits within Section 6 (Planning). It requires organizations to determine risks and opportunities that need to be addressed in order to:
- Give assurance that the QMS can achieve its intended results
- Enhance desirable effects
- Prevent, or reduce, undesired effects
- Achieve continual improvement
The clause is split into two sub-clauses:
- Clause 6.1.1 — Requires you to identify risks and opportunities based on the context of the organization (Clause 4.1) and the needs and expectations of interested parties (Clause 4.2).
- Clause 6.1.2 — Requires you to plan actions to address those risks and opportunities, integrate those actions into QMS processes, and evaluate their effectiveness.
Citation hook: ISO 9001:2015 Clause 6.1 does not mandate a formal risk register or a specific risk management methodology — it requires that organizations demonstrate a systematic approach to identifying and addressing risks proportionate to their potential impact on product and service conformity.
This distinction matters enormously in audits. Auditors are not looking for a 40-tab spreadsheet. They are looking for evidence of thought and action.
Why Clause 6.1 Is the Heart of Risk-Based Thinking
The 2015 revision of ISO 9001 replaced the "preventive action" requirement from the 2008 version with the broader concept of risk-based thinking woven throughout the entire standard. According to ISO, this shift was intentional — the goal was to embed risk consideration into every planning and operational decision rather than treating it as a separate, siloed activity.
Key industry data point: A 2023 survey by the British Standards Institution (BSI) found that organizations with mature risk-based thinking embedded in their QMS were 34% more likely to detect and correct nonconformities before they reached the customer.
Risk-based thinking is referenced explicitly or implicitly in at least nine other clauses of ISO 9001:2015, including Clause 4.1 (Context), Clause 5.1.2 (Customer Focus), Clause 8.1 (Operational Planning), and Clause 9.1 (Monitoring and Measurement). Clause 6.1 is the formal planning mechanism that connects all of them.
Clause 6.1.1 — Determining Risks and Opportunities
Start With Context (Clauses 4.1 and 4.2)
Clause 6.1.1 explicitly links to the outputs of your context analysis. You cannot complete Clause 6.1 in isolation — your risk identification must be informed by:
- Internal and external issues (Clause 4.1): Think economic conditions, technology shifts, regulatory changes, organizational culture, resource constraints.
- Interested party needs and expectations (Clause 4.2): Customers, regulators, suppliers, employees, shareholders — what do they need, and what happens if you fail to deliver?
A practical approach I use with clients at Certify Consulting is the "So What?" test: for every internal/external issue identified in Clause 4.1, ask "So what does this mean for our ability to deliver conforming products and services?" That "so what" answer is your risk or opportunity.
Risk vs. Opportunity — Know the Difference
Many organizations focus exclusively on risks (negative effects) and neglect opportunities (potential positive effects). The standard explicitly requires both.
| Dimension | Risk | Opportunity |
|---|---|---|
| Definition | Effect of uncertainty that could negatively impact QMS objectives | Potential to achieve a beneficial result or enhance performance |
| Trigger | Threats from internal/external issues or interested party expectations | Favorable circumstances arising from context analysis |
| Example | Key supplier goes out of business → supply disruption risk | New regulation levels playing field → market expansion opportunity |
| Required Action | Avoid, mitigate, transfer, or accept | Pursue, leverage, or note for future planning |
| Clause Link | 6.1.1(c) (prevent or reduce undesired effects), 6.1.2(a) | 6.1.1(b) (enhance desirable effects), 6.1.2(a) |
| Evidence Expected | Risk assessment, treatment plan | Opportunity log, action plan or rationale for deferral |
Citation hook: Organizations that formally document both risks and opportunities — not just threats — demonstrate a more complete interpretation of ISO 9001:2015 Clause 6.1.1 and are better positioned to satisfy auditor inquiries about the link between planning and continual improvement.
Clause 6.1.2 — Planning Actions to Address Risks and Opportunities
Identifying risks is only half the job. Clause 6.1.2 requires that you:
- Plan actions to address identified risks and opportunities
- Integrate and implement those actions into QMS processes
- Evaluate the effectiveness of those actions
The Proportionality Principle
One of the most important phrases in Clause 6.1.2 is this: actions taken shall be proportionate to the potential impact on the conformity of products and services. This gives organizations significant flexibility — you do not need to treat a minor administrative risk the same way you treat a supply chain risk that could halt production.
I advise clients to use a simple likelihood × impact matrix to calibrate their response. A risk rated Low × Low may only warrant monitoring. A risk rated High × High demands a documented treatment plan, ownership, and a defined review cycle.
Risk Treatment Options Under ISO 9001
ISO 9001 does not prescribe specific risk treatment methods. The four classic options below (avoid, mitigate, transfer, accept) are the common simplified taxonomy; ISO 31000:2018, the international risk management guideline, lists a broader set (including removing the risk source, changing likelihood or consequences, sharing, and retaining), and the four options below map onto it. Use whichever taxonomy your organization already understands, as long as the chosen treatment is recorded for each risk:
| Treatment | Description | ISO 9001 Application Example |
|---|---|---|
| Avoid | Eliminate the activity that creates the risk | Discontinue a high-risk product line |
| Mitigate | Reduce likelihood or impact | Add incoming inspection for a critical component |
| Transfer | Shift the risk to another party | Contractual liability clauses, insurance (these transfer financial consequences; the obligation to deliver conforming product to the customer stays with you) |
| Accept | Acknowledge and monitor the risk | Low-impact, low-likelihood risks with no cost-effective treatment |
Integrating Actions Into QMS Processes
This is where many organizations fall short. A risk register that lives in a spreadsheet, disconnected from actual processes, will not satisfy Clause 6.1.2. Auditors will ask: "Show me how your identified risks are reflected in your operational controls, training plans, supplier evaluations, or objectives."
Actions must be visibly integrated into:
- Quality Objectives (Clause 6.2) — Risk mitigation goals should feed into measurable quality objectives
- Operational Planning (Clause 8.1) — Process controls should reflect risk treatment decisions
- Supplier Management (Clause 8.4) — Supplier risk should drive your approved supplier list criteria
- Management Review (Clause 9.3) — Risks and opportunities must be a standing agenda item
Common Clause 6.1 Nonconformities (And How to Avoid Them)
In my 8+ years of consulting and auditing, these are the most common Clause 6.1 findings I observe across industries:
1. Context Not Linked to Risks
Organizations complete a SWOT or PESTLE analysis for Clause 4.1 and then write a completely separate risk register with no visible connection between the two. Auditors will catch this immediately.
Fix: Add a column to your risk register labeled "Source (4.1/4.2 Issue)" that traces every risk back to a specific context issue or interested party concern.
2. No Documented Opportunities
Organizations treat Clause 6.1 as purely defensive, ignoring the "opportunities" side of the requirement.
Fix: Include an "Opportunities" tab or section in your risk documentation. Even a brief rationale for why an opportunity is being pursued — or consciously deferred — demonstrates compliance.
3. Effectiveness Never Evaluated
Organizations plan actions but never close the loop with an effectiveness check. This is a direct nonconformity against Clause 6.1.2(b)(2), which requires you to plan how the effectiveness of those actions will be evaluated.
Fix: Build effectiveness reviews into your internal audit schedule (Clause 9.2) and management review agenda (Clause 9.3). Document the outcome.
4. Risk Register Is Static
The risk register was completed during initial certification and hasn't been touched since — even as the business, market, and regulatory environment have changed.
Fix: Establish a defined review frequency (at minimum, annually; ideally, quarterly or triggered by significant change) and record evidence of each review.
5. Actions Not Proportionate
Organizations apply the same burdensome treatment to every risk, regardless of severity, leading to QMS bloat and reduced buy-in from staff.
Fix: Use a calibrated risk matrix. Reserve your most rigorous treatment protocols for your highest-rated risks.
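The five findings above are all mechanically checkable once a register is structured data rather than free text. The following Python script is an added example written for this guide, not code from the article or from Certify Consulting: it lints a small register for each finding. The field names, the 1-to-3 likelihood and impact scale, the score thresholds that decide Low, Medium and High, the 365-day review cycle and the sample entries are all constructed assumptions, not text from ISO 9001:2015; substitute your own scale and cycle.

```python
"""Lint a risk-and-opportunity register for the five common Clause 6.1
findings. Constructed example: field names, the 1..3 rating scale, the
score thresholds and the sample entries are assumptions, not ISO 9001 text."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def rate(likelihood: int, impact: int) -> str:
    """Likelihood x impact on an assumed 1..3 scale -> Low / Medium / High."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be between 1 and 3")
    score = likelihood * impact
    if score >= 6:
        return "High"      # plan, owner and review cycle expected
    if score >= 3:
        return "Medium"    # plan expected
    return "Low"           # monitoring is enough


@dataclass
class Entry:
    ref: str
    kind: str                                # "risk" or "opportunity"
    description: str
    source: Optional[str]                    # id of the 4.1/4.2 issue it traces to
    likelihood: int
    impact: int
    treatment: Optional[str]                 # avoid/mitigate/transfer/accept/pursue/defer
    owner: Optional[str] = None
    action_plan: Optional[str] = None
    effectiveness_reviewed: Optional[date] = None


@dataclass
class Register:
    entries: list
    last_reviewed: date
    context_issues: set                      # ids produced by the 4.1/4.2 analysis


def lint(reg: Register, today: date, max_age_days: int = 365) -> list:
    """Return (ref, code, detail) tuples; an empty list means no finding."""
    findings = []
    # 4. Static register: not reviewed within the defined cycle.
    if (today - reg.last_reviewed).days > max_age_days:
        findings.append(("REGISTER", "register-stale", f"last reviewed {reg.last_reviewed}"))
    # 2. No documented opportunities.
    if not any(e.kind == "opportunity" for e in reg.entries):
        findings.append(("REGISTER", "no-opportunities", "only risks are recorded"))
    for e in reg.entries:
        # 1. Context not linked: source missing or not a known 4.1/4.2 issue.
        if e.source is None or e.source not in reg.context_issues:
            findings.append((e.ref, "no-context-link", f"source={e.source!r}"))
        level = rate(e.likelihood, e.impact)
        # 5. Proportionality: High needs plan + owner; Low should not carry a full plan.
        if level == "High" and not (e.action_plan and e.owner):
            findings.append((e.ref, "under-treated", "High rating without plan and owner"))
        if level == "Low" and e.action_plan:
            findings.append((e.ref, "over-treated", "Low rating with a full action plan"))
        # 3. Effectiveness never evaluated for an action that was actually taken.
        treated = e.treatment not in (None, "accept", "defer")
        if treated and e.effectiveness_reviewed is None:
            findings.append((e.ref, "effectiveness-not-evaluated", e.treatment))
    return findings


def build_sample_register() -> Register:
    """Constructed sample data, deliberately seeded with each finding type."""
    return Register(
        context_issues={"4.1-02", "4.2-01"},
        last_reviewed=date(2024, 3, 1),
        entries=[
            Entry("R-01", "risk", "Critical component single-sourced", "4.1-02", 3, 3,
                  "mitigate", owner="Purchasing", action_plan="Qualify second supplier"),
            Entry("R-02", "risk", "Office printer toner runs out", None, 1, 1,
                  "mitigate", owner="Admin", action_plan="Weekly stock checklist",
                  effectiveness_reviewed=date(2026, 1, 15)),
            Entry("O-01", "opportunity", "New labelling rule favours our process", "4.2-01",
                  2, 2, "pursue", owner="Sales", action_plan="Target two export customers",
                  effectiveness_reviewed=date(2026, 2, 10)),
            Entry("R-03", "risk", "Customer spec change mid-production", "4.2-01", 2, 3,
                  "accept"),
        ],
    )


def sample_findings() -> list:
    """Run the lint over the constructed register as of a fixed date."""
    return lint(build_sample_register(), today=date(2026, 4, 7))


if __name__ == "__main__":
    for ref, code, detail in sample_findings():
        print(f"{ref:9} {code:28} {detail}")
```

Run as a script it lists one line per finding; on the constructed register that is the stale review date, R-01 treated but never evaluated, R-02 with no 4.1/4.2 source and a full plan for a Low rating, and R-03 rated High but merely accepted. An entry treated as "accept" or "defer" is deliberately not asked for effectiveness evidence, because there was no action to evaluate; the auditor will instead expect the rationale for accepting it, which the register should carry in the description or a separate field.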
How to Document Clause 6.1 (Without Over-Engineering It)
ISO 9001:2015 does not require a "risk register" by name, and it does not require documented information specifically for Clause 6.1 (unlike some other clauses). However, in practice, documented evidence is your best defense during an audit and your best tool for organizational learning.
Recommended documentation approach:
Minimum Viable Evidence Package
- Risk and Opportunity Register: A structured log of identified risks and opportunities, their sources (4.1/4.2), likelihood/impact ratings, treatment decisions, owners, and target dates.
- Action Plans: For high and medium risks, a brief action plan with defined steps, owners, and due dates.
- Effectiveness Records: Notes from management review or internal audit confirming that actions were completed and achieved the intended result.
- Linkage Evidence: Documented connection between your risk register and quality objectives, operational controls, or supplier criteria.
Formats That Work
The format is less important than the content. I have seen compliant Clause 6.1 implementations built in:
- Microsoft Excel or Google Sheets (most common)
- Confluence or SharePoint pages
- Dedicated GRC (Governance, Risk, and Compliance) software
- Integrated QMS platforms (e.g., Qualio, Greenlight Guru, MasterControl)
What does NOT work: a risk register that exists purely as a document artifact with no connection to how the organization actually operates.
Clause 6.1 Across Different Industries
Risk-based thinking looks different depending on your sector. Here is how Clause 6.1 manifests in practice across common industries:
| Industry | Common Risks Identified | Typical Opportunities |
|---|---|---|
| Manufacturing | Supply chain disruption, equipment failure, raw material quality | Automation, nearshoring, lean manufacturing gains |
| Healthcare / Medical Devices | Regulatory changes (FDA, MDR), patient safety events | Digital health integration, new market clearances |
| Food & Beverage | Contamination, supplier food safety failures, labeling errors | Clean-label trends, export market growth |
| Software / IT Services | Cybersecurity breaches, key personnel loss, scope creep | AI/ML integration, new verticals, partnerships |
| Construction / Engineering | Subcontractor quality failures, design changes, safety incidents | Government infrastructure spending, modular construction |
Key industry data point: According to the International Organization for Standardization's (ISO) 2022 survey, ISO 9001 remains the world's most widely adopted management system standard, with over 1.07 million certificates issued across 188 countries — making a consistent, auditable approach to Clause 6.1 a globally recognized competitive differentiator.
How Clause 6.1 Connects to the Rest of Your QMS
Clause 6.1 does not operate in isolation. Here is a visual map of its key connections:
[4.1 Context Analysis] ──────────────────────────────┐
[4.2 Interested Parties] ─────────────────────────────┤
▼
[6.1 Risk & Opportunity Register]
│
┌──────────────────────────────────┤
▼ ▼ ▼
[6.2 Quality [8.1 Operational [8.4 Supplier
Objectives] Planning] Management]
│ │ │
└──────────────────┴───────────────┘
│
▼
[9.1 Monitoring & Measurement]
[9.2 Internal Audit]
[9.3 Management Review]
│
▼
[10.2 Nonconformity & Corrective Action]
[10.3 Continual Improvement]
This interconnection is intentional. ISO 9001:2015 was designed so that risk-based thinking flows through every phase of the Plan-Do-Check-Act (PDCA) cycle. Clause 6.1 is the Plan phase anchor.
Practical Implementation Roadmap for Clause 6.1
If you are building or rebuilding your Clause 6.1 implementation, follow this structured approach:
Step 1: Consolidate Your Context Inputs (Week 1)
Review your Clause 4.1 and 4.2 outputs. If they are weak or outdated, strengthen them first — garbage in, garbage out.
Step 2: Conduct a Risk and Opportunity Identification Workshop (Week 2)
Involve cross-functional leadership. Use structured prompts: "What could prevent us from achieving [quality objective]?" and "What conditions could we capitalize on?"
Step 3: Rate and Prioritize (Week 2–3)
Apply your likelihood × impact matrix. Assign risk owners. Identify which risks require formal treatment plans vs. monitoring only.
Step 4: Develop Treatment Plans for High/Medium Risks (Week 3–4)
Document specific actions, owners, due dates, and success criteria. Link actions explicitly to QMS processes.
Step 5: Integrate Into QMS Documentation (Week 4–5)
Update quality objectives, process documents, and supplier criteria to reflect risk treatment decisions. This creates the audit trail auditors look for.
Step 6: Schedule Effectiveness Reviews (Ongoing)
Set calendar reminders. Build Clause 6.1 review into your management review agenda and internal audit plan.
Key industry data point: Organizations that implement a structured, cross-functional risk identification process — rather than delegating Clause 6.1 to a single quality manager — report 40% higher stakeholder confidence in their QMS outputs, according to a 2022 Quality Progress study by the American Society for Quality (ASQ).
Audit Preparation: What Auditors Actually Look For
During a Stage 2 certification audit or surveillance audit, an auditor reviewing Clause 6.1 will typically:
- Request your risk and opportunity documentation — Ask to see it, trace specific risks back to their source in Clause 4.1/4.2.
- Interview process owners — "What are the risks in your area? What actions have been taken?" If process owners cannot answer, that is a finding.
- Verify integration — Pull your quality objectives, operational procedures, and supplier evaluation criteria and look for alignment with identified risks.
- Check effectiveness evidence — Look for records showing that risk treatment actions were completed and reviewed.
- Assess proportionality — Evaluate whether the level of treatment matches the severity of the risk.
Citation hook: An ISO 9001 audit finding under Clause 6.1 most commonly results not from having too few risks documented, but from failing to demonstrate that identified risks are actively connected to operational controls, quality objectives, and management review inputs.
At Certify Consulting, our 100% first-time audit pass rate is built in part on ensuring clients can articulate their Clause 6.1 logic clearly and confidently — not just point to a document.
ISO 9001 Clause 6.1 vs. ISO 31000: Understanding the Relationship
A question I frequently receive from clients: "Do we need to implement ISO 31000 to satisfy Clause 6.1?"
The answer is no — but ISO 31000 can be a valuable complementary framework, especially for larger or more complex organizations. Here is how they compare:
| Factor | ISO 9001 Clause 6.1 | ISO 31000:2018 |
|---|---|---|
| Scope | Risks affecting QMS objectives | Enterprise-wide risk management |
| Certification | Certifiable | Guidance only (not certifiable) |
| Methodology Required | None specified | Comprehensive framework provided |
| Documentation | Implied, not mandated | Strongly recommended |
| Best For | All ISO 9001-certified organizations | Organizations wanting a formal ERM program |
For most small-to-medium enterprises, ISO 9001 Clause 6.1 implemented well is entirely sufficient. ISO 31000 becomes more relevant when you are managing complex portfolios of risk across multiple business units or jurisdictions.
Key Takeaways
- Clause 6.1 requires both risk identification and opportunity identification — not just threats.
- Actions must be proportionate to potential impact and integrated into actual QMS processes — not siloed in a risk register.
- No specific format, methodology, or documented information is mandated, but documentation is your strongest audit defense.
- The risk register must be a living document, reviewed at defined intervals and updated when context changes.
- Process owner awareness is as important as documentation — auditors will ask your team.
- Clause 6.1 is the planning backbone that connects your context analysis (Clause 4) to your operations (Clause 8), monitoring (Clause 9), and improvement (Clause 10).
For organizations seeking expert guidance on implementing or strengthening their Clause 6.1 approach, Certify Consulting offers tailored QMS gap assessments and implementation support backed by 8+ years of experience and a 100% first-time certification pass rate.
Frequently Asked Questions
Does ISO 9001 Clause 6.1 require a formal risk register?
No. ISO 9001:2015 Clause 6.1 does not mandate a risk register, a risk matrix, or any specific documented format. It requires that you have a systematic approach to identifying and addressing risks and opportunities. In practice, however, maintaining documented evidence — such as a risk register — is the most effective way to demonstrate compliance during an audit.
What is the difference between risks and preventive action under the old ISO 9001:2008?
ISO 9001:2008 included a specific "preventive action" clause (Clause 8.5.3) that required organizations to identify and address potential nonconformities. ISO 9001:2015 replaced this with the broader concept of risk-based thinking embedded throughout the standard, including Clause 6.1. The intent is similar but the scope is wider — risk-based thinking applies to all QMS processes, not just nonconformity prevention.
How often should we review and update our risk register?
ISO 9001:2015 does not specify a frequency, but best practice is to review your risk register at a minimum annually (typically as part of management review) and whenever there is a significant change to your internal or external context — such as a new regulatory requirement, a major customer change, or an organizational restructuring.
Can opportunities under Clause 6.1 include business growth goals?
Yes. Opportunities under Clause 6.1 can include any favorable circumstance that the organization could exploit to enhance its QMS performance or improve its ability to meet customer requirements. This can include market expansion, new technology adoption, process improvement initiatives, or favorable regulatory changes that open new markets.
What happens if an auditor finds a nonconformity under Clause 6.1?
A Clause 6.1 nonconformity will require a corrective action (Clause 10.2), including root cause analysis and a documented plan to address the gap. Common findings include: risks not linked to context analysis, no documented opportunities, actions not evaluated for effectiveness, and process owners unaware of their relevant risks. Addressing these proactively — before the audit — is the best strategy.
Last updated: 2026-04-07
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.