In this article, I’m going to cover clause 6.1 Actions to address risks and opportunities. I’m going to break this clause down and turn it into something you can all understand. You’ll then be able to apply this to your own organization's system and understand what the requirements will look like for you. No more guessing!
Clause 6.1 Actions to address risks and opportunities is the first clause in the Planning section of ISO 9001. There are quite a few different elements to this clause so I will break them down into smaller chunks and explain each part as I go.
Now, this is an interesting clause as I think it’s actually pulling everything that you’ve learned and applied in two previous clauses to now take action – do something about it. ISO 9001 isn’t just all talk and no action!
The sub-clause 6.1.1 starts off by stating that
When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed.
I want to reflect back on exactly what this statement is saying. What I do want to point out, is that this is referring back to Clause 4.1 Understanding the organization and its context, and Clause 4.2 Understanding the needs and expectations of interested parties. Now of course before you can action any of these requirements you should have implemented the requirements for clauses 4.1 and 4.2 so you DO have an understanding of the issues or requirements identified. As a result of completing the requirements for clauses 4.1 and 4.2, you will have identified risks and opportunities to the business and to the quality management system.
So now clause 6.1 wants you to recognize those risks and opportunities and put some actions in place to manage them so as to (as per the rest of this clause):
These actions we put in place are so we can improve our performance within the quality management system and manage risks to mitigate any impacts but also leverage the opportunities.
This clause then goes on to say that ..
6.1.2 The organization shall plan:
a) actions to address these risks and opportunities
b) how to:
1) integrate and implement the actions into its quality management system processes
2) evaluate the effectiveness of these actions
My favourite here is the requirement to integrate and implement the actions into its quality management system processes.
So these risks and opportunities that you identified as a result of clauses 4.1 and 4.2 now need actions to address them, which may look like new processes, new products, new customers or clients, new technology, setting objectives, and putting on new team members or contractors. Whatever is needed to action these risks and opportunities will just be a part of your business and quality systems. The actions aren’t a separate item that needs to be referred to separately as ‘oh that’s quality over there’. NO! these actions become your system.
And part of this system is to evaluate how it’s going. Are you achieving what you set out to? Now this evaluation will also come into play as a part of clause 9.1 Monitoring, measurement, analysis, and evaluation, so be sure to check those requirements out as well.
Remember that the higher risks should get the most attention from you. The opportunities that have the potential for the biggest growth or improvement of the system should get the most attention from you.
This is clearly stated in the final sentence of this clause where it states that
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
So spend your time on the highest risks and most productive opportunities. Do a risk assessment even.
Which leads me to ask the questions ... What would this look like in your quality management system? Now that I’ve broken this clause down, what are we looking for?
Interestingly enough there is no requirement in this clause for documented information so as auditors we have to be careful of this as we wouldn’t be able to raise a nonconformance stating that there was no documented information regarding the actions taken to address risks and opportunities.
However, we still need to see evidence of what these actions are. I mentioned some of these actions earlier on as examples and this clause also has some within
NOTE 2 which states
Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology, and other desirable and viable possibilities to address the organization’s or its customers’ needs.
So as auditors, we would see these new products, associated procedures, partnerships, and the implementation of new technology so we would see the changes within the organization as a result of the actions taken.
Now, is that normally all that you would see? To be honest no. What is quite common to see is a risk register of some description. The risks and opportunities identified as part of the output from clauses 4.1 and 4.2 could be documented in the risk register and then a risk assessment completed in the register followed by the planned actions.
I did mention a risk assessment earlier so that you could define the highest risks and the most productive opportunities to focus your time and effort on. And interestingly enough in
NOTE 1 of this clause it states that
Options to address risks can include avoiding risk, taking risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
These are all recommended risk treatments so these can influence the types of actions you decide to take – again I normally do see these in a risk register for the majority of clients that I do audits for.
If you’re not keen on a risk register, another option is to document the planned actions in your management review meeting as there is a requirement to review the effectiveness of actions taken to address risks and opportunities in this clause. Clause 9.3 is Management Review and there is a requirement to retain documented information as evidence of the results of management review – so you’re killing 2 birds with one stone!
Now that I’ve explained all of these requirements, can you see more clearly how you could action and demonstrate these actions in your management system? Most importantly - keep it real. Follow a process that aligns most with how your business works currently.
Learn even more by completing a qualification in one of our ISO 9001 courses.