What Is Clause 6.1 and Why Does It Matter?
If you have spent any time working with ISO 9001:2015, you will know that Clause 6.1 sits right at the heart of the planning section. It is titled Actions to Address Risks and Opportunities, and it is one of the clauses that auditors pay close attention to during certification audits. Yet it is also one of the most misunderstood requirements in the entire standard.
On this page
Many businesses treat Clause 6.1 as a box-ticking exercise. They create a risk register, list a handful of generic risks, and consider the job done. That approach will get you through a poorly run audit, but it will not give your business any real value, and a thorough auditor will see through it quickly.
This guide breaks down exactly what Clause 6.1 requires, what it means in practice, and how to implement it in a way that genuinely strengthens your quality management system. Whether you are preparing for your first certification audit or trying to improve a system that has been coasting along, this is worth reading carefully.
The Full Text of Clause 6.1 Explained
Clause 6.1 has two sub-clauses. Understanding both is important before you start building your approach.
Clause 6.1.1: Identify Risks and Opportunities
The standard requires your organisation to consider the issues identified in Clause 4.1 (context of the organisation) and the requirements identified in Clause 4.2 (needs and expectations of interested parties). Based on those inputs, you need to determine the risks and opportunities that need to be addressed.
The purpose of doing this is threefold. The standard says you need to:
- Give assurance that the QMS can achieve its intended results
- Enhance desirable effects
- Prevent or reduce undesired effects and achieve improvement
That third point is often overlooked. Clause 6.1 is not just about preventing bad things from happening. It is equally about identifying and acting on opportunities that could improve your quality outcomes, customer satisfaction, or business performance.
Clause 6.1.2: Plan Actions
Once you have identified your risks and opportunities, the standard requires you to plan actions to address them. Specifically, you need to:
- Determine how to integrate and implement those actions into your QMS processes
- Evaluate the effectiveness of those actions
The standard also notes that actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services. This is an important qualifier. You do not need to build an elaborate risk management framework for a low-risk administrative process. The response should match the severity of the risk.
What Counts as a Risk Under ISO 9001?
ISO 9001:2015 does not define risk in the body of the standard, but it references ISO 31000 as a guiding framework. ISO 31000 defines risk as the effect of uncertainty on objectives. That definition is broader than most people expect.
In the context of a quality management system, risks are things that could prevent you from consistently delivering conforming products or services to your customers. They can be internal or external, operational or strategic.
Here are some practical examples across different industries:
- Manufacturing: A single-source supplier for a critical component goes out of business, causing production delays and non-conforming product substitutions
- Construction: Subcontractor quality varies significantly between projects, creating inconsistent outcomes that affect client satisfaction
- Healthcare services: Staff turnover in a specialised clinical role creates gaps in competency that affect service quality
- IT services: Rapid changes in client requirements outpace internal documentation and testing processes, leading to defects at delivery
- Food production: Seasonal fluctuations in raw material quality affect product consistency and require more frequent process adjustments
Notice that none of these are abstract. They are grounded in the specific context of the business. That is exactly what auditors want to see. Generic risks like “economic downturn” or “staff leaving” without any connection to your actual processes and quality outcomes will not satisfy a competent auditor.
What Counts as an Opportunity?
This is where many businesses fall short. They focus almost entirely on risks and treat opportunities as an afterthought. The standard explicitly requires you to address both.
Opportunities are circumstances that could be exploited to improve quality outcomes, increase customer satisfaction, or enhance the performance of the QMS. They often emerge from the same context analysis that surfaces risks.
Some practical examples:
- A new technology platform that could reduce defect rates in your production process
- A shift in customer expectations toward faster delivery, which you could meet by redesigning your fulfilment process
- A regulatory change that creates demand for a service your business is already well-positioned to provide
- A competitor exiting the market, creating an opportunity to attract new clients who have higher quality expectations
- Feedback from a key customer that reveals an unmet need you could address with a process improvement
Opportunities should be treated with the same rigour as risks. Identify them, assess their potential value, plan actions to pursue them, and evaluate whether those actions worked.
How to Build a Practical Risk and Opportunity Register
The standard does not require a specific format or document. It does not even require a formal risk register as such. What it requires is evidence that you have identified risks and opportunities, planned actions, integrated those actions into your QMS, and evaluated their effectiveness.
That said, a well-structured risk and opportunity register is the most practical way to demonstrate compliance and actually manage the process. Here is what a useful register should include:
Key Columns for a Risk Register
- Risk or opportunity description: Be specific. Reference the process or activity affected.
- Source: Where did this come from? Internal context, external context, interested party requirement?
- Likelihood: How probable is this? Use a simple scale such as low, medium, high.
- Impact: What is the consequence if it occurs? Again, low, medium, high works fine.
- Risk rating: Combine likelihood and impact to get an overall rating.
- Planned action: What will you do about it? Be specific about the action, not just the intent.
- Owner: Who is responsible for implementing the action?
- Due date: When will the action be completed?
- Effectiveness review: Did the action work? What evidence do you have?
Keep the register proportionate. A small business with 15 employees does not need a 50-row risk register filled with hypothetical scenarios. Five to ten well-considered, specific risks and opportunities with genuine actions attached will serve you far better.
Linking Clause 6.1 to the Rest of Your QMS
One of the most common gaps I see during audits is a risk register that exists in isolation. It sits in a folder, gets updated once a year before the surveillance audit, and has no visible connection to anything else in the management system. That is a problem.
Clause 6.1 is designed to feed into other parts of the system. Here is how the connections should work:
Connection to Clause 4: Context and Interested Parties
Your risk and opportunity identification must be informed by your context analysis. If your Clause 4 context analysis identifies that your industry is facing increased regulatory scrutiny, that should appear as a risk in your Clause 6.1 register. The two clauses must be consistent with each other.
Connection to Clause 6.2: Quality Objectives
Your quality objectives should be informed by your risk and opportunity analysis. If you have identified a significant risk around supplier quality, one of your objectives might be to improve supplier evaluation scores by a specific percentage within a defined timeframe.
Connection to Clause 8: Operational Planning
Actions to address risks and opportunities need to be integrated into your operational processes. If a risk is identified in your design and development process, the control for that risk needs to appear in how that process is actually run, not just in a separate risk document.
Connection to Clause 9.3: Management Review
Risks and opportunities, and the effectiveness of actions taken, should be a standing agenda item in your management review. This is where leadership demonstrates that they are actively engaged with the risk profile of the business, not just delegating it to a quality manager.
Common Mistakes Auditors Find in Clause 6.1
Having conducted and reviewed many ISO 9001 audits over the years, there are patterns that come up repeatedly. Here are the mistakes worth avoiding:
Risks Are Too Generic
Listing “fire” or “economic recession” as quality risks without any connection to your QMS processes is not meaningful. Every risk should be traceable to a specific process, product, service, or customer outcome.
No Opportunities Are Identified
A register that contains only risks suggests the organisation has not genuinely engaged with the requirement. Opportunities must be present and must be specific.
Actions Are Vague
Writing “monitor the situation” or “raise awareness with staff” as actions for a high-rated risk is not acceptable. Actions need to be specific, assigned, and time-bound.
No Evidence of Effectiveness Review
The standard requires you to evaluate whether your actions worked. If your register has no column for effectiveness review, or if that column is consistently blank, you have a gap. This is one of the most frequently raised nonconformances in surveillance audits.
The Register Is Not Reviewed Regularly
A risk register dated 18 months ago with no evidence of review will raise immediate concerns. Risks change as your business context changes. The register needs to be a living document, not a static artefact.
Does ISO 9001 Require a Formal Risk Management System?
This is a question that comes up constantly. The short answer is no. ISO 9001:2015 deliberately does not require a formal risk management methodology. It does not require you to implement ISO 31000, conduct a formal risk assessment using a specific matrix, or produce a documented risk management plan.
The standard uses the term risk-based thinking rather than risk management. The intent is that consideration of risk becomes embedded in how you plan and operate your QMS, rather than being a separate formal discipline.
That said, for larger or more complex organisations, adopting a more structured approach aligned with ISO 31000 risk management principles can add significant value and make your Clause 6.1 implementation far more robust.
Clause 6.1 and the 2026 Revision
ISO 9001 is currently under revision, with the updated standard expected to be released in 2026. Based on what is known about the direction of the revision, risk-based thinking is expected to remain a core requirement. There may be additional emphasis on how organisations address emerging risks such as climate change and supply chain disruption, but the fundamental structure of Clause 6.1 is unlikely to change dramatically.
If you are building your QMS now, implementing Clause 6.1 properly under the current standard will put you in a strong position for the transition. You can read more about what is expected in ISO 9001:2026 to stay ahead of those changes.
A Practical Implementation Checklist
If you are implementing Clause 6.1 for the first time, or reviewing an existing implementation, here is a practical checklist to work through:
- Review your Clause 4.1 context analysis and Clause 4.2 interested party register. These are the mandatory inputs for your risk identification.
- Identify at least five to ten specific risks that could affect your ability to deliver conforming products or services. Each risk must reference a specific process or outcome.
- Identify at least three to five opportunities that could improve your QMS, customer satisfaction, or business performance.
- Rate each risk and opportunity for likelihood and impact. Keep the scale simple.
- Assign specific, time-bound actions to each risk and opportunity. Name the person responsible.
- Integrate high-priority actions into your operational processes, quality objectives, or documented procedures.
- Schedule a review of the register at least annually, or whenever there is a significant change in your business context.
- Document evidence of effectiveness reviews for completed actions.
- Include risks and opportunities as a standing agenda item in management review meetings.
Getting Expert Help With Clause 6.1
Clause 6.1 is one of those requirements that looks simple on paper but takes genuine thought and business knowledge to implement well. The difference between a risk register that satisfies an auditor and one that actually helps your business manage quality is significant.
If you are preparing for ISO 9001 certification and want to get Clause 6.1 right from the start, working with an experienced ISO consultant can save you considerable time and prevent costly nonconformances during your audit. The challenge is finding a consultant who understands your industry and will build a system that works for your business rather than a generic template.
That is exactly the problem CertBetter was built to solve. Submit one form and receive up to three competing quotes from vetted ISO consultants and certification bodies who have been assessed for experience and industry knowledge. The service is completely free for businesses seeking certification help, and it takes the guesswork out of finding someone you can actually trust.




