Risks and opportunities are important parts of ISO 9001, but they are also widely misunderstood.
Some organisations create a large risk register containing every possible problem they can imagine.
Others complete a simple SWOT analysis before the certification audit and rarely look at it again.
Some businesses treat risk-based thinking as the responsibility of the Quality Manager, while the people making operational, commercial and strategic decisions remain completely disconnected from it.
None of these approaches necessarily demonstrates that risks and opportunities are being managed effectively.
ISO 9001 does not require an organisation to eliminate every risk.
It also does not require one particular risk-management procedure, scoring system, matrix or register.
The organisation needs to understand the uncertainties that could affect its Quality Management System and take proportionate action to help achieve its intended results.
In simple words:
Risk-based thinking means considering what could prevent or help a process achieve its intended result and using that information when planning and controlling the process.
This guide explains what ISO 9001 means by risks and opportunities, how Clause 6.1 should be applied and how organisations can build risk-based thinking into their existing processes without creating unnecessary paperwork.
Building or reviewing an ISO 9001 Quality Management System?
Use the practical checklist to review Clauses 4 to 10, identify gaps and plan the next steps towards implementation or certification.
What is risk-based thinking in ISO 9001?
Risk-based thinking is a way of making decisions that considers uncertainty and its possible effect on results.
A process is rarely guaranteed to achieve its intended outcome.
Customer requirements may be incomplete.
A supplier may fail.
Equipment may break down.
Employees may leave.
Information may become outdated.
Demand may increase unexpectedly.
A new technology may create a better way of working.
Risk-based thinking asks the organisation to recognise these uncertainties and decide whether action is needed.
The objective is to:
- Increase confidence that the Quality Management System can achieve its intended results.
- Increase desirable effects.
- Prevent or reduce undesirable effects.
- Achieve improvement.
Risk-based thinking should influence how processes are planned, operated, monitored and improved.
It is not intended to be a separate exercise completed once per year.
A well-designed Quality Management System applies different levels of control according to the significance of the risk.
A high-risk supplier, safety-critical component or complicated design process will normally require more control than a routine low-risk purchase.
This connects risk-based thinking with the process approach explained in the guide to ISO 9001 requirements and Clauses 4 to 10.
What is a risk?
Risk is commonly understood as the effect of uncertainty on an expected result.
In practical quality-management terms, a risk is something uncertain that could affect the organisation’s ability to meet requirements and achieve its objectives.
Examples include:
- Unclear customer requirements.
- Failure of a critical supplier.
- Inadequate employee competence.
- Equipment breakdown.
- Incorrect information.
- Design errors.
- Software failure.
- Poor change control.
- Incomplete inspections.
- Loss of organisational knowledge.
- Supply-chain disruption.
- Late delivery.
- Repeated defects.
- Uncontrolled outsourced processes.
A risk is not necessarily an event that has already happened.
If a supplier has already delivered defective material, that is an existing problem or nonconformity.
The risk may be that the same supplier failure could happen again, affect other orders or reach the customer without being detected.
Existing problems should be controlled through the organisation’s arrangements for nonconformity and corrective action.
What is an opportunity?
An opportunity is a circumstance that could lead to a desirable result or improvement.
Examples include:
- Automating a repetitive verification.
- Introducing digital inspection records.
- Standardising frequently used templates.
- Improving collaboration with key suppliers.
- Simplifying an approval process.
- Training employees in additional skills.
- Introducing earlier design reviews.
- Using performance data to identify recurring failures.
- Improving customer communication.
- Adopting more reliable monitoring technology.
- Sharing lessons between projects.
- Entering a new market.
- Reducing unnecessary process stages.
An opportunity is not simply the opposite wording of a risk.
For example:
Risk: A key supplier may fail to deliver a critical component on time.
Opportunity: Develop a second qualified source and improve supply resilience.
The second qualified source is not merely a positive version of the original risk.
It is a potential improvement that may reduce dependency and create additional business benefits.
Risks and opportunities should both be connected to the organisation’s context, objectives and processes.
What does ISO 9001 Clause 6.1 require?
Clause 6.1 requires the organisation to consider the issues and requirements identified when understanding its context and interested parties.
It must then determine the risks and opportunities that need to be addressed to:
- Give assurance that the QMS can achieve its intended results.
- Increase desirable effects.
- Prevent or reduce undesirable effects.
- Achieve improvement.
The organisation must plan:
- Actions to address the selected risks and opportunities.
- How those actions will be integrated into QMS processes.
- How the effectiveness of the actions will be evaluated.
The actions should be proportionate to the potential effect on the conformity of products and services.
That last point is important.
ISO 9001 does not expect every risk to receive the same treatment.
The response to an uncertain minor administrative issue should not necessarily be the same as the response to a risk affecting a critical product, statutory requirement or important customer.
Risk-based thinking is not limited to Clause 6.1
Although risks and opportunities are explicitly addressed in Clause 6.1, risk-based thinking appears throughout the Quality Management System.
Context and interested parties
The organisation needs to understand the internal and external issues and interested-party requirements that could affect its QMS.
QMS processes
Processes need suitable controls, responsibilities, resources, measures and improvement arrangements. These should reflect the associated risks.
Leadership
Top management should ensure that risks and opportunities affecting product and service conformity are identified and addressed.
Risk ownership should not automatically be transferred to the Quality Manager.
Quality objectives
Risks may affect whether objectives can be achieved. Opportunities may help the organisation improve performance or reach objectives more efficiently.
Planning changes
Changes should be planned so that potential consequences, resources and QMS integrity are considered.
Resources and competence
The organisation should consider the risks created by insufficient resources, competence gaps, outdated technology or loss of organisational knowledge.
Operational control
The level of control should reflect the complexity and consequences of the work.
Design and development
Design planning, reviews, verification, validation and change control should consider the consequences of failure.
External providers
Supplier and subcontractor controls should reflect the potential effect of the externally provided product, service or process.
Release
Products and services should not be released until planned verification has been completed.
Internal audits
Audit programmes should consider process importance, changes and previous results. Higher-risk or poorly performing areas may require greater audit attention.
Management review
Management review should consider the effectiveness of actions taken to address risks and opportunities.
Corrective action
When a nonconformity occurs, the organisation may need to update risks and opportunities identified during planning.
A structured Root Cause Analysis can help determine why an important control failed and whether similar risks exist elsewhere.
Continual improvement
Performance data, audit findings, complaints and nonconformities can reveal new risks and improvement opportunities.
This is why risk-based thinking cannot be meaningfully audited as one isolated activity.
The auditor should be able to follow risks and opportunities into the organisation’s decisions, controls and results.
Does ISO 9001 require a risk register?
No.
ISO 9001 does not require every organisation to maintain a document called a risk register.
It also does not prescribe:
- A risk-management procedure.
- A probability-and-impact matrix.
- A particular scoring system.
- Formal risk owners.
- A separate register for every process.
- The use of ISO 31000.
- Failure Mode and Effects Analysis.
- SWOT or PESTLE analysis.
The organisation needs evidence that relevant risks and opportunities have been determined and addressed.
A register can be extremely useful, especially where several actions, responsibilities and review dates need to be controlled.
However, it is a tool—not the requirement itself.
A small company may address risks through:
- Business planning.
- Process reviews.
- Project meetings.
- Contract reviews.
- Supplier evaluations.
- Internal audits.
- Action trackers.
- Management review.
- A simple combined register.
A larger or higher-risk organisation may need:
- Strategic risk registers.
- Process-level assessments.
- Project risk registers.
- Supplier risk classifications.
- Design-risk reviews.
- Formal scoring criteria.
- Software-based action tracking.
- Specialist risk methods.
The appropriate approach depends on the organisation’s size, activities, complexity, context and potential consequences of failure.
A beautifully formatted register does not demonstrate effective risk-based thinking if the listed actions are not implemented.
How to apply risk-based thinking
A practical risk-based-thinking process can be completed through six connected stages.
1. Understand the context
Begin with what the organisation and its processes are trying to achieve.
Consider:
- Products and services.
- Customer requirements.
- Applicable legislation.
- Interested-party requirements.
- Business objectives.
- QMS objectives.
- Process inputs and outputs.
- Process interactions.
- Available resources.
- Previous performance.
- Internal and external issues.
- Planned changes.
A risk makes sense only in relation to an objective or intended result.
For example:
The supplier may be late.
This is incomplete.
A clearer statement is:
There is a risk that the only approved supplier of the specified component may deliver after the required production date, preventing the organisation from meeting the customer’s agreed completion date.
This statement connects uncertainty with a specific result.
2. Identify uncertainties
Ask what could prevent the intended result and what could help the process perform better.
Sources of information include:
- Customer feedback.
- Complaints.
- Audit findings.
- Nonconformities.
- Supplier performance.
- Process data.
- Employee experience.
- Lessons learned.
- Industry changes.
- New legislation.
- Technology developments.
- Competitor activity.
- Market conditions.
- Business-continuity reviews.
- Project reviews.
- Management meetings.
Questions may include:
- What could go wrong?
- What has gone wrong previously?
- What could change?
- Where do we depend on one person, supplier or system?
- Which information could be incorrect or late?
- Which controls could fail?
- What work cannot be inspected later?
- What assumptions are we making?
- Where could a problem reach the customer?
- What could improve speed, consistency or customer satisfaction?
Avoid identifying risks in isolation without speaking to the people who operate the process.
They often understand practical weaknesses that are invisible in high-level management documents.
3. Evaluate significance
Not every identified issue needs a formal action.
Evaluate whether the risk is significant enough to require additional control.
A simple evaluation may consider:
- Likelihood.
- Potential impact.
- Existing controls.
- Detectability.
- Speed of onset.
- Extent of possible consequences.
- Legal or contractual implications.
- Customer effect.
- Cost and programme effect.
A common approach is to score likelihood and impact.
For example:
Likelihood:
- Rare.
- Unlikely.
- Possible.
- Likely.
- Almost certain.
Impact:
- Insignificant.
- Minor.
- Moderate.
- Major.
- Severe.
The organisation may multiply likelihood by impact to produce a score.
However, risk scoring should support judgement rather than replace it.
A low-likelihood failure with catastrophic consequences may still require strong controls.
Similarly, two managers may give the same risk different numerical scores. Discussion and evidence are more important than pretending the number is scientifically precise.
Existing controls should also be considered.
The initial or inherent risk is the exposure before controls.
The residual risk is what remains after current controls are applied.
If the residual risk remains unacceptable, additional action may be needed.
4. Plan proportionate action
Possible responses to a risk include:
Avoid
Stop or change the activity so the exposure no longer exists.
Example: Do not use a supplier that cannot demonstrate the required technical capability.
Reduce
Introduce controls that lower the likelihood or consequence.
Example: Add technical verification before a purchase order is released.
Share or transfer
Allocate some consequences or responsibilities through insurance, contractual arrangements or specialist providers.
Responsibility for meeting customer and ISO 9001 requirements cannot simply be transferred away.
Accept
Take no additional action because the remaining exposure is understood and considered acceptable.
Acceptance should be a conscious decision, not the result of ignoring the issue.
Prepare a contingency
Plan what will happen if the risk occurs.
Example: Identify an alternative testing laboratory if the primary laboratory becomes unavailable.
Pursue an opportunity
Invest resources to achieve a potential benefit.
Example: Introduce digital inspections to improve traceability and identify incomplete records earlier.
Experiment or pilot
Test an opportunity on a limited scale before wider implementation.
Example: Trial a standardised digital ITP on one project before adopting it across the business.
5. Integrate the action into the process
A risk action should not remain only in the risk register.
It needs to become part of the process.
Integration may involve:
- Assigning responsibility.
- Updating process criteria.
- Revising a procedure.
- Changing a software workflow.
- Adding an approval stage.
- Introducing an inspection.
- Improving purchasing information.
- Changing supplier controls.
- Adding competence requirements.
- Introducing monitoring.
- Updating contingency arrangements.
- Allocating resources.
- Revising project programmes.
- Updating quality objectives.
For example, if an organisation identifies a risk that obsolete drawings could be used, the action should influence the actual document-control and distribution process.
Simply recording “ensure current drawings are used” in a risk register adds very little value.
6. Review effectiveness
The organisation needs to evaluate whether the action worked.
This could involve:
- Monitoring process performance.
- Reviewing complaints.
- Sampling records.
- Conducting an internal audit.
- Checking inspection results.
- Reviewing supplier data.
- Monitoring recurring NCRs.
- Evaluating customer feedback.
- Reviewing achievement of objectives.
- Checking whether the risk occurred.
- Checking whether the opportunity delivered the expected benefit.
An action can be completed without being effective.
For example, an organisation may introduce a new supplier checklist.
If purchasers continue selecting suppliers based only on price, the checklist has not changed the actual process.
The review may lead to:
- Closing the action.
- Maintaining the existing control.
- Adding another control.
- Changing the treatment.
- Reassessing the risk.
- Updating the process.
- Identifying a new opportunity.
Examples of quality risks
Customer and contract risks
- Requirements are incomplete or misunderstood.
- Delivery dates are unrealistic.
- Contract changes are not communicated.
- Customer expectations are not translated into process controls.
Design risks
- Inputs are incomplete.
- Interfaces are not coordinated.
- Reviews occur too late.
- Design changes are not controlled.
- Verification or validation is inadequate.
Supplier risks
- The supplier lacks technical capability.
- A critical component has only one source.
- Certificates or traceability records are incomplete.
- Supplier changes are not communicated.
- Poor performance is not detected early.
People risks
- Competence requirements are unclear.
- Experienced employees leave.
- Responsibilities overlap or remain unassigned.
- Workload increases the likelihood of error.
- Temporary workers do not understand the process.
Information risks
- Outdated documents remain available.
- Customer data is entered incorrectly.
- Electronic records are lost.
- Software permissions allow unauthorised changes.
- Important information is communicated informally.
Operational risks
- Equipment breaks down.
- Inspection stages are skipped.
- Measuring equipment is unsuitable.
- Products are released without verification.
- Process changes are introduced without review.
- Nonconforming outputs are mixed with acceptable products.
Performance risks
- Data is inaccurate.
- Measures do not reflect actual performance.
- Complaints are not analysed.
- Corrective actions are closed without effectiveness review.
- Management does not act on poor results.
Examples of quality opportunities
Opportunities may include:
- Digital inspections and automatic record checks.
- Standardised procedures and templates.
- Earlier customer involvement.
- Better supplier collaboration.
- Alternative qualified suppliers.
- Improved employee cross-training.
- Automated document approval.
- Data dashboards that reveal trends.
- Simplified workflows.
- Earlier design coordination.
- Remote inspections where appropriate.
- Improved lessons-learned processes.
- Modular or standard designs.
- Predictive maintenance.
- Improved customer-feedback methods.
Opportunities should be evaluated realistically.
Not every new technology or improvement idea should be pursued.
Consider:
- Expected benefit.
- Required resources.
- Implementation risks.
- Competence needs.
- Effect on existing processes.
- Customer impact.
- Time required.
- How success will be measured.
Construction example: concrete-pour risk review
Consider a construction team preparing for a structural concrete pour.
The intended result is:
Concrete placed in the correct location, using the approved mix, in accordance with the drawings and specification, with complete inspection and testing evidence.
Possible risks include:
- The latest reinforcement drawing is not available.
- The concrete mix ordered differs from the approved mix.
- Embedded items are missing or incorrectly positioned.
- Required Hold Points are not released.
- The concrete pump is unavailable.
- Weather affects placement or curing.
- Testing equipment is not calibrated.
- The testing technician is unavailable.
- Access prevents proper placement.
- Concrete delivery times exceed acceptable limits.
- Inspection records are incomplete.
- Handover evidence cannot be traced to the pour.
Possible opportunities include:
- Using a digital pre-pour checklist.
- Linking the concrete order directly to the approved mix register.
- Reviewing embedded-item coordination using the model.
- Inviting the Client through an automatic inspection notification.
- Capturing photographs against the pour location.
- Using a live delivery tracker.
- Compiling handover records immediately after the pour.
- Analysing testing results across several pours.
Risk-based actions might include:
- Confirming current drawings before the pre-pour inspection.
- Introducing a technical check of the concrete order.
- Holding a coordination inspection for embedded items.
- Confirming laboratory and technician availability.
- Checking calibration before the activity.
- Preparing weather and equipment contingencies.
- Assigning responsibility for progressive handover records.
These actions should be reflected in the Method Statement, programme, procurement process and Inspection and Test Plan.
They should not exist only in a separate risk spreadsheet.
For more industry-specific guidance, see ISO 9001 for construction companies and the Construction Quality Management Hub.
Need practical construction quality documents?
The Construction Quality Pack includes an ITP, NCR form, NCR register, corrective-action report, audit report, construction audit checklist, RFI template, Quality Policy and quality dashboard.
Other practical risks and opportunities examples
Small consultancy
Risk: One senior consultant holds most of the technical knowledge required for a key service.
Possible consequences:
- Work cannot be completed during absence.
- Reviews are delayed.
- Knowledge is lost if the consultant leaves.
Actions:
- Document critical technical knowledge.
- Cross-train another employee.
- Introduce peer review.
- Establish secure access to technical references.
Opportunity: Create a standard review checklist and shared knowledge base that improves consistency across all consultants.
Manufacturing company
Risk: A critical measuring instrument may produce inaccurate results between calibration dates.
Actions:
- Review measurement risk and stability.
- Introduce intermediate verification.
- Use a reference standard.
- Define action when verification fails.
- Assess whether previous results may have been affected.
Opportunity: Introduce automated measurement capture to reduce transcription errors and improve trend analysis.
Service business
Risk: Customer requirements recorded during a telephone conversation may not be transferred accurately into the service order.
Actions:
- Send customers a written confirmation.
- Use a structured requirements form.
- Require review before accepting the order.
- Control later changes.
Opportunity: Introduce an online customer portal that improves requirement capture and provides a complete communication record.
Supplier-management example
Risk: A subcontractor is approved once but its performance is not monitored.
Possible consequences:
- Repeated defects.
- Late delivery.
- Incomplete records.
- Increased rework.
- Customer dissatisfaction.
Actions:
- Define performance measures.
- Review NCRs, delivery and responsiveness.
- Introduce risk-based re-evaluation.
- Increase verification for poorly performing suppliers.
- Suspend approval where necessary.
Opportunity: Work collaboratively with important suppliers to standardise technical submissions and identify problems earlier.
How to write a useful risk statement
Weak risk statement:
Supplier failure.
Stronger risk statement:
There is a risk that the only approved supplier of the specified façade component may not meet the procurement programme, which could delay installation and the building-weatherproofing milestone.
A useful risk statement normally identifies:
- The uncertain event or condition.
- The reason or source.
- The result that may be affected.
- The possible consequence.
A simple structure is:
There is a risk that [uncertain event] because of [source or condition], which could affect [objective or requirement] and result in [consequence].
Opportunity statements can follow a similar structure:
There is an opportunity to [improvement] by [action or change], which could improve [result or objective].
Practical risk and opportunity register
A simple register may contain:
- Reference number.
- Process or objective.
- Risk or opportunity statement.
- Source.
- Potential consequence or benefit.
- Existing controls.
- Likelihood.
- Impact.
- Current rating.
- Additional action required.
- Responsible person.
- Target date.
- Status.
- Evidence of completion.
- Residual rating.
- Review method.
- Effectiveness result.
- Next review date.
The organisation should include only fields that help it make and follow decisions.
A complicated register containing several scoring columns, colour codes and calculations may discourage people from using it.
Risk matrices: useful tool or false precision?
Risk matrices are useful for creating a consistent starting point.
They can help organisations:
- Compare issues.
- Prioritise action.
- Escalate significant risks.
- Communicate exposure.
- Review changes over time.
However, they have limitations.
Scores are based on judgement.
A risk rated 12 is not scientifically twice as serious as a risk rated 6.
A matrix can also hide important information when managers focus on the colour rather than the consequence.
Use the matrix as a decision-support tool.
Do not allow the score to overrule professional, technical, legal or customer considerations.
Risk-based thinking and internal audits
Internal audits should examine how risks and opportunities influence the process.
Useful audit questions include:
- What is this process expected to achieve?
- What could prevent it from achieving that result?
- How were significant risks identified?
- What controls were selected?
- Why are those controls considered proportionate?
- Which opportunities were considered?
- Who is responsible for the actions?
- Are actions integrated into the process?
- How is performance monitored?
- Has the risk changed?
- Did the actions work?
- Have complaints, failures or changes created new risks?
An auditor should not automatically raise a nonconformity because the organisation does not have a traditional risk register.
The auditor should evaluate whether risk-based thinking is evident within the process and whether the requirements of the QMS are being achieved.
The ISO 9001 internal audit guide and checklist explains how to follow audit trails, collect evidence and report findings.
Construction organisations can also use construction quality audits to review project-level risks involving documents, subcontractors, inspections, NCRs and handover records.
Common mistakes with ISO 9001 risks and opportunities
Creating a register only for the auditor
The register should support decisions, not become audit decoration.
Identifying generic risks
Statements such as “competition,” “staff shortages” or “supplier failure” need context and consequences.
Recording risks without actions
If a significant risk requires additional control, the action needs an owner, deadline and follow-up.
Treating every risk equally
Resources should focus on issues with the greatest potential effect.
Using scoring without evidence
A precise-looking number does not make an unsupported assessment reliable.
Ignoring existing controls
The organisation should understand what already reduces the exposure and whether those controls work.
Failing to integrate actions
Risk controls need to become part of the operational process.
Confusing problems with risks
An event that has already occurred may require correction and corrective action. The future uncertainty created by that event may also need to be assessed as a risk.
Ignoring opportunities
Some registers contain hundreds of negative risks and no meaningful opportunities.
Making the Quality Manager responsible for every action
Risks should normally be owned by the people responsible for the affected processes.
Never reviewing the register
Risks and opportunities change as customers, suppliers, technology, employees and business conditions change.
Treating low-scored risks as automatically acceptable
A low-likelihood event may still need control where consequences are severe or requirements are mandatory.
How often should risks and opportunities be reviewed?
ISO 9001 does not prescribe one review frequency.
Review should be based on the nature of the process and the speed at which conditions change.
Reviews may be triggered by:
- Management review.
- Process-performance meetings.
- Contract acceptance.
- New projects.
- Design changes.
- New products or services.
- Supplier changes.
- Organisational restructuring.
- New software.
- Complaints.
- Nonconformities.
- Internal audits.
- Changes in legislation.
- Changes in customer requirements.
- Significant external events.
A stable process may need periodic review.
A rapidly changing or poorly performing process may need much more frequent attention.
The results should also be connected with relevant quality metrics and performance information.
Risk-based thinking for small businesses
A small business does not need to reproduce the risk-management system of an international company.
A practical approach might include:
- Identify the main business and QMS processes.
- Define what each process should achieve.
- Ask what could prevent or improve the result.
- Record only the significant issues.
- Assign practical actions.
- Review actions during normal management meetings.
- Update the assessment when something changes.
The process can be maintained in one straightforward spreadsheet.
The important point is that the identified actions influence how the business operates.
For organisations starting from the beginning, the guide on how to implement ISO 9001 step by step explains how risk-based thinking fits into the wider implementation process.
ISO 9001:2026 and risk-based thinking
ISO 9001:2015 remains the current published edition, including Amendment 1:2024.
A revised edition is expected in September 2026 and has reached the Final Draft International Standard stage.
Until the final Standard is published, organisations should avoid changing their risk processes based on unofficial lists of new requirements.
The sensible approach is to make sure the current arrangements are effective:
- Risks and opportunities are connected to context and processes.
- Actions are proportionate.
- Responsibilities are assigned.
- Controls are integrated.
- Results are monitored.
- Lessons are used to update the system.
The ISO 9001:2026 revision guide explains the current status and how organisations can prepare without rewriting their systems prematurely.
Frequently asked questions
What does ISO 9001 mean by risks and opportunities?
Risks and opportunities are uncertainties that could affect the QMS and its intended results. Risks may create undesirable effects, while opportunities may support desirable results or improvement.
Does ISO 9001 require a risk register?
No. A register can be useful, but ISO 9001 does not prescribe one particular document, format or risk-management method.
Does ISO 9001 require a risk-management procedure?
No. The organisation needs to determine and address relevant risks and opportunities, integrate actions into its processes and evaluate effectiveness. It does not have to create a separate procedure unless it decides one is necessary.
Does every identified risk need an action?
No. The organisation should decide which risks and opportunities need to be addressed. Existing controls may already reduce some risks to an acceptable level.
Does every risk need a numerical score?
No. Risks can be assessed qualitatively or quantitatively. The method should be appropriate to the organisation and potential consequences.
What is the difference between a risk and a nonconformity?
A risk is uncertainty about a future result. A nonconformity is a requirement that has not been met. A nonconformity may reveal risks that were not previously identified or adequately controlled.
What is the difference between a risk and an opportunity?
A risk may prevent or reduce achievement of an intended result. An opportunity may increase desirable effects or lead to improvement. They may be related, but an opportunity is not always the positive wording of a risk.
Who should own quality risks?
The people responsible for the affected processes should normally own the associated risks and actions. The Quality Manager may coordinate the system but should not automatically own every business and operational risk.
How can an auditor verify risk-based thinking?
An auditor can follow how the organisation identifies uncertainty, selects controls, assigns actions, operates processes, monitors results and responds to change or failure. A risk register alone is not sufficient evidence.
How do you evaluate whether a risk action was effective?
Review process results, complaints, audit findings, inspections, supplier performance, objectives or other relevant evidence to determine whether the action reduced uncertainty or achieved the expected benefit.
Final thoughts
Risk-based thinking should help an organisation make better decisions.
It should not create a separate management system made entirely from spreadsheets, scores and coloured boxes.
Start with the result the organisation or process needs to achieve.
Identify what could prevent or support that result.
Evaluate what matters.
Take action proportionate to the potential effect.
Build the action into the process.
Then monitor whether it worked.
A useful risk register can support that process, but it cannot replace it.
At the end of the day, the strongest evidence of risk-based thinking is not a perfect spreadsheet.
It is a Quality Management System that anticipates significant problems, responds intelligently to change and consistently improves its ability to meet requirements.