This post is part of our practical series on ISO 9001 certification for SMEs — a step-by-step guide for small and medium-sized businesses navigating the certification process without bureaucratic overhead. You’ve already covered the quality policy and quality objectives. Now ISO 9001 asks you to do something that most SMEs find abstract at first: think systematically about what could go wrong — and what could go better. That’s Clause 6.1 in a nutshell.
The good news: you don’t need a complex risk management system. You need a practical process that your team will actually use.
What ISO 9001 Actually Requires (Clause 6.1)
ISO 9001:2015 Clause 6.1 requires your organization to:
- Identify risks and opportunities relevant to your QMS and business context
- Plan actions to address them
- Integrate these actions into your QMS processes
- Evaluate their effectiveness
Importantly, the standard does not require a formal risk register, a specific methodology, or documented risk scores. It requires evidence that you’ve thought about it and acted on it.
Two Levels of Risk ISO 9001 Addresses
One thing that trips up many SMEs: ISO 9001 actually addresses risks at two distinct levels, covered by different clauses. Understanding this distinction helps you build a risk approach that is both complete and proportionate.
Level 1 — Business and Strategic Risks (Clause 6.1)
These are organization-wide risks that affect whether your QMS can achieve its intended outcomes. They stem directly from your business context (Clause 4.1) and the requirements of interested parties (Clause 4.2). Examples include: market shifts, regulatory changes, dependency on key personnel, strategic supplier failure, or new competitive threats. This is where your SWOT analysis lives, and where top management needs to be actively involved.
Level 2 — Process-Inherent Risks (Clause 4.4 and Clause 8.1)
These are risks within specific operational processes — the things that can go wrong in how you actually deliver your products or services. ISO 9001 Clause 4.4 requires you to address risks when designing and managing your processes. Clause 8.1 extends this to operational planning.
The most effective approach here is process-by-process: go through each of your relevant processes and ask, “What could go wrong here, and what would the impact be?” This is where ISO 9001’s process orientation pays off — because you already have a defined process landscape, you can systematically walk through it as a risk checklist.
| Process | Risk Example | Potential Impact |
|---|---|---|
| Order intake | Customer requirements misunderstood or not documented | Rework, complaints, delivery delays |
| Procurement | Single-source supplier fails or delivers late | Production stop, missed delivery commitments |
| Production / Service delivery | Untrained operator performs critical step | Non-conforming product, warranty costs |
| Quality inspection | Inspection step skipped under time pressure | Defective product reaches customer |
| Complaint handling | Root cause not identified, issue recurs | Customer dissatisfaction, repeat nonconformities |
For processes with high criticality or complexity — for example, a core production step or a safety-relevant inspection — a structured FMEA (Failure Mode and Effects Analysis) may be appropriate. FMEA goes deeper than a standard risk register: it systematically identifies every possible failure mode in a process step, evaluates severity, probability, and detectability, and prioritizes which failure modes need preventive action first. ISO 9001 does not mandate FMEA, but it is a recognised and audit-friendly tool when process complexity justifies it.
In practice, both levels feed into the same risk register — but the inputs come from different sources. Business risks lead to strategic decisions and updated quality objectives. Process risks lead to updated work instructions, additional controls, or changed process flows.

Step 1: Identify Your Risks and Opportunities
Start with a simple SWOT analysis — most SMEs already know how to do one. Map the results directly to your QMS:
| SWOT Element | ISO 9001 Lens | Example (SME) |
|---|---|---|
| Strength | Opportunity | Loyal customer base → upsell services |
| Weakness | Risk | One key person knows all processes → knowledge loss risk |
| Opportunity | Opportunity | New regulation creates demand for certified suppliers |
| Threat | Risk | Key supplier could fail → delivery bottleneck |
Involve your team leads in this step. They know where the real pain points are.
Step 2: Assess and Prioritize
For each identified risk, assess two dimensions:
- Probability: How likely is it? (Low / Medium / High)
- Impact: If it happens, how bad? (Low / Medium / High)
A simple 3×3 matrix is enough for most SMEs. High probability + high impact = act immediately. Low probability + low impact = monitor only. Everything else falls in between.
No elaborate software required — a shared Excel sheet or even a one-page table in your quality manual works fine.

Step 3: Plan Actions
For each significant risk or opportunity, define:
- What action will you take? (Avoid, reduce, accept, or transfer the risk)
- Who is responsible?
- By when?
- How will you know it worked?
These actions should feed directly into your quality objectives or process descriptions — not live in a separate document that no one reads.
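To make Steps 2 and 3 concrete, here is an added example that is not part of the original post or of Sternberg Consulting's own templates. It models the minimal risk register from this guide as a small data structure, applies the 3×3 matrix rule from Step 2, flags register rows that list a risk without an action, owner or due date (the first common mistake below), and ranks FMEA failure modes from the Level 2 section. The sample register rows and failure modes are constructed for illustration, and the FMEA priority is computed as severity × occurrence × detection (the conventional Risk Priority Number used in FMEA practice; ISO 9001 itself prescribes no scoring), so the scale and numbers are assumptions of this example.

```python
"""Minimal ISO 9001 risk register helper.

Added illustration, not code from the original post. The 3x3 mapping,
the RPN convention and all sample rows are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class RegisterEntry:
    """One row of the minimal register (same columns as the template)."""
    name: str
    category: str            # "Risk" or "Opportunity"
    probability: str         # Low / Medium / High
    impact: str              # Low / Medium / High
    action: Optional[str] = None
    owner: Optional[str] = None
    due: Optional[str] = None
    status: str = "Planned"


def priority(probability: str, impact: str) -> str:
    """Step 2 rule: High+High = act immediately, Low+Low = monitor only,
    everything else needs a planned action."""
    p, i = LEVELS[probability], LEVELS[impact]
    if p == 3 and i == 3:
        return "Act immediately"
    if p == 1 and i == 1:
        return "Monitor only"
    return "Plan action"


def register_gaps(entries: List[RegisterEntry]) -> List[Tuple[str, List[str]]]:
    """Step 3 check: a risk without action, owner and due date is not a
    planned response. Returns (name, missing_fields) for incomplete rows."""
    gaps = []
    for e in entries:
        missing = [f for f in ("action", "owner", "due") if not getattr(e, f)]
        if missing:
            gaps.append((e.name, missing))
    return gaps


def prioritized(entries: List[RegisterEntry]) -> List[Tuple[str, str]]:
    """Register names with their matrix priority, most urgent first."""
    order = {"Act immediately": 0, "Plan action": 1, "Monitor only": 2}
    rows = [(e.name, priority(e.probability, e.impact)) for e in entries]
    return sorted(rows, key=lambda r: order[r[1]])


@dataclass
class FailureMode:
    """One FMEA line for a critical process step (scores 1-10, constructed)."""
    step: str
    mode: str
    severity: int     # how bad the effect is
    occurrence: int   # how often the cause occurs
    detection: int    # higher = harder to detect before it reaches the customer


def rpn(fm: FailureMode) -> int:
    """Conventional FMEA Risk Priority Number (assumption: S x O x D)."""
    return fm.severity * fm.occurrence * fm.detection


def rank_failure_modes(modes: List[FailureMode]) -> List[Tuple[str, int]]:
    """Failure modes ordered by RPN so preventive action goes to the top item."""
    return [(fm.mode, rpn(fm)) for fm in sorted(modes, key=rpn, reverse=True)]


# Constructed sample register: two rows from the template plus two extra rows.
SAMPLE_REGISTER = [
    RegisterEntry("Key employee leaves", "Risk", "Medium", "High",
                  "Document critical processes", "QM Manager", "Q2 2026", "In progress"),
    RegisterEntry("New ISO regulation drives demand", "Opportunity", "High", "High",
                  "Develop new service offering", "Sales", "Q3 2026", "Planned"),
    RegisterEntry("Key supplier could fail", "Risk", "High", "High"),      # no response yet
    RegisterEntry("Office printer outage", "Risk", "Low", "Low",
                  "Monitor", "Admin", "Q4 2026"),
]

# Constructed FMEA lines based on the process risk examples above.
SAMPLE_FMEA = [
    FailureMode("Final inspection", "Inspection step skipped under time pressure", 8, 4, 6),
    FailureMode("Order intake", "Customer requirements not documented", 6, 5, 3),
    FailureMode("Procurement", "Single-source supplier delivers late", 7, 3, 2),
]

if __name__ == "__main__":
    for name, prio in prioritized(SAMPLE_REGISTER):
        print(f"{prio:16} {name}")
    for name, missing in register_gaps(SAMPLE_REGISTER):
        print(f"INCOMPLETE: {name} is missing {', '.join(missing)}")
    for mode, score in rank_failure_modes(SAMPLE_FMEA):
        print(f"RPN {score:4d}  {mode}")
```

Running the script prints the register in order of urgency, reports the supplier row as incomplete because it has no action, owner or due date, and puts the skipped inspection step at the top of the FMEA ranking. The gap check is the part worth keeping in a real register: it is exactly what an auditor tests when asking for an example of a risk and what was done about it.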
Common Mistakes SMEs Make
- Listing risks without actions: A risk register that just identifies risks without planned responses won’t satisfy an auditor.
- Confusing operational risks with strategic ones: ISO 9001 is about QMS risks — things that affect your ability to deliver conforming products and satisfied customers.
- Treating it as a one-time exercise: Risks change. Review your risk assessment at least annually, or when significant changes occur.
- Overcomplicating it: A 5-page Excel sheet with 47 risks that no one maintains is worse than a focused list of 8-10 real risks with clear owners.
What the Auditor Will Look For
During your certification audit, expect questions like:
- “How do you identify risks in your QMS?”
- “Can you show me an example of a risk you identified and what you did about it?”
- “How do you know if your actions were effective?”
You need real examples with evidence — a meeting minute, an updated process, a supplier evaluation change. Not just a completed template.
Practical Template for SMEs
A minimal risk register for ISO 9001 needs only these columns:
| Risk/Opportunity | Category | Probability | Impact | Action | Owner | Due | Status |
|---|---|---|---|---|---|---|---|
| Key employee leaves | Risk | Medium | High | Document critical processes | QM Manager | Q2 2026 | In progress |
| New ISO regulation drives demand | Opportunity | High | High | Develop new service offering | Sales | Q3 2026 | Planned |

Where This Fits in Your Certification Journey
Risks and opportunities planning is part of the Planning phase (Clause 6) — it builds directly on the context analysis (Clause 4) and feeds into your quality objectives (Clause 6.2). Once you’ve completed this step, you’re ready to move into the Support phase: defining your processes, competence requirements, and documented information.
This is part of our practical series on ISO 9001 certification for SMEs. Previous posts covered the quality policy and quality objectives. Next up: defining and documenting your core processes.
How We Implement This for Your Business
Risk and opportunity management sounds straightforward in theory — but in practice, most SMEs either over-engineer it into a compliance exercise no one uses, or skip it entirely. At Sternberg Consulting, we work through both levels of risk with you. For business and strategic risks, we look at your market, your context, and your key dependencies. For process-inherent risks, we take a close look at each of your relevant processes — where the real failure points are, what the actual impact would be, and what a proportionate mitigation looks like. Where a process is complex or safety-critical, we perform a structured FMEA to identify and prioritize failure modes before they become nonconformities. We then support implementation: updating process descriptions, adding controls, building the evidence trail your auditor will expect. The result is a risk approach that is genuinely embedded in how you operate, not a document that gets dusted off once a year. Get in touch to discuss how this fits into your certification project.
Frequently Asked Questions
Do I need a formal risk register for ISO 9001?
No. ISO 9001 does not require a specific format or tool. You need to demonstrate that you’ve identified, assessed, and acted on relevant risks and opportunities. A simple table or even a documented SWOT discussion is sufficient.
What’s the difference between risk-based thinking and a risk management system?
Risk-based thinking (ISO 9001 Clause 6.1) is a mindset embedded in your QMS — it means you proactively consider what could prevent you from achieving quality objectives. A formal risk management system (like ISO 31000) goes much further. ISO 9001 only requires the former.
How often should we review our risk assessment?
At minimum, once a year — typically as part of your management review. Also review when significant changes occur: new products, key personnel changes, new suppliers, or market shifts.
Can opportunities be included alongside risks?
Yes, and they should be. ISO 9001 explicitly requires you to address both risks and opportunities. Opportunities might include market changes, new technologies, or process improvements that could enhance customer satisfaction.
About the Author
Jonathan Sternberg is a certified internal auditor and external quality management representative with experience in automotive, semiconductor, laser optics, and medical technology. With Sternberg Consulting, he supports small and medium-sized enterprises in the DACH region in implementing ISO 9001, ISO 14001, ISO 45001, and ISO 13485. As a BAFA-approved consultant, he also supports funding applications. Contact us for a non-binding initial consultation.
Jonathan Sternberg, founder of Sternberg Consulting, brings extensive experience from the automotive, semiconductor, and optical industries. He focuses on customized solutions and genuine collaboration in quality management.