Risk management in ISO 9001 without drowning in bureaucracy

ISO 9001:2015 replaced "preventive actions" from the 2008 version with "risk-based thinking." Many companies interpreted this as needing a full ERM system. Not so. Clause 6.1 requires identifying risks relevant to QMS objectives and acting on them.

What clause 6.1 actually requires

Two sub-requirements:

6.1.1 Determine risks and opportunities to address
6.1.2 Plan actions to address them and integrate into the QMS

The standard doesn't require a probability-vs-impact matrix, ERM software, or a specific methodology. It requires evidence that risks are identified and actions planned.

Three useful risk levels

For an industrial SMB, three levels cover 90% of what's auditable:

Strategic QMS risks. Loss of certification, loss of key customer, regulatory change.
Process risks. Production errors, delivery delays, critical-equipment failure.
Compliance risks. Applicable regulations, Tier 1 customer requirements, environmental compliance.

Don't mix levels. A process risk escalated to management review becomes noise.

Minimum viable matrix

Recommended columns:

Risk	Context	Probability	Impact	Action	Owner	Date
Turnover > 20% in production	Cl. 4.1	High	High	Retention plan H1	HR	2026-03-31
CNC press failure	Cl. 7.1.3	Medium	High	Maintenance plan	Maintenance	2026-02-15

Probability and impact can be qualitative (high/medium/low). The auditor doesn't require a numeric scale; they require consistency.

Opportunities: the forgotten side

The clause also requires identifying opportunities. Typical examples:

New export market opened by IATF certification
Automation that cuts cost of poor quality
Additional certification (ISO 14001) enabling more bids

A matrix listing only threats is incomplete.

Integration with other QMS elements

Clause 6.1.2 requires integrating actions into the QMS. It's not a parallel list. Risks must appear in:

Quality objectives (6.2)
Operational controls (8.1)
Performance indicators (9.1)
Corrective actions and improvement (10.2)

If the matrix lives in a standalone spreadsheet, integration fails.

Mistakes that cost findings

Copying matrices from other clients or consultancy templates
Updating only before the external audit
Not connecting the risk to a measurable indicator
Listing 200 risks instead of the 15 that actually move the business

What to do this week

Review your current risk matrix. When was the last update? How many risks have an overdue date with no closure? Do any appear as quality objectives? If any answer makes you uncomfortable, spend 90 minutes fixing those three points. Passing the audit is a consequence, not the goal.

What clause 6.1 actually requires

Two sub-requirements:

6.1.1 Determine risks and opportunities to address
6.1.2 Plan actions to address them and integrate into the QMS

The standard doesn't require a probability-vs-impact matrix, ERM software, or a specific methodology. It requires evidence that risks are identified and actions planned.

Three useful risk levels

For an industrial SMB, three levels cover 90% of what's auditable:

Strategic QMS risks. Loss of certification, loss of key customer, regulatory change.
Process risks. Production errors, delivery delays, critical-equipment failure.
Compliance risks. Applicable regulations, Tier 1 customer requirements, environmental compliance.

Don't mix levels. A process risk escalated to management review becomes noise.

Minimum viable matrix

Recommended columns:

Risk	Context	Probability	Impact	Action	Owner	Date
Turnover > 20% in production	Cl. 4.1	High	High	Retention plan H1	HR	2026-03-31
CNC press failure	Cl. 7.1.3	Medium	High	Maintenance plan	Maintenance	2026-02-15

Probability and impact can be qualitative (high/medium/low). The auditor doesn't require a numeric scale; they require consistency.

Opportunities: the forgotten side

The clause also requires identifying opportunities. Typical examples:

New export market opened by IATF certification
Automation that cuts cost of poor quality
Additional certification (ISO 14001) enabling more bids

A matrix listing only threats is incomplete.

Integration with other QMS elements

Clause 6.1.2 requires integrating actions into the QMS. It's not a parallel list. Risks must appear in:

Quality objectives (6.2)
Operational controls (8.1)
Performance indicators (9.1)
Corrective actions and improvement (10.2)

If the matrix lives in a standalone spreadsheet, integration fails.

Mistakes that cost findings

Copying matrices from other clients or consultancy templates
Updating only before the external audit
Not connecting the risk to a measurable indicator
Listing 200 risks instead of the 15 that actually move the business

Risk management in ISO 9001 without drowning in bureaucracy

What clause 6.1 actually requires

Three useful risk levels

Minimum viable matrix

Opportunities: the forgotten side

Integration with other QMS elements

Mistakes that cost findings

What to do this week

Keep reading

Process approach: from diagram to day-to-day

Operational control: from SOP to automated record

Clause 4: understand your organization's context

Risk management in ISO 9001 without drowning in bureaucracy

What clause 6.1 actually requires

Three useful risk levels

Minimum viable matrix

Opportunities: the forgotten side

Integration with other QMS elements

Mistakes that cost findings

What to do this week

Keep reading

Process approach: from diagram to day-to-day

Operational control: from SOP to automated record

Clause 4: understand your organization's context