All you need to know…Planning – Clause 6 of ISO 9001:2015



Risk Management: Identifying, Evaluating And Treating Risks

Clause 6 has a number of new requirements, but you’re already doing some of them. For example, if you have an estimating department, they are already practicing ‘risk management’. If you have project managers, they are following the path of a project and trying to anticipate what could go wrong. Letting Top Management in on this fact will help them meet their requirements for ‘…promoting the use of risk-based thinking and the process approach…’ (5.1.1 d). More importantly, your organization will be demonstrating that it is proactive in its approach to preventing non-conformances. You probably already know that the clause on preventive action (8.5.3 in ISO 9001:2008) has been removed. Your entire management system is your preventive action tool!

Other examples of managing risk could be your environmental aspect matrix, your OHS hazard identification, WHMIS training, supplier evaluations (supply chain management) and any other activities you engage in to prevent problems.

By identifying your internal issues, external issues and interested parties (4.1 and 4.2) you are demonstrating risk-based thinking, too. Even doing root cause analysis after a non-conformance (NC) demonstrates that you are considering various risks. In fact, if it’s not possible to completely eliminate the cause of the NC, you’ll probably make a statement something along the lines of ‘…lowering the risk to an acceptable level…’ or words to that effect.

The flip side of risk is ‘opportunity’. When most of us spot an opportunity we almost immediately calculate the risk. This happens constantly in our organizations when we assess the creditworthiness of a potential new client – will we have to add staff? New competencies? Larger work spaces? Normal production has risks associated with it, and we manage those every day. We’re doing a lot of risk-based thinking; we just may not always recognize it!

If you use Deming’s Plan-Do-Check-Act cycle as part of your processes, you’re demonstrating risk-based thinking. Pretty much any method you use to manage the process flows in your organization will fit the bill. Tie them into your interested parties and you’re good to go!

Quality Objectives

The other ‘new’ section of this clause is the beefing up of the action plan to hit targets. There isn’t a requirement to document the plan, but it sure makes it easier to monitor the results and review them at Management Review time (9.3). We’ll be talking about the new review requirements in clause 9, but this risk-based thinking idea has further implications. If you use the model in 6.2.2, you’ll be demonstrating the use of a solid framework for managing risk while trying to hit quality objectives – a fine bonus, indeed.

Managing Change

For the ‘Managing changes’ clause, you’re probably doing most of it already. Just be aware that change can happen anywhere, but it occurs in 5 major areas, often connected. Clause 6.3 talks about changes to the management system itself, at a very high level. Working our way down into the system, we may find that customers request a change in their order (8.2.4). This may result in a change to the design (8.3.6), which could lead to new requirements for suppliers (8.4.3) and even a new way of providing the process, product or service to our clients (8.5.6). Finally, some of these changes will mean updates to documented information (7.5).

Managing all these changes (rather than crossing our fingers and hoping for the best) is likely happening in your organization right now and you may not have to add anything. Or, this is a chance to tighten up this part of your organization for better results, and lower risk.



  1. adi on August 22, 2016 at 12:02 am

    Hi, thank you for this subject. Since preventive action is eliminated, how do we capture potential nonconformity? How do we capture risks and opportunities? How do we tie risks to interested parties? Please provide a documentation example on risk and opportunity? A bit confused on how we can achieve this. In clause 10.2 corrective action there is a requirement to determine situations where similar nonconformity exists or could potentially occur and update risks during planning if necessary? How do we achieve this? If you find during your root cause analysis that a similar nonconformity exists somewhere else or could potentially happen, what should you do?

    • Jim Moran on August 23, 2016 at 10:50 am

      Adi – this is a great question. The philosophy of this revision of the Standard is to think of your ENTIRE SYSTEM as your ‘preventive action’ tool. When we implement ‘risk-based thinking’ and ‘the process approach’ we are practicing ‘preventive action’. We are considering what could go wrong and then following the effects through the workflow. At this point, you can see if any potential issues will impact Interested Parties. It will, because one of those parties is your employee base! Shareholders will be impacted if the preventive action is not implemented and further NCs occur. You may even be violating a regulation, depending on the nature of your organization.

      When we assess the cause of an NC (for example using the Ishikawa Fishbone), we typically look for other similar situations so we can prevent them from happening in other places in our organization. This demonstrates risk-based thinking and proactive preventive action.

      As for documented examples, just google FMEA and you’ll see over 5 million hits showing how to use it, explaining what it is and so on. It is not the ‘best practice’ necessarily, but it could be a great place to start if you’re looking for some structure. It will help you uncover ‘opportunities’ as well.

      Thanks for your comment – I hope this helps…