Let’s talk about Risks and Opportunities…. and of course this applies to ISO 9001 Risks and Opportunities as well.

Have you ever been in a situation, either good or bad, when you realize that something you previously thought impossible happened – and now looking back, you wonder “how did I not see that coming?”

Me too! In both my personal and professional life!

When negative surprises happen in the business world, the consequences can range from inconvenient to extremely damaging. This is why I tell my clients to always beware of considering anything impossible unless you’re willing to accept the day when that very thing seems as though it was inevitable. This is also why for years quality management systems like ISO 9001 have focused on preventing these surprises.

When it comes to the positive opportunities that go undiscovered or unaddressed, the consequences can be just as significant. After all, opportunities are never really lost, they are just picked up by someone else – likely your competition.

But here’s the deal….the requirements of ISO 9001 for detecting risks and opportunities in the past have left a lot to be desired.

Let’s take a look at the gap between intention and results and you’ll quickly see what I’m talking about….

THE INTENTION (a common example)

Here’s what is planned:

The organization creates two “lists” or “logs”. One list is for possible opportunities – often titled “Continual Improvement Log”.

The other list is for potential risks, and is titled “Preventive Action Log”.

The idea is that when an employee sees something in their day-to-day work that constitutes a potential problem or an opportunity for improvement (or both since they’re really two sides of the same coin), they would notify leadership. This typically happens in the way of a Preventive Action Request Form or Improvement Project Request Form. Call it what you want, right?

From there, management reviews the multitude of great ideas and decides a course of action – or lack thereof. These ideas and actions are then placed on the appropriate list/log for monitoring and review – you know…. accountability.

That’s the idea anyway. But as the wise Mike Tyson once said, “everyone has a plan until they get punched in the face”.

Ahhh, Mike. Truer words have never been spoken.

So how did it really work in a lot of places?


THE REALITY (the common example)

The reality of the process of uncovering risks and opportunities was not so effective. Typically both of these logs would go relatively untouched for the better part of the year. Then without fail, the third-party auditor would schedule their visits, and…well…uh oh.

In preparation for the visit, the quality manager would check the logs to make sure everything was in order. Seeing that nothing had been entered in either the Preventive Action or the Continuous Improvement logs – they would scramble around to see what had been accomplished over the past year. They would then fill the log – not with forward-looking ideas, but with things already done…made to look as if they were planned improvements or proactive risk mitigation. This was a common misstep with companies dealing with ISO 9001 Risk and Opportunities requirements.

Not really effective at all. Turns out Mr. Tyson was spot on.


This scenario, in some form, happens often. And it’s not because of bad people doing bad things, or incompetence, or even laziness. It typically happens for one or more of the following reasons:

1. A Lack of Risk Based Thinking

Many employees don’t understand exactly what a risk really is, never mind the proper way to look at risks.

Is it a nonconformance?

Is it bad product or service?

Is it when something bad happens?

Many people simply don’t understand risk based thinking and what to even submit….so they don’t.

2. The Menu is Too Big

It’s kind of like when you go to a restaurant and the waitress hands you a massive 30-page menu…and you end up ordering something you don’t really want just to get it over with! (by the way, did you know the Cheesecake Factory makes their menu ridiculously large so that people have to take longer to make a decision?)

The menu for risks and opportunities is like a Cheesecake Factory menu on steroids!

And since we can’t possibly address them all at once, overwhelm sneaks into the mindset and we just go back to doing the work at hand. Add to this the perception that “if you find it, you fix it” – and the number of ideas brought to the forefront sinks astronomically.

3. There’s a black hole somewhere that eats ideas.

If you ever want employees to STOP contributing ideas, just let their input disappear without feedback or status.

Too often these “logs” become the place where ideas simply go to die. The ideas get submitted, but nothing is ever heard of them again. It’s like Jimmy Hoffa himself is in charge of the decision making and implementation processes. In the eyes of the employees, the logs may as well be buried under Yankee Stadium right along with….well….never mind. Anyways…


The good news is we can get this right…and we should!

When we move consistently and steadily without the unexpected challenges that come with unaddressed risks, we experience fewer regrets and less second-guessing as we approach our work. And best of all, we significantly reduce the odds of something major happening that may be unrecoverable. And when we keep a lookout for opportunities, we can increase efficiency, effectiveness, and even create a competitive advantage in the industry we serve.

A solid Quality Management System keeps this in the forefront of the agenda.

So What is Risk Management in ISO 9001 Quality Management Systems? And by the way, risks and opportunities are opposite sides of the same coin – so please don’t think I’m excluding either here.

Contrary to popular belief, risk management in ISO 9001 does not involve high-level statistics, complex analysis or a degree in actuarial science. It simply requires the adoption of a certain mindset throughout the organization when it comes to awareness of the environment, or the context in which we work.


In order to really build a solid foundation for risk management, it’s important that we have a “meeting of the minds” throughout the organization. When people at all levels engage their work with a risk-based (or opportunity-based) mindset, great things can happen – and bad things can be avoided.

So what is risk-based thinking?

Quite simply risk-based thinking is observing the circumstances and setting (the context) around you and asking yourself three basic questions:

  1. What could go wrong?
  2. How bad would it be?
  3. How likely are we to catch whatever is causing the problem?


That’s it. But here’s the thing…

It’s important that we focus our sights on risks and opportunities in specific areas so we can be systematic and consistent in our approach – and so our people don’t feel like they are looking at a Cheesecake Factory menu!


In an ISO 9001 Quality Management System, we look at risk and opportunities in four different ways….

…using what I call The Four Critical Conversations.

Put together, these conversations along with their output create a comprehensive look at the organization from a big picture view all the way down to the line level view.

So let’s take a look:

ISO 9001 Risks and Opportunities Model


1. Internal Issues:

Every organization has strengths and weaknesses. The key is to look closely and determine which of these strengths and weaknesses can affect the ability to meet customer or internal requirements. It’s important here not to view the organization through rose-colored glasses. There’s nothing wrong with weaknesses in the organization – only with ignoring them.

The output of this discussion is a list of risks and opportunities.

2. External Issues:

External issues refer to the issues outside the organization that are typically out of the organization’s control, but can be accounted and adjusted for. Examples of the types of issues are:

  1. Political
  2. Economic
  3. Social
  4. Technological

In an ISO 9001 Quality Management System, leadership would identify and discuss these types of issues to uncover which could impact the ability to meet customer or internal requirements.

The output of this discussion is a list of risks and opportunities.

3. Important Stakeholders

No business operates in a bubble. There will always be relationships that have to be monitored and maintained. Of course, these relationships differ from business to business. In order to determine which relationships are critical to your organization, just ask yourself:

“Who cares about what we’re doing, and what do they want?”

You can then prioritize these stakeholders based upon how that relationship can affect your ability to meet customer and internal requirements.

The output of this discussion? ….you guessed it – a list of risks and opportunities.

You can probably see where this is going, right? Let’s continue on to the final Critical Conversation.

4. Process Level

If you’ve read the blog post “What is a Quality Management System Anyway?” you know that a business is a series of processes linked together to deliver a defined outcome. The processes that work together to deliver customer satisfaction make up your Quality Management System.

In this critical conversation, the people who work in each of these processes discuss the risks and opportunities within that process that could impact their ability to meet internal and customer requirements.

The output of the discussion…..YES….a list of risks and opportunities.



So now you can see that obtaining an ongoing list of risks and opportunities doesn’t have to be (and shouldn’t be) so random. Scheduling these conversations on an ongoing basis removes overwhelm and replaces it with directed conversations.

As these critical discussions occur and risks and opportunities are identified, they can then be prioritized and action items can be created for those items where action is appropriate.

I’ll be posting another article on how that part of the process can best be handled, but for now I think I should mention something that could make the difference between success and failure in this process….

Always follow up with those who submit ideas. Taking no action IS a valid action as long as the decision is a result of some sort of analysis. But the decision should be communicated to those who submitted the idea in order to close the communication loop. The failure to do so could lead people to believe their ideas are being ignored – leading to employees dropping out of the system altogether.

Thanks for reading!

Kevin Shabaar Smith
