Ecesis EHS Software

ISO 9001
Risks, Opportunities
and Change

Risk-based thinking is one of the most significant changes introduced in ISO 9001:2015. Clause 6.1 requires organizations to consider risks and opportunities when planning the QMS, while Clause 6.3 addresses changes that need to be carried out in a planned manner. Together, these clauses replace the former concept of “preventive action” with a more proactive, systematic approach.

Clause 6.1: Actions to Address Risks and Opportunities

When planning the QMS, consider the issues from Clause 4.1 and the requirements from Clause 4.2, and determine risks and opportunities that need to be addressed to give assurance the QMS can achieve its intended results, enhance desirable effects, prevent or reduce undesired effects, and achieve improvement.

Important: ISO 9001:2015 does not require a formal risk management methodology or a documented risk register. However, most organizations find a structured approach (such as a risk register with likelihood and severity scoring) produces the most auditable and useful results.

Best Practices for Risk-Based Thinking

  • Use a risk register linking risks to specific processes and objectives
  • Consider both threats (risks) and positive possibilities (opportunities)
  • Integrate risk thinking into process planning, not as a separate exercise
  • Review risks when context, processes, or products change
  • Proportionate approach: complex risk methods for high-risk processes, simpler methods for lower risk

Clause 6.3: Planning of Changes

When the organization determines the need for changes to the QMS, changes must be carried out in a planned manner, considering the purpose of the changes and potential consequences, QMS integrity, availability of resources, and allocation or reallocation of responsibilities and authorities.

Best Practices for Change Planning

  • Implement a formal management of change process
  • Assess the impact of changes on QMS processes, products, and services
  • Communicate changes to affected personnel before implementation
  • Verify the QMS remains effective after changes are implemented

Common Pitfalls

  • Over-complicating risk assessment with enterprise-level methodologies when simpler approaches suffice
  • Focusing only on risks and ignoring opportunities for improvement
  • Treating risk assessment as a one-time exercise
  • Making changes to processes or the QMS without assessing consequences
How Ecesis Helps: Ecesis provides risk register tools with scoring matrices and change management workflows to ensure risks are tracked and changes are properly evaluated before implementation.

Related Ecesis Solutions

Document Management

Version-controlled procedures and records

Audits & Inspections

Schedule, conduct, and track audit findings

Nonconformity Tracking

Report, investigate, and resolve nonconformities

Training Management

Track competence requirements and records

Change Management

Structured review of planned changes

Compliance Obligations

Track requirements and evaluation schedules
Related Resources
Implementation Guide Context of the Organization Leadership & Policy Quality Objectives Customer Requirements Design & Development External Providers

What Is Ecesis?

Ecesis is a leading EHS Software Solution that has been helping companies around the world reach their EHS goals since 1993.

Get in Touch

1499 West 120th Avenue
Suite 110
Westminster, CO 80234
(720) 547-5102 (866) 733-6912 Click To Email Us

Connect With Us

EHS Software on LinkedIn EHS Software on Facebook EHS Blog

Copyright © 2026 EnviroData Solutions, Inc.

Terms of Use    Privacy Statement    Cookies