This Month’s Question

ISO 9001:2015 clause 6—Planning indicates that it is necessary to consider issues identified under clauses 4.1 and 4.2 when determining risks and opportunities, and clause 4.4.1(f) indicates the necessity to identify risks and opportunities at the process level. What is the best method of incorporating the risks and opportunities identified at macro and micro levels in the ISO 9001 quality management system (QMS)?

Our Response

Risk-based thinking should exist at all levels and permeate the organization. Sometimes, it is helpful to think of risks and opportunities on two levels—enterprise and operational.

Examples of risks and opportunities at the enterprise level include entering new global markets, currency fluctuations, changes in consumer preferences, off-shore competition and access to capital.

Risks and opportunities at the operational level include raw material shortages, excessive machinery downtime, excessive employee absenteeism and the opportunity to invest in new manufacturing technologies, among others.

At the enterprise level, it might be appropriate to use a strengths, weaknesses, opportunities and threats (SWOT) analysis to support strategic planning. Because most quality practitioners work at the operational level, however, that is where we will focus.

Best practice

At the operational level, ISO 9001 requires risks and opportunities to be evaluated for each key business process. Therefore, using a flowchart is better than a SWOT analysis because it allows you to consider risks and opportunities at each step in the process.

Flowcharts are the preferred method for managing processes because human beings are visual learners. Flowcharts also provide a map to help navigate through a complex QMS. If an organization adopts a true process approach, flowcharts (or a suppliers, inputs, process, outputs, customers diagram or similar means of depiction) should become the architecture of its QMS.

After flowcharts have been created for each key business process, it is easy to build the QMS around that set of flowcharts. Think of a flowchart as a tree with many branches, and from each branch a wide variety of information can be hung. A flowchart can reference ISO 9001 requirements, and customer, regulatory and company requirements, among other things. It can refer by name to relevant procedures and forms used in the process, and even refer to risks and opportunities.

Although not a requirement of ISO 9001, it might be useful to list interested parties and their needs at the process level. Clause 7.1.6 (organizational knowledge) of the standard requires you to determine what knowledge is appropriate to support the organization.

It also would make sense to think about knowledge at the process level: What knowledge is required to successfully execute the process, and how will that knowledge be obtained, maintained and shared across the organization?

Based on 15 years of applying risk-based thinking to internal auditing, this is my approach to incorporating risks into a process flowchart:

  • Define a process, along with its inputs and outputs, in about five to eight steps. A higher-level view works best.
  • Identify the risks associated with each step in the process.
  • Consider the management controls (such as operator training and product inspections) that are already in place for each process step.
  • Assess the suitability of those current controls for managing the risks in that process step. Where a current control is deemed to be too weak to sufficiently manage a risk, create an action to address that risk in accordance with clause 6.1.2, and submit those actions for management’s review in accordance with clause 9.3.2.

There are a variety of tools to address risks and opportunities in an organization at the macro and micro levels. SWOT is often used at the macro level, and a flowchart can be a versatile and effective tool for identifying risks and integrated risk mitigation strategies at the individual process level.

This month’s response was written by Denis J. Devos, an ASQ fellow and a professional engineer at Devos Associates Inc. in Toronto. Visit them at www.devosassociates.com.

--Jón Bergsson, 05-03-2018

Use of ISO Standard 31000 in risk analysis is very important. This article seems to avoid mentioning an ISO 31000-based approach!
--Vijay G. Ruikar, 01-26-2018
