Mastering Clause 6: Planning for Risk and Opportunity in ISO Certification
Clause 6 focuses on planning for risk and opportunity. It is a key clause in ISO certification because it requires organisations not only to protect against possible loss through preventive action, but also to find ways to add value.
Clause 6 is consistent across the Management System Standards because of the High-Level Structure (HLS), or Harmonised Approach as it is now known.
Risk management is one of the key elements in ISO Standards, stating that organisations need to identify, assess, and manage the risks that could affect the achievement of their objectives.
Be it in ISO 9001 (Quality Management), ISO 14001 (Environmental Management), or ISO 45001 (Occupational Health and Safety Management Systems), Clause 6 makes certain that organisations apply risk-based thinking when establishing their objectives and plans to achieve them.
This method is not only about conformance but also about good governance. It assists organisations with aligning their strategies with possible risks and opportunities.
The general idea of Clause 6 is the same, but the actual planning can differ depending on the nature of the standard. For example, in ISO 9001 risk management may deal with product quality, while in ISO 27001 it may be about information security.
Whether it’s a quality, environmental, health and safety, or any other ISO management system standard, all of them require the identification of risks and opportunities and the implementation of corrective action. This means that preventive actions must be built into the plan.
This blog post focuses on Clause 6 of ISO Management System Standards and how organisations must effectively plan for risks and opportunities to improve their governance and further continual improvement, simultaneously improving their ISO Certification outcome.
What is Clause 6: Planning
Planning is a crucial part of ISO management system standards. It is a framework for companies to establish goals, recognise threats and advantages, and create plans to realise those goals. Basically, it’s all about taking control of an organisation’s future.
At the heart of Clause 6 lies the concept of risk management. When companies can recognise threats and opportunities, they can act to eliminate or minimise the threats and exploit the opportunities, which means the business can maintain its competitive advantage.
More info on Risk Management
For a more comprehensive approach to risk management, companies can refer to ISO 31000: Risk Management – Guidelines, which offers detailed insights into effective risk assessment and mitigation strategies.
ISO offers a free brochure which gives an overview of the standard and how it can help organisations implement an effective risk management strategy: https://www.iso.org/publication/PUB100426.html
Benefits of Clause 6
- Proactive management: By planning, organisations can foresee their problems and work around them instead of merely responding to them.
- ISO Certification: A well-structured plan is essential for achieving and maintaining ISO certification. It shows auditors and stakeholders that the organisation is committed to continual improvement.
- Organisational resilience: A strong plan allows companies to weather unexpected events and adjust to changing conditions.
- Continual improvement: Clause 6 encourages organisations to regularly review their plans and adjust them as needed, fostering a culture of continual improvement.
However, the level of planning may vary according to the type of organisation and the risks that the organisation takes on. For instance, a company that builds aeroplanes would probably require a more detailed risk assessment and risk register than an online training company. But even in smaller organisations, planning is necessary.
How Clause 6 ties in with other Clauses
Clause 6 is closely related to other important clauses in ISO standards. Here’s how:
Clause 4: Context of the Organisation: Understanding the organisation’s external and internal context is crucial for effective planning and addressing the potential risks and opportunities resulting from these factors.
Clause 4.1 and 4.2 set the groundwork for planning in that they state the bounds of the organisation and who the organisation’s interested parties are, as well as what the interested parties require or expect from the organization.
Clause 8.1: Operational Planning and Control: This clause is essential for ensuring that the operational processes—such as manufacturing in a Quality Management System (QMS) or service delivery in a service-based organization—are planned, controlled, and monitored effectively.
By addressing Clause 6 requirements, organizations can implement preventive actions that mitigate potential errors in their processes. For instance, in manufacturing, controls and monitoring improve assurance that the quality of products meets relevant standards, while in services, these actions ensure consistent delivery of high-quality service.
Clause 9: Performance Evaluation: Planning and performance evaluation are closely linked. Plans should be in line with organisational goals, and performance should be evaluated against those goals.
Clause 9.1.3: Performance evaluation of the management system should also include a review of how effective the actions taken to address risks and opportunities have been.
Clause 9.3.2: Management review: This should include the suitability, adequacy and effectiveness of actions taken to address risks and opportunities.
Clause 10.2.1: Nonconformities and Corrective Actions: When a nonconformity does occur, it could be that the risk assessment would need to be revised to prevent the nonconformity from happening again.
Organisations can then see how Clause 6 is linked to other clauses and recognise that their planning efforts are part of their total management system.
Download our FREE GUIDE “How to Optimise ISO Certification with Risk-Based Thinking,” and learn how to strengthen your business resilience. This guide covers aligning risk-based thinking with ISO Management Systems, mitigating risks, seizing opportunities, and ensuring continual improvement.
Clause 6.1 Actions to address risks and opportunities
Sub-clause 6.1 highlights the importance of recognizing and taking advantage of both risks and opportunities.
Risk can lead to either positive or negative outcomes and is determined by the likelihood and severity of an event’s impact on objectives. It is essential for organizations to systematically identify, evaluate, and manage risks and opportunities as part of their planning process.
The concept of risk management in ISO Management System Standards is not just for conformance but also offers a helpful strategy for securing continual improvement, ensuring smooth operations, and building a more sustainable business.
Organizations must prioritize issues and minimize non-conformities. They will improve stakeholder trust by embracing this approach.
What is Risk-based Thinking?
Risk-based thinking is a methodical technique for detecting, evaluating, and minimising risks as well as discovering and seizing opportunities. Risk-based thinking highlights the importance of taking risk into account when making decisions. It directs businesses to strategically consider opportunities and risks in all facets of their business operations. Risk-based thinking entails assessing uncertainty and coming to well-informed decisions that strategically support organisational objectives.
The importance of risk-based thinking is found in its capacity to promote ongoing development by motivating companies to take proactive measures to mitigate risks and seize opportunities. This kind of thinking fosters organisational resilience and adaptability, which eventually results in long-term success in the sectors in which they operate.
See, for example: ISO 9004:2018, Quality Management — Quality of an Organization — Guidance to Achieve Sustained Success, which expands significantly on this concept and provides comprehensive guidance on achieving excellence in quality management.
Differences in Clause 6.1 between the ISO standards
Quality Management: Sub-clause 6.1 in ISO 9001 focuses on recognising risks and opportunities related to quality in the context of quality management. Ensuring that goods and services satisfy customers’ needs and raise satisfaction levels is the aim. This entails figuring out preventive measures to stop non-conformities and continually improving the quality management system.
Environmental Management: This sub-clause in ISO 14001 concentrates on enhancing sustainability and reducing environmental impact. Risks and opportunities pertaining to an organisation’s environmental setting, important environmental aspects (the factors that contribute to environmental consequences), and compliance requirements must be addressed. Protecting the environment while taking advantage of chances to enhance environmental performance is the goal.
Occupational Health & Safety Management: In ISO 45001, sub-clause 6.1 targets the protection of workers by addressing health and safety risks and opportunities. This includes managing risks associated with the organisation’s context, significant hazards (the causes of potential harm), and legal and other requirements. The objective is to ensure a safe and healthy workplace while identifying opportunities to enhance safety practices.
Each standard tailors Clause 6.1 to address the specific context of the management system it governs. This ensures that organisations can effectively plan for risks and opportunities in areas critical to their operations and conformity, supporting the continual improvement of their systems.
Benefits and importance of Clause 6.1
- Better decision-making: Organisations are better able to make strategic decisions based on a complete understanding of the possible outcomes of their activities when risks and opportunities are identified and evaluated. Due to the decreased probability of costly errors or lost opportunities, this can result in more effective and efficient decision-making – especially when considering a cost-benefit ratio.
- Enhanced adaptability: Businesses can become more adaptable and better equipped to handle unforeseen circumstances by being aware of the risks and opportunities that may affect their operations. With less impact on their company and stakeholders, they will be able to respond to emergencies more swiftly and efficiently.
- Continual improvement: Repeated assessment and enhancement of management systems is encouraged. Organisations can find areas for improvement and take proactive measures to address them by recognising risks and opportunities.
Methodology of work
Actions to address Risk and Opportunity
Risks and opportunities must be identified and addressed to establish a robust management system in conformance with ISO Standards. This involves analysing both internal and external factors using tools such as SWOT analysis and risk assessment matrices, which consider factors such as laws, technology, and customer desires.
After the risks have been identified, the impact and likelihood of each risk must be assessed, and if its priority is high enough, appropriate strategies (tolerance, transfer, treatment, termination) can be developed.
Documenting Evidence
Proper documentation guarantees accountability and transparency and offers proof of risk management actions.
ISO 9001 does not require documented procedures or paperwork for this, but it does require identifying risks and opportunities and planning responses to them. In high-risk industries a risk register should be kept.
ISO 14001 and ISO 45001, on the other hand, require extensive documentation of the identification and management of risks and opportunities, particularly as they relate to environmental factors, hazards, and legal compliance obligations.
Useful advice for recording evidence
- Keep a risk register where you record risks and opportunities that have been recognised, as well as the steps you plan to or have taken to address them.
- Create thorough action plans that specify what must be performed, along with deadlines, materials, and key performance metrics.
- Include risk-based thinking across every element of your management system, including quality plans, environmental plans, and safety protocols.
Maintaining a Risk Register
A risk register is a dynamic record that should be updated frequently to reflect evolving risks and opportunities. It should include:
- Risks and opportunities identified: a description of every risk and opportunity, including information on the likelihood and possible consequences.
- Actions performed: a log detailing the steps required to address each risk or opportunity.
- Responsibilities: the people or groups responsible for managing the risk management process and carrying out the required actions.
Creating Action Plans
Key risks and opportunities should be considered while creating action plans. The more details your action plan includes, the easier it is to assess and measure progress.
Use the SMART method for planning and ensure that you clearly indicate:
- Timelines: the deadlines for the planned risk management actions.
- Resources: what is required to carry out the risk management activities.
- Responsibilities: each action must be assigned to the person accountable for it, to ensure accountability.
- Performance indicators or metrics: how the success of the risk management initiatives will be assessed.
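As an added illustration (not code from the original post, and not prescribed by any ISO standard), the following Python risk register implements the assess-then-prioritise step described under "Actions to address Risk and Opportunity" together with the register fields and SMART action-plan checks listed above. The 1-to-5 likelihood and impact scales, the priority threshold of 10, the field names and the sample entries are all constructed assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# The four response strategies named on the page: tolerance, transfer, treatment, termination.
STRATEGIES = {"tolerate", "transfer", "treat", "terminate"}


@dataclass
class Entry:
    """One row of the risk register (field names are an assumption for this example)."""
    ref: str
    description: str
    kind: str                       # "risk" or "opportunity"
    likelihood: int                 # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int                     # 1 (negligible) .. 5 (severe); constructed scale
    owner: Optional[str] = None     # person or group accountable
    strategy: Optional[str] = None  # one of STRATEGIES once a decision is made
    actions: list = field(default_factory=list)
    due: Optional[date] = None      # timeline for the planned action
    indicator: Optional[str] = None # metric used to judge success

    def __post_init__(self):
        if self.kind not in ("risk", "opportunity"):
            raise ValueError(f"{self.ref}: kind must be 'risk' or 'opportunity'")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.ref}: likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        # Simple likelihood x impact matrix; a 5x5 grid gives scores from 1 to 25.
        return self.likelihood * self.impact


def prioritise(register, threshold=10):
    """Return entries at or above the priority threshold, highest score first."""
    return sorted((e for e in register if e.score >= threshold),
                  key=lambda e: (-e.score, e.ref))


def action_plan_gaps(entry):
    """List the SMART action-plan elements a prioritised entry is still missing."""
    gaps = []
    if entry.strategy not in STRATEGIES:
        gaps.append("strategy")
    if not entry.owner:               # even a tolerated risk needs someone monitoring it
        gaps.append("owner")
    if entry.strategy in ("transfer", "treat", "terminate"):
        if not entry.actions:
            gaps.append("actions")
        if entry.due is None:
            gaps.append("due date")
        if not entry.indicator:
            gaps.append("indicator")
    return gaps


def review(register, threshold=10):
    """Map each prioritised entry's ref to its gaps; an empty list means the plan is complete."""
    return {e.ref: action_plan_gaps(e) for e in prioritise(register, threshold)}


# Constructed sample register for demonstration only.
SAMPLE_REGISTER = [
    Entry("R-01", "Single-source supplier fails to deliver", "risk", 4, 4,
          owner="Procurement lead", strategy="treat",
          actions=["Qualify a second supplier"], due=date(2025, 6, 30),
          indicator="Second supplier qualified and audited"),
    Entry("R-02", "Minor cosmetic packaging defects", "risk", 2, 2),
    Entry("O-01", "Automate final inspection to cut defect escapes", "opportunity", 3, 4),
    Entry("R-03", "Contractor injury from manual handling hazard", "risk", 3, 5,
          owner="H&S manager", strategy="treat",
          actions=["Introduce lifting aids", "Refresh manual handling training"]),
]

if __name__ == "__main__":
    for e in prioritise(SAMPLE_REGISTER):
        print(f"{e.ref} score={e.score:2d} gaps={action_plan_gaps(e)}")
```

Running the block lists R-01, R-03 and O-01 in that order; R-02 falls below the threshold and is simply monitored, R-01 has a complete plan, R-03 still lacks a due date and an indicator, and O-01 has not yet been given a strategy or an owner.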
Examples of application in Quality Management
Risk identification in quality management is centred around supply chain disruptions, customer dissatisfaction, regulatory noncompliance, and poor-quality levels. To ensure that goods and services meet requirements, process risks must be recognised as a preventative action.
Action plans should be centred around customer service, elimination of defects, and process streamlining. Documentation is key, especially in the areas of traceability, accountability, and providing evidence of corrective action taken to resolve nonconformities.
Examples of application in Environmental Management
Environmental risks concern issues such as resource depletion, pollution and climate change. It is about understanding the environmental aspects and the associated risks and opportunities, or rather the root causes of possible impacts.
The first things that should be addressed are minimising environmental impacts, ensuring compliance with regulations, and supporting sustainable activities. There should be some kind of record demonstrating consistent environmental responsibility, sustainability reporting, legal compliance tracking, and environmental performance monitoring.
Examples of application in Occupational Health and Safety Management
Occupational health and safety risk identification is the process of recognising any health and safety hazard that could harm an employee while at work, for example ergonomic hazards, hazardous substances, etc.
To ensure safe working conditions, “action plans” should be made to avoid accidents, illnesses, or injuries. This part of the documentation should provide evidence of health and safety audits, safety training, incident investigations, and compliance with and continual improvement of the health and safety policies and procedures.
For more information on integrating a process-based approach to managing enterprise-wide risk, check out our article on Corporate Sustainability and Nonfinancial Risk.
Clause 6.2 Objectives & Planning to Achieve Them
Clause 6.2 addresses the creation of quantifiable goals and the scheduling of actions necessary to reach them. This subclause is essential for ensuring that an organisation’s objectives and management system are in sync, which promotes continual improvement.
Establishing objectives encourages organisations to concentrate on areas that require improvement and to be proactive in resolving possible issues (like risks).
Setting objectives in ISO management systems is directly related to spotting and seizing opportunities. For instance, identifying possibilities inside the organisation’s processes and operations frequently leads to improvements in quality, environmental performance, and occupational health and safety.
A forward-thinking strategy is encouraged by clause 6.2, where opportunities are actively incorporated into strategic planning rather than just being acknowledged.
It’s also critical to observe the subtle phrasing variations among the three primary ISO standards. For instance, ISO 9001 places a strong emphasis on establishing goals at pertinent levels, functions, and processes, but ISO 14001 and ISO 45001 place a broader emphasis on the system without specifically addressing processes.
Key components of Clause 6.2
Clause 6.2 emphasises the significance of establishing SMART (Specific, Measurable, Achievable, Relevant, and Time-bound) objectives. For these goals to be meaningful and to back up the organisation’s strategic goal, they must be consistent with the general policy of the organisation and the nature of the organisation’s environment.
For example, a company whose focus is improving customer satisfaction would have a quality management objective to reduce product defects by x number of percent in y amount of time. This ensures that the objectives not only conform to the overall corporate objectives, but also to the exact specifications of the ISO standard.
What's the difference between business and ISO management system objectives?
Business objectives:
Generally speaking, business objectives centre around more general corporate objectives like the triple bottom line, customer satisfaction, profitability, or market expansion. These goals should be incorporated into the overall business plan even though they might not immediately relate to the requirements for ISO certification.
ISO management system objectives:
The objectives of the ISO management system specifically address topics like quality, environmental performance, and safety that are connected to the corresponding ISO standard. These goals, which include lowering non-conformities, limiting environmental impact, or enhancing workplace safety, are typically more focused on conformance.
Comparison:
When ISO objectives align with more general company objectives, there is frequently overlap. For example, raising customer satisfaction (a business target) can be directly impacted by enhancing product quality (an ISO objective). While business objectives may cover a wider strategic vision, ISO objectives assist with achieving business objectives, through a more concentrated focus on conformance, risk management, and continual improvement within the framework of the management system.
Differences in Clause 6.2 between the ISO standards
Clause 6.2 in ISO 9001:2015:
In the Quality Management System standard, clause 6.2 covers planning so that customer requirements are met and customer satisfaction is increased. This involves establishing goals for product and service quality, process efficiency and continual improvement.
Clause 6.2 in ISO 14001:2015:
Clause 6.2 of the Environmental Management System (EMS) standard in ISO 14001 focuses on setting and planning environmental objectives. These objectives should address the risks and opportunities associated with significant environmental aspects and applicable compliance obligations. This may include goals such as pollution prevention, resource conservation, or ensuring compliance with environmental regulations.
Clause 6.2 in ISO 45001:2018:
The Occupational Health and Safety Management System standard’s Clause 6.2 emphasizes the need to set objectives that prevent work-related injuries and illnesses through comprehensive planning. These objectives should take into account applicable requirements, the needs and expectations of interested parties, the results of risk and opportunity assessments (both related to OH&S hazards and the OH&S management system), as well as consultation with workers and, where applicable, workers’ representatives (see Clause 5.4). This ensures the implementation of effective control measures and fosters a safer workplace.
What actions need to be planned?
Quality Management Objectives:
To achieve quality management goals, objectives must be specific, measurable, and aligned with the organization’s overall strategy. Effective planning, resource allocation, operational processes, measurement, analysis, and continual improvement activities must be established. For both product and service-based organizations, maintaining efficient communication between staff members is essential to consistently meeting customer needs and delivering high-quality outputs.
When planning to achieve quality management objectives, the organization must determine:
- What will be done to meet the objectives,
- What resources will be required to execute the actions,
- Who will be responsible for implementing the actions,
- When the actions will be completed within the timeline, and
- How the results will be evaluated, ensuring that progress aligns with the set objectives.
Environmental Management Objectives:
Setting goals, putting procedures in place, recognising environmental factors, and incorporating environmental concerns into the organisation’s general management are all necessary to achieve environmental management objectives. This guarantees regulatory compliance and reduces environmental impact.
For environmental management objectives, the organization must determine:
- What actions will be taken to achieve its environmental goals,
- What resources will be required to implement the actions,
- Who will be responsible for executing these actions,
- When the objectives will be completed, and
- How the results will be evaluated, including indicators for monitoring progress toward the achievement of measurable environmental objectives.
Additionally, the organization must integrate these actions into its overall business processes to ensure regulatory compliance and minimize environmental impact.
Occupational Health and Safety Objectives:
OHS management objectives need to be achieved by setting defined goals, risk assessment, and the recognition of hazards in the workplace. It is necessary to establish procedures for risk assessment, hazard identification, emergency readiness, and health and safety training. The OHSMS must aim to provide a safe and healthy workplace.
When planning to achieve OH&S objectives, the organization must determine:
- What actions will be taken to address workplace risks and hazards,
- What resources will be required to ensure the success of these actions,
- Who will be responsible for implementing the health and safety plans,
- When the actions will be completed within the established timeframe,
- How the results will be evaluated, including indicators for monitoring progress, and
- How the actions will be integrated into the organization’s business processes.
The organization must maintain and retain documented information on OH&S objectives and the plans to achieve them, ensuring a proactive approach to workplace safety.
Benefits and importance of Clause 6.2
- Proactive management: Helps anticipate and address challenges before they occur.
- Clear objectives: Provides a roadmap for achieving desired outcomes.
- Improved efficiency: Enhances processes, reduces waste, and minimises errors.
- Regulatory compliance: Ensures alignment with standards, regulations, and legal requirements.
- Continual improvement: Supports a culture of ongoing improvement and innovation.
- Strategic alignment: Makes sure that the goals are significant and helps achieve business objectives and intended outcomes.
Clause 6.3 Planning of Changes
Clause 6.3 of the ISO 9001:2015 standard specifies the Planning of Changes. It requires organizations to systematically plan any modifications that could affect the outcomes of their Quality Management System (QMS). The key objective is to ensure that the integrity of the QMS is upheld during any changes.
This involves considering:
- The objectives of the changes and any possible repercussions.
- The availability of the resources required to put the change into action.
- The allocation of authority and responsibilities within the organisation.
The clause underscores the importance of careful planning to avoid disruptions or negative impacts on the QMS, which could hinder the organization’s ability to meet customer requirements.
While the concept of change management is introduced explicitly in ISO 9001’s Clause 6.3, it is addressed in different parts of other standards like ISO 14001 and ISO 45001, even though it doesn’t appear as a distinct sub-clause in those standards.
What is Change Management?
Change management is the structured approach to ensuring that changes—whether organizational or technical—are effectively planned, implemented, and sustained. It involves preparing, supporting, and guiding individuals and teams through transitions to minimize resistance and achieve successful outcomes.
While change management often focuses on broad organizational transformations, it is equally critical for managing smaller, technical, or engineering changes.
Effective change management encompasses several key steps:
- Identifying the Need for Change: Recognize when a change is necessary, driven by factors such as new technology, regulatory requirements, safety improvements, or efficiency enhancements. Clearly define the objectives of the change.
- Assessing the Impact: Evaluate how the change will affect existing systems, processes, and personnel. This includes assessing risks, costs, compatibility with current infrastructure, and overall impact on performance and safety.
- Stakeholder Involvement: Engage all relevant stakeholders, including engineers, operators, workers’ representatives, management, suppliers, and, where applicable, customers. This helps ensure the change meets the needs of all affected parties and reduces resistance.
- Detailed Planning: Develop a comprehensive plan that outlines:
  - Scope: Define what will change.
  - Resources: Determine required tools, personnel, time, and budget.
  - Timeline: Establish a realistic schedule with milestones.
  - Risk Management: Identify potential risks and create mitigation strategies.
- Testing and Validation: Before full implementation, test changes in a controlled environment to verify they work as expected. This helps prevent unforeseen issues during broader application.
- Training and Communication: Ensure all personnel understand the change and receive training on new processes or systems. Clear communication helps reduce confusion and resistance.
- Implementation and Monitoring: Execute the change according to the plan. Monitor progress to ensure the change is working as intended and address any issues promptly. (Refer to requirements of ISO 9001 Clause 8.5.6 for detailed guidelines.)
- Review and Continuous Improvement: After implementation, review the change’s effectiveness by gathering feedback, measuring performance against objectives, and identifying areas for further improvement.
By addressing both macro-level and micro-level changes, organizations can enhance reliability, safety, and performance, ensuring that all modifications are integrated seamlessly into their systems and processes.
For further insights, read our article on Models in Change Management and Their Role in Your Organization.
Why is Clause 6.3 included in ISO 9001?
ISO 9001 includes clause 6.3 because changes are inevitable in any company. These changes may result from several factors, including improvements to internal processes, market demands, or technology breakthroughs. By planning changes ahead of time, organisations can reduce risks, guarantee continuity, and preserve the integrity of their processes and output. This is consistent with the more general idea of risk-based thinking that is supported by all management system standards.
Benefits and importance of Clause 6.3
- Risk mitigation: By carefully planning changes, possible risks can be recognised and preventative action taken against them.
- Resource allocation: Lessens the possibility of disruptions by guaranteeing that there are enough resources available to support the management system at all times.
- Smooth transition: Assists in upholding process integrity, guaranteeing that modifications do not adversely affect the calibre of the product or service.
- Conformance: Guarantees that the company continues to meet ISO 9001 standards, which keeps it certified.
- Continual improvement: Because improvements are methodically planned and carried out, this approach supports the idea of continual improvement.
Example of use
A manufacturing business intends to add a new piece of equipment to its line of production. Clause 6.3 guarantees that the business evaluates the possible influence on product quality, gives operators proper training, and updates the QMS documentation accordingly.
The role of Planning - Risk & Opportunity in ISO Certification
Organisations that master Clause 6: Planning for Risk and Opportunity benefit from improved adaptability, proactive management, and continual improvement. This clause is essential for recognising opportunities and dangers, ensuring that your procedures are robust, and coordinating them with your strategic objectives.
Integrating these techniques improves your company’s overall performance and satisfies guidelines for organisations pursuing or looking to maintain ISO certification.
Get in touch with us at +44 (0) 203 926 6507 or +27 (0) 31 941 4790, or email us at info@wynleigh.com to lead your company’s continual improvement efforts and obtain ISO certification.