Free ISO 9001 Risk & Opportunity Register
Excel template with likelihood × severity scoring, auto risk level, conditional formatting, and a filled-in example from ABC Precision Manufacturing.
ISO 9001 Risk Register Template: Clause 6.1 Made Practical
Risk-based thinking is one of the most significant changes in ISO 9001:2015 — and one of the most misunderstood. This guide explains what Clause 6.1 actually requires, how to build a risk and opportunity register that satisfies auditors, what scores mean, and how to make the register a living management tool rather than a compliance exercise.
1. What Is Risk-Based Thinking in ISO 9001?
ISO 9001:2015 replaced the old “preventive action” requirement with something broader: risk-based thinking. The idea is that instead of reacting to problems after they happen, your quality management system should proactively identify what could go wrong — and what could go right — and build responses into how you operate.
This is not a requirement to implement a formal risk management program like ISO 31000. It is a requirement to think systematically about the conditions that could affect your ability to deliver conforming products and services — and to do something about the significant ones.
> “Risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results.”
> — ISO 9001:2015 Introduction, Section 0.3.3
In practice, the risk register is how most organizations document that they have done this. It is the evidence that risks have been identified, evaluated, and that actions have been assigned to address the significant ones.
2. What Clause 6.1 Actually Requires
Clause 6.1 requires the organization to consider the issues from its context analysis (Clause 4.1) and the needs of interested parties (Clause 4.2), then determine the risks and opportunities that:
- Need to be addressed to ensure the QMS can achieve its intended results
- Need to be addressed to prevent or reduce undesired effects
- Could help achieve continual improvement
The organization must then plan actions to address these risks and opportunities, integrate those actions into QMS processes, and evaluate their effectiveness.
What Clause 6.1 does NOT require:
- ✗ A formal risk management methodology (no FMEA required)
- ✗ A specific document format or tool
- ✗ Quantitative probability calculations
- ✗ A risk register (although it is the best practice approach)
- ✗ Risk scoring — qualitative assessment is acceptable
That said, auditors expect to see documented evidence that you have thought about risk systematically. A risk register is the most practical way to provide that evidence.
3. Risks vs. Opportunities — The Difference
ISO 9001:2015 pairs risks and opportunities — a deliberate choice. Organizations that only manage risks become defensive and reactive. The standard pushes you to also identify conditions that could benefit the business if acted upon.
Risk (R)
A potential negative event or condition that could affect quality objectives, customer satisfaction, or QMS effectiveness.
Manufacturing examples:
- Single-source critical supplier
- Key operator knowledge concentration
- Aging equipment nearing end of service life
- Revenue concentration in 1–2 customers
- Sole internal auditor — no backup
Opportunity (O)
A positive condition that, if pursued, could improve quality, expand the business, or enhance QMS performance.
Manufacturing examples:
- ISO 9001 cert unlocks new customer segments
- Lean cell redesign reduces setup time ~35%
- IATF 16949 opens automotive Tier 1/2 market
- Automation investment removes bottleneck
- New ERP system improves traceability
Opportunities do not get scored on the same likelihood × severity matrix as risks. They are typically evaluated qualitatively on probability and potential benefit, assigned an owner, and reviewed at management review. In our template, the risk score column shows “N/A” for opportunities.
4. How to Score Risks: Likelihood × Severity
The most widely used scoring method is a 5×5 likelihood × severity matrix. Rate each risk independently on both dimensions, then multiply to get a risk score. The score drives prioritization and the urgency of action.
Likelihood Scale (1–5)
| Score | Level | Description |
|---|---|---|
| 1 | Rare | Highly unlikely to occur in the next year |
| 2 | Unlikely | Could occur but has not happened in recent years |
| 3 | Possible | Has occurred occasionally; a realistic possibility |
| 4 | Likely | Occurs regularly or several times per year |
| 5 | Almost Certain | Expected to occur; happens frequently |
Severity Scale (1–5)
| Score | Level | Description |
|---|---|---|
| 1 | Negligible | Minimal impact on quality, delivery, or cost |
| 2 | Minor | Small impact; easily corrected internally |
| 3 | Moderate | Noticeable impact; customer awareness possible |
| 4 | Significant | Major impact; customer complaint likely; NCM possible |
| 5 | Critical | Severe impact — potential product recall, audit failure, or business loss |
Risk Score = Likelihood × Severity

| Score | Risk Level | Required Response |
|---|---|---|
| 1–4 | Low | Monitor during routine reviews |
| 5–9 | Medium | Action plan required; monitor monthly |
| 10–14 | High | Immediate action; escalate to management |
| 15–25 | Critical | Stop — executive notification required |
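The scoring rules above, worked through in code: this is an added example, not the article's template or any of its formulas in Excel form. It multiplies the two 1–5 ratings, validates the scale, maps the product onto the four bands, returns “N/A” for opportunities as the template does, and pulls out the High/Critical items that the Medium/High bands say need monthly attention. The register rows, their reference IDs and the likelihood/severity values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Risk level bands from the article's 5x5 matrix (score = likelihood x severity).
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 14, "High"), (15, 25, "Critical")]

@dataclass
class Entry:
    ref: str          # constructed identifier, e.g. "R-01"
    kind: str         # "R" for risk, "O" for opportunity
    description: str
    likelihood: Optional[int] = None   # 1-5; None for opportunities
    severity: Optional[int] = None     # 1-5; None for opportunities

def score(likelihood: int, severity: int) -> int:
    """Multiply the two 1-5 ratings; reject anything outside the scale."""
    for v in (likelihood, severity):
        if not (isinstance(v, int) and 1 <= v <= 5):
            raise ValueError(f"rating {v!r} outside 1-5 scale")
    return likelihood * severity

def level(s: int) -> str:
    """Map a 1-25 score to the article's band (the template's 'auto risk level')."""
    for lo, hi, name in BANDS:
        if lo <= s <= hi:
            return name
    raise ValueError(f"score {s} outside 1-25")

def assess(e: Entry) -> tuple[str, str]:
    """Return (score, level) as strings; opportunities get N/A, as in the template."""
    if e.kind == "O":
        return ("N/A", "N/A")
    s = score(e.likelihood, e.severity)
    return (str(s), level(s))

def monthly_review(entries):
    """Items for the monthly check: High and Critical risks, highest score first."""
    rated = [(e, *assess(e)) for e in entries if e.kind == "R"]
    hot = [(e, int(s), lv) for e, s, lv in rated if lv in ("High", "Critical")]
    return [(e.ref, s, lv) for e, s, lv in sorted(hot, key=lambda t: -t[1])]

# Constructed sample register, loosely modelled on the ABC Precision example rows;
# the likelihood/severity values here are illustrative, not the article's figures.
REGISTER = [
    Entry("R-01", "R", "Single-source supplier for 304 SS bar stock", 3, 5),
    Entry("R-02", "R", "Outdated work instructions at 3 workstations", 4, 3),
    Entry("R-03", "R", "CMM probe calibration overdue", 2, 4),
    Entry("O-01", "O", "ISO 9001 cert opens 3 target OEM customers"),
]
```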
5. What Belongs in a Risk Register
A well-designed risk register captures enough information to manage the risk — not so much that it becomes a burden to maintain. Our template includes these columns:
6. Risk Register Examples (Manufacturing)
Here are four of the 10 entries from our filled-in example for ABC Precision Manufacturing, a CNC machining company pursuing ISO 9001:2015 certification. Download the full example to see all rows.
| Description | Potential Cause | Potential Consequence | Current Controls | Action Required | Owner | Status | Residual |
|---|---|---|---|---|---|---|---|
| Single-source supplier for 304 stainless bar stock — no approved alternate | Sole supplier relationship; no qualification of alternates completed | Production stoppage if supplier fails; 2–4 week lead time to qualify alternate | 90-day safety stock; monthly supplier scorecard | Qualify one alternate supplier for 304 SS bar stock | Purchasing Mgr | In Progress | 10 |
| Outdated work instructions found at 3 workstations (Rev B vs current Rev D) | No controlled distribution system — paper copies not replaced on revision | Operators working to wrong spec; nonconforming parts; audit finding | Master document list; document control SOP in place | Implement QR-code document access at all workstations; retire paper copies | Quality Mgr | In Progress | 4 |
| CMM calibration overdue for 2 probes — measurement uncertainty unknown | Calibration schedule not integrated with production scheduling | Nonconforming product shipped undetected; potential Clause 7.1.5 finding | Annual calibration schedule; certificates on file | Recalibrate probes; integrate cal due dates into monthly quality calendar | Quality Mgr | Closed | 3 |
| ISO 9001:2015 certification opens access to 3 target OEM customers requiring certified suppliers | OEM customers now require QMS certification as prerequisite | Estimated $400K additional revenue if 2 of 3 OEM accounts convert post-certification | Certification audit scheduled; internal audit complete | Complete certification audit; update capability statement and website | Quality Mgr | In Progress | N/A |
Download the full 10-row example
Includes 7 risks and 3 opportunities across Supplier, Production, HR, Document Control, and Sales processes. Includes Summary tab and Legend tab.
7. What Auditors Check For
Clause 6.1 is one of the areas where auditors probe most deeply in 2015 audits, because risk-based thinking is the conceptual backbone of the whole standard. Here is what they look for:
Is the register connected to your context analysis?
Clause 6.1 requires that risks and opportunities be determined considering the issues from Clause 4.1 (internal/external context) and Clause 4.2 (interested parties). Auditors will ask: how did you identify these risks? If your register appears disconnected from your business context, expect a finding.
Are the risks plausible and organization-specific?
A generic list of risks downloaded from the internet and renamed with your company logo is a red flag. Auditors want to see risks that clearly reflect your specific processes, suppliers, markets, and workforce. If every company in your industry would have the exact same list, yours is probably not specific enough.
Do the actions match the risk level?
A Critical risk with no action, or a Low risk with an elaborate mitigation program, both raise questions. Actions should be proportionate. A Critical risk should have an assigned owner, a concrete action, and a near-term due date.
Is the register actually being maintained?
A risk register dated 18 months ago with every status still showing "Open" and the same due dates from a year ago is evidence of a dormant process. Auditors want to see that the register is reviewed and updated — at least annually, and more often for high-rated items.
Does management review include risk information?
Clause 9.3.2(e) requires that management review inputs include information on the effectiveness of actions taken to address risks and opportunities. If your management review minutes do not mention the risk register, that is a gap.
8. Risk Register and Management Review
The risk register is not a one-and-done exercise. It is designed to feed into your annual management review (Clause 9.3) — and to be updated throughout the year as new risks emerge and existing actions are completed.
A good cadence for most small and mid-size manufacturers:
- Review status of High/Critical items; update action progress; add any new risks that have emerged
- Review Medium items; update residual scores for closed actions; flag any items overdue
- Full register review at management review; evaluate whether the register still reflects the current business context; add new risks from business planning
- After any significant nonconformity, customer complaint, supplier failure, process change, or audit finding, review whether existing risks need updating or new risks should be added
Connect Risk Management to Training in Training Tiger
Many risks in a manufacturing QMS are training risks — operators working to outdated work instructions, key knowledge concentrated in one or two people, no documented evidence of competency verification. Training Tiger's Skills Matrix shows you exactly where training gaps exist across your workforce — so you can close them before an auditor finds them.
9. Frequently Asked Questions
Does ISO 9001 require a risk register?
ISO 9001:2015 Clause 6.1 requires organizations to determine risks and opportunities and plan actions to address them. The standard does not mandate a "risk register" by name or format — but a risk register is the most common and practical way to provide auditable evidence that you have done this. In practice, auditors expect to see it.
What is the difference between a risk and an opportunity in ISO 9001?
A risk is a potential negative event or condition that could affect quality objectives or QMS effectiveness — for example, a sole-source supplier or aging critical equipment. An opportunity is a positive condition that, if acted upon, could benefit the organization — for example, a certification that unlocks new customers, or a process improvement that reduces defects. ISO 9001 requires both to be addressed.
How do you score risks in ISO 9001?
The most common approach is likelihood × severity on a 1–5 scale for each dimension. The product gives a risk score from 1–25. Scores of 1–4 = Low, 5–9 = Medium, 10–14 = High, 15–25 = Critical. ISO 9001 does not mandate a specific scoring method — qualitative assessment is acceptable — but a quantitative approach makes prioritization and management review easier.
How often should the risk register be reviewed?
At minimum, annually as part of management review (Clause 9.3). Most organizations also review High/Critical items monthly and trigger an ad hoc review after significant events: customer complaints, nonconformities, supplier failures, or major process changes.
Do opportunities need to be scored like risks?
No. Opportunities are evaluated on likelihood and potential benefit, not on a severity scale. In our template, opportunities are marked N/A in the risk score column. They still need an owner, an action plan, and a due date — and they should appear in management review.
Can the risk register be a spreadsheet?
Yes. ISO 9001 does not require a specific tool. An Excel spreadsheet is the most common format and works well for most small and mid-size organizations. The key requirements are that it is maintained, reviewed, and that actions are tracked to completion.