Clause 6 Planning brings risk-based thinking to the front. Once the organization has highlighted risks and opportunities in clause 4, it needs to stipulate how these will be addressed through planning. The planning phase looks at what, who, how, and when these risks must be addressed. This proactive approach replaces preventative action and reduces the need for corrective actions later on. Particular focus is also placed on the objectives of the management system. These should be measurable, monitored, communicated, aligned to the policy of the management system, and updated when needed.

After much deliberation, the decision to make risk explicit has been made – here it is in clause 6. Having highlighted the issues and requirements in clause 4, now it is time to address the risks and opportunities the organization faces through planning. How will the organization prevent, or reduce, undesired effects? How will the organization ensure that it can achieve its intended outcomes and continual improvement? It will do it here in planning. Planning will address what, who, how, and when. Not difficult. This proactive approach is easier to understand than preventive action and should reduce the need for correction and corrective action at a later date. The requirements around the Quality objectives have also been made more detailed. They are to be consistent with the Quality policy, measurable (if practicable), monitored, communicated, and updated as appropriate. They have to be established at relevant functions and levels.

Clause 6 puts a greater emphasis on the organization’s Planning, which is integral to the business. Auditors should be familiar with risk – the consequences of an event and the associated likelihood of occurrence – and how to avoid, eliminate, minimize or mitigate it. They also need to focus on the positive aspect – opportunities for the business and how to optimize them. The risks and opportunities identified will lead to policies and objectives. Auditors should be able to identify and follow a clear path from issues and requirements through risks and opportunities, policies, and objectives.


Planning Process

The “Planning” clause has three sub-clauses:

6.1 Actions to address risks and opportunities

When planning for the quality management system, the organization shall consider the issues referred to in Understanding the organization and its context (4.1) and the requirements referred to in Understanding the needs and expectations of interested parties (4.2) and determine the risks and opportunities that need to be addressed to give assurance that the quality management system can achieve its intended result(s); prevent, or reduce, undesired effects; and achieve continual improvement.


The organization must plan actions to address the risks and opportunities determined in clause 6.1.1. The organization must also plan how to integrate and implement the actions into its quality management system processes and evaluate the effectiveness of these actions. Actions taken to address risks and opportunities must be proportionate to the potential impact on the conformity of products and services. Options to address risks can include, but are not limited to, avoiding risk, taking the risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, retaining risk by informed decision, or implementing standards like ISO 31000. It is the prerogative of the management to adopt any one of the practices. Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology, and other desirable and viable possibilities to address the organization’s or its customers’ needs.

It is the responsibility of top management to provide direction, authorization, resources, and review for QMS planning. When developing your QMS process controls for determining customer requirements, design, development, manufacture, delivery, and customer support, you must focus on meeting customer and regulatory requirements as well as the planned QMS objectives established in clause 6.2. QMS planning requires you to identify all your QMS processes and describe their sequence and interaction. The criteria and methods for planning, operation, and control of these processes come from the rest of the ISO requirements as well as your customer and your own organization. When planning its QMS, the top management must implement and promote a culture of risk-based thinking throughout the organization to determine and address the risks and opportunities associated with providing assurance that the QMS can achieve its intended result(s); provide conforming products and services; enhance customer satisfaction; promote desirable effects and improvement; and prevent, or mitigate, undesired effects. The organization must integrate the actions to address these risks and opportunities into its QMS processes using the PDCA cycle. Not all processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations. Each organization is therefore responsible for the extent to which it applies risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks. Planning also requires monitoring and measuring these actions and gathering, analyzing, and evaluating appropriate data and information to determine the effectiveness of such actions. This planning must be periodically reviewed and updated as necessary when taking corrective actions or at management reviews.
These actions must be proportional to the potential impact on the conformity of products and services.  When planning its QMS, the organization must consider the risks and opportunities presented by external and internal issues as well as the needs and expectations of interested parties, relevant to its purpose and strategic direction. Risk Management should be implemented at all levels of an organization, from the strategic to the operational level. The result of risk assessment should be considered in documenting the plans for process operation and risk control.

At the business and QMS planning stage, the organization should:

1. Determine the categories of risk (from strategic, operational, environmental, legal, social, and financial points of view) that the organization may be exposed to and that could impact its ability to conduct its business operations without disruption, to provide customer satisfaction, and to achieve sustained success.

2. The risk management methodology must be appropriate to the size and complexity of the organization. Establish a comprehensive list of risks under each of the categories described above, that might influence the achievement of process, product and service objectives;

3. The methodology should include the following steps to:

  • Identify each potential risk;
  • Describe the potential outcome of the risk;
  • Identify the potential cause(s) of risk outcome;
  • Rate the consequence or severity of the outcome;
  • Rate the likelihood of the cause occurring;
  • Rate the probability of early detection of the outcome should it occur;
  • Establish risk tolerance criteria;
  • Categorize each risk as critical, high, medium or low, using a combination of severity, occurrence and detection ratings and other relevant factors to establish an overall risk score for every risk listed; use the risk score to establish priority in addressing identified risks;
  • Identify and determine the adequacy of any existing control to address the identified risk;
  • Determine appropriate controls to respond to each identified risk (process control plans). These controls should preferably prevent the potential cause of the risk from occurring and, failing that, at least be able to detect the cause and/or outcome of the risk;
  • Determine compliance with predetermined tolerance criteria for acceptability of risk
  • Provide and use risk management information for strategic decision-making and managing operations.

4. Methods to identify risks:

  • Look at the past history of performance, lessons learned, current operations and planned future activities to identify potential risks or undesirable outcomes.
  • Look at current activities and problems encountered, current and planned future activities – TGW (things going wrong)
  • Apply TGW (Things Gone Wrong) for past activities and a contingency or “what if” approach to identifying current and future risks.
  • Apply these approaches to the full spectrum of risk categories listed in 1 above.
  • Use various tools such as cross-functional teams, flow charts, checklists, risk analysis diagrams  to brainstorm and facilitate risk identification, analysis, and evaluation
  • Ask when, where, why, who and how type questions to identify past, current, and future risks

5. As indicated earlier, the purpose of risk management controls is manifold and could include:

  • Avoiding the risk, where the only option is not to go forward with an activity or to withdraw from it
  • Taking the risk, where risks have desirable potential consequences
  • Altering the risk, to optimize potential opportunities and minimize threats
  • Transferring the risk by measures including insurance, contractual arrangements, trade unions, partnerships, and joint ventures
  • Retaining the risk, where no worthwhile control actions are feasible and the risk is within the organization’s risk tolerance
  • Removing the source of the risk by perhaps using alternate or new technology.

Example of Determining Risk and Opportunity:

| Issues (internal) | Expected Results | Uncertainty | Risk (-Ve) | Opportunity |
|---|---|---|---|---|
| Availability of reliable, qualified, competent and multi-skilled workforce | Workforce is competent | Existing workforce not all skilled | M | Opportunity to multi-skill installation teams – impact on installation times |
| The culture within the organization – work quality | Workforce is motivated | Unacceptable quality of work | H | Opportunity for top managers to lead |
| Workforce retention – wage | The workforce is loyal to the organization | Workforce leaving for better-paid work | H | Opportunity to benchmark our competitors’ wages |

| Issues (External) | Expected Results | Uncertainty | Risk (-Ve) | Opportunity |
|---|---|---|---|---|
| Client working environment – other trades working alongside us | Integrated is protected | Damage to our installation | H | Opportunity to place barriers, floor markers, signs for clear identification |
| Standardization and certification within the industry – not conforming | Being up to date and informed on standards | Code of practices are changing all the time | L | Opportunity for designers to attend free update the trade body conference (0.5 days) |
| Client consideration – bringing expertise in-house | Workforce remain loyal to the organization | Workforce for managed on-site contracts being employed direct by clients | H | Opportunity for a new contract clause prohibiting employment (time-bound) |

Example of template for the procedure of Risk and opportunities

6.2 Quality Objectives and Planning to Achieve Them

The organization must establish quality objectives at relevant functions, levels, and processes. The quality objectives must be consistent with the quality policy. If practicable, they must be measurable. They must be based on application requirements. They must be relevant to the conformity of products and services and the enhancement of customer satisfaction. They must be monitored and communicated. They must be updated as appropriate. The organization should maintain documented information on the quality objectives.


When planning how to achieve the quality objectives, the organization must determine what will be done; what resources will be required; who will be responsible; when it will be completed; how the results will be evaluated.

The purpose of quality objectives is to determine conformity to customer, regulatory and relevant stakeholder requirements, and effective deployment and improvement of the QMS. Clause 6.2 sets out specific requirements for the planning of quality objectives. This clause requires you to document them. This clause also requires you to monitor, measure and evaluate results against your planned objectives. Top management must provide the leadership, organization, and resources to deploy and achieve planned quality objectives. The process and the responsible personnel needed to achieve the quality objective must be determined. The quality policy provides the framework for establishing quality objectives in order to be consistent with it and provided examples of such consistency. In this clause, the organization must ensure that specific quality objectives are established at relevant functions, levels, and processes needed for the QMS. The quality objective should be relevant to meeting the requirements of your products and services and enhancing customer satisfaction. Quality objectives are used to measure the performance of products, service processes, customer satisfaction, suppliers, use of resources, and the overall performance and effectiveness of the QMS. Quality objectives may be established for all QMS processes.

Examples of quality objectives:

  • Product – reduction in defect rates, PPM’s (defective parts per million), scrap rates, rework; improvement in on-time delivery.
  • Process – objectives generally focus on improving process productivity through the elimination or reduction of variation and waste in process – inputs, outputs, conversion activity and related use of resources.
  • Monitor and improve the process – productivity, reduction of cycle time, errors, omissions, and failures; etc. Examples could include objectives for – set-up time, run rates, process cycle time, etc.
  • Customers – reduction in number of complaints, improvement in customer satisfaction rating, on-time delivery, service, support, etc.
  • Suppliers – material defects, on-time delivery, number of complaints with supplier.
  • Resources include facility, equipment, labour, etc. – objectives could be established based on availability, capability, maintenance, personnel competency, absenteeism, production rates, efficiency, safety, etc.
  • For the QMS – customer satisfaction feedback, internal audit results, # of improvement opportunities; etc.

Quality objectives may be set at various functional levels of the organization – top management, departments, processes, functional groups, work cells, project teams, individuals, etc. It would be useful to cover these levels as they add value and contribute to the customer or organizational objectives. Employees at all of these levels must be made aware of the importance of these objectives and of how they must contribute to achieving them. Quality objectives must be measurable. Measurement can be done quantitatively or qualitatively. Quantitative measures are generally more objective in determining whether conformity or effectiveness has been achieved. In some situations, the use of qualitative measurements may be appropriate. These quality objectives must be deployed and measured, and top management must conduct an effective review of the measurement results. These measurement results must also be used for corrective action and continual improvement. The quality objectives must be achieved within a defined time period to ensure accountability, e.g. reducing customer complaints by 30% by March 2016. This could be determined by your customer, your management, your head office, regulatory bodies, etc. Your business or quality planning process must establish these time periods and include the communication of objectives and timelines to those responsible for achieving them. Quality objectives may be documented in any or all of these documents, such as the quality manual, QMS processes, procedures, quality plans, etc. The establishment of quality objectives should be part of the business planning or QMS planning processes. A review of the quality objectives should be part of your management review process. After the review, the quality objectives may be updated as appropriate. As documented information, your documented statement of objectives must be controlled in accordance with 7.5.3 Control of documented information.
You must be careful not to overwhelm your organization with too many objectives as this may cause more frustration than positive results. Start with objectives that focus on meeting customer requirements and then slowly develop meaningful objectives for key processes and risk-prone processes, as initial targets are achieved.

6.3 Planning of Changes

Where the organization determines the need for change to the quality management system (from 4.4 g) the change must be carried out in a planned and systematic manner. The organization must consider the purpose of the change and any of its potential consequences; integrity of the quality management system; availability of resources; allocation or reallocation of responsibilities and authorities.

The continuity and effectiveness of your QMS must be substantially maintained in the event of significant changes in your QMS or organization, e.g. management, ownership, relocation, technology, product, a shift in customer base, etc. Changes must be carefully planned so as not to disrupt your organization’s ongoing capability and responsibility to effectively meet customer and regulatory requirements. In such instances, change control would require:

  • careful planning of nature and timeline for the changes;
  • determining the impact or outcome of such changes;
  • ensuring adequate resources are available to implement the change;
  • top management authorization;
  • change deployment and follow-up;
  • review of the QMS by top management after changes are effected.

The ISO 9001:2015 requirements provide a strong basis for a management system for business that supports the strategic direction of the organization. The organization first identifies its context and interested parties and then identifies the processes that support this linkage. Once processes are determined, an organization will need to identify the risks and opportunities associated with these processes. To achieve the benefits associated with the determination of risks and opportunities, changes may be needed. These changes can be related to any element of the process, such as inputs, resources, persons, activities, controls, measurements, outputs, etc. Changes are intended to be beneficial to the organization and need to be carried out as determined by the organization. In addition, newly introduced risks and opportunities need to be taken into account. There may be changes in the QMS due to customer feedback, customer complaints, product failure, employee feedback, innovation, determined risk, determined opportunity, internal audit results, management review results, or identified nonconformity.

The changes may occur in, for example, processes, documented information, tooling, equipment, employee training, supplier selection, supplier management, and others. To achieve the benefits associated with changes, the organization should consider all types of changes that may need to occur. The successful management and control of these changes have become a core requirement within the organization’s QMS. Some changes need to be carefully managed while others can be safely ignored. In order to sort through this, the organization should consider a method to prioritize. To determine the priority, the organization should consider a methodology that allows it to take into account:

  • Consequences of the change
  • Likelihood of the consequence
  • Impact on customers
  • Impact on interested parties
  • Impact on quality objectives
  • Effectiveness of processes that are part of the QMS

Steps to implement changes:

  • Define the specifics of what is to be changed
  • Have a plan (tasks, timeline, responsibilities, authorities, budget, resources, needed information, others)
  • Engage other people as appropriate in the change process
  • Develop a communication plan (appropriate people within the organization, customers, suppliers, interested parties, etc. may need to be informed)
  • Use a cross-functional team to review the plan and provide feedback related to the plan and associated risks
  • Train people
  • Measure the effectiveness

Prior to making a change, the organization should consider unintended consequences. After making a change, the organization should monitor the change to determine its effectiveness and to identify any additional problems that might be created. Records of some changes may be needed as part of the Quality Management System.

Example of change Management procedure
