Most ISO 9001-certified organisations have a risk register: a spreadsheet listing risks by category, scored for likelihood and impact, with a response column that reads “monitor” or “mitigate.” It was built during implementation, updated before management review, and presented to auditors as evidence of risk-based thinking.
It satisfies none of the ISO 9001 Clause 6.1 requirements it’s supposed to address.
What ISO 9001 Clause 6.1 Actually Requires
ISO 9001:2015 Clause 6.1.2 requires organisations to plan actions to address risks and opportunities — then integrate those actions into QMS processes and evaluate their effectiveness. The clause does not require a risk register. It does not require a risk matrix. It requires that identified risks produce observable downstream effects in how the organisation plans and controls its work.
The operative word is “integrate.” Clause 8.1 makes the connection explicit: organisations must plan, implement, and control processes needed to implement the actions determined in Clause 6. That cross-reference is not editorial — it is the mechanism by which risk planning outputs must reach operational controls.
Clause 6.2 closes the loop on the other side. Quality objectives must respond to the organisation’s context, and the planning to achieve them must specify what will be done, by whom, and how results will be evaluated. A high-rated supply chain risk identified in ISO 9001 Clause 6.1 that produces no corresponding supply chain resilience objective under Clause 6.2 is a risk entry with no operational consequence.
The standard’s architecture is a chain: 6.1 identifies → 6.2 sets objectives → 8.1 implements controls. Break any link and the register becomes a standalone document that satisfies none of them.

Where Organisations Fail the Integration Test
The failure mode is consistent enough to have a name among auditors: the document artifact.
An auditor picks a high-rated entry from the risk register and traces it forward. Where did this risk produce a change? Which work instruction was modified? Which acceptance criterion was tightened? Which Clause 6.2 objective was set in response?
The quality manager retrieves the register, points to the action column — “monitor quarterly” — and cannot identify a single process document that changed because of that entry. The risk was identified, scored, and filed. The process ran unchanged beside it.
Opportunities fare worse. In most registers, they occupy a compliance column alongside risks. Someone needed to fill the field because the standard says “risks and opportunities.” That was the entire rationale. No owner. No completion date. No linkage to improvement planning. Auditor Training Online documents this as a recurring nonconformity pattern: risk logs that are generic, disconnected from Clause 4.1 context analysis and Clause 4.2 interested party requirements.
The auditor’s integration test, as NovelVista frames it: risks must be reflected in quality objectives, operational controls, supplier evaluation processes, and change management practices. A register that feeds none of these is not evidence of ISO 9001 Clause 6.1 conformance — regardless of how carefully it scores likelihood and impact.

What Changes Under ISO DIS 9001:2025
The draft standard targets this pattern structurally. ISO DIS 9001:2025 splits the current Clause 6.1.2 into two independent requirements: Clause 6.1.2 for actions to address risks, and a new Clause 6.1.3 for actions to address opportunities. Both are classified as Major changes by Advisera’s clause-by-clause analysis.
This is not a wording refinement. It is a structural separation that makes it procedurally impossible to satisfy both requirements through a single undifferentiated register. Opportunities will require their own identification process, their own analysis, their own planned actions, and their own effectiveness evaluation — a standalone process obligation, not a column header.
The DIS also raises the evidentiary standard. Organisations must “analyse and evaluate” risks and opportunities — not merely identify them. SGS transition guidance confirms the risk/opportunity split as a top action item, advising organisations to revisit how risks and opportunities are distinguished and addressed in planning. That revisit is not cosmetic.
Notably, Clause 8.1 receives only an editorial change classification in the DIS. The operational planning linkage requirement does not change. The failure mode is entirely owned by current practice — meaning organisations cannot wait for the new edition to fix it. The gap exists now, under ISO 9001:2015, and auditors are already testing for it.
⚠️ ISO DIS 9001:2025 content is draft and subject to change before final publication, currently targeted for Q3–Q4 2026.

The Audit Traceability Gap No Guidance Resolves
No IAF guidance document, UKAS technical note, or major CB publication defines what constitutes sufficient traceability between Clause 6.1 risk/opportunity outputs and Clause 8.1 operational planning inputs. The mechanism by which a risk register entry must connect to a process control change is not specified in any T1 audit checklist identified.
This silence matters practically. It means the sufficiency of your integration evidence is assessed by individual auditors against their interpretation of the clause chain. Some auditors will accept a narrative in the management review minutes. Others will require cross-referenced process documentation. The absence of a defined minimum creates audit variability — and that variability falls on the organisation to manage by building traceability that satisfies the strictest reasonable interpretation.
This gap is not unique to ISO 9001. The Annex SL harmonised structure shares the same 6.1→8.1 architecture across ISO 14001:2015 and ISO 45001:2018. Organisations running an integrated management system face the identical linkage problem three times, with no standard-specific guidance resolving it.
Practical Steps to Close the ISO 9001 Clause 6.1 Gap
- Audit the chain, not the register. For every risk entry rated medium or above, trace it forward to a specific Clause 8.1 process control. If no process document, work instruction, or controlled condition reflects the risk response, the entry is unimplemented regardless of its register status. Document the gap and initiate a Clause 6.3 change plan. A structured gap assessment against the clause chain, not just the register, is the most effective starting point.
- Separate opportunities now. Extract every opportunity entry from the risk register into a dedicated opportunity log. Assign an owner, a planned action, a linkage to a Clause 6.2 objective or improvement initiative, and a review date. An opportunity with no owner and no action does not conform now — and the DIS will make that gap structurally visible.
- Build the cross-reference. Create a traceability document that maps each risk/opportunity to the objective it affected or the process control it changed. Where no change was required, document the rationale. This table — risk/opportunity → objective or process control affected → evidence reference — is the primary audit-defensible integration artefact for Clauses 6.1, 6.2, and 8.1.

Key Takeaway
A risk register that lists risks without changing anything downstream is the most common ISO 9001 Clause 6.1 conformance failure, and most organisations don’t know they have it because the register itself looks complete. The conformance test is not whether you documented risks. It is whether those risks produced observable changes to process controls and quality objectives. ISO DIS 9001:2025 will make this gap structurally visible by requiring separate, affirmative responses to risks and to opportunities, not a merged register column. The preparation work is not a future task: the integration gap exists under the current edition, and closing it now is both a conformance fix and a transition head start.
Clause references reflect mapped standard requirements. Verify against current edition before audit use.