[This series of articles tries to emphasize the benefits of ISO 9001, and how to yield results from each major clause of the standard.]
Clause 6 of ISO 9001:2015 is called “Planning,” and deals with very high-level planning of your QMS itself. Later in the standard, ISO 9001 will deal with planning of operations and planning for actual work; that’s not what is being discussed here.
Essentially, the clause is comprised of three separate requirements, which ISO presumably thinks are important for planning your QMS before you execute it. These are risks, quality objectives and change management.
The first sub-clause is called “Actions to Address Risks and Opportunities,” and probably no other clause of ISO 9001 is as controversial. Essentially, ISO did not want to invoke full-blown risk management, so they adopted a “risk lite” approach which has led to a lot of confusion. A reading of the actual words in 6.1 shows that it doesn’t have any actual requirements: there is no requirement for any document, record or even a process; everything in the entire clause is entirely optional. Weird.
The good news here, then, is that you have a lot more freedom to interpret 6.1 how you see fit, in order to gain more advantages and benefits. I’ve written at length about implementing this clause (here, and in Surviving ISO 9001), so I won’t repeat that here. The short version is that based on the “Context of the Organization” information you derived from Clauses 4.1 and 4.2 (as discussed in Part 1 here), you will be left with a list of stakeholders and their requirements or issues of concern. You must then analyze each of those requirements/concerns to see if they are primarily a risk or an opportunity, or maybe a little of both. Once that’s done, you must do something to mitigate the risks (reduce their likelihood of occurrence, and/or their negative impact if they occur) and maximize the opportunities (increase their likelihood of happening, and/or the benefit if they do occur).
Because the clause is so loose on requirements, you can be as creative as you like in dealing with risks and opportunities. I recommend my COTO method, but you may have an entirely different approach. You should first list the risks, rank them (FMEA may be useful here), and then address the risks that hit a certain threshold based on the ranking; any below that threshold can be ignored, with justification. Whatever you do, be sure that you are taking a sufficiently detailed look at the risks which may impact on your company, and have plans on how to address each. The goal here should be to never be surprised by anything.
For opportunities, I recommend taking smaller bites; you could drown under a list of 1,000 things you’d like to do, but that’s not realistic. I find companies typically have an initial list of about 100 risks that they are working on, and only 10 — or less — opportunities. That’s fine. Whatever opportunities you are pursuing should be serious, not just fantasies.
The next sub-clause is called “Quality Objectives and Planning to Achieve Them,” and gets confusing if you read this without a greater understanding of ISO 9001 and its history. I won’t recap it all here, but suffice to say your process metrics (derived during your process work under clause 4.3) are your quality objectives. The authors just got confused on this point, but if you understand this, it makes things much, much easier.
You should have previously established measurable objectives which indicate when a process is veering out of control; you can now apply the requirements of the bulleted list in 6.2.1 to those objectives. I suspect you will find they are almost all already met, but this is a great time to double-check. Are the objectives in line with the overall philosophy of the Quality Policy? Are they all measurable, or merely slogans? Do they help ensure product quality?
The last sub-clause in this section is called “Planning of Changes,” and seems to represent a jolting forward, as if something was missing between the discussions on risks and objectives; rapidly, the standard starts talking about QMS change management. Maybe in the next edition of ISO 9001 we will get the missing materials.
The requirements here are very, very slim. Essentially, the standard is asking you not to make kneejerk changes to the QMS without due process and thoughtful consideration of the impacts of the changes. ISO 9001 doesn’t invoke full-blown “change management” here, so if you’re doing that, you’re ahead of the game. Consider this “change management lite.”
Clause 6, when implemented properly, should result in the following tangible benefits for your company:
- If you have a solid list of risks — whether via the COTO Log or a database, etc. — you can now manage these to ensure either that they never occur, or if they do, the damage is greatly minimized. You’ll never eliminate all risks, and much of risk management is science fiction anyway, but if you make an earnest effort here, you can sleep at night knowing you may be protecting 90% of your company from disaster or ruin. That’s good.
- If you have a brief but meaningful list of opportunities you are pursuing, this allows you to track your successes while not merely focusing on the negative (risks). It also becomes an opportunity (pardon the pun) to use a systematic formal approach in chasing down opportunities, rather than either through wishful thinking or scattershot, undisciplined actions.
- Extra points: there’s not much downside to opportunities!
- You should go back and ensure your process objectives from Clause 4 are meaningful, measurable, and provide some way of ensuring eventual product and service quality, not merely process adherence.
- By mentally understanding your process objectives are your quality objectives, you’ve just reduced your workload re: ISO 9001 implementation, too.
- By putting rules in place (a procedure?) for how to request, make and verify changes to the QMS, you will ensure the QMS remains flexible and adaptable, but also cannot be changed by any random employee for any minor reason.
- All of Clause 6, in general, will help ensure the QMS is properly planned, of course, and not created as some kind of Frankenstein monster hodgepodge.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.