SGRII Insights  ·  ISO 9001:2015  ·  2026

Planning — Your Risk Register Is Not Your Corrective Action Log

The most damaging structural error in ISO implementation is merging risks with nonconformities. They serve opposite functions. Here’s the architecture that separates them.

SGRII Performance & Digital Solutions

QMS Practice  ·  April 2026  ·  10 min read

SGRII Pillar Lens

Risk

Clause 6 is where risk enters the management system — not as a standalone exercise, but as a planning discipline that shapes every operational decision that follows. When risk registers merge with nonconformity logs, the organisation loses the ability to distinguish between prevention and correction. The system can fix problems. It cannot anticipate them.

The Structural Separation That Defines System Integrity

Clause 6.1 requires the organisation to determine risks and opportunities that need to be addressed. Clause 10.2 requires the organisation to react to nonconformities and take corrective action. These are two fundamentally different activities: one is prospective (what could happen), the other is retrospective (what did happen). They require different inputs, different analysis methods, different decision criteria, and different registers.

Yet across the SME landscape, the single most common structural error is combining these into a single register — often labelled “CAPA” or “Risk and CAPA Log.” This creates operational confusion that undermines both functions. Risks without treatment plans get lost among closed nonconformities. Nonconformities without root cause analysis get mislabelled as “risks” and monitored rather than corrected. The result is a register that serves neither purpose and passes audit only because the auditor lacks the time to interrogate every entry.

The SGRII methodology enforces absolute separation: a Risk & Opportunity Register (Clause 6.1) and an NC & CA Register (Clause 10.2). They never merge. They feed different management review inputs. They serve different governance functions. This isn’t a formatting preference — it’s a system design decision that determines whether the organisation can distinguish between prevention and correction.

Clause 6.1 — Risk-Based Thinking Is Not Risk Management

ISO 9001:2015 does not require a formal risk management framework. It requires risk-based thinking — the integration of risk consideration into process planning and operational decision-making. The standard deliberately avoids prescribing a risk methodology, which gives organisations flexibility but also creates a gap that many fill with disproportionate bureaucracy.

An SME with fifteen employees does not need a five-by-five risk matrix with Monte Carlo simulation. It needs to demonstrate that it has considered what could go wrong in its key processes, what could go right (opportunities), and that it has planned actions to address both. The evidence can be as simple as documented meeting minutes showing risk discussion during process planning — provided the actions are traceable and outcomes are evaluated.

However, “risk-based thinking” without structured capture is just thinking. The SGRII Risk & Opportunity Engine provides the structured mechanism — 32 risks and 26 opportunities per standard, each with treatment or capture plans, KPI linkages, and rating conditionals (CRITICAL / HIGH / MEDIUM / LOW for risks; PURSUE / ACCELERATE / ENHANCE / SHARE-WATCH for opportunities). This gives the organisation a working tool that auditors can trace, leadership can review, and operational staff can act on.

Opportunities — The Neglected Half of Clause 6.1

Clause 6.1.1 explicitly requires the organisation to consider both risks and opportunities. In practice, opportunities receive a fraction of the attention. Most registers contain thirty risks and three opportunities — often generic statements like “opportunity to improve customer satisfaction” or “opportunity to expand into new markets.” These aren’t actionable. They’re placeholders.

The SGRII approach to opportunity identification uses independent identification as the primary method — deriving opportunities directly from process analysis, context review, and performance data. The mirror technique (inverting identified risks) is used as a supplementary method only, with a threshold of at least 50% independent identification to ensure the opportunity register reflects genuine strategic thinking, not mechanical risk inversion.

An organisation that can demonstrate it has identified, evaluated, and captured opportunities — with evidence of actions taken and outcomes evaluated — is operating at a maturity level that most certification bodies will recognise. An organisation that treats opportunities as an afterthought is conforming to the letter of the requirement while missing its purpose.
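The separation argued for above (a Clause 6.1 Risk & Opportunity Register kept apart from a Clause 10.2 NC & CA Register) and the 50% independent-identification threshold for opportunities, as an added illustration in Python. This is not SGRII's own tooling; the record fields, the check functions and the sample entries used in testing are assumptions, while the rating values and the 50% threshold come from the article.

```python
from dataclasses import dataclass
# Added example (not SGRII code): separate Clause 6.1 / 10.2 record types plus checks.
RISK_RATINGS = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
OPP_RATINGS = ("PURSUE", "ACCELERATE", "ENHANCE", "SHARE-WATCH")
MIN_INDEPENDENT_SHARE = 0.5  # at least 50% of opportunities not mirrored from risks
@dataclass
class Risk:  # prospective: what could happen (Clause 6.1)
    ref: str
    statement: str
    rating: str
    treatment_plan: str = ""
    kpi: str = ""  # KPI linkage
@dataclass
class Opportunity:  # prospective: the other half of Clause 6.1
    ref: str
    statement: str
    rating: str
    capture_plan: str = ""
    mirrored_from: "str | None" = None  # risk ref when derived by inversion
@dataclass
class Nonconformity:  # retrospective: what did happen (Clause 10.2)
    ref: str
    description: str
    root_cause: str = ""
    corrective_action: str = ""
def check_risks(risks):
    # A risk with no treatment plan or KPI link is the entry that gets lost.
    issues = []
    for r in risks:
        if r.rating not in RISK_RATINGS:
            issues.append(f"{r.ref}: unknown risk rating {r.rating!r}")
        if not (r.treatment_plan and r.kpi):
            issues.append(f"{r.ref}: no treatment plan or KPI linkage")
    return issues

def check_opportunities(opps):
    issues = []
    for o in opps:
        if o.rating not in OPP_RATINGS:
            issues.append(f"{o.ref}: unknown opportunity rating {o.rating!r}")
        if not o.capture_plan:
            issues.append(f"{o.ref}: no capture plan (placeholder)")
    independent = sum(o.mirrored_from is None for o in opps)
    if opps and independent / len(opps) < MIN_INDEPENDENT_SHARE:
        issues.append(f"only {independent}/{len(opps)} opportunities independently identified")
    return issues
def check_nonconformities(ncs):
    # An NC without a root cause ends up monitored like a risk instead of corrected.
    return [f"{n.ref}: missing root cause or corrective action"
            for n in ncs if not (n.root_cause and n.corrective_action)]
```

Because the three record types never share a list, a nonconformity cannot be filed as a risk and left unmonitored; each validator reports only the defects its own register can have.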

Clause 6.2 — Quality Objectives That Actually Drive Performance

Clause 6.2 requires quality objectives to be consistent with the quality policy, be measurable, take into account applicable requirements, be relevant to conformity of products and services and to enhancement of customer satisfaction, be monitored, be communicated, and be updated as appropriate. That’s seven explicit criteria — and most organisations meet three at best.

The typical failure: objectives are set annually, measured quarterly, and forgotten in between. “Reduce customer complaints by 10%” appears on a quality objectives register with no defined method, no assigned responsibility, no resource allocation, and no evaluation mechanism. When the objective isn’t met, nothing changes — it rolls forward to the next year with a revised target. This isn’t continual improvement. This is target administration.

The SGRII framework links quality objectives directly to process KPIs, management review outputs, and the Risk & Opportunity Register. Each objective has a defined owner, a monitoring frequency, an evaluation method, and a documented link back to the quality policy commitment from which it derives. The chain is traceable: policy → objective → KPI → monitoring → review → action.

Clause 6.3 — Planning of Changes

Often overlooked, Clause 6.3 requires the organisation to plan changes to the QMS in a structured manner — considering the purpose of the change, potential consequences, resource availability, and reallocation of responsibilities. In SMEs, changes happen constantly: new equipment, new suppliers, staff turnover, process modifications. Without a structured change management mechanism, each change introduces uncontrolled variation into a system that was designed for the conditions that existed before the change.

This is where Clause 6 connects directly to operational control (Clause 8.1) and performance evaluation (Clause 9.1). A planned change should trigger a risk assessment, a process review, a resource evaluation, and an effectiveness check. An unplanned change — or a change made without considering its system impact — is a governance failure, not an operational one.

THE SGRII RISK & OPPORTUNITY ENGINE

Available across all 12 ISO standards. 32 risks, 26 opportunities, treatment and capture plans, KPI linkages, dashboards, and review logs per standard. Structurally separated from NC & CA — by design.

Join the Conversation

Does your organisation maintain separate registers for risks (Clause 6.1) and nonconformities (Clause 10.2)? If they’re combined — can you articulate why that distinction matters for audit defensibility?

Practitioner perspectives that challenge or extend this analysis are particularly welcome. Leave your comment below — the SGRII team responds to every substantive contribution.
