Chapter 15: What Clause 6.1 Really Demands: Beyond the Risk Register Checkbox

Let's start with what ISO 9001:2015 actually says. Clause 6.1 requires your organization to determine risks and opportunities that need to be addressed to give the QMS the ability to achieve its intended results. That language is deliberately open. It doesn't say "create a risk register." It doesn't say "perform FMEA on all processes." It says you need to identify risks, evaluate them, and act on them in a way that's proportionate to your business.

Here's the critical distinction: Auditors in 2026 are looking for evidence that risk thinking happens at three distinct levels—and that these levels talk to each other.

Level 1: Strategic Context (Clause 4)

Your organization faces risks from the external environment: supply chain disruptions (especially post-COVID in North American manufacturing), rising labor costs, changing customer requirements under IATF 16949 if you're automotive, regulatory shifts in provinces like Ontario and Quebec, and market pressure on lead times. These risks shape how you've defined your quality policy, your scope, and your planning horizon.

A plant manager who doesn't consider whether a key supplier could fail—or whether a new customer's inspection protocol demands a new control—hasn't engaged with Clause 4 properly.

Level 2: Operational Processes (Clause 6.1)

This is where most plants focus—and where most also get stuck. Every process in your shop floor has risks: receiving inspection might miss a non-conforming batch, setup might drift out of tolerance, welding might have porosity, assembly might swap parts. The question isn't whether risks exist (they do everywhere); it's whether you've identified the risks that matter to *your* customers and *your* capability, and whether you've built controls that actually catch them.

Level 3: Change Management (Clause 6.3)

When you introduce a new tool, hire an operator, change suppliers, or modify a process, you must evaluate risks *before* you make the change. Too many plants treat Clause 6.3 as a paperwork step. It's actually where your best prevention happens.

The mistake most plants make is treating these three levels as separate silos. They're not. Your strategic risk of "supplier failure" cascades into an operational risk tied to your incoming inspection process, which demands a specific control (perhaps 100% incoming inspection instead of AQL sampling), which requires training and procedures and audit checkpoints.

That connection—from strategy to operation to change—is what separates a QMS that auditors respect from one that's just theater.