ISO 9001 Risk control method - What could be the better way to control risks?

For those fellows who already have managed risks.
What could be the better way to control risks?

E.g. to use a format where the risk is identified, is assigned a probability and an impact, the risk value is calculated, and the causes and so on are also mentioned.
It could have document control, like any other change control, for example the control of the procedure for controlling documents.
This way, if a change in a risk is needed (impact, probability, action plans), by using this format the document changes revision, and the changes are tracked.

The other way could be a simple spreadsheet where risks are registered and all data related to the risk is fed in.
But... because this control is a "live" document, it could be very easy to change aspects of a risk without having evidence, because it is a dynamic document.

So, in the way you manage risks, which method do you think is best, and why?

Thank you for giving some light.

John Broomfield

Fully retired...

Why not analyze how risks already are managed?

By respecting how your organization already works as a system to convert customer needs into cash you’ll learn a lot and establish a good working relationship with your colleagues.

Reading the standard and imposing new ways of managing risk are unlikely to win the support of your colleagues.

Listen well to the system of which you are part to see for yourself how risks are identified and dealt with so project and process teams are assured of fulfilling objectives and other requirements.

Focus on what they do to prevent failure and be assured of success starting with top management and then with the project managers and process owners.

When doing this your auditor-style “please show me” questions more readily prompt any necessary improvements.


Joe Cruse

Mopar or No Car
X2 for John.

We did not try to shoe-horn in a SWOT form, or charts, or some other new/extra form to capture this activity in our QMS when going to 2015. Our organization does this ALL the time, and yours, in like manner, has been too, if it's been around for a while. You just need to take a look at how leadership and the core process (and sub-process) owners are communicating and discussing those risks and opportunities on a regular basis (daily, weekly, etc.), and determine a way to capture evidence of that assessment/control activity. No need to have your managers change what they do for this (unless, of course, it ISN'T happening, lol), just find a way to document it that makes sense to your organization. And if a formal SWOT form makes sense for your organization, let your freak flag fly with it.

For example, our department heads meet with top mgt 2-3 days per week, and this group are the people responsible for either our QMS' core processes, or the sub-processes that support the core processes. In these meetings, there is TONS of risk/opportunity assessment, and as the person responsible for the QMS, I take notes in these meetings to document that activity, so that it is available for both us and any auditor. Then, when we perform Mgt Review, we look at these same things, in more of an upper level view, and that gets documented too, as part of the Mgt Review requirements of the 2015 revision. No charts or SWOT forms, but fully documented, nonetheless. And NEVER let an auditor TELL you that you MUST be using some SWOT form or other set of forms to document this activity; any method that documents this meets the requirements of the standard. Depending on how you document it, you may have to help an auditor understand it fully, but if it makes sense to you and your organization, that's #1, after meeting the standard's requirements.
Thanks John and Joe for your advice.
I understand; regarding that, I don't have to worry about the way of documenting.

It depends on the organization how to manage this stuff.

But Joe, as you said, people are very interested in the management of risks, and you do
the documentation which is reviewed in the MRs.
The way it is being documented could be done very simply (no forms for requirements, no SWOTs, no format, no fishbones), but I think that at least you have minimal points of control, for example:
risk detected, process, risk value, actions for mitigation, those responsible for the actions, due dates, residual risk evaluation. Isn't it so?

