Risk Analysis - Same Risk Treatment for Context and Interested Parties



Hi everybody

In doing the risk analysis in 4.1 and 4.2, following 6.1

I have identified in context people (internal) and competitors (external) but also have found the same for interested parties.

When addressing the risk and opportunities in both, could I apply the same

Or could I state that I don't need to analyze risks and opportunities for people and competitors in interested parties, because I have addressed them in Context?

Please give me feedback.


Super Moderator
The way I'm approaching it is that we have a "cloud" of considerations about which we do risk-based thinking; e.g., context, processes, interested parties, etc. Out of that cloud, we identify the actions that we want to take to mitigate risk or take on opportunities (we will not take action on every risk or opportunity). So we could certainly look at and 'combine' considerations.

Haven't been audited yet so I'm not sure how this will fly but it seems to make sense.


Thanks yodon

The standard, in 6.1, states to consider issues from 4.1 and requirements from 4.2 and to identify R & O. However, it is valid to not consider risk in processes which may be of very, very low impact.

What I'm doing regarding R & O is:

For example some of them:
Int parties:
(external) suppliers, clients, government, competitors, (internal) employees, top management.

For Context:
(external) client, economical issues, market, technological issues
(internal) employees' competence, processes performance, top management leadership, etc.

For each of them, I'm running the risk analysis by evaluating the risk values PXi and, according to a reference table, I define the treatment needed.

That is the methodology I've implemented; I hope it is worth the effort.

My audit will take place til January 2018.

Thanks for your comments

I hope other members could share their opinions.


Thanks Randy
I don't understand your answer; could you explain it a little bit more? I guess it is a technical issue.
Your point of view is important to me.


Super Moderator
Could anybody explain the requirement of surveillance audit (upgrade audit) in ISO 9001:2015?

Seems like you are talking about transition to ISO9001:2015 (Upgradation from ISO9001:2008 to ISO9001:2015). Surveillance audits are smaller (50% of Stage-2 i.e. certification audit). But this audit will be similar to recertification audit. You'll require same data and records as required during recertification audit.
E.g., 12 months of KPI data, internal audit, management review, etc.

I am considering you know the records required by ISO9001:2015 standard.