Risk and Opportunity Management in ISO Standards
Risk and Opportunity in Brief
- Risk-based thinking required across all modern ISO standards
- Identify, assess, treat and review at planned intervals
- Opportunities recorded and pursued alongside risks
Risk and opportunity management explained
Risk-based thinking is the principle that ties every ISO management system standard together. ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301, ISO 37001, ISO 22458 and ISO 42001 all require the organisation to identify what could affect its objectives, assess how serious those things are, decide what to do about them, and act. The discipline differs by standard - quality is concerned with conformity and customer satisfaction, environmental with impacts on the environment, occupational health and safety with harm to workers, information security with confidentiality, integrity and availability of information - but the underlying logic is the same.
The standards are also clear that this is not just about avoiding problems. The clause that introduces the requirement is normally Clause 6.1 - Actions to address risks and opportunities, and the word "opportunities" is there deliberately. A management system that records nothing but threats is missing half the picture. Opportunities to improve products, win new markets, simplify processes or reduce costs are part of risk-based thinking and are required to be identified and acted upon in the same way.
What ISO means by risk and opportunity
ISO defines risk as the effect of uncertainty on objectives - either positive or negative. In practice the registers and processes that make this work treat risk and opportunity as two sides of the same coin: things that could affect the organisation's ability to deliver, where the organisation needs to make a deliberate decision about what to do.
The scope is broad. Strategic risks (loss of a key contract, change of ownership, market shift), operational risks (equipment failure, key person leaving, supply chain disruption), compliance risks (legal change, regulatory action), and external risks (climate change, geopolitical instability, technology change) all sit within scope where they could affect the management system. Opportunities are scoped similarly - new markets, process simplification, technology improvement, better supplier relationships and so on.
Operational hazards and incidents - workplace injuries, environmental aspects, information security events - are also risks, but they are typically managed through specialised assessments rather than the strategic register. The relationship between strategic and operational risk is covered later in this category.
Strategic and specialised risk
An effective management system distinguishes between two layers of risk work.
The first is the strategic risk and opportunity register - a single register held at the top of the management system that captures the headline risks and opportunities facing the organisation as a whole. This is where top management can see what could materially affect the business, what is being done about each, and where attention is needed. It is what most ISO standards have in mind when they refer to addressing risks and opportunities at the level of the whole organisation.
The second is a specialised or topic-specific risk assessment. Workplace hazards are typically recorded on their own register and in individual risk assessments, because health and safety law and ISO 45001 require it. Information security risk is assessed in terms of confidentiality, integrity and availability, with a risk treatment option selected for each risk, because that is how ISO 27001 structures the discipline. Business continuity uses business impact analysis with concepts such as recovery time objective and maximum tolerable period of disruption. Environmental aspects are assessed for significance using emergency potential, impact and legislation rather than likelihood and consequence. Bribery risk has its own due diligence approach. Consumer vulnerability uses risk factors and triggers tied to customer-facing touchpoints.
These specialised approaches are not separate management systems - they are part of the same one - but they are structured differently because the discipline requires it. The strategic register and the specialised assessments work together. A workplace injury hazard is recorded once in the workplace hazard register and assessed at the operational level; a recurring injury type that reflects a wider issue is escalated to the strategic register. An information security threat is assessed in the security register against specific assets and controls; any strategic implication is reflected at the strategic level too.
The practical guidance section at the end of this article shows how the alphaZ documents implement this layering across each ISO standard.
Risk rating - the unified scoring approach
A useful pattern across most strategic and specialised risk registers is to use the same scoring methodology - the same scale, the same definitions, the same wording. This keeps assessment consistent across disciplines, makes scoring easier to teach and audit, and lets risks recorded in different registers be compared on a common basis.
A widely used approach is a 3 by 3 matrix. Likelihood (Very Unlikely, Unlikely, Likely) crosses with consequence (Slightly Harmful, Harmful, Very Harmful) to give a risk rating of Tolerable, Moderate or Substantial. For business continuity assessments the consequence axis is rephrased as disruption to activities (Little Impact, Some Impact, Major Impact) but the bands map across.
The rating bands map to actions:
- Tolerable - risk acceptable. Monitor and add controls if needed.
- Moderate - monitor and reduce if possible.
- Substantial - risk mitigation strategy and additional controls required. A residual rating that stays Substantial after controls means further action is needed - this is normally raised on the issues and actions register.
Environmental aspects are typically scored differently because environmental significance is determined by emergency potential, impact and applicable legislation rather than by likelihood and consequence. This is a deliberate divergence and is handled in the environmental management category.
The mechanics of this scoring - how to define each level for the organisation, how to calibrate scoring across the team, how to avoid common pitfalls - are covered in the dedicated risk assessment article.
Risk and opportunity in the management system cycle
Risk and opportunity work feeds in and out of every other part of the management system. A review of interested parties and SWOT analysis can inform specific risks and opportunities. A strategic register records and prioritises them. Treatment decisions either close them out, log them on the issues and actions register for action, or accept them as residual. Outcomes are reviewed at internal audits and at the management review, where their effectiveness is formally evaluated. New risks and opportunities are added as the year progresses - not in an annual burst.
This cycle is the practical face of "risk-based thinking". A register that is filled in once when the management system is set up and then left untouched until the next external audit is the single most common finding in this area. The fix is not better forms - it is treating the registers as live working documents that get updated when something changes, with a brief formal review at planned intervals.
How the rest of this category fits together
The articles in this category build outward from this overview. The next layer covers identification (where risks and opportunities come from), assessment (the likelihood and consequence scoring in detail), the strategic register itself, treatment options, and managing opportunities as a discipline in their own right. Beyond that, separate articles cover the specialised disciplines - information security risk, business continuity, bribery, consumer vulnerability and climate change. Operational risk assessment for workplace health and safety is covered in the health and safety category, where it sits alongside the practical content on hazards and controls.
Risk-based thinking gets a lot of mystique attached to it. It does not need to. The standards want you to think about what could go wrong, what could go right, write it down, decide what to do, do it, and check it worked. That is it.
The trap most organisations fall into is treating the risk register as an artefact for the auditor, not a working document. If your register has not changed in a year, your business has either had a remarkably stable year or - more likely - the register is not being used. Either way the auditor will spot it.
When auditing risk-based thinking I look for evidence that the organisation has actually thought about its risks and opportunities, not just filled in a template. The strategic register tells me about the headline thinking. The specialised registers - workplace hazards, information security, business continuity, whichever apply - tell me about the discipline-specific thinking. I expect the same scoring methodology and the same language across them.
I look at the residual ratings and ask what happened where the rating stays Substantial. There should be an entry on the issues and actions register or evidence of further treatment underway. A register full of Tolerable ratings with no audit trail of how they got there is a flag, not a clean bill of health.
The opportunities side of the register is the part organisations most often neglect. The clause is called actions to address risks and opportunities - both words matter. A register that lists 30 risks and 2 opportunities is not wrong as such, but it is rarely a true reflection of the organisation. There are usually more opportunities sitting unrecorded than there are unrecorded risks.
Practical Compliance Guidance
The IMS1 Manual Section 2.5 covers risk-based thinking, risk management and the family of risk registers at the management system level. It sets out which registers apply for which standards, who is responsible for each, and how they connect to the management review and the issues and actions register.
The alphaZ documents below are designed to work as a coherent set across the ISO standards. The strategic register sits at the top, the specialised registers handle their disciplines, and the issues and actions register tracks treatment actions through to closure.
| alphaZ document | How to use it |
|---|---|
| ISO 9001/14001/45001 IMS Toolkit | Integrated toolkit including IMS1 Manual and the core risk registers used across quality, environmental and health and safety management. |
| ISO 9001 Management System Toolkit | Quality-only toolkit including IMS1 Manual and F-IMS23 Opportunities and Risks Register. Suitable where ISO 9001 is the only standard in scope. |
| F-IMS23 Opportunities and Risks Register | The strategic register. Captures the headline risks and opportunities for the organisation, with SWOT analysis, risk rating, controls and residual rating. |
| F-IMS22 Interested Parties Register | Records the organisation's interested parties and their needs and expectations. A primary input to risk and opportunity identification. |
| ER14 Hazard and Risk Assessment Register | The workplace hazard register and index of operational risk assessments. Used for ISO 45001 and to demonstrate compliance with the legal duty to assess workplace risk. |
| ER15 Information Security Risks Register | Asset-, threat- and vulnerability-based register for information security risk. Used for ISO 27001; links to the Statement of Applicability and to treatment decisions. |
| ER16 Business Continuity Risk Register | Disruption risk register for ISO 22301. Captures critical functions, recovery priority and business impact analysis. |
| F-IMS21 Business Continuity Register | Companion to ER16 covering the wider business continuity arrangements - critical functions, monitoring and testing, MTPD and RTO. |
| F-IMS34 Anti-bribery Compliance Register | Bribery risk register for ISO 37001. Records the anti-bribery management system arrangements, anti-bribery function, commitments and declarations. |
| F-IMS35 Business Associate Register | Bribery risk assessment of business associates - the people and organisations the company works with where bribery exposure could exist. Triggers due diligence where the rating is higher than Low. |
| ER33 Key Supplier Risk Register | Bribery risk assessment specifically for key suppliers, with status (approved, probation, suspended) and intervals for review. |
| ER24 Consumer Vulnerability Risks Register | Vulnerability risk register for ISO 22458 - risk research, case studies, advice provider details and ongoing monitoring of consumer-facing touchpoints. |
| F-IMS58 Vulnerability Risks Register | Companion to ER24 capturing vulnerability risk factors and triggers, with response guidance for staff. |
| F-IMS60 Environmental Aspects and Impacts Register | Environmental aspects register for ISO 14001. Uses a different methodology based on emergency potential, impact and legislation rather than likelihood and consequence. |
| F-IMS38 Climate Change Review | Climate change risk and opportunity review. Provides the climate change input required for several ISO standards following the 2024 amendments. |
| ER1 Issues and Actions Register | Where treatment actions arising from any of the risk registers are tracked through to closure, alongside other improvement actions. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation relevant to risk and opportunity management
Risk-based thinking under the ISO standards is a contractual requirement of certification, not a legal one. Several pieces of UK legislation do require organisations to identify and manage specific categories of risk, and the management system is the natural place for that work to be evidenced. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
- Management of Health and Safety at Work Regulations 1999
- Health and Safety at Work etc. Act 1974
- Data Protection Act 2018
- Bribery Act 2010
- Climate Change Act 2008
