Planning in the PDCA Cycle
ISO 9001 is structured around the Plan-Do-Check-Act (PDCA) cycle. Clause 4 is the first Plan activity — context and scope analysis. Clause 6 is the second Plan activity — determining risks and opportunities, setting quality objectives, and planning QMS changes. The outputs of Clause 6 (risk and opportunity register, quality objectives plan, change management process) become inputs to Clause 7 (resources) and Clause 8 (operations). Planning must precede implementation; organizations that skip rigorous planning and move directly to implementation create chaotic QMS structures that become difficult to manage.
Clause 6.1: Addressing Risks and Opportunities
ISO 9001 explicitly incorporates risk-based thinking into QMS requirements. Clause 6.1 requires organizations to determine risks and opportunities that could affect the QMS's ability to achieve its intended outcomes and meet customer and regulatory requirements. The organization must plan actions to address these risks and opportunities and then evaluate whether those actions have been effective.
It is important to understand what ISO 9001 means by "risks" and "opportunities" in this context. Risks are factors that could prevent the organization from meeting its objectives. Opportunities are factors that could help the organization achieve or exceed its objectives. Both require planning and action.
| Risk Category | Example | Planning Action | Evaluation Method |
|---|---|---|---|
| Customer-facing risk | Misunderstanding complex customer requirements | Structured requirements review with customer sign-off | Reduction in requirements-related NCRs |
| Process risk | Key person dependency in quality-critical process | Cross-training, documented procedures, knowledge transfer | Knowledge transfer verification, process capability stable |
| Supplier risk | Single-source critical component | Approved alternate supplier development | Alternate supplier qualified and tested |
| Regulatory risk | Regulatory change affecting product conformity | Regulatory monitoring process, procedure update mechanism | Compliance verification, audit readiness |
| Opportunity | Digital process automation reducing variation | Investment case, pilot program, resource allocation | Process capability improvement, reduced variation metrics |
Clause 6.1 in Practice: What Is and Isn't Required
An important clarification: ISO 9001 does NOT require a formal risk register with complex ISO 31000 methodology, risk scoring matrices, or heat maps. It requires that risks and opportunities affecting the QMS are identified, that actions are planned to address them, and that the effectiveness of those actions is evaluated. A simple, well-maintained list of identified risks and the actions being taken is perfectly acceptable. Complexity is not a virtue in QMS documentation.
Many organizations distinguish between QMS-level risks (addressed in Clause 6.1 and documented in a risk register) and process-level risks embedded in operational procedures and process controls. This distinction is helpful but not required by the standard. The important thing is that risks affecting QMS outcomes are identified and managed somewhere in the system.
Clause 6.2: Quality Objectives
Quality objectives are targets that the organization sets for QMS performance. The standard requires that quality objectives are consistent with the quality policy, measurable, and monitored. This last point is critical: if an objective is not measured, the organization cannot demonstrate whether it has been met. Immeasurable objectives are a common nonconformity in certification audits.
| Objective Category | Example | Measurement | Target | Frequency |
|---|---|---|---|---|
| Customer Satisfaction | On-time delivery rate | % orders delivered on schedule | >95% | Monthly |
| Product/Service Quality | First-pass acceptance rate | % deliveries accepted without revision | >98% | Monthly |
| Customer Satisfaction Survey | Customer satisfaction score | Average score on satisfaction survey | >4.2/5.0 | Quarterly |
| Nonconformity Management | Customer complaint response time | Days to formal resolution | <5 working days | Monthly |
| Improvement Culture | Corrective action closure rate | % CA closed within agreed timeframe | >90% | Monthly |
Setting Objectives That Drive Behavior
Quality objectives should reflect meaningful business targets, not generic aspirations. An objective that says "improve customer satisfaction" is not a quality objective — it is a direction without measurement. An objective that says "achieve a customer satisfaction survey score of 4.2 or above on a 5-point scale, measured quarterly" is a quality objective that can be tracked and reported. At the same time, objectives should not be set so easily that they are always met with no effort. The best objectives create genuine improvement pressure while remaining achievable with focused effort.
Quality objectives must connect to actual customer and business outcomes. Setting objectives that look good in documentation but do not drive operational improvements creates a compliance burden rather than a management tool. The management review (Clause 9.3) is the mechanism for reviewing objective performance and making decisions about objectives that are not being achieved.
Clause 6.3: Planning of Changes
When changes are made to the QMS — whether adding a new process, redesigning an existing process, changing suppliers, implementing new technology, or restructuring the organization — these changes must be planned in a controlled manner. Clause 6.3 requires that planned QMS changes are made in a planned manner, including: understanding the purpose and expected outcomes of the change, assessing potential consequences of the change for QMS effectiveness and other business areas, ensuring adequate resources are available for the change, assigning clear responsibility and authority for change implementation, and maintaining appropriate documented information about the change.
Common QMS changes requiring Clause 6.3 process include: introducing new products or services, entering new markets or customer segments, implementing new technology platforms, outsourcing previously internal processes, adding new suppliers or changing critical suppliers, restructuring the organization, and changes to manufacturing processes or facilities. Organizations typically maintain a change management register documenting all changes made to the QMS during the year.
Risk and Opportunity Documentation
The documented information required for Clause 6.1 is a risk and opportunity register or risk management plan. This document should identify the key risks and opportunities affecting the QMS, describe the actions planned to address them, assign responsibility for managing each risk/opportunity, and include a mechanism for tracking whether actions are being implemented and whether they are effective. The risk register is presented and reviewed at each management review meeting.
| KEY IDEA | ISO 9001 does not require a formal risk register, an ISO 31000 methodology, or a risk scoring matrix. It requires that risks and opportunities affecting QMS outcomes are identified, addressed, and the effectiveness of actions evaluated. A simple, well-maintained list is perfectly acceptable. Auditors are looking for evidence of risk-based thinking, not complex risk management documentation. Focus on substance, not on impressive matrices. |
| IMPORTANT | Quality objectives must be measurable. "Improve customer satisfaction" is not a quality objective — it is an aspiration. "Achieve a customer satisfaction survey score of 4.2 or above on a 5-point scale, measured quarterly" is a quality objective. Unmeasured objectives will generate a major nonconformity at certification audit. Every quality objective must have a defined measurement method, target, and review frequency. |
| BITLION INSIGHT | The most common Clause 6 finding in Indonesian ISO 9001 audits is quality objectives that exist in documentation but are not actively monitored. The objective is defined, the measurement is specified, but the data is never collected or reviewed. The fix is straightforward: build objective measurement into the monthly management reporting cycle as a standing agenda item. Make quality objective performance as routine as sales reporting or financial reporting. |