Actions to address risks & opportunities
Plain-language summary
Before things go wrong, work out what could — and what could go right — and plan actions proportionate to the impact on your product and customers.
What the clause is really asking
Take the issues from 4.1 and the interested parties from 4.2 and turn them into planned action: which risks threaten the QMS achieving its intended results, which opportunities are worth chasing, what you will do about both, and how you will build that into your processes and judge whether it worked. No formal risk method is prescribed; proportionality is the principle.
What auditors look for
Auditors trace the thread: context issues → risk register → actions → evidence the action happened → evaluation of effectiveness. They probe whether risks live in the processes (FMEA-style thinking at operations level) or only in a register nobody opens, and whether any opportunity was ever actually pursued.
Typical evidence
Risk and opportunity register; action plans with owners and dates; management review evaluation; process-level risk evidence (e.g. FMEAs as input).
How to comply — recommendations
A one-page register scored simply (impact × likelihood) is enough for an SME. Review it quarterly, retire dead risks, and force at least one opportunity action per cycle; auditors rarely see the opportunity half done, and it is where the business value sits.
Common nonconformities
A risk register created for certification and never updated; risks with no linked action; opportunities section empty; no evaluation of whether actions worked.
Related clauses
IATF 16949: extended by 6.1.2.1-6.1.2.3; ISO 14001 6.1; ISO 45001 6.1
Qlause provides interpretive guidance only and is not a substitute for the standard. Refer to your licensed copy of ISO 9001 / IATF 16949 for the authoritative text.