www.iso-9001-checklist.co.uk
Risk & Opportunity
ISO 9001:2015 & ISO 45001:2018
This procedure is the property of Your Company. It must not be reproduced in whole or in part or otherwise disclosed
without prior written consent.
The official controlled copy of this procedure is the digitally signed PDF document held within our network server and
visible to all authorised users. All printed copies, and all electronic copies and versions, except the ones described
above, are considered uncontrolled copies which should be used for reference only.
Contents
1 Procedure ... 3
1.1 Introduction & Purpose ... 3
Process Overview ... 3
References ... 3
Terms & Definitions ... 3
1.2 Application & Scope ... 4
1.3 Roles, Responsibilities & Authorities ... 4
Roles & Responsibilities ... 4
1.3.1.1 Top Management ... 4
1.3.1.2 HSQ Manager ... 4
1.3.1.3 Line Managers & Supervisors ... 5
1.4 Risk Management Process ... 5
General ... 5
Identification ... 6
Assessment & Prioritization ... 7
1.4.3.1 Risk Assessment ... 7
1.4.3.2 Risk Criteria ... 8
1.4.3.3 Risk Evaluation ... 9
1.4.3.4 Risk Treatment ... 10
Risk Appetite ... 10
Reviewing & Reporting ... 11
Monitoring ... 11
Escalation ... 11
1.5 Opportunity Management Process ... 12
General ... 12
Opportunities for Improving Operations ... 12
Market Opportunities ... 13
1.6 Training ... 13
1.7 Communication ... 13
1.8 Documentation ... 14
Endeavour Technical Limited © 2024. All rights reserved Page 2 of 14
1 Procedure
1.1 Introduction & Purpose
The purpose of this procedure is to outline your organization’s risk and opportunity management framework
and the activities within it. The risk and opportunity management framework defines our current risk
management process, which includes the definition of risk criteria and the identification, assessment, evaluation,
prioritization and communication of actions to mitigate risks or to leverage opportunities.
Process Overview
The process overview (turtle diagram) provides internal and external auditors, process owners, and participants
an overview of the elements that are required by the risk and opportunity management process:
With what:
• HSQ requirements
• Customer requirements
• Organizational context
With who:
• Line/Dept Managers
• HSQ Manager
• Top management
Input:
• Customer requirements
• Compliance obligations
• Areas of concern
• Organization context
• Needs and expectations of interested parties
• Emergency preparedness
• Internal and external issues
Activity:
Determination of risks and opportunities relating to our organizational context and the relevant needs and
expectations of interested parties, including those that impact upon our HSQ management system’s ability to
achieve its intended results.
Output:
• Process improvement
• HSQ improvement
• Conforming processes
• Risk controls
• Enhanced desirable effects
• Integrated actions
• Residual risk evaluation
• New practices
How:
• Risk evaluation (5 x 5 matrix)
• Risk & Opportunity Register
• SWOT/PESTLE analysis
• Risk ownership
With what measure:
• Mitigation success levels
• Time to implement
• Residual risk scores
• Risk age/risk growth
References
Standard Title Description
BS EN ISO 9000:2015 Quality management systems Fundamentals and vocabulary
BS EN ISO 9001:2015 Quality management systems Requirements
BS EN ISO 45001:2018 OH&S management systems Requirements
BS EN ISO 19011:2018 Auditing management systems Guidelines for auditing
Terms & Definitions
Term Definition
Likelihood The chance of something happening
Consequence The outcome of an event having a negative effect on objectives
Risk An undesirable situation likely to occur, with a potentially negative consequence
Opportunity Opportunities are identified as positive effects of risk
Risk Assessment The overall process of risk identification, risk analysis, and risk evaluation
Risk Identification The process of finding, recognizing and describing risks
Risk Analysis A process to comprehend the nature of risk and to determine the level of risk
Risk Treatment Risk treatment is used in the context of dealing with negative consequences of risk
Risk Criteria The terms of reference against which the significance of risk is evaluated
1.2 Application & Scope
Risks and opportunities are defined by your organization as ‘something happening that may have an impact on
the achievement of our objectives or which may affect our health, safety and quality management system’. Risk
and opportunity management is a central part of our organization’s strategic management.
It is the process whereby management teams and risk owners methodically address the risks and opportunities
attached to their activities with the goal of achieving sustained benefits within their activity.
1.3 Roles, Responsibilities & Authorities
Regardless of the scope, roles and responsibilities are agreed by Top management and incorporated into
existing job descriptions, and included in yearly objectives. All roles and designated person(s), team(s), or
group(s) are clearly communicated across your organization in order to encourage or improve collaboration
and cooperation for cross-functional process activities.
Roles & Responsibilities
The roles and responsibilities associated with the risk and opportunity process are defined in the context of
the management function and are not intended to correspond with organizational job titles. A role refers to a
set of connected behaviors or actions that are performed by a person, team, or group in a specific context.
1.3.1.1 Top Management
Top management are responsible for:
1. Ensuring that the risk management framework is established, implemented, monitored, and reviewed
for improvement;
2. Determining the relevant external and internal strategic issues:
a. That affect the ability to achieve the intended outcomes of the HSQ management system;
b. That can impact the planning of the HSQ management system.
3. Assessing conditions capable of affecting or being affected by our organization;
4. Determining strategic direction and operational purpose;
5. Ensuring the policy and objectives are:
a. Compatible with our context;
b. Compatible with our strategic direction.
6. Retaining ultimate authority and responsibility for Risk Management.
1.3.1.2 HSQ Manager
The HSQ Manager is responsible for:
1. Ensuring that the risk management process is communicated and integrated throughout the
organization, and that risks are identified, managed and monitored in accordance with this process;
2. Ensuring monitoring activities exist to verify risk and opportunities are effectively managed;
3. Evaluating feedback from operational performance and identifying opportunities for improvement;
Endeavour Technical Limited © 2024. All rights reserved Page 4 of 14
The needs and expectations of workers and interested parties are initially captured and analyzed using the
Context & Interested Parties Analysis matrix. Issues arising are escalated to the Risk & Opportunity Register for
further analysis, evaluation and mitigation.
Process flow (reconstructed from the diagram):
Inputs: external and internal issues (4.1); requirements of relevant interested parties (4.2).
1. Determine issues: identify and capture issues using the Risk & Opportunity Register;
2. Identify existing controls and determine the level of risk (Likelihood x Consequence = Level of Risk);
3. Evaluate the risks and opportunities, and prioritize by risk level;
4. Identify and assess options, then implement mitigation measures to treat the risks;
5. Analyze and evaluate the residual risk;
6. Monitor and report the effectiveness of risk controls to stakeholders.
Identification
Risk and opportunity identification is a critical activity at both a strategic and operational level. It needs to
include all significant sources of risk, including those beyond our organization’s control. If a risk, threat, or
opportunity is not identified, there can be no strategy to address it. Additional risk sources may be identified
throughout the operational cycle. Listed below are some typical examples of risk sources:
1. Requirements (e.g., unclear operational needs, attributes, constraints, technology, or design
processes; change frequency, etc.);
2. Technical Baseline (infeasible or incomplete design);
3. Schedule (unrealistic schedule estimates and/or allocation, concurrency);
4. Manpower (inadequate staffing and/or skills);
5. Cost/Budget (uncertainty of estimates, funding issues);
6. External Factors (facilities, infrastructure, subject matter expertise, etc.).
Using the information gained from the context, particularly as categorized by the SWOT and PESTLE
frameworks, the next step is to identify the risks that are likely to affect the achievement of the goals of the
organization, activity or initiative.
The objective of this step is not to create an onerous and lengthy list of all possible risks but to identify all
significant risks that could impact our organization. Risks and opportunities are identified through the use of:
1. Workshops and focus groups, using brainstorming approaches;
2. SWOT Analysis Template to identify and analyze strengths, weaknesses, opportunities, and threats
relating to internal issues;
3. PESTLE Analysis Template to identify and analyze external context issues from local, regional,
national, and international perspectives relating to external issues;
4. Context & Interested Parties Analysis matrix to identify and list the needs and expectations of any
relevant interested parties and the risks or opportunities arising;
5. Interviews with respective management by the Risk Administrator;
6. The intranet as a means of reporting incidents or risks for consideration.
The aim is to generate a comprehensive list of sources of possible risks and future events that could impact
the objectives of delivering quality products to our customers on schedule and on budget. Your organization