6.1 Actions to Address Risks and Opportunities [ISO 45001 Procedure]

6.1.1 General

ISO 45001 requires you to confirm that your organization has a methodology in place that enables you to effectively identify risks and opportunities with respect to the planning of its OH&S Management System.

Use a "Risk & Opportunity Register" to identify and record the risks and opportunities facing different areas of the business. Identifying a risk is a critical step in managing it; the register allows your organization to assess each risk in the context of its overall strategy and to record the controls and treatments applied to those risks.



Reference to risk-based thinking is present in the following clauses of the standards:

  1. Determine and address risks (Clause 4.4.1)
  2. Promote risk-based thinking (Clause 5.1.1)
  3. Ensure risks determined and addressed (Clause 5.1.2)
  4. Determine risks that need to be addressed to achieve intended results (Clause 6.1.1)
  5. Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2)
  6. Control those risks identified (Clause 8.1)
  7. Evaluate effectiveness of actions on risks (Clause 9.1.3)
  8. Review effectiveness of actions on risks (Clause 9.3.2)
  9. Improve the OH&S Management System by responding to risk (Clause 10.3)

The risks and opportunities should be relevant to the context of your organization (Clause 4.1), as well as to any interested parties (Clause 4.2). You should ensure that your organization has applied this risk identification methodology consistently and effectively.

What process has been developed to identify risks and opportunities? In the absence of documented processes or procedures, you may need to use observations and interviews (and a review of the process output, which may contain documented evidence) to assess whether undocumented processes are being carried out as planned.

External and internal issues, and relevant needs and expectations of relevant interested parties may be sources of risks. Objective evidence may be in the form of a dedicated risk matrix, risks added to other forms such as an aspect register, corrective/preventive action log and forms, etc.

Not all processes of an OH&S Management System represent the same level of risk in terms of your organization’s ability to meet its objectives. For this reason, the consequences of failures or nonconformities in relation to processes, systems, products and/or services will not be the same for all organizations.

When deciding how to plan and control the OH&S Management System, including its component processes and activities, your organization needs to consider both the type and level of risk associated with them. Ensure that your organization is taking a planned approach to addressing risks and realizing opportunities, and that any actions taken have been recorded.

Options to address risks and opportunities can include:

  • Avoiding the risk
  • Taking the risk in order to pursue an opportunity
  • Eliminating the risk source
  • Changing the likelihood or consequences
  • Sharing the risk
  • Retaining the risk by informed decision
  • A SWOT analysis by the organization, as part of its business strategy, to identify external risks and opportunities and an action plan to address them
  • A formal business risk assessment performed by the organization, taking into consideration its context, the associated risks and opportunities, and a mitigation plan
  • Use of the process approach by the organization to identify the sources of input, activities, outputs, receivers of output, the performance indicators used to control and monitor processes, the risks and opportunities associated with them, and an action plan to address them

Your organization should begin to view the management of risks to its people, assets and all aspects of its operations as an important responsibility. Implement and maintain a risk management process to protect and support your organization’s responsibilities.


Risk Management Benefits

An effective risk management approach is not only good business practice but provides organizational resilience, confidence and benefits, including:

  • Provides a rigorous decision-making and planning process
  • Provides the flexibility to respond to unexpected threats
  • Takes advantage of opportunities and provides competitive advantage
  • Equips managers with tools to anticipate changes and threats, and to allocate appropriate resources
  • Provides assurance to Top management and stakeholders that critical risks are being managed
  • Enables better business resilience and compliance management

Risk Register

Identifying Risks and Opportunities - Use a Risk & Opportunity Register

While not mandated by ISO 45001:2018, risk registers can help identify and record the risks and opportunities facing different areas of the business; identifying a risk is a critical step in managing it.

Risk registers allow your organization to assess each risk against the overall context of the organization and help to record the controls and treatments applied to those risks.

Risk registers can be developed in tiers:

  1. Strategic level
  2. Operational level
  3. Process level

The risk register, or risk log, is essential because it records the identified risks, their severity, and the action steps to be taken. It can be a simple document, spreadsheet, or database system, but the most effective format is a table, which presents a great deal of information in just a few pages.

As the register is a living document, it is important to record the date that each risk is identified or modified. Optional dates to include are the target and completion dates. A typical register records the following for each entry:

  1. Description of the risk
  2. Risk type (business, project, stage)
  3. Likelihood of occurrence: an assessment of how likely it is that this risk will occur
  4. Severity of effect: an assessment of the impact that the occurrence of this risk would have on the project
  5. Countermeasures and actions taken to prevent, reduce, or transfer the risk; this may include the production of contingency plans
  6. Risk owner: the person responsible for ensuring that the risk is appropriately managed and the countermeasures undertaken
  7. Current status: whether this is still a live risk or whether it can no longer arise and have an impact
  8. Other columns, such as a quantitative value, can also be added

Your organization should ensure that it has documented and clarified the roles, responsibilities, accountabilities and authorities at all levels of the business to address risk management. This ensures that a risk management approach is embedded in your operations through a number of communication, training and support systems.


Risk Management Training

To ensure that adequate risk management competency levels are achieved and maintained, your organization should provide training in the risk management process and its application.

Specific risk management training sessions should be held on an annual basis, aimed at providing an overview of the risk management process.

Instruments providing training on appropriate controls include:

  • Job descriptions, contracts
  • Inductions
  • Briefings
  • Toolbox talks
  • Policies
  • Procedures, process maps
  • Terms of reference
  • Performance planning

Risk management responsibilities, accountabilities and authorities should be set out in the following documented information:

  1. Risk management policy
  2. Job/position descriptions
  3. Internet/intranet
  4. Project/process/product/service documentation
  5. Performance planning and review documentation


The Risk Evaluation Cycle - 7 Steps

Risk evaluation can be represented as a seven step, cyclical process:

  1. Planning
  2. Identification
  3. Assessment
  4. Response
  5. Review
  6. Reporting
  7. Monitoring

Step 1: Risk Evaluation Process: Planning

Risk evaluation should become embedded into your organization’s day-to-day operations and should be undertaken at all levels throughout your organization.

The overall aim of risk evaluation is to ensure that organizational capabilities and resources are employed in an efficient and effective manner to manage opportunities and threats.

Your organization should develop and document a plan that briefly describes how and when risk, in the form of strengths, weaknesses, opportunities and threats, will be assessed, and who will be involved.

This should reflect the scope (including its complexity, interfaces, etc.), policies and objectives.

Step 2: Risk Evaluation Process: Identification

In this step, your organization should systematically identify those risks associated with the scope of the process that could significantly affect the achievement of objectives and product conformity.

Risk identification should be carried out with the full involvement of the relevant parties to ensure that the relevant perspectives and expertise are represented (e.g., appropriately qualified representatives from various functions, contractors, stakeholders, suppliers and specialists, as appropriate).

Strategic risk identification considers the relationship between your organization and the broader, external environment or community.

A range of issues should be considered in examining the strategic context, including:

  • Opportunities and threats associated with the local, regional, state and global economic, social, political, cultural, environmental, regulatory and competitive environments
  • Key thrusts of stakeholder strategies
  • Strengths and weaknesses in attaining objectives

Operational risk identification involves gaining an understanding of the organisation’s capabilities, goals, objectives, strengths and weaknesses by considering:

  • Organisational structure and culture
  • Geographical and demographical factors
  • The identity and nature of interaction with key internal or external stakeholders
  • The existence of any operational constraints
  • Objectives and key performance indicators
  • Business resilience vulnerabilities
  • Relevant issues relating to recent change management risk, performance or audit reviews
  • Relevant stakeholder community concerns or requirements
  • Regulatory and contractual requirements and constraints
  • Health and safety management systems

Step 3: Risk Evaluation Process: Assessment

Having identified all hazards and associated risks which could impact on occupational health and safety, the process of rating the risks for significance can be carried out. This crucial process, together with a thorough knowledge of legal and other similar requirements, provides the foundations of the health and safety management system.

This assessment process is vital in determining the need for controls aimed at either reducing risk to levels deemed to be tolerable or meeting the requirements of legislation.

The significance level (or risk rating) should then be used to prioritise actions. Remember that the importance of this process cannot be overestimated. If you get this process wrong, the whole system will be suspect.

The assessment of the severity of a risk should drive management attention and support the planning for risk mitigation.

Quantitative risk assessments (QRA) can be undertaken to provide an improved understanding of the risk profile and derive a more detailed understanding of certain cost and time risks. The output of QRA can also support decision making and monitoring of risk management activities.

Step 4: Risk Evaluation Process: Response

For each risk, the risk owner must establish an appropriate level of mitigation.

Control measures in addition to those already existing may be needed to achieve this level of mitigation. When a response action is completed, the risk should be reassessed (i.e., repeat Step 3) to reflect the newly introduced control measures.

Step 5: Risk Evaluation Process: Review

Regular reviews are essential to ensure that risks are being appropriately managed, and that the risk data remains accurate and reliable, reflecting any changes in circumstances or management activities.

Step 6: Risk Evaluation Process: Reporting

Regular reports are necessary to inform and provide assurance to Top management and other key stakeholders, that risks are being appropriately managed.

Reporting must be based on current process data, which must be updated and reviewed in good time for the reporting cycle (see Step 5 above).

On occasion, it may be appropriate to escalate a risk to ensure it is assessed and/or managed by the person or party best placed to do so (able and with appropriate authority), for example where a more substantial or coordinated response is required than the current owner can authorise or implement, or where the risk severity or its effects on the wider project justify higher-level assessment and/or management.

Step 7: Risk Evaluation Process: Monitoring

Continuous systematic and formal monitoring of implementation of the risk process and outputs will take place against appropriate performance indicators to ensure process compliance and effectiveness. Monitoring may take a variety of forms and range from self-assessment and internal audit to detailed reviews by independent external experts.

Updated: 1st April 2022
Author: Richard Keen

Richard is our Compliance Director, responsible for content & product development.
But most importantly he is ISO's biggest fanboy and a true evangelist of the standards.

Don’t Try to Manage It All Alone!

Our ISO Auditors and OH&S Trainers have been in this industry for years, and since 2002 we’ve been providing thousands of small businesses and large corporations with the tools they need to get certified.

Instead of trying to create everything you need to follow this process from scratch, use ours. We have procedures, templates, checklists, process maps, forms and gap analysis tools to help you control your documented information without missing a single input or output.

Before you invest all the hours reinventing the wheel, before you spend countless dollars outsourcing the task — try our templates.

Risks & Opportunities Procedure

The purpose of this procedure is to outline your organization’s risk and opportunity management framework and the activities within it.

The risk and opportunity management framework defines the current risk management process, which includes the methodology, risk appetite, and methods for training and reporting.


Forms & Reports also included:

  • Control of Risks & Opportunities Process Activity Map
  • Risk Register
  • SWOT Template
  • PESTLE Template
  • Compliance Obligation Register (ISO 14001 version only)
  • Environmental Aspect & Impact Register (ISO 14001 version only)
  • Interested Party Analysis (ISO 14001 version only)

Free Download - Control of Calibrated Equipment Procedure - this will give you a good idea of what to expect when you purchase the procedure and the current level of documentation required for ISO.

  • Written in International English
  • Fully-editable MS Word or Excel files, compatible with Google Docs and Apple Pages
  • All the templates use styles – making reformatting and rebranding a breeze
  • Immediate download

Pay by Credit Card, Debit Card, PayPal or Apple Pay.
We are 100% confident in the quality and contents of our products. Used by thousands of organizations around the world, our templates have been sold online since 2002.

Please read our Money Back Guarantee.


Are The Templates Suitable For You?

Bought by small businesses and large corporations, our templates have been sold online and on CD since 2002.

Used by:

  • Small Businesses – dentists, accountants, engineers
  • Large organizations – hospitals, power plants, aircraft manufacturers

The Templates are used by first-timers following our step-by-step, clause-by-clause guidance documents; and experienced Quality Managers wishing to streamline and improve their existing documentation.

The application of our templates is scalable and generic; regardless of the size and type of organization. The elements that form the quality management system are the same.


Five Reasons To Choose Our Templates

1. Our customizable templates save you time and money by offering a streamlined process to create your quality documentation

2. They’ve got everything you need in one simple template

3. Proven to work: our templates have helped thousands of businesses, big and small, achieve certification

4. Documents use styles to make reformatting and rebranding a breeze

5. Our templates are generalizable for any industry or sector. The application of our templates is scalable and generic; regardless of the size and type of organization.

