In Part II, I round off the controversial issue of positive and negative risk, expose more uncertainty in the new definition and in the way the term risk is used in ISO DIS 9001, and finally draw some conclusions.


Someone who is pursuing an opportunity may be taking a risk and someone who, by their actions, may miss an opportunity is taking a risk.  Thus when we set out to identify risks, we should not only be looking at what could go wrong if we do X in the short or long term but what could go wrong in the short or long term if we don’t do X.

Rock climbing is hazardous but also presents opportunities for adventure, excitement and pleasure. People who engage in rock climbing are at risk of injury, perhaps even death, and may find it difficult to get insurance. Rock climbers take risks and by doing so may gain great pleasure, but they don’t insure against the possibility of pleasure; they only insure against the possibility of harm. Insurance companies are interested in opportunities to make money out of people taking risks because the rock climber has transferred some of the risk to them, but to the insurance company risk will always be used in the negative sense.

As mentioned in Part I, in the finance sector volatility is referred to as a risk, but the risk is exposure to volatility rather than exposure to gain. This only matters to you if you have investments, and having made investments there is a risk that their value may go down. We would not say there is a risk the value will go up; we say there is a chance or opportunity that the value will go up. It’s this play on words that will create confusion among those outside the financial sector who are being asked to accept the new definition of risk.


David Hillson says[i] “there are things in the future that could happen but might not happen but if they did happen they would be helpful so they would help us to save money, save time, increase value and benefits enhance our reputation so we could look for these things and manage them proactively”. But most of us would call these uncertainties opportunities, e.g. we say there’s a chance we will win this new contract; we don’t say there’s a risk we will win this new contract unless doing so is going to have undesirable consequences. We say this new technology will save us money and therefore we should not miss the opportunity to adopt it. We don’t say this new technology will save us money and therefore we should not miss this risk.

My response to this is simple:

  • An uncertainty presents a risk if its occurrence may have a negative effect on an expected result and is therefore relevant.
  • An uncertainty presents an opportunity if its occurrence may have a positive effect on an expected result and is therefore relevant.


That risk is now ‘an effect’ is different to the way we normally use the word risk, in the sense of “exposure to a possibility”. An effect is the result of an action, but we are now being told that it’s more than a possibility and that it’s a certainty. According to the OED we use the term effect to describe an operative influence; a mode or degree of operation on an object, so ISO are also using the word effect differently to its normal use. If there is no action but the possibility of action there is only the possibility of an effect, but ISO appear adamant that a risk is an effect and not the possibility of an effect. The only explanation I can offer is that we can imagine an effect without experiencing it. Therefore ISO could be expecting us to refer to a situation as a risk where we are able to imagine that something good or bad could happen and may affect what we are trying to do. Wouldn’t it be simpler to use the words risk and opportunities as we have always used them? Well, TC 176 are not stupid; this is what they have done.


In every instance in which the term risk is used in the new draft it is used in the negative sense and never in the sense of a positive effect. In fact, other than in the guidance and definitions, the word risk is only used among the requirements in the form of the compound term “risks and opportunities”, with one exception in clause 8.5.5 on post-delivery activities where the meaning is obviously referring to loss. So it looks like TC 176 were taking no ‘risk’ that the word risk could be misunderstood, but nonetheless retained the new definition so as to cause confusion and uncertainty. So much for ISO/IEC Directives that require management system standards to be easily understood and unambiguous!

As mentioned in the introduction in Part I, the clause on preventive action has been removed and in its place a new clause added on “Actions to address risk and opportunities”. If risk (effect of uncertainty) can indeed be positive, why would Annex SL refer to opportunities? Could it be that not everyone on these committees thinks in the same way? The situation may change as we proceed to the FDIS, as these uncertainties certainly need to be resolved.

There is now a section on Risk-based thinking in the Introduction and another in Annex A entitled, Risk-based approach.  Whether it’s an approach or a way of thinking matters not, the intent is to change the way (a) we apply the requirements of ISO 9001 and (b) we manage quality.  This is a good thing because, for too long, the requirements have been treated by users as having to be met regardless of need.    The only exceptions that were permitted were to requirements in section 7.  Now, you are permitted to assess the risk and if you can produce evidence to show that the actions taken to address them are proportionate to the potential impact on the conformity of products and services, it appears you don’t need to meet a requirement that does not address a risk in the context of your organization.

A new guide to Risk-based thinking[ii] has been released by TC 176 in which there is a novel interpretation of the word opportunity. It now appears that when faced with the risk of being injured crossing the road, the options you consider in order to reduce or eliminate the risk are referred to as opportunities. This isn’t as crazy as it appears because it fits with my definition of an opportunity above, but these are not the only opportunities users of ISO 9001 should be identifying. New technologies, methodologies, concepts, legislation, skills etc. may enable your organization to bring innovative products and services to market more quickly than your competitors and satisfy more customers. Remember the second reason for using ISO 9001[iii] is to enhance customer satisfaction.


I have attempted to expose some of the uncertainties about risk in ISO DIS 9001.  The good news is that you can ignore the definition of risk given in ISO 9001 and assume the term risk is used in its negative sense and still understand and apply the requirements.  This is because almost everywhere the term risk is used in the standard it is combined with the word opportunity.

You have probably been taking a risk-based approach for years, e.g. when you analyzed nonconformities and took action to prevent their recurrence, you were addressing risk; when you introduced training, you were addressing risk; when you put in place controls over design, purchasing, production and service delivery, you were addressing risks. So there is nothing new except a definition you can ignore and the realization that bringing your arrangements for the management of quality under control is about managing risks and opportunities.


After a period in aircraft production and development, following which I qualified as a Chartered Engineer, I spent the next 20 years in quality management with British Aerospace and Ferranti International. For the next 15 years I operated as a management consultant and guided large and small companies through their ISO 9000 programmes, delivered quality management and auditor training courses throughout the world, set up my own consultancy business, Transition Support Ltd, and published several books on quality management, many of which have been translated into Japanese, Spanish and Italian. A member of the IQA (now CQI) since 1974, I was elected Fellow in 1988 and have served on and chaired several committees. In 2005 I took early retirement due to sudden sight loss but continue my interest in quality management. My Quality Systems Handbook, first published in 1992, is now in its 6th edition, and I developed this particular piece on risk as I undertake my research for a major revision to align with ISO 9001:2015.



[i] https://www.youtube.com/watch?v=GO2rpxjbi_A

[iii] See clause 1.0 b) of ISO 9001


  1. Hi, David. In ISO/DIS 14001, the ISO/TC 207 (Environmental management) has changed the term “risks and opportunities” that was imposed by the ISO Directives (Annex SL).

    They changed the term “risks and opportunities” to “RISK associated with threats and opportunities”. How does it fit with the definition of “opportunity” that you suggested above?

    Remembering that the ISO Directives state that “The aim of this document is to enhance the consistency and alignment of ISO management system standards by providing a unifying and agreed high level structure, identical core text and COMMON terms and core definitions”.

    It seems that this objective is not being achieved…


    • Francesco, I was aware there had been changes but not of the detail as I have not seen ISO DIS 14001. It depends on how they define threat because in common usage all threats might present risk but not all risks present a threat, e.g. machinery breakdown may be a risk but not a threat. Seems they are playing with words again. Why not use the term uncertainty?

      • David, they didn’t define threat nor opportunity, but ISO DIS 14001 clearly states that “An environmental aspect having the potential to cause an adverse impact to the environment can be considered a “threat”, whereas an environmental aspect having the potential to cause a beneficial environmental impact can be considered an “opportunity””.

        They adopted exactly the same definition of risk recommended by ISO 31000 (risk = effect of uncertainty on objectives), unlike Annex SL and ISO DIS 9001…

  2. Hi. In an article that was published some time ago by Quality Digest Daily under my signature, I strongly suggested that risk must not have only a negative meaning but that would have to be looked at as a challenge. However, my own interpretation of ISO DIS 9001:2015 is that risk keeps being viewed by ISO as a negative aspect or impact on quality management system. On the other hand, ISO’s TC/176 has always been excessively prudent in promoting innovative approaches, and – although it has made continual improvement a requirement – it seems it has forgotten the adage “no pain, no gain”.

    • Umberto, when you say “no pain, no gain” you are talking about taking risk and the possibility of something undesirable happening remains; it’s all a question of weighing up the potential benefits and harms of exercising one choice of action over another. It does not change the definition of risk.

      Perhaps we have moved into a risk-averse society and it’s all a confidence trick to take us back to an age when we were far more adventurous.

      • Yeah David, thank you. The Beatles’ song “Dear Prudence” was a lovely one but it looks as if we’ve become too prudent so as to be politically correct. An English she-writer wrote a little book titled “Dare”: I think that only a woman could write a book like that, males only feel comfortable with established traditions, in most cases. Your name reminds me of a scientist who worked on black holes and became famous for that, as I remember. We can’t – we must not – rely on thrilling films to release our desire, our need for adventure. We’ve to feel it with our skin.
