ISO 9001 Clause 6, Planning, turns context into action: determine and address the risks and opportunities facing the QMS (6.1), set measurable quality objectives with plans to reach them (6.2), and manage changes to the QMS in a controlled way (6.3).

Clause 6 is the bridge between knowing your business and running it deliberately. It takes the issues and interested parties you named in Clause 4 and asks a simple question: so what are you going to do about them? Done well, Clause 6 is a short, living plan. Done badly, it becomes a risk register nobody opens and a wall of objectives nobody tracks. The difference is whether the paperwork drives real action.

What does ISO 9001 Clause 6 require?

Clause 6 has three parts. 6.1 asks you to determine risks and opportunities and plan actions to address them. 6.2 asks you to set quality objectives and plan how to achieve them. 6.3 asks you to plan changes to the QMS so you do not break the system while improving it. The through-line is that planning is proactive: you decide what could go wrong or go right before it does, and you act.

How Clause 6 planning connects context to operationPlanning turns context into controlled actionCLAUSE 4issues + parties6.1 RISKS + OPPS6.2 OBJECTIVES6.3 PLAN CHANGESCLAUSE 8operationCLAUSES 9+10check + improvePlan-Do-Check-Act runs through the whole standard; Clause 6 is the Plan.
Clause 6 is the "Plan" in Plan-Do-Check-Act. It converts context into risks, objectives, and controlled change.

How do you address risks and opportunities (6.1)?

Clause 6.1 requires you to determine the risks and opportunities that need to be addressed to give the QMS its best chance of achieving intended results, preventing or reducing undesired effects, and improving. Then you plan actions to address them and plan how to integrate those actions into your processes and evaluate whether they worked. This is what the standard calls risk-based thinking, and it replaced the old preventive-action clause in the 2015 revision.

Here is the part people miss and auditors love to point out: ISO 9001 does not mandate a formal risk method. There is no requirement for a risk register, a scoring scale, or an FMEA. The requirement is to think about risk and act proportionally. That said, most plants find a light method helps. A simple likelihood-versus-severity grid ranks what deserves attention. For higher-stakes process risks, a structured tool like FMEA or a study of process variation on a statistical process control chart gives you a defensible basis. The key word in 6.1 is proportional: the effort spent on a risk should match the harm it could do.

A likelihood-versus-severity risk matrix for 6.1Rank risks by likelihood and severity (6.1)watchkey setter issole expertact nowsupplier single-source partacceptHIGHMEDLOWLIKELIHOODMINORMODERATESEVERESEVERITY
A risk matrix keeps 6.1 proportional: the top-right corner gets your effort, the bottom-left gets a note.

Opportunities get less airtime but the clause asks for them by name. An opportunity is a favorable circumstance you could act on: a new product line, an automation grant, a process that could be simplified, a customer relationship worth deepening. Treating opportunities seriously is what keeps a QMS from being purely defensive.

A word on what "address" means, because auditors probe it. Clause 6.1 does not say you must eliminate every risk. It says you must determine which risks and opportunities need to be addressed and plan actions for them, then integrate those actions into your processes and evaluate their effectiveness. Addressing a risk can mean avoiding it, taking it on to pursue an opportunity, removing its source, changing the likelihood or consequences, sharing it, or accepting it by an informed decision. The nonconformity to avoid is a register full of high risks with a blank action column, or actions that were planned but never woven into how the work actually runs. The test is traceability: pick any significant risk and you should be able to point to the action, the owner, where it lives in a process, and evidence it was checked.

How do you write good quality objectives (6.2)?

Quality objectives are measurable targets for quality, set at relevant functions and levels, that are consistent with the quality policy. Clause 6.2.1 lists what they must be: consistent with the policy, measurable, mindful of applicable requirements, relevant to product conformity and customer satisfaction, monitored, communicated, and updated as needed. In plain terms: pick targets that matter, that you can measure, and that connect to the policy leadership set in Clause 5.

Clause 6.2.2 is the part most plants underbuild. It requires that for each objective you plan what will be done, what resources are required, who is responsible, when it will be completed, and how the results will be evaluated. That is a five-column action plan, and an objective without it is a wish. "Reduce scrap" is not an objective. "Reduce line-3 scrap from 4.1% to 2.5% by December 31, led by the line-3 supervisor, using a weekly Pareto review, measured from the scrap log" is.

The 6.2.2 quality objective action planEvery objective needs a 6.2.2 planWHATwill be doneRESOURCESrequiredWHOresponsibleWHENcompletedHOWevaluatedcut line-3 scrap 4.1% to 2.5% | Pareto board, 6h/wk | line-3 supervisor | Dec 31 | scrap log %An objective without these five columns is a wish, not a plan.
Clause 6.2.2 in template form. Fill all five columns and the objective becomes trackable and auditable.

How do you plan changes without causing chaos (6.3)?

Clause 6.3 requires that when you decide the QMS needs to change, you do it in a planned, systematic way. The standard asks you to consider the purpose of the change and its potential consequences, the integrity of the QMS, the availability of resources, and the allocation or reallocation of responsibilities and authorities. It is short, but it is the clause that stops a well-meant improvement from breaking three other things.

The practical read: before you move a line, swap a supplier, revise a core procedure, or reorganize a department, pause and ask what else this touches. Who owns the new way? What records or training need updating? What could go wrong, and how will we know? A change that has been thought through in these terms is 6.3 evidence. Note that 6.3 covers changes to the quality system itself; changes to production and service provision during operations are controlled separately under Clause 8.5.6.

The reason 6.3 exists as its own sub-clause is that unmanaged change is one of the most reliable ways to inject defects into a stable process. A plant improves a fixture on the day shift, does not update the setup sheet, and the night shift runs it the old way and scraps a lot. Nothing was done wrong except that the change skipped the plan. Even a light-touch approach, a one-page change note that names the purpose, the impact, the owner, and the training or documents to update, satisfies 6.3 and prevents that class of self-inflicted problem. Keep it proportional: a spec revision on a critical part deserves a fuller review than moving a shelf.

How do you build a risk and opportunity register that works?

If you want a lightweight approach that satisfies 6.1 and feeds 6.2, build it in this order and keep it living.

  1. Pull risks from your Clause 4 issues. Take each internal and external issue and interested-party requirement and ask what could go wrong or right. This gives every risk a traceable root.
  2. Rate each on likelihood and severity. Use a simple high/medium/low grid. You are ranking for attention, not calculating to three decimals.
  3. Decide an action for the ones that matter. Not every risk needs action; some you accept and monitor. For the rest, plan a proportional action and name an owner.
  4. Turn the biggest risks into objectives. Where a risk is important and ongoing, promote it to a quality objective with a full 6.2.2 action plan.
  5. Review on a set cadence. Revisit the register at management review and whenever context changes. A register updated once a year at audit time is a red flag; one that moves with the business is the point.

Keep it to one page or one screen. The value of 6.1 is not the document; it is that the plant acts on its biggest risks before they turn into Clause 10 corrective actions.

The numbers behind risk-based planning

Risk-based thinking was the headline change of the 2015 revision, and it reshaped how the standard is applied.

The plants that keep Clause 6 alive are the ones where risks and objectives are visible day to day, not filed until audit season. That is exactly the visibility Harmony's operations intelligence gives a floor: when scrap, downtime, and quality exceptions are captured digitally, your quality objectives read straight off live data instead of a monthly hand-count, and your QMS software stays fed. See it in practice in our customer story. Automotive suppliers should also review the tougher planning requirements in our IATF 16949 guide.