ISO 9001:2015 Context analysis and risk assessment, practical examples

The 2015 edition of the ISO 9001 quality management standard (like ISO 14001:2015 for environmental management) introduced specific requirements on two topics: the analysis of the organisation's context, its stakeholders and their expectations; and the evaluation of the risks and opportunities that may affect the achievement of the system's intended results.

The possible ways of applying these new requirements are practically endless, and they must be adapted to the processes and purposes of the organisation.

In my daily work I have adopted a specific procedure that helps the entrepreneur or Top Management to carry out a simple, schematic analysis of the context, the stakeholders and their expectations, and at the same time to define the risks, the opportunities and the resulting actions.

What does the standard ask for?

Let's quickly review the standard requirements.

The organisation must evaluate and determine the internal and external factors, positive or negative, that are relevant to the purpose of the System and that influence its ability to achieve the intended outcomes (providing products/services that meet requirements, increasing customer satisfaction, pursuing the quality objectives and the company policy).

The assessment may include:

External factors, for example:

  • Legal, regulatory, financial, political factors;

  • Technological factors;

  • Competitive, market, economic, cultural, social factors;

  • International, national, regional and local factors;

Internal factors, for example:

  • Activities, products, services;

  • Strategic direction, culture, values;

  • Knowledge, processes, systems, organisation performance.

In addition, the organisation must assess and determine the stakeholders linked to the contextual factors analysed above that are relevant to the purpose of the System and that influence its ability to achieve the intended outcomes (providing products/services that meet requirements, increasing customer satisfaction, pursuing the quality objectives and the company policy). For each stakeholder it must determine the relevant requirements and compliance obligations, whether mandatory or voluntary (arising, for example, from contractual relationships or from voluntary initiatives).

Stakeholders can include, for example:

  • Legal and regulatory authorities (local, regional, state, or international);

  • Shareholders;

  • Customers/clients;

  • Professional associations;

  • The community;

  • Suppliers;

  • The neighbourhood;

  • People in the organisation.

Requirements may include, for example:

  • Legislative requirements;

  • Permits, licenses;

  • Treaties, conventions, protocols;

  • Industrial codes and sector standards;

  • Agreements with the community or with organisations;

  • Agreements with clients;

  • Organisation requirements;

  • Voluntary trademarks.

Finally, the organisation must assess and determine the risks and opportunities to be addressed in order to ensure that the system achieves its intended results, to enhance desirable effects and to prevent undesirable ones. It must then plan actions to address those risks and opportunities: avoiding a risk or pursuing an opportunity, removing the source of a risk, changing its likelihood or consequences, sharing the risk, taking improvement actions, and so on.

I have created a single model to support organisations in this regard. The model is currently used by a good part of my clients who have obtained ISO 9001:2015, ISO 14001:2015, ISO 39001:2016 or integrated certification.

The risk assessment involves no calculations: each risk is simply assigned a level of urgency.

The procedure, if purchased, includes six real-life examples of context analysis and risk assessment from certified companies.
