ISO 9001:2015, clause 6.1, requires an organization to identify its risks and take actions to address them. It is very tempting to start with a huge list of potential risks for the organization, but is the organization focusing on the actual risks that affect its operations? To perform an effective risk assessment, an organization must first identify the uncertainty in its processes.
When uncertainties are identified, mitigation controls can be targeted at the effects of the identified uncertainties. Failing to identify an uncertainty first could lead to flawed risk identification and non-value-added controls. The approach defined here will lead to more effective and meaningful risk identification and mitigation.