IATF 16949:2016 Risk Management

Risks and Opportunities 

Risk-based thinking is presented in the introduction of IATF 16949, which is based on ISO 9001. The QMS calls for mitigating and avoiding risk, a role that previous revisions of the standard covered through "preventive actions".

Risks are defined as either a positive or negative deviation from the expected. Addressing a risk may require pursuing a new opportunity. Organizations are required during planning of their QMS to address both risks and opportunities. Opportunities can include the adoption of new customers, products, technology or practices.

There are several requirements around risks and opportunities throughout the ISO 9001:2015 standard. The clauses in the table below are just some of those that, in effect, mandate risk management.

| ISO 9001:2015 clause | Comments |
|---|---|
| 4.4 Quality management system and its processes | The overall quality management system (QMS) must consider both risks and opportunities as part of its core planning process. |
| 5.1 Leadership and commitment | Those who lead the organization must promote risk-based thinking. |
| 5.1.2 Customer focus | Ensure risks and opportunities that affect customers are determined and addressed. |
| 6.1 Actions to address risks and opportunities | When planning for the QMS, determine and address risks and opportunities. |
| 9.1.3 Analysis and evaluation | Evaluate the effectiveness of actions taken to address risks and opportunities. |
| 10.2 Nonconformity and corrective action | Update risks and opportunities determined during planning, if necessary. |

How to address risks and opportunities?

The IATF 16949 requirements are built around risks and opportunities, but they do not require a formal risk management system. However, IATF 16949, being based on ISO 9001, does require organizations to decide what the risks are and how they will be addressed. When your organization is evaluating risks, it is helpful to use two metrics:

  1. Severity (If the risk occurs, how serious is it?)
  2. Probability (What is the probability of the risk occurring?)

Common methods for identifying and addressing risks within an organization include maintaining a risk register, performing FMEA (Failure Mode and Effects Analysis) or FTA (Fault Tree Analysis), using a Probability and Impact Matrix, or other risk management exercises.

When addressing risks and opportunities, consider asking these key questions:

  • How will the organization identify potential threats?
  • What are the ways to prevent, or reduce, undesired effects?
  • How will the organization ensure that it can achieve its intended outcomes?
  • Who will be responsible for ensuring that this process works correctly?
  • When and how will the risk management actions be triggered?
  • What are the priorities and cost impacts of each threat?
  • Where could these threats come from?
  • Who are all of the potential players that could help identify and deal with these risks?
  • How can such a system for dealing with these risks be evaluated, tested and kept up-to-date to ensure it will work when needed?

We’re here to help you address IATF 16949 risk management requirements. Our business is to help companies quickly and cost-effectively gain IATF 16949 certification.

Please note that certain text from the ISO 9001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.


Our All-in-One Certification Package is a proven, efficient system. It gives you all you need to prepare for registration, in one simple-to-use package.

Customer Review:

"I have just passed my Audit with zero non-conformances for the second year in a row using your products to write my entire QMS. Thank you for producing documents of this quality"

Bettye Patrick
