ISO 9001 Risk Assessment: Practical Template for UK SMBs
By Brian Crocker · Published 7 June 2026 · Last reviewed 24 May 2026
An ISO 9001 risk assessment under Clause 6.1 is where UK SMBs either overthink or underthink the requirement. Overthinking produces a 50-page risk register full of theoretical scenarios. Underthinking produces a one-line note saying "we manage risks" with no evidence. Both fail at audit.
This guide gives you a practical template, a scoring matrix, and real example risks for common UK SMB operations.
What Clause 6.1 Requires
Clause 6.1.1 says you must consider the issues from Clause 4.1 (context) and requirements from Clause 4.2 (interested parties), then determine the risks and opportunities that need addressing to ensure your QMS achieves its intended results, prevents undesired effects, and achieves improvement. If you haven't mapped your context yet, start with the gap analysis checklist — Clauses 4.1 and 4.2 feed directly into the risk assessment.
Clause 6.1.2 requires you to plan actions to address those risks, integrate them into your QMS processes, and evaluate their effectiveness.
The standard does not prescribe a methodology. ISO 31000 (Risk management — Guidelines) is pointed to in Annex A.4 as a source of guidance, but nothing obliges you to follow it, and no formal risk management process or register format is mandated. For most UK SMBs, a likelihood-times-impact matrix with a defined scale is the simplest approach that still produces the evidence an auditor will ask for.
The Risk Assessment Template
Your risk register should capture these fields for each risk:
| Field | Purpose |
|---|---|
| Risk ID | Unique reference (R-001, R-002, etc.) |
| Risk description | What could happen and what it affects |
| Source clause | Which ISO 9001 clause this relates to |
| Likelihood (1–5) | How probable is this risk? |
| Impact (1–5) | How severe would the consequence be? |
| Risk score | Likelihood x Impact (1–25) |
| Current controls | What you already do to manage this risk |
| Additional actions | What else needs doing |
| Action owner | Who is responsible |
| Target date | Completion deadline |
| Last reviewed | Date of most recent review |
The Likelihood x Impact Matrix
Likelihood scale (bands must not overlap, so an auditor can see how each score was chosen):
- 1 (Rare): Less than once in 5 years
- 2 (Unlikely): Once in 2–5 years
- 3 (Possible): Once in 1–2 years, or it has happened before and nothing has changed
- 4 (Likely): About once per year
- 5 (Almost certain): Several times per year
Impact scale:
- 1 (Negligible): Minimal effect. Resolved within normal operations
- 2 (Minor): Small quality issue, cost under £1,000. Customer may not notice
- 3 (Moderate): Noticeable issue, moderate cost (£1,000–£5,000), or 1–2 week delay
- 4 (Major): Significant failure, £5,000–£25,000 cost, or customer relationship at risk
- 5 (Severe): Critical failure, £25,000+ cost, regulatory action, or contract loss
Response thresholds:
- 1–4 (Low): Accept and monitor. Review at each management review.
- 5–9 (Medium): Existing controls may suffice, but evaluate whether improvements are needed.
- 10–15 (High): Define specific additional controls, assign owners, set deadlines.
- 16–25 (Critical): Immediate action. Escalate to top management.
One caveat with a product score: a rare but severe risk (1 x 5 = 5) lands in the same Medium band as a frequent nuisance (5 x 1 = 5). Many registers add a rule that any risk with Impact 5 is treated as at least High regardless of likelihood; if you adopt that rule, write it down next to the matrix so the scoring stays consistent between reviews.
Example Risks for UK SMBs
R-001: Key person dependency
A critical process relies on one employee's knowledge. If they leave, the process stalls.
- Likelihood: 3 | Impact: 4 | Score: 12 (High)
- Actions: Document the process. Cross-train a second person. Review single-point-of-failure roles annually.
- Source: Clause 7.1.6 (Organizational knowledge), Clause 7.2 (Competence)
R-002: Supplier delivery failure
A key supplier fails to deliver on time, causing delays to customer commitments.
- Likelihood: 3 | Impact: 3 | Score: 9 (Medium)
- Controls: Approved supplier list with annual review. Alternative suppliers identified for the top 5 materials.
- Actions: Add delivery performance to the supplier scorecard.
- Source: Clause 8.4 (Control of externally provided processes, products and services)
R-003: Customer requirements not fully captured
Incomplete order details lead to incorrect delivery, rework, and complaints.
- Likelihood: 4 | Impact: 3 | Score: 12 (High)
- Actions: Implement a contract review checklist. Require customer sign-off on orders above £5,000.
- Source: Clause 8.2 (Requirements for products and services), in particular 8.2.3 (Review of the requirements)
R-004: Non-compliance with sector regulations
Failure to meet UK regulations that apply to your sector, such as the Building Regulations 2010, the CDM Regulations 2015, the Food Safety Act 1990, or the Data Protection Act 2018, resulting in enforcement action.
- Likelihood: 2 | Impact: 5 | Score: 10 (High)
- Actions: Subscribe to the legislation.gov.uk new legislation feeds for the instruments that apply to you. Assign the compliance review to a named role. Include regulatory updates as a standing item at management review.
- Source: Clause 4.2 (Interested parties), Clause 8.2.2 (Determining the requirements for products and services, which includes statutory and regulatory requirements)
R-005: Loss of ISO 9001 certification
Missed surveillance audits or unresolved major nonconformities result in certificate suspension, and with it loss of eligibility for any tender where the buyer specifies ISO 9001 certification as a selection requirement.
- Likelihood: 1 | Impact: 5 | Score: 5 (Medium)
- Controls: Internal audit programme. Surveillance audits booked.
- Actions: Set reminders 3 months before each surveillance audit. Track open nonconformities to closure with evidence.
- Source: Clause 9.2 (Internal audit), Clause 10.2 (Nonconformity and corrective action)
R-006: Calibration lapse on measuring equipment
Equipment goes out of calibration and produces unreliable results. Products are shipped on the basis of invalid measurements.
- Likelihood: 2 | Impact: 4 | Score: 8 (Medium)
- Controls: Calibration schedule maintained. Equipment calibrated by a UKAS-accredited laboratory, with traceability to national or international measurement standards as Clause 7.1.5.2 requires.
- Actions: Set automated reminders 4 weeks before due dates. Define a quarantine and re-inspection process for product measured with equipment later found out of calibration.
- Source: Clause 7.1.5 (Monitoring and measuring resources)
Don't Forget Opportunities
Clause 6.1 covers both risks and opportunities. Your register should include opportunities:
- Reduce complaint response time from 5 days to 2 days via automated acknowledgement
- Expand into public sector contracts by adding CHAS or Constructionline accreditation
- Reduce waste costs by 10% through process mapping
Score opportunities the same way (likelihood of success x potential benefit) and assign actions where the score justifies the effort.
Keeping Your Risk Register Alive
A risk register created during implementation and never revisited is one of the most common Clause 6.1 audit findings. Keep it alive:
- Review at every management review — Clause 9.3.2(e) requires this as an input.
- Update when things change — new customers, new suppliers, new regulations, incidents.
- Close treated risks with evidence of what was done.
- Add new risks as they emerge. The register should grow and evolve.
- Check action completion — follow up on assigned deadlines.
If you need a quick check on your overall readiness, including Clause 6.1, our ISO 9001 readiness quiz gives you a score across all major clause areas.
ISO 9001 Risk Assessment Checklist
Before your audit, verify:
- Risk register exists as documented information
- Risks link to context (Clause 4.1) and interested party requirements (Clause 4.2)
- Likelihood and impact are scored using a defined, consistent scale
- Every high or critical risk has assigned actions, owners, and deadlines
- Current controls are documented for each risk
- Opportunities are included alongside risks
- The register has been reviewed within the last 3 months
- Evidence exists that risk actions have been completed (not just planned)
- The risk register is an input to management review (check your minutes)
- New risks have been added since the register was first created
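The scoring matrix above and this checklist are easy to run as code, which removes the arithmetic and "did anyone check the dates" questions before the auditor arrives. The following is an added example written for this page (not the article's own material and not a ClauseWise feature): it implements the 1–5 likelihood x impact matrix and the response thresholds exactly as given, holds the register as plain Python objects with the template's fields, ranks risks by score, and runs the pre-audit checks (High/Critical risks have actions, owner and target date; register reviewed within the last 3 months; overdue actions have completion evidence). The register entries are constructed from the article's example risks; the owners, dates, the 90-day review window and the extra "Impact 5 scored Low or Medium" warning are assumptions added here, not part of the article's method.

```python
"""Risk register scorer and pre-audit checker.

Added example for the article, not the article's own code or a ClauseWise
feature. Register rows are constructed from the article's example risks;
owners, dates, the 90-day review window and the impact-5 warning are
assumptions made here.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Response thresholds from the article: (upper score inclusive, band), in order.
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical")]


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact (1-25); rejects values outside the 1-5 scales."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Map a 1-25 score onto Low / Medium / High / Critical."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


@dataclass
class Risk:
    """One row of the register; fields follow the article's template."""
    risk_id: str
    description: str
    likelihood: int
    impact: int
    controls: str = ""
    actions: str = ""
    owner: str = ""
    target_date: Optional[date] = None
    last_reviewed: Optional[date] = None
    completion_evidence: str = ""  # what was actually done, closing the action

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def band(self) -> str:
        return risk_band(self.score)


def rank(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by Risk ID so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def audit(register: List[Risk], today: date, review_window_days: int = 90) -> List[str]:
    """Run the pre-audit checklist; returns one finding string per problem."""
    findings: List[str] = []
    for r in register:
        # High/Critical risks must have actions, an owner and a target date.
        if r.band in ("High", "Critical"):
            missing = [f for f in ("actions", "owner", "target_date") if not getattr(r, f)]
            if missing:
                findings.append(f"{r.risk_id}: {r.band} risk missing {', '.join(missing)}")
        # Register reviewed recently (article checklist: within the last 3 months).
        if r.last_reviewed is None or (today - r.last_reviewed).days > review_window_days:
            findings.append(f"{r.risk_id}: not reviewed in the last {review_window_days} days")
        # A past-due action needs evidence of completion, not just a plan.
        if r.target_date and r.target_date < today and not r.completion_evidence:
            findings.append(f"{r.risk_id}: past target date with no completion evidence")
        # Assumed extra rule: a product score lets a rare but severe risk (1 x 5)
        # sit in Medium, so flag Impact 5 risks that scored below High.
        if r.impact == 5 and r.band in ("Low", "Medium"):
            findings.append(f"{r.risk_id}: impact 5 but scored {r.band}; review the threshold")
    return findings


TODAY = date(2026, 6, 1)  # assumed audit day

SAMPLE_REGISTER = [  # constructed from the article's example risks
    Risk("R-001", "Key person dependency", 3, 4,
         actions="Document the process; cross-train a second person",
         owner="Operations Manager", target_date=date(2026, 9, 30),
         last_reviewed=date(2026, 5, 15)),
    Risk("R-003", "Customer requirements not fully captured", 4, 3,
         actions="Implement contract review checklist",
         last_reviewed=date(2026, 1, 10)),  # High, but no owner, no date, stale
    Risk("R-005", "Loss of ISO 9001 certification", 1, 5,
         controls="Internal audit programme; surveillance audits booked",
         actions="Set reminders 3 months before each surveillance audit",
         owner="Quality Manager", target_date=date(2026, 3, 31),
         last_reviewed=date(2026, 5, 15)),  # overdue, no completion evidence
    Risk("R-006", "Calibration lapse on measuring equipment", 2, 4,
         controls="Calibration schedule maintained",
         actions="Automated reminders 4 weeks before due dates",
         owner="Production Lead", target_date=date(2026, 4, 30),
         last_reviewed=date(2026, 5, 15),
         completion_evidence="Reminders configured; calibration log entry 2026-04-12"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{r.risk_id}  L{r.likelihood} x I{r.impact} = {r.score:>2}  {r.band}")
    for finding in audit(SAMPLE_REGISTER, TODAY):
        print("FINDING:", finding)
```

Run against the constructed register, `audit` reports R-003 (a High risk with no owner or target date, last reviewed more than 90 days ago) and R-005 (target date passed with no completion evidence, plus the Impact 5 warning), while R-001 and R-006 pass. Keeping the register in a structured form like this also makes "show me the evidence the risk was treated" a query rather than a search through spreadsheets, and the same check runs unchanged on the opportunities half of the register if you score them with the same 1–5 scales.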
This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.
ClauseWise is coming soon
Generate your ISO 9001 and ISO 27001 documentation without consultant fees.