When ISO 9001:2015 was introduced, one of its most significant changes was the formal emphasis on risk-based thinking. Organizations were required to identify, evaluate, and address risks as part of their quality management planning (Clause 6.1). Importantly, ISO 9000:2015 (Clause 3.7.9) defined risk as the effect of uncertainty, with explicit recognition that this effect may be positive (opportunity) or negative (threat):
Note 1: An effect is a deviation from the expected — positive or negative.
Note 2: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3: Risk is often characterized by reference to potential events and consequences, or a combination of these.
Note 4: Risk is often expressed in terms of consequences and the associated likelihood of occurrence.
Note 5: The word “risk” is sometimes used when there is the possibility of only negative consequences.
Note 6: This definition is aligned with Annex SL for management system standards, with the addition of Note 5.
This means ISO itself had already embedded the concept of opportunity within the definition of risk. So why does ISO 9001:2026 now introduce a separate requirement for opportunity-based thinking?
What ISO 9001:2026 Says About Opportunity-Based Thinking
The 2026 draft makes a deliberate distinction between risk and opportunity:
Clause 6.1.2 (Actions to address risks): Organizations must determine, analyze, and evaluate risks that can have an undesirable effect on conformity and customer satisfaction, and take proportionate actions to mitigate them.
Clause 6.1.3 (Actions to address opportunities): Organizations must similarly determine, analyze, and evaluate opportunities that can have a desirable effect on customer satisfaction and product/service conformity
Annex A emphasizes this separation:
“Risks are not opportunities. Determining and managing risks and opportunities are separate processes.” (Annex A.6.1.3)
The Case for Explicit Opportunity-Based Thinking
Supporters of the change argue that:
Positive Focus: Many organizations instinctively treat risk only as a threat. By explicitly requiring opportunity-based thinking, ISO ensures that companies don’t overlook innovation, improvement, or growth potential.
Strategic Alignment: Opportunities often align with strategic goals such as digitalization, sustainability, or customer experience enhancement. Treating them separately emphasizes their importance in long-term competitiveness.
Cultural Shift: A focus on opportunities encourages a proactive and innovative culture rather than one dominated by compliance and risk avoidance.
A Critical View: Do We Really Need It?
Here’s the counterpoint. Given that ISO 9000:2015 already defined risk as both positive and negative (see Clause 3.7.9, Notes 1 and 5), was it really necessary to separate opportunity-based thinking?
Duplication of Effort: Separating the two risks creating parallel registers (risk register vs opportunity register), adding bureaucracy without real benefit.
Risk of Overcomplication: Organizations may feel pressured to over-document opportunities, rather than integrating them naturally into risk-based planning.
Dilution of the Core Idea: In 2015, risk-based thinking was celebrated for being holistic. By splitting risk and opportunity, ISO 9001:2026 may unintentionally confuse organizations about the integrated nature of uncertainty management.
In other words: Would it not have been better to reinforce that “risk” already encompasses opportunities, rather than adding another layer?
Practical Implications for Organizations
If your organization is already certified to ISO 9001:2015, here’s what the change means in practice:
Separate Treatment: You’ll now need to explicitly identify and plan for opportunities, not just threats.
Management Review (Clause 9.3.2): Inputs to management review must include the effectiveness of actions taken to address both risks and opportunities. Expect auditors to probe how you track opportunities.
Improvement (Clause 10.1): Continual improvement has always implied seizing opportunities. Now it must be supported with structured evidence of opportunity identification and action.
Final Thoughts
The introduction of opportunity-based thinking in ISO 9001:2026 represents both a challenge and an opportunity. On the positive side, it encourages innovation, improvement, and customer-centric growth. On the critical side, it risks duplication, since ISO 9000:2015 had already included opportunities within the definition of risk (Clause 3.7.9, Notes 1 and 5).
The true value will depend on how organizations implement it: if treated as a compliance exercise, it adds little; but if embedded in strategy, opportunity-based thinking can help organizations move from risk avoidance to proactive innovation.
| Aspect | ISO 9001:2015 | ISO 9001:2026 (DIS) |
|---|---|---|
| Core concept | Risk-based thinking (Clause 6.1). | Risk-based thinking and opportunity-based thinking (Clauses 6.1.2 & 6.1.3). |
| Definition reference | ISO 9000:2015, 3.7.9 — Risk = effect of uncertainty (Note 1: positive or negative). | Annex A.6.1.3 — Risks are not opportunities; they are separate processes. |
| Treatment of opportunities | Opportunities were considered as positive side of risk (embedded). | Opportunities explicitly require determination, analysis, evaluation, and action planning. |
| Documentation | One integrated risk-based approach; no requirement for separate registers. | Likely need for separate evidence of opportunity identification and action. |
| Auditor focus | Evidence that risks (including positive/negative) were considered in planning. | Evidence that risks and opportunities were separately addressed and monitored. |
| Improvement link | Opportunities implied under continual improvement (Clause 10.1). | Opportunities explicitly linked to continual improvement and customer satisfaction. |
| Cultural message | “Think about uncertainty” — both threats and opportunities. | “Think about threats and think separately about opportunities.” |