Risk & Opportunities - Connected to above internal & external issue as to how we mitigated those risk that's what we need to do correct. Do we need to create a document for that.
You need to demonstrate somehow that you are complying with section 6.1, for that you can choose a risk register and a risk assesment document, both commonly used in the implementation of ISO 9001. However, ISO 9001 does not state that you need to document anything related to risks and opportunities, just that you must perform the processes in section 6.1, including:
- identify your risks and opportunities,
- plan a response with the necessary actions,
- integrate those plans into your QMS and
- evaluate its efectiveness.
In addition, the organization must update the risks and opportunities as an outcome of process non-conformities (section 10.2). So the answer i s that according to the standard, although documented information is not mandate, your company may have a different need for documented information and records regarding QMS risks and opportunities, such a risks and opportunities register or a risk assesment document. But this is up to your organization how to do it, for example, you can evaluate your risks at a management meeting and decide what actions to take without having a specific document written and still be compliant with the standard requirements.