
This section of the knowledge base covers risk and opportunity management as ISO management systems require it - identifying what could affect the organisation, assessing how serious it is, deciding what to do, and tracking the result. The articles are written for the people who actually run risk management day to day - quality and SHEQ managers, compliance leads, business owners and management system owners working under ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301, ISO 37001, ISO 22458 and ISO 42001.
The cluster starts with the foundation - what risk-based thinking is across all the standards, where risks and opportunities come from, and how the same likelihood and consequence scoring methodology applies across strategic and specialised registers. From there the articles cover building and maintaining the strategic risks register, the four treatment options (avoid, reduce, transfer, accept), and managing opportunities as a discipline in their own right rather than an afterthought to risk. The section continues with articles on specific risk types - climate change risk under the 2024 amendments, information security risk, business continuity disruption, bribery risk, and consumer vulnerability risk - each of which uses the same approach but has discipline-specific inputs and treatment options.
Throughout the section, the articles assume the management system is integrated rather than treated as a separate ISO compliance layer. A single strategic risks register covers risks and opportunities across every standard the organisation is certified to. Specialised registers exist where a discipline has its own methodology, but they share the same scoring approach and feed into the same management review. Where individual standards add specific risk requirements (ISO 27001 Annex A controls, ISO 22301 business impact analysis, ISO 37001 due diligence, ISO 22458 consumer vulnerability), the articles flag the position clearly.
Each article includes a practical advice section pointing at the alphaZ documents that operationalise risk management - the F-IMS23 strategic register, the F-IMS22 interested parties register, the specialised registers for workplace hazards, information security, business continuity, bribery and consumer vulnerability, the F-IMS38 climate change review, and the ER1 issues and actions register where treatment work is tracked through to closure. Used together, these turn risk-based thinking into a working register that small and medium organisations can maintain without disproportionate effort.
Risk-based thinking is one of those phrases that gets dressed up to sound complicated. It is not. Look at what could go wrong, look at what could go right, decide what to do, do it, check it worked. The articles in this section walk through that with the level of detail you actually need - no more.
Most of the clients I work with already do risk management informally. The work the standards expect is not to invent something new. It is to make the thinking visible, repeatable and reviewable - one strategic register, consistent scoring, opportunities considered alongside risks, and a regular check that the controls in place are actually working. The articles here cover that end-to-end.
When auditing risk-based thinking I want to see evidence the organisation has engaged with it - not just a register that exists, but one that gets updated, scored consistently, and feeds the management review. The articles in this section give a working pattern for each part of that, with the audit angle flagged where it matters.
