Identifying and Capitalising on Business Opportunities

Managing opportunities

Risk-based thinking under ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301, ISO 37001, ISO 22458 and ISO 42001 requires the organisation to address opportunities, not just risks. The phrasing of Clause 6.1 - "actions to address risks and opportunities" - is deliberate. Both halves are required and both are audited.

In practice opportunities get less attention than risks. Most strategic registers are heavy on threats and light on opportunities, which usually reflects how the management system was set up rather than the actual state of the business. Most organisations have more opportunities they have not formally considered than risks they have not formally considered. The discipline of identifying, scoring and capturing opportunities is the same as for risks, but the mindset is different and the inputs are different.

What ISO means by opportunity

An opportunity in ISO terms is a circumstance that could lead to a positive outcome for the organisation - improved performance, new business, reduced cost, better customer satisfaction, environmental benefit, safer working, more secure information, and so on. The standards do not prescribe a narrow definition. Anything that could improve the organisation's ability to meet its objectives is in scope.

The most common opportunity types include:

• New markets, products, services or customer segments
• Process improvements that reduce cost, time or error rates
• Technology that enables new ways of working or new offerings
• Better supplier relationships, partnerships or collaborations
• Skills development that opens new capability for the organisation
• Regulatory or market changes that favour the organisation's position
• Reductions in environmental impact, energy use or waste
• Improvements in workplace health, safety, or staff retention

The point is that opportunities span every part of the management system, not just commercial growth. An opportunity to reduce energy use is part of the environmental side. An opportunity to retain staff better is part of the people side. An opportunity to streamline a quality process is part of the quality side.

Why opportunities get neglected

Three patterns explain why opportunities are typically under-represented on strategic registers.

The first is that risk language frames the conversation. The phrase "risk register" implies threats. Even when the form is labelled "Opportunities and Risks Register" or similar, the discussion around the table tends to focus on what could go wrong. The opportunity quadrant of SWOT often ends up with two or three vague entries while the threats quadrant has a dozen specific ones.

The second is that opportunities feel like business development rather than management system work. Organisations may already track opportunities through commercial pipelines, business plans or strategic projects, and treat the management system register as something separate. The result is that strategic opportunities are managed somewhere but not visible to the management system, which then looks like the management system is ignoring them.

The third is that opportunities require a different kind of thinking. Risk identification is largely about what could go wrong with what the organisation already does. Opportunity identification is about what could go better, what is not yet being done, what circumstances are changing in the organisation's favour. It is a more open-ended question and harder to answer in a one-hour workshop.

Recognising these patterns is the first step to working around them. Asking the question explicitly - "what opportunities are we not capturing" - in management meetings, audits and reviews moves the discussion away from risk-only thinking.

Where opportunities come from

The same sources that surface risks surface opportunities. The difference is in how they are read.

Interested parties. A customer expectation that is not yet served is an opportunity. A regulator that has signalled support for a particular practice is an opportunity. A supplier offering improved capability is an opportunity. The interested parties review should look for these as deliberately as it looks for unmet expectations that constitute risks.

SWOT. The Strengths and Opportunities quadrants force opportunity thinking. Strengths the organisation already has often translate into opportunities to extend them - a strong reputation in one market is an opportunity to enter another, a particular technical capability is an opportunity to develop new offerings.

Customer feedback. Complaints surface risks; suggestions, frequent questions, and feature requests often surface opportunities. A customer asking "do you do X" is signalling demand the organisation may not be meeting.

Process performance data. Processes that consistently exceed targets, projects that run faster than planned, products with low defect rates - these can be opportunities to do more, or to apply the same approach elsewhere. Processes that consistently underperform may be opportunities for improvement worth recording on the register rather than just leaving as ongoing background issues.

External change. Market shifts, new technology, regulatory change, competitor failures, geopolitical events - all create both risks and opportunities. The organisations that capture opportunities here are the ones that look at external change deliberately for what it enables, not just what it threatens.

Staff insight. People doing the work often see opportunities that management does not. A consultation or suggestion process gives the organisation a route into that knowledge. Many of the best opportunities come from "we could do this differently" observations rather than top-down strategy.

Scoring opportunities

Opportunities can be scored using a similar matrix to risks, with the levels reframed for positive outcomes:

• Likelihood becomes the chance of capturing the opportunity if action is taken
• Consequence becomes the positive impact if the opportunity is captured
• Rating bands reframe as low priority, worth pursuing, and high priority - mapping to the same Tolerable / Moderate / Substantial structure used for risks

The advantage of using the same matrix is that risks and opportunities can sit on the same register and be compared directly. The disadvantage is that the language can feel forced - "Substantial opportunity" reads oddly. Some organisations prefer a simpler high / medium / low score for opportunities while keeping the formal matrix for risks. Either is acceptable provided opportunities are scored consistently.

The point of scoring is to support prioritisation. An opportunity rated high priority warrants action and resource; one rated low priority is recorded but does not displace other work. Without scoring, every opportunity ends up looking equally important, which means none of them gets focused attention.

Capturing opportunities

Recording an opportunity is not the same as capturing it. Capture is the action that turns the opportunity into a positive outcome. The register entry should describe the actions to be taken, the owner, the timescale and the expected position once the action is complete.

For most opportunities of any size, the implementation work moves to the issues and actions register so it can be tracked through to closure alongside other improvement work. The opportunity entry on the strategic register references the action and updates once the action is complete. An opportunity that has been successfully captured stays on the register marked as realised, with the result documented.

For larger opportunities - new markets, major projects, significant capability investments - capture is normally a structured project rather than a single action. The strategic register entry tracks it at high level; the project itself sits in the wider business planning process.

The danger to avoid is opportunity entries that are recorded but never tracked. An entry that says "explore new market in X" with no owner, no timescale and no follow-up is a hope, not an opportunity. The disciplines that apply to risk treatment - ownership, timescale, action tracking, residual position - apply equally to opportunity capture.

Reviewing opportunities

Opportunities should be reviewed alongside risks at the formal management review under Clause 9.3. The review evaluates the effectiveness of actions taken to address opportunities as well as risks - whether the actions delivered the expected positive outcome, whether the rating was right, whether new opportunities have surfaced since the last review.

Between formal reviews, opportunity entries should be updated as actions progress and as circumstances change. An opportunity that has not been acted on for six months is either no longer an opportunity, in which case it should be closed, or has been deprioritised, in which case the reason should be recorded. Either is acceptable; leaving it on the register unchanged is not.

UK Legislation relevant to opportunities

UK law does not specifically require organisations to identify and capture opportunities, but several legal duties are best discharged through opportunity-driven action. The general duty under health and safety law to provide a safe workplace, the duty under the Equality Act to make reasonable adjustments, and the duty under climate change legislation to consider net-zero impact all reward proactive identification of improvement opportunities. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.

• Health and Safety at Work etc. Act 1974
• Equality Act 2010
• Climate Change Act 2008

Further Resources

• Risk and Opportunity Management
• Identifying Risks and Opportunities
• Treating Risks - Avoid, Reduce, Transfer, Accept
• Building and Maintaining a Strategic Risk Register
• ISO 9001 Clause 6.1 - Actions to Address Risks and Opportunities