Addressing Risks and Opportunities Procedure
| Procedure number | 05 |
| ISO/IEC 17025 reference | Clause 8.5 |
| Revision | 00 |
| Effective date | [Enter date] |
| Approved by | [Quality Manager / Laboratory Director] |
1. Purpose
To establish a systematic approach for identifying, assessing, and addressing risks and opportunities that could affect the laboratory's ability to achieve its objectives, maintain an effective quality management system, and deliver valid results.
2. Scope
This procedure applies to all laboratory activities and management system processes. It addresses both:
- Laboratory-level risks and opportunities — Affecting overall operations, staffing, equipment, procedures, and quality
- Testing-specific risks and opportunities — Affecting the validity and reliability of test results and data integrity in battery materials characterization
3. References
- ISO/IEC 17025:2017, Clause 8.5 — Actions to address risks and opportunities
- ISO/IEC 17025:2017, Clause 4.1 — Understanding the organization and its context
- Procedure 00 — Document and Record Control
- Procedure 03 — Quality Manual
- Procedure 04 — Competence, Training and Awareness
4. Definitions
| Term | Definition |
|---|---|
| Risk | The effect of uncertainty on achievement of laboratory objectives. A potential event or condition that could have a negative impact on laboratory operations, results, or objectives. |
| Opportunity | A potential circumstance or condition that could enhance laboratory capabilities, effectiveness, competitiveness, or achievement of objectives. |
| Risk assessment | The process of identifying risks and evaluating their likelihood and potential impact. |
| Mitigation | Actions taken to reduce the likelihood or impact of a risk. |
| Contingency plan | Predetermined actions to be taken if a risk materializes. |
| Root cause | The underlying reason why a risk or failure occurred. |
5. Responsibilities
| Role | Responsibility |
|---|---|
| Laboratory Director | Allocate resources for risk mitigation and opportunity capture. Approve strategic risk decisions. |
| Quality Manager | Maintain the Registry of Risks and Opportunities. Coordinate the risk identification process. Monitor implementation of risk actions. |
| Technical Manager | Identify testing-specific risks and opportunities. Assess risks related to methods, equipment, and competence. Recommend technical solutions. |
| All personnel | Report identified risks and opportunities to their supervisors. Implement risk mitigation actions. Provide input on operational risks. |
6. Procedure — Risk and Opportunity Management
6.1 Risk and opportunity identification
Risk and opportunity identification occurs:
- Annually — Systematic review during quality management review
- Ongoing — Personnel report risks/opportunities as they become aware of them
- Triggered — When equipment fails, procedures change, staff turnover occurs, or quality issues are detected
Sources of risk and opportunity identification
Laboratory-level risks and opportunities:
- Staffing (personnel availability, competence gaps, turnover)
- Equipment (aging instruments, maintenance schedules, technology advances)
- Procedures (procedure clarity, compliance, effectiveness)
- Quality system (management system gaps, audit findings, customer feedback)
- External factors (regulatory changes, accreditation requirements, market demands)
Testing-specific risks and opportunities (battery materials example):
- ICP-OES analysis — Risk: calibration drift, sample matrix interference → Opportunity: expand to additional elements
- Karl Fischer titration — Risk: moisture absorption, humidity sensitivity → Opportunity: high-precision moisture determination
- Laser diffraction — Risk: sample settling, refractive index assumptions → Opportunity: rapid particle size characterization
- BET analysis — Risk: outgassing requirements, temperature control → Opportunity: surface area certification capability
- HPLC-UV — Risk: peak interference, detector sensitivity → Opportunity: impurity profiling and method development
- Data integrity — Risk: LIMS downtime, manual transcription errors → Opportunity: automated result reporting
Documentation
When a risk or opportunity is identified, it is recorded in Appendix 05-App-01 — Registry of Key Risks and Opportunities with:
- Description of the risk/opportunity
- Relevant laboratory area or method
- Who identified it
- Date identified
6.2 Risk and opportunity assessment
Once identified, risks and opportunities are assessed according to their likelihood and impact:
Likelihood scale (for risks)
- High — Very likely to occur within the next 12 months
- Medium — Reasonably likely to occur within 1–3 years
- Low — Unlikely to occur, but possible
Impact scale (for risks)
- High — Would significantly affect laboratory operations, results validity, or compliance
- Medium — Would cause operational disruption or require workarounds
- Low — Minor impact; laboratory could continue with minimal disruption
Risk priority matrix
| Likelihood / Impact | Low | Medium | High |
|---|---|---|---|
| High | Medium priority | High priority | Critical |
| Medium | Low priority | Medium priority | High priority |
| Low | Low priority | Low priority | Medium priority |
Critical risks require action planning within 30 days.
High priority risks require action planning within 60 days.
Medium priority risks are included in routine planning and QMS review.
Low priority risks are documented but may not require immediate action.
Opportunity assessment
Opportunities are assessed by:
- Value to laboratory — Would it enhance capabilities, competitiveness, customer satisfaction?
- Feasibility — Can it be implemented with available resources (budget, time, expertise)?
- Strategic alignment — Does it support laboratory objectives and quality goals?
Documentation
Assessment results are recorded in Appendix 05-App-01, including:
- Likelihood and impact ratings (for risks)
- Priority level
- Value and feasibility assessment (for opportunities)
- Evaluator name and date
6.3 Planning actions to address risks and opportunities
Once assessed, the laboratory plans and implements actions to address identified risks and opportunities.
Risk mitigation actions
For each identified risk, the Technical Manager (or Quality Manager for non-technical risks) plans one or more actions:
Examples:
- Prevent the risk from occurring (eliminate the hazard)
- Example: Implement preventive maintenance schedule to prevent instrument failure
- Reduce the likelihood or impact of the risk
- Example: Cross-train additional analysts to reduce dependency on one person
- Detect and respond if the risk occurs (contingency planning)
- Example: Have backup equipment available if primary instrument fails
- Accept the risk if mitigation cost exceeds benefit
- Example: Accept occasional sample matrix interference; document and report in results
Opportunity capture actions
For opportunities, the laboratory decides whether to:
- Pursue the opportunity (allocate resources, plan implementation)
- Example: Invest in HPLC-UV training and method validation to offer new capability
- Monitor the opportunity for future timing (track but don't act now)
- Example: Watch for new laser diffraction technology, but maintain current particle sizing approach
- Decline the opportunity (not aligned with strategy)
- Example: Decide not to expand into nuclear magnetic resonance—outside scope
Action planning
For each action, document in Appendix 05-App-01:
- Specific action description
- Responsible person (who will implement)
- Target completion date
- Success criteria (how will we know the action worked?)
- Budget or resources required
Example risk action:
| Risk | Action | Responsible | Target Date | Success Criteria |
|---|---|---|---|---|
| ICP-OES instrument failure | Implement preventive maintenance every 6 months | Technical Manager | Ongoing | Maintenance log updated; instrument passes performance verification |
Example opportunity action:
| Opportunity | Action | Responsible | Target Date | Success Criteria |
|---|---|---|---|---|
| Expand to HPLC-UV testing | Complete method validation; train two analysts | Technical Manager | [Date 3 months out] | Validation report approved; two analysts authorized per Procedure 04 |
6.4 Implementation and monitoring
Implementation
Once actions are planned:
- Responsible person implements the action according to the planned timeline
- Progress is tracked and reported during quality management reviews
- Procedure 00 — Document and Record Control applies to any new procedures or documents created to address risks
Monitoring and verification
The Quality Manager monitors action progress:
- At each quality management review, verify status of risk mitigation and opportunity actions
- Check that target completion dates are met
- Evaluate effectiveness of completed actions
Effectiveness check questions:
- For risk mitigation: Did the action reduce the likelihood or impact of the risk as intended?
- For opportunity: Did the action deliver the expected benefits or capability?
- If action was ineffective, plan a revised approach
Recording outcomes
Document in Appendix 05-App-01:
- Completion date
- Actual outcome (what happened)
- Effectiveness assessment (worked as planned / partially worked / did not work)
- Any lessons learned
- Follow-up actions required (if any)
7. Integration with other procedures
Risk and opportunity management connects to other QMS procedures:
- Procedure 04 — Competence, Training and Awareness — Training needs are identified as opportunities; staff turnover is a risk
- Procedure 00 — Document and Record Control — Procedure updates may be a risk mitigation action
- Procedure 03 — Quality Manual — Strategic opportunities inform quality objectives
8. Note on formality
The standard (ISO/IEC 17025:2017, Clause 8.5) does not require a formal risk management process or methodology. This procedure provides a practical approach suitable for a small laboratory. The key requirement is objective evidence that risks and opportunities are being considered, and that decisions are documented.
Laboratories may adapt this procedure to use:
- Simplified risk matrices
- Qualitative rather than quantitative assessment
- Integration with existing team meetings rather than separate risk workshops
The important outcome is that risks are identified, assessed, and addressed—not the formality of the process.
9. Related documents
| Document | Reference |
|---|---|
| Appendix 1 — Registry of Key Risks and Opportunities | 05-App-01 |
| Procedure 00 — Document and Record Control | Procedure 00 |
| Procedure 03 — Quality Manual | Procedure 03 |
| Procedure 04 — Competence, Training and Awareness | Procedure 04 |
10. Revision history
| Revision | Date | Description | Approved by |
|---|---|---|---|
| 00 | [Date] | Initial issue | [Name] |
Why this section exists
Section 05 answers a question that every other section implicitly depends on: what could go wrong, and have we thought about it before it happens?
Most laboratory failures are not unforeseeable. Instruments age and drift. Key analysts leave and take method knowledge with them. Suppliers discontinue reference materials. Accreditation requirements change. These are not surprises — they are predictable events that a laboratory either anticipates or reacts to. Section 05 is the mechanism that forces anticipation.
Risk assessment is not a document — it is a conversation
The most common mistake laboratories make with section 05 is treating it as a compliance exercise. A risk register is created, reviewed at the annual management meeting, filed, and forgotten until the next audit. This produces a document that looks correct and does almost nothing.
A risk register that is actually working looks different. It is updated when an instrument starts behaving unexpectedly. It is consulted when a new method is being introduced. It is reviewed when a key analyst gives notice. It feeds directly into decisions about training, equipment maintenance schedules, and supplier qualification. The register is the record of a conversation the laboratory is having with itself about its own vulnerability — and that conversation needs to be continuous, not annual.
The distinction between risk and uncertainty
Risk in the context of section 05 is not the same as measurement uncertainty in section 15. Measurement uncertainty quantifies the variability inherent in a result. Risk here is about events — things that might happen and would affect the laboratory's ability to produce valid results. A power outage is a risk. A key supplier going out of business is a risk. An analyst performing a method they were never formally trained on is a risk. These are distinct from the statistical variability that section 15 addresses.
Keeping this distinction clear matters because the responses are different. Measurement uncertainty is reduced through better methods, more calibration points, and controlled conditions. Operational risk is addressed through contingency plans, cross-training, backup suppliers, and preventive maintenance.
The opportunity side is genuinely important
ISO/IEC 17025 is unusual among quality standards in explicitly requiring laboratories to consider opportunities, not just risks. This is often treated as an afterthought — a box to tick after the risk table is complete. It should not be.
An opportunity in this context is a potential improvement the laboratory could pursue: a new technique that would extend its scope, a training investment that would reduce dependency on a single analyst, a software tool that would eliminate manual transcription errors. Opportunities that are identified and evaluated — even if ultimately declined — represent the laboratory actively managing its own development rather than simply reacting to external pressure.
The connection to section 14 runs both ways
Section 05 and section 14 are two sides of the same coin. Section 05 identifies what could go wrong before it does. Section 14 captures what actually went wrong and learns from it.
The connection runs in both directions. Section 05 informs section 14 — a well-maintained risk register means that when something goes wrong, the investigation has context: was this risk already identified? Were the controls in place? Did they fail, or were they never implemented?
But section 14 also feeds back into section 05 — and this is the direction most laboratories miss. Every nonconformity is simultaneously a risk that materialized and an opportunity to improve. The event itself is the risk side. The investigation and corrective action that follow are the opportunity side — the laboratory now knows something about its own vulnerability that it didn't know before.
A few concrete examples: a missed instrument calibration reveals that the scheduling system is unreliable — opportunity to implement a better oversight mechanism. An analyst error on a complex matrix reveals a gap in the training pathway — opportunity to add a competence check that didn't exist before. A supplier delivers a reference material outside specification — opportunity to qualify a backup supplier.
In each case the nonconformity is not just a problem to be closed. It is information about a systemic weakness. Section 05 is where that information becomes a managed improvement rather than a closed ticket.
The most useful risk registers are not written from scratch at the start of a laboratory's life. They are built incrementally, fed by real experience — including everything section 14 has ever captured. A laboratory with five years of thorough nonconformity records has a rich source of material for a genuinely grounded section 05.
If your section 14 keeps seeing the same type of nonconformity, your section 05 has a gap.