A formal and documented risk management process is not a requirement of the ISO standard, but rather risk is a concept for both positive and negative actions to fulfill the organizations mandate to its external organizations (customers and stakeholders). ISO 9001:2015 refers to risk as having both a possible positive and negative outcome in the same vein as it does with opportunities. It then goes on to state throughout the standard and in clause 6.1 specifically that risks and opportunities should be addressed proportionate to their impacts on the ability to deliver products and services