A formal and documented risk management process is not a requirement of the ISO standard, but rather risk is a concept for both positive and negative actions to fulfill the organizations mandate to its external organizations (customers and stakeholders). ISO 9001:2015 refers to risk as having both a possible positive and negative outcome in the same vein as it does with opportunities. It then goes on to state throughout the standard and in clause 6.1 specifically that risks and opportunities should be addressed proportionate to their impacts on the ability to deliver products and services

By adopting ISO 9001:2015 to embed quality management into government, organizations are required to establish a systematic approach to risk, rather than treating it as a single component of a quality management system. The good news is, if you are already working with systems aligned to the HLS you are in a great position to gain efficiencies. Why? Before HLS, organizations could have multiple, disparate systems in place that involved duplicate time, effort, and resources to continually run these systems. With Annex SL organizations can benefit from aligning separate systems and conduct one