A significant change in ISO 9001:2026 involves separate actions to address risks and opportunities. In her article “Brainstorming: The Ultimate Risk Management Tool,” Jenna M Schoettker writes, “Think of risk as two sides of a coin. On one side we have our negative risk, while the other side would be defined as an opportunity.”
In her March 2026 webinar with Quality Digest, SGS’s Sabrina Ippolito¹ elaborated that risk management focuses on undesirable effects, while opportunities enhance desirable outcomes. This reference also cites risk registers, which are similar in appearance to the risk identification section of the Army’s DD2977—“Deliberate Risk Assessment.” DD2977 offers three major advantages for users:
1. The Army has used it with confidence for decades, so it’s a proven approach.
2. It’s simple; the worksheet and the instructions comprise three pages. ATP 5–19 “Risk Management” provides more detailed guidance if needed.
3. It’s free because it’s a publication of the U.S. government.
When opportunities become risk
Even though ISO 9001:2026 will treat risks and opportunities as separate issues, we need only one second-tier process to address both. Henry Ford summed up the principle in a single sentence: “If a device would save in time just 10 per cent. or increase results 10 per cent., then its absence is always a 10 per cent. tax.”² This is a direct conversion of an opportunity (i.e., increase results 10%) into a risk (absence of the improvement is a 10% tax). This deserves particular attention because, unlike undesirable outcomes such as rework, scrap, warranty costs, safety incidents, and product liability, unrealized benefits from failure to recognize and act on an opportunity are invisible to the cost accounting system.
A job can waste almost two-thirds of workers’ labor, and nobody will pay attention because the waste is built into the job. There will not even be an accounting variance, or difference between the standard cost and actual cost, to reflect this because the waste is built into the standard cost. Ford explained, “Time waste differs from material waste in that there can be no salvage. The easiest of all wastes, and the hardest to correct, is the waste of time, because wasted time does not litter the floor like wasted material.”³ The waste is asymptomatic because, unlike poor quality, it does nothing to announce its presence. Many organizations also tolerate, or take for granted, wastes of material and energy that would have drawn immediate attention in any of Ford’s establishments.
An opportunity therefore becomes a risk if we can phrase the situation as, “If our competitors do it and we don’t, they will run us out of business” or, “If we don’t do this, we will waste a lot of money.” As but one example, “If our competitors adopt digital photography, which we invented, and we continue to focus on photographic film, we will go out of business.” This happened to Kodak. Frederic and Charles Fisher recognized, on the other hand, that the automobile was making horse-drawn carriages obsolete, so they built automobile bodies instead.
Now we’ll look at how DD2977 works.
DD2977—‘Deliberate Risk Assessment Worksheet’
DD2977 begins, as do other risk management processes, with identifying the risks and whatever controls we already have in place to address them (Figure 1). Failure mode effects analysis (FMEA) breaks the latter down into prevention and detection controls. Prevention controls seek to disable the failure modes and their causes, while detection controls identify and intercept nonconforming work before it can reach an internal or external customer.

Figure 1: DD2977 risk identification and controls
Note also the five steps of risk management: 1) Identify; 2) Assess; 3) Develop controls and make decisions; 4) Implement; and 5) Supervise and evaluate. These appear in Figure 2 from ATP 5–19, which adds that risk management practitioners “need not be highly trained in RM or safety to apply these steps.”

Figure 2: Risk management process from ATP 5-19
ATP 5–19 raises the very important point that risk depends not only on the probability of occurrence per opportunity for failure, but also the frequency of exposure to the risk: “Exposure is the frequency and length of time personnel and equipment are subjected to a hazard or hazards.”
If we have a maintenance job that involves hot work or confined-space entry, it requires a work permit and safety measures. The frequency of exposure to the risks is, however, low because of the relative infrequency of these tasks. If we’re making tens of thousands of parts, or treating tens of thousands of patients, the frequency of exposure to whatever risks are present is much greater. This doesn’t mean it’s ever acceptable to de-emphasize safety because “we’re only doing it once.” Nonconforming work becomes a near certainty, given enough opportunities along with inadequate controls.
We then use DD2977’s risk assessment matrix (Figure 3) to classify the risk level. If we’re assessing a workplace safety risk that can cause death, but it’s unlikely to happen, then the Severity level is Catastrophic, and the expected frequency is Unlikely. The risk level is Medium because a risk with a potentially fatal outcome can never have a risk level below Medium if the event is remotely possible.

Figure 3: DD2977 Risk Assessment Matrix
If the risk level is unacceptable, then controls must be improved to reduce it and get a lower residual risk level in Field 9, as shown in Figure 1. This is the same approach used in FMEA. However, the AIAG/VDA FMEA Handbook (AIAG 2019) awards an Action Priority (AP) rating of Low if an activity’s Prevention controls make the failure impossible—as in “Never,” rather than “Unlikely.” Even with Severity and Detection ratings of 10 (worst possible), an Occurrence rating of 1 (best possible) results in an AP of Low.
As an example, connecting an enteral feeding tube to an intravenous line is likely to cause death or serious injury (DD2977—Catastrophic, FMEA—Severity 10), and numerous fatalities have resulted from this. Nestlé’s SpikeRight enteral feeding tube connector is designed to be physically incompatible with intravenous lines. The video is an excellent illustration of poka-yoke or error-proofing. The “No IV” symbol on the bag tells the nurse, “Don’t connect this to an IV line.” The design of the connector system says, “You can’t connect this to an IV line.” This exemplifies Ford’s “Can’t rather than don’t” safety principle. If the failure is physically impossible, the Occurrence rating should be 1.
This article therefore recommends a modification of the DD2977 Risk Assessment Matrix that adds a Frequency column for “Never,” whose requirement is the same as AIAG/VDA’s for an Occurrence rating of 1; “Failure eliminated through prevention control and failure cause is not possible by design” (page 65 for Design FMEA) or “Failure Mode cannot be physically produced due to the Failure Cause” (page 111 for Process FMEA). A frequency of Never will always result in a risk level of Low. We’ll also add a frequency column for “Always,” which pertains when an inefficiency is built into a job. This puts the risks associated with failure to act on opportunities into an entirely new perspective.
Adapting DD2977 to quality, safety, and continuity of operations
The AIAG/VDA FMEA Handbook is probably the best FMEA reference in existence:
• Its systematic approach helps ensure that potential failure modes and their causes (known previously as mechanisms) will be identified.
• It does away with the Risk Priority Number (RPN) which, as the product of three ordinal numbers (Severity, Occurrence, and Detection), is a poor metric. It replaces the RPN with an Action Priority rating of High, Medium, or Low, which is a simplification similar to DD2977’s EH, H, M, and L.
• It bases Occurrence and Detection ratings on the nature of the Prevention and Detection controls, as opposed to likelihoods of occurrence and nondetection that are often hard to quantify in practice.
The AIAG/VDA manual is, however, far more extensive than DD2977, whose basics fit on three pages. If people really don’t want to do FMEA, and their customers don’t require it, it’s better to have a simple process they will use and that delivers actionable results, rather than a sophisticated and extensive process they won’t use. The next section shows how to use DD2977 as a simpler alternative to FMEA. DD2977 also works for applications, including opportunities, for which FMEA isn’t applicable.
Severity rating conversion
The first step is to convert the FMEA Severity ratings, when available, into DD2977’s ratings, as shown in Figure 4. 
Figure 4: Severity rating conversions
Note 1: A higher Severity rating is up to the discretion of the user. For example, 9 and 10 are generally reserved for risks to safety and regulatory compliance. But these aren’t relevant to continuity of operations, for which we need consider only economic risks. We must also recognize that force majeure that keeps us from receiving purchased items (including electricity) or meeting the needs of our own customers can easily affect our continuity of operations.
Note 2: DD2977 allows moderate and negligible severities for minor and minimal injuries. The AIAG/VDA Handbook doesn’t permit a severity rating of less than 8 for anything that is safety-related.
Convert occurrence and detection ratings
The next step is to convert FMEA’s occurrence and detection ratings (if available) into DD2977’s probability ratings. The middle of Figure 5 is open to some interpretation and modification, although the upper left corner is not. If the occurrence rating is very poor (8 to 10), the prevention controls aren’t adequate and problems will occur. If the detection controls are similarly inadequate, then the problems won’t be intercepted before they can reach customers, injure workers, or disrupt operations. We must classify these situations as Frequent. If the occurrence rating is 1, however, the failure can’t happen. The AIAG/VDA Handbook assigns a risk priority of Low when O = 1, even if S = 10 and D = 10, so we can assign a probability of Never.

Figure 5: Convert FMEA occurrence and detection to DD2977 probability
The FMEA/VDA manual gives more weight to Occurrence than Detection, but it also says (page 113) that D = 1 requires the detection control to “ALWAYS detect the failure mode or failure cause.” Unlike O = 1, D = 1 doesn’t result in an automatic Action Priority of Low. A combination of D = 1 and O = 3 or less delivers AP = Low (pages 116–117) regardless of the severity, which could allow a probability of Never for this combination as well.
Here’s a supply chain and continuity of operations example. Suppose the Susquehanna River can overflow its banks to flood an automotive supplier. If this can lead to an extensive line shutdown at the automaker, we might assign a Catastrophic severity. If the flood probability is seldom (D), then our risk level is High. If a levee is built to contain the river, then the probability is reduced to Unlikely and the residual risk is now Medium.
Safety incidents, supply chain interruptions, and poor quality are all risks in the traditional sense of a bad outcome. The quality profession tends to focus on quality-related risks. The supply chain profession, e.g., as represented by ASCM, focuses on supply chain risks. However, nobody really devotes the same kind of attention to opportunities.
When opportunities become risks
Suppose we have a job design that might waste a certain amount of labor. This doesn’t risk safety, quality, or continuity of operations, but there’s a serious risk associated with failure to remove the waste. If the waste is present, then the probability is 100% (Always) because the waste is built into the job. Using DD2977 in this application requires an augmented risk table, as shown in Figure 6. 
Figure 6: Augmented DD2977 risk table
The optional column for Never deploys the AIAG/VDA FMEA Handbook’s position that an occurrence rating of 1, which means the failure can’t be produced, delivers an action priority of Low even if the severity and detection ratings are both 10.
When it comes to opportunities, though, we must add a column for Always. If we use Ford’s example of the absence of a device that would save 10% of time, the activity in question is always subject to a 10% tax. If bricklayers must always bend over to pick up bricks and mortar, then their job always wastes 64% of their labor. If strawberry pickers must always bend over and walk to do their jobs—and Henry Ford wrote that no job should ever require anybody to bend over or take more than one step in any direction—then the job always wastes labor. The only question is how much.
The next step is to classify the severity of missed opportunities, and this is largely up to the judgment of the user. Is a 10% inefficiency Negligible or Moderate? If it relates to labor, 10% is 48 minutes out of every 8-hour workday. An inefficiency of 64% rises to the level of Critical or even Catastrophic. We’re paying almost three people to do one person’s job, which means we’re paying them less than they should earn and charging our customers more than they should pay.
Failure to implement a new technology can easily be catastrophic. Kodak, for example, developed digital photography but didn’t bother to pursue it because the company’s focus was on photographic film. Almost nobody buys photographic film today. Videocassette recorders and players are obsolete as well, and the same for movie rental businesses like Blockbuster. Retail sales organizations are being overtaken rapidly by online businesses.
The following is a possible classification, but this is again open to modification by the user:
• Catastrophic: Failure to recognize and adopt a game-changing technology, such as (for example) the need for automobile bodies instead of horse-drawn carriages. Failure to recognize and address a waste of 50% or more of materials, energy, or labor
• Critical: Failure to recognize and address a waste of 25–50% of materials, energy, or labor
• Moderate: Failure to recognize and address a waste of 10–25% of materials, energy, or labor
• Negligible: Failure to recognize and address a waste of up to 10% of materials, energy, or labor
Henry Ford’s statement, “If a device would save in time just 10 per cent. or increase results 10 per cent., then its absence is always a 10 per cent. tax,” offers a clear-cut way to treat opportunities like risks and address them with the same methods. The risk of not addressing an opportunity can be far more harmful than the risk of not addressing a low-level or even medium-level quality problem, as long as the latter doesn’t cause safety or regulatory problems.
Summary
Actions to address risks and opportunities have been a long-standing requirement of ISO 9001. DD2977, Deliberate Risk Assessment, is 1) proven by the Army’s long experience with it, 2) simple, and 3) free. This article has shown how it can be deployed to risks associated not only with safety but also quality, continuity of operations, and opportunities.
References
1. Ippolito, Sabrina. “ISO 9001:2026 Transition Strategy Session: Move Confidently, Compete Effectively.” SGS, webinar presented by Quality Digest, March 24, 2026.
2. Ford, Henry, and Crowther, Samuel. My Life and Work. Doubleday, Page & Co. 1922.
3. Ford, Henry, and Crowther, Samuel. Today and Tomorrow. Doubleday, Page & Co. 1926.

Comments
AIAG-VDA FMEA Template
QI Macros included the updated FMEA template last year. Find out more:
https://www.qimacros.com/lean-six-sigma-articles/fmea-template/