# ISO 17025 Risk, Opportunity & Corrective Action Management

> Identify and manage laboratory risks and opportunities per ISO/IEC 17025:2017 Clauses 8.5–8.7. Produces a scored risk register, corrective action procedure with root cause analysis, and CAPA tracking log. Risk register validator checks entry completeness and scoring; corrective action tracker validates procedure elements from trigger through effectiveness verification.



Tags: ISO 17025, Risk Management, Corrective Actions, Improvement, Clause 8.5, Clause 8.6, Clause 8.7, CAPA


## Example Prompts

- Build a risk register for our calibration laboratory covering all operational areas
- Create a corrective action procedure with root cause analysis for ISO 17025
- Identify risks and opportunities across our lab operations for accreditation readiness

URL: https://rakenne.app/skills/iso17025-risk-opportunity-management/index.md



## Overview

Identify and manage laboratory risks and opportunities per ISO/IEC 17025:2017 Clauses 8.5-8.7. Risk-based thinking is a fundamental principle of the 2017 revision of the standard — laboratories must consider risks and opportunities associated with their activities to ensure the management system achieves its intended outcomes, prevent or reduce undesired effects, and identify improvement opportunities.

This skill produces a risk and opportunity register scored using a likelihood-impact matrix (each rated 1-5), a procedure for identifying and treating risks, a corrective action procedure with defined root cause analysis methodology, and a CAPA tracking log. The risk register covers all operational areas: technical risks (method performance, measurement uncertainty), structural risks (impartiality threats, resource constraints), operational risks (sample integrity, equipment reliability), and external risks (regulatory changes, supply chain disruptions).

The corrective action process (Clause 8.7) connects to multiple trigger sources — nonconforming work, complaints, audit findings, PT failures, and trend analysis. Each corrective action follows a structured path from identification through root cause analysis, action planning, implementation, and effectiveness verification. The CAPA log template provides a trackable record from trigger to closure.

### What It Covers

- **Risk identification** — systematic identification of risks across all laboratory operations and clause areas
- **Risk assessment** — likelihood (1-5) and impact (1-5) scoring with calculated risk levels
- **Opportunity identification** — improvement opportunities documented alongside risks
- **Current controls** — existing mitigation measures documented for each risk
- **Treatment plans** — additional actions defined for high-risk items with owners and review dates
- **Improvement objectives** — measurable improvement indicators per Clause 8.6
- **Corrective action triggers** — nonconforming work, complaints, audit findings, PT failures, trend analysis
- **Root cause methodology** — 5-Why analysis, fishbone diagrams, fault tree analysis
- **Effectiveness verification** — confirming corrective actions prevent recurrence
- **CAPA tracking** — log with unique identifiers, owners, deadlines, status, and closure criteria

## Example Conversation

> **You:** We need to build a risk register and corrective action process for our lab. LabTech Analytical, Austin TX, environmental testing — drinking water and soil, 12 analysts, pursuing A2LA accreditation. We've never done any formal risk assessment before. Not sure where to start.
>
> **Agent:** Risk assessment can feel abstract at first, but for a testing lab it's very concrete — we're identifying what could go wrong and what you're doing (or should be doing) about it. I'll walk you through it by operational area. Let's start with the risks you probably already know about:
>
> 1. What keeps you up at night about your testing operations? Equipment breaking? Losing key staff?
> 2. Have you had any significant quality issues in the past year — failed PT studies, client complaints, equipment problems?
> 3. Any upcoming changes — new methods, new staff, facility moves, regulatory changes?
>
> **You:** Biggest worry is honestly the ICP-MS. It's our only one and if it goes down we can't run metals for anyone. We failed one ERA PT study for lead last year — turned out to be a bad standard prep. And we're adding two new analysts in Q2 so there's a training burden. Also the new EPA Lead and Copper Rule revisions mean we'll probably see a lot more lead testing volume soon.
>
> **Agent:** Those are exactly the kinds of things that belong in the register. Let me identify risks and opportunities across all areas. Here's what I'm building:
>
> **High-risk items** (Likelihood x Impact):
> - R-001: Single ICP-MS failure halts all metals testing (L:3 x I:5 = 15 — HIGH)
> - R-002: Key personnel departure with no cross-training (L:2 x I:5 = 10 — HIGH)
> - R-003: Standard/reagent preparation error affecting result validity (L:3 x I:4 = 12 — HIGH)
>
> **Medium-risk items:**
> - R-004: New analyst competency gaps during training period (L:4 x I:3 = 12 — MEDIUM)
> - R-005: Sample holding time exceedance during high-volume periods (L:3 x I:3 = 9 — MEDIUM)
> - R-006: Impartiality threat from major client commercial pressure (L:2 x I:4 = 8 — MEDIUM)
>
> **Opportunities:**
> - O-001: Increased lead testing volume from LCR revisions — revenue growth and method expertise
> - O-002: Cross-training program improves resilience and staff development
> - O-003: Backup ICP-MS arrangement with partner lab reduces single-point-of-failure risk
>
> **You:** That PT failure for lead — we never did a formal root cause analysis, we just figured it was the standard and re-prepped. Is that going to be a problem for the assessor?
>
> **Agent:** Yes, an assessor will want to see that PT failures trigger the corrective action process with documented root cause analysis. "We think it was the standard" isn't sufficient — you need to show the investigation path. For the corrective action procedure, I'll include these root cause methodologies:
>
> - **5-Why analysis** — for straightforward issues (your PT failure is a good candidate)
> - **Fishbone (Ishikawa) diagram** — for complex issues with multiple potential causes
>
> For your lead PT failure, a 5-Why would look like: Why did we fail? → Results were biased high → Why? → Calibration standard was incorrect → Why? → Standard preparation error → Why? → No independent verification of standard concentration → Why? → No SOP requirement for second-source verification. **Corrective action:** Require second-source calibration verification standard for all metals analyses.
>
> I've drafted the risk register, risk procedure, corrective action procedure, and CAPA log. Running validation now.
>
> Running `risk_register_validator`... **PASS**. All entries have unique IDs, descriptions, source classification, clause references, likelihood/impact scoring, current controls, additional actions, owners, and review dates. Both risks and opportunities are documented.
>
> Running `corrective_action_tracker`... **PASS**. All trigger events covered (nonconforming work, complaints, audit findings, PT failures, trend analysis). Root cause methodology specified (5-Why and fishbone). Action planning, effectiveness verification, prevention of recurrence, CAPA identifiers, and deadlines all present.

## Sample Output Excerpt

The skill produces a risk procedure, risk register, corrective action procedure, and CAPA log. Here is an excerpt from the risk register showing scored entries.

---

## Risk and Opportunity Register

**Document ID:** LTA-REG-003 | **Revision:** 1 | **Last Review:** 2026-03-31

### Risk Scoring Matrix

| | Impact 1 (Negligible) | Impact 2 (Minor) | Impact 3 (Moderate) | Impact 4 (Major) | Impact 5 (Critical) |
|---|:---:|:---:|:---:|:---:|:---:|
| **Likelihood 5 (Almost Certain)** | 5 | 10 | 15 | 20 | 25 |
| **Likelihood 4 (Likely)** | 4 | 8 | 12 | 16 | 20 |
| **Likelihood 3 (Possible)** | 3 | 6 | 9 | 12 | 15 |
| **Likelihood 2 (Unlikely)** | 2 | 4 | 6 | 8 | 10 |
| **Likelihood 1 (Rare)** | 1 | 2 | 3 | 4 | 5 |

**Risk levels:** 1-4 LOW (accept) | 5-9 MEDIUM (monitor) | 10-15 HIGH (mitigate) | 16-25 CRITICAL (immediate action)

### Risk Entries

| Risk ID | Description | Source | Affected Clause | L | I | Risk Level | Current Controls | Additional Actions | Owner | Review Date |
|---------|-------------|--------|----------------|---|---|-----------|-----------------|-------------------|-------|-------------|
| R-001 | Single ICP-MS failure halts all metals testing — no backup instrument | Internal | 6.4 | 3 | 5 | 15 HIGH | Preventive maintenance schedule, service contract | Establish backup arrangement with partner lab; evaluate lease of second ICP-MS | S. Chen | 2026-06-30 |
| R-002 | Key personnel departure with institutional knowledge loss | Internal | 6.2 | 2 | 5 | 10 HIGH | Personnel files, training records | Implement cross-training matrix; document all tribal knowledge in SOPs | J. Park | 2026-06-30 |
| R-003 | Standard/reagent preparation error producing invalid calibration | Internal | 7.7 | 3 | 4 | 12 HIGH | Prep logs, expiry tracking | Require second-source verification for all calibration standards | M. Rodriguez | 2026-04-30 |

### Opportunity Entries

| Opp ID | Description | Source | Related Clause | Potential Benefit | Actions to Realize | Owner | Review Date |
|--------|-------------|--------|---------------|-------------------|-------------------|-------|-------------|
| O-001 | Increased lead testing demand from EPA LCR revisions | External | 7.1 | Revenue growth, method expertise deepening | Monitor TCEQ guidance; prepare capacity plan; validate lower reporting limits | S. Chen | 2026-06-30 |
| O-002 | Cross-training program | Internal | 6.2 | Improved resilience, staff development, reduced single-point-of-failure | Develop competency matrix with backup assignments for all critical methods | J. Park | 2026-05-31 |


## Extension Tools

### `risk_register_validator`

Validates the risk and opportunity register for entry completeness and scoring correctness.

| Check | What It Validates |
|-------|-------------------|
| **Unique identifiers** | Each risk entry has a unique Risk ID (e.g., R-001) |
| **Descriptions** | Risk/opportunity descriptions present |
| **Source classification** | Each risk classified as internal or external source |
| **Clause references** | Affected ISO 17025 clause mapped for each entry |
| **Likelihood scoring** | Likelihood rating (1-5) present |
| **Impact scoring** | Impact/severity rating (1-5) present |
| **Risk level** | Calculated risk level or rating present |
| **Current controls** | Existing mitigation measures documented |
| **Additional actions** | Treatment plans defined for high-risk items |
| **Owners** | Risk owners assigned to each entry |
| **Review dates** | Next review date set for each entry |
| **Opportunities** | At least some opportunity entries documented (not only risks) |
| **Minimum coverage** | At least 5 risk entries covering different operational areas |
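The identifier, completeness, and scoring checks in this table can be reproduced against a register laid out like the Risk Entries table above. The following Python is an added example, not the skill's own implementation; the function names, the sample rows, and the reading of "high-risk items" as a score of 10 or more are assumptions.

```python
import re

# Bands from the page's "Risk levels" line; columns follow its Risk Entries table.
BANDS = [(1, 4, "LOW"), (5, 9, "MEDIUM"), (10, 15, "HIGH"), (16, 25, "CRITICAL")]
COLUMNS = ["id", "description", "source", "clause", "L", "I", "level",
           "controls", "actions", "owner", "review"]

def level_for(score):
    return next(name for lo, hi, name in BANDS if lo <= score <= hi)

def parse_rows(markdown):
    """Yield a dict per risk row of a pipe table; header and rule rows are skipped."""
    for line in markdown.strip().splitlines():
        cells = [c.strip() for c in line.strip()[1:-1].split("|")]
        if len(cells) == len(COLUMNS) and re.fullmatch(r"R-\d{3}", cells[0]):
            yield dict(zip(COLUMNS, cells))

def validate(markdown):
    """Return (risk_id, problem) tuples; an empty list means every check passed."""
    findings, seen = [], set()
    for row in parse_rows(markdown):
        rid = row["id"]
        if rid in seen:
            findings.append((rid, "duplicate Risk ID"))
        seen.add(rid)
        for field in ("description", "clause", "controls", "owner"):
            if not row[field]:
                findings.append((rid, f"missing {field}"))
        if row["source"].lower() not in ("internal", "external"):
            findings.append((rid, "source must be Internal or External"))
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", row["review"]):
            findings.append((rid, "review date missing or not YYYY-MM-DD"))
        if not (re.fullmatch(r"[1-5]", row["L"]) and re.fullmatch(r"[1-5]", row["I"])):
            findings.append((rid, "likelihood and impact must each be 1-5"))
            continue
        score = int(row["L"]) * int(row["I"])
        expected = f"{score} {level_for(score)}"
        if row["level"] != expected:
            findings.append((rid, f"risk level '{row['level']}' should be '{expected}'"))
        # Assumption: "high-risk items" means HIGH or CRITICAL, i.e. score >= 10.
        if score >= 10 and not row["actions"]:
            findings.append((rid, "no additional actions for a HIGH/CRITICAL risk"))
    return findings

# Constructed sample rows (not the page's data): R-002 is mislabelled and duplicated.
SAMPLE = """\
| R-001 | Single instrument failure halts testing | Internal | 6.4 | 3 | 5 | 15 HIGH | Service contract | Backup arrangement with partner lab | Owner A | 2026-06-30 |
| R-002 | Competency gaps during training period | Internal | 6.2 | 4 | 3 | 12 MEDIUM | Supervised runs |  | Owner B | 2026-06-30 |
| R-002 | Holding time exceedance at high volume | Internal | 7.4 | 3 | 3 | 9 MEDIUM | Sample login tracking |  | Owner C | TBD |"""
```

Calling `validate(SAMPLE)` returns four findings, all against R-002; the minimum-coverage and opportunity checks from the table are not covered here.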

### `corrective_action_tracker`

Validates the corrective action procedure for all required process elements and log structure.

| Check | What It Validates |
|-------|-------------------|
| **Trigger: Nonconforming work** | NC work listed as a corrective action trigger |
| **Trigger: Complaints** | Complaints listed as a trigger event |
| **Trigger: Audit findings** | Internal/external audit findings listed as a trigger |
| **Trigger: PT failures** | Proficiency testing failures listed as a trigger |
| **Trigger: Trend analysis** | Trend monitoring listed as a trigger |
| **Root cause analysis** | Root cause analysis requirement addressed |
| **RCA methodology** | Specific methodology named (5-Why, fishbone, fault tree) |
| **Action planning** | Corrective action planning process defined |
| **Effectiveness verification** | Verification that corrective actions are effective |
| **Prevention of recurrence** | Measures to prevent recurrence addressed |
| **CAPA identifiers** | Unique CAPA log entry IDs present |
| **Deadlines** | Due dates or target dates for corrective actions |

## Getting Started

Activate the *ISO 17025 Risk, Opportunity & Corrective Action Management* skill and describe your laboratory's operations, known risks, and any recent quality issues. The agent will guide you through a systematic risk identification exercise covering technical, structural, operational, and external risk categories.

Have this information ready:
- Known operational risks — equipment vulnerabilities, staffing concerns, supply chain issues
- Recent quality incidents — PT failures, client complaints, equipment malfunctions, nonconforming work events
- Upcoming changes — new methods, staff turnover, facility modifications, regulatory changes
- Current mitigation measures you already have in place (even informal ones)
- Who in your organization should own risk management (typically the Quality Manager)
- Preferred root cause analysis methodology, or let the agent recommend one

The risk register and corrective action procedure connect to several other ISO 17025 processes. Complaints and nonconforming work feed into CAPA as trigger events, internal audit findings generate corrective actions, and management review evaluates the effectiveness of the entire system. Build this skill early so other processes can reference it.



