
What evidence is expected in order to show compliance to having addressed risks?

12 December 2017

To understand what is required, we need to look at the particular clause in ISO 9001:2015, which is:
 
6.1. Actions to address risks and opportunities.

6.1.1. When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) give assurance that the quality management system can achieve its intended result(s)
b) enhance desirable effects
c) prevent, or reduce, undesired effects
d) achieve improvement.

6.1.2. The organization shall plan:

a) actions to address these risks and opportunities
b) how to:
  • integrate and implement the actions into its quality management system process
  • evaluate the effectiveness of these actions

So how does this relate to the context of a quality management system to ISO 9001:2015?
 
Firstly, the client has to identify what the particular risk is to the business.
 
There are many ways of doing this, but one method that is gaining favour is the use of the HSE's 5x5 risk assessment approach, which can give a final rating of Low / Moderate / High.
 
Once the risks have been identified, the client can identify the significant (High) risks to the business. Often the client uses a table to describe this, such as:

| Threat | Internal / External | Persons / Assets at risk | Controls | Process owner | Interested parties | Risk Rating |
|---|---|---|---|---|---|---|
|  |  |  |  |  |  |  |

Secondly, the client has to identify what objectives and actions can be set to mitigate these risks in addition to the quality management system process that the company has established and implemented, which could include:

  • Performance monitoring systems for complaints, nonconformities and resource issues that could have a negative impact on the company
  • Internal audit system for checking the effectiveness of the systems
  • Management review process for reviewing the whole system.

Thirdly, the client has to review the results (evidence) from the performance monitoring to identify:

Evidence that confirms compliance, which could include:

  • Number of complaints for this year and last year;
    • Have these been categorised correctly
    • Is there an increase and / or decrease in the numbers
    • Since previous improvements have been implemented, has this had an impact elsewhere that may need to be reviewed and amended
  • Number of audit findings for this year and last year;
    • Have these been categorised correctly
    • Is there an increase and / or decrease in the numbers
    • Since previous improvements have been implemented, has this had an impact elsewhere that may need to be reviewed and amended
  • Number of product nonconformities for this year and last year;
    • Have these been categorised correctly
    • Is there an increase and / or decrease in the numbers
    • Since previous improvements have been implemented, has this had an impact elsewhere that may need to be reviewed and amended
  • Number of service provider issues for this year and last year;
    • Have these been categorised correctly
    • Is there an increase and / or decrease in the numbers
    • Since previous improvements have been implemented, has this had an impact elsewhere that may need to be reviewed and amended
  • Increase in business for this year and last year;
    • Is this just in new clients or is there an increase in existing clients also
    • If just new clients, are you losing existing clients
  • Agreements with non-governmental organizations;
    • Evidence to demonstrate that these are being adhered to
  • Requirements from regulatory bodies;
    • Is there any monitoring that may be required, associated with the company’s activities
  • International, national and local laws;
    • Are there any laws / regulations that are applicable which require some form of statutory inspections, for example
      • Lifting Operations and Lifting Equipment Regulations (LOLER)
        • Do fork lift trucks have a Certificate of Thorough Examination
      • Pressure Vessel Directive
        • Are pressure vessels inspected and tested in line with the Written Scheme of Examination
  • Requirements as specified in permits and / or licenses;
    • Is monitoring required for any permits that the company has, for example
      • Consent to Discharge Licence
        • Are the results in line with the permitted requirements
        • Is there evidence of any breaches
  • Judgments of courts or tribunals;
    • If any have been issued, is there evidence to demonstrate that they are being complied with.

Typical types of evidence can include:

  • Results from surveys of companies who use their services
  • Complaints and feedback from companies who use their services
  • Staff surveys and feedback
  • Quality monitoring including reviews of:
    • Services
    • Complaints
    • Audits
    • Comparative information
    • Risk assessments
    • Reporting and learning from incidents
    • Information from regulators, inspections or accreditation schemes
    • Action plans and monitoring improvements.

Trends, whether these are positive or negative:

  • From the results gathered, within each of the measured areas, are the trends positive or negative
    • If negative, then a further review will be required to establish why this has happened and
      • Does the measurement frequency need to be changed, for example increased
      • Does the issue being measured need to be changed, for example, can this be better defined
      • Can the change point be established and linked to a particular event.
    • If positive, then a further review will be required to establish why this has happened and
      • Does the measurement frequency need to be changed, for example decreased to a watching brief
      • Does the issue being measured need to be changed
      • Can the change point be established and linked to a particular event, which could demonstrate the effectiveness of a particular action being implemented.

The above information is not exhaustive, but indicative. The actual evidence will vary with the context of the organization and its activities.