Nonconformities and corrective actions.

Managing nonconformities under ISO 9001 clause 10.2 requires four steps: react, analyze root cause, define corrective action, verify effectiveness. The 5-whys and Ishikawa diagram are the standard root-cause tools.

The internal audit detected a nonconformity. The corrective action register opens a new line. Three months later it is closed with the laconic note "training given to operator". A year later the same nonconformity reappears in the surveillance audit. Sound familiar? It is the most common failure mode in ISO 9001 systems, and it has a specific root cause: the corrective action acted on the symptom, not on the root cause.

What ISO 9001 clause 10.2 requires

Clause 10.2 of ISO 9001:2015 (and equivalent clauses in 14001, 45001, 27001 and the other Annex SL standards) requires four explicit steps when a nonconformity occurs:

1. React to the nonconformity: control and correct it, deal with the consequences.
2. Evaluate the need for action on the cause to prevent recurrence: review and analyze, determine the causes, determine whether similar nonconformities exist or could occur.
3. Implement the necessary action.
4. Review the effectiveness of any corrective action taken.

Most systems do steps 1 and 3 well but skip step 2 (root cause analysis) and step 4 (effectiveness verification). Without those two steps the nonconformity is statistically certain to recur.

The difference between correction and corrective action

This is the conceptual key:

• Correction: immediate action to deal with the nonconformity itself. Example: rejecting the defective batch, redoing the wrong delivery, refunding the customer.
• Corrective action: action on the cause of the nonconformity to prevent it from recurring. Example: redesigning the inspection control that did not detect the defect, modifying the training programme, changing the supplier.

An audit finding that lists only the correction without a corrective action is incomplete. The standard requires both.

The 5-whys technique

The 5-whys is the most widely used technique for non-complex nonconformities. It consists of asking "why" five consecutive times to dig from the visible symptom to the underlying systemic cause. Practical example:

• Symptom: customer received the wrong part.
• Why? Because the order picker took it from the wrong bin.
• Why? Because the bin labels were faded.
• Why? Because no label-replacement protocol exists.
• Why? Because the warehouse procedure does not include preventive maintenance of identification.
• Why? Because the warehouse procedure was inherited from another company without sector-specific review.

The root cause is not "the picker made a mistake" but "the warehouse procedure has no provision for identification maintenance". The corrective action acts on the latter, not on the former.

The Ishikawa diagram (fishbone)

For complex multi-cause nonconformities, the Ishikawa diagram organizes possible causes into six categories (the 6 Ms):

• Methods: procedures, instructions, working ways.
• Materials: raw materials, components, inputs.
• Machinery: equipment, tools, facilities.
• Manpower: training, experience, motivation, availability.
• Measurement: indicators, controls, instruments.
• Environment: temperature, humidity, light, working environment.

The team brainstorms hypotheses in each category, then verifies them with evidence. Useful when the cause is not obvious or when there are multiple interacting causes.

Effectiveness verification: the step almost everyone skips

Implementing the corrective action is not the same as verifying that it worked. Effectiveness verification requires waiting a reasonable period after implementation (typically 3-6 months) and reviewing that the nonconformity has not recurred. The verification can be:

• Statistical: indicator metric before/after implementation.
• Documentary: review of records of similar processes after the change.
• Observational: targeted internal audit on the modified process.
• Customer feedback: review of complaints related to the original symptom.

Closing a corrective action without verification is one of the most frequent findings in surveillance audits. The system loses credibility because closures stop being trustworthy.

Common closure errors

• Closing with "training given": training is sometimes part of the solution, but rarely the root cause. If the procedure is broken, training people on a broken procedure changes nothing.
• Closing without effectiveness verification: as explained above.
• Closing several nonconformities with a single generic action: each nonconformity needs its own root cause analysis; aggregating loses information.
• Acting on the operator: blaming the operator who reported the problem is the fastest way to kill the reporting culture.
• Closing on deadline without genuine resolution: artificial closures to clean up the dashboard re-emerge as repeated findings in the next audit.

How to organize the corrective action register

The minimum effective register includes:

• NC identifier, opening date, source (audit, complaint, internal observation, accident).
• Nonconformity description with reference to the breached requirement.
• Correction applied and date.
• Root cause analysis (method used and conclusion).
• Corrective action defined, owner, deadline.
• Effectiveness verification (method, date, conclusion).
• Final closure with verification signature.

The register feeds the periodic management review with trend indicators: number of NCs by source, percentage closed within deadline, average closure time, percentage of NCs by repeated category (early-warning indicator).

From corrective culture to preventive culture

A mature ISO 9001 system does not just react well: it anticipates. Clause 6.1 (risks and opportunities) absorbs what the 2015 revision called preventive action. The natural evolution is:

• Year 1: react to detected nonconformities.
• Year 2: analyze trends and act on systemic causes.
• Year 3+: identify risks before they materialize and act preventively.

The journey takes time, and the milestone is when corrective actions stop being a chore and become a strategic learning system. Book a 45-minute session and we will look at your corrective action register and identify the underlying patterns.

Frequently asked questions

What is a nonconformity in ISO?

A nonconformity is the breach of a requirement: a clause of the standard, a procedure, a customer specification or a legal requirement. ISO 9001 clause 10.2 requires reacting to each nonconformity and evaluating whether corrective action is needed.

What is the difference between corrective and preventive action?

Corrective action acts on the cause of a nonconformity that has already occurred to prevent recurrence. Preventive action acts on a potential cause to prevent a nonconformity from happening. Since ISO 9001:2015, the term preventive action was absorbed into risk management (clause 6.1).

What is the 5-whys technique?

It is a root cause analysis technique that consists of asking 'why' five consecutive times to dig from the visible symptom to the underlying systemic cause. Simple, fast and effective for non-complex nonconformities.

What is the Ishikawa diagram?

Also called fishbone diagram, it is a graphic technique that organizes the possible causes of a problem into six categories (the 6 Ms: methods, materials, machinery, manpower, measurement, environment). Useful for complex multi-cause nonconformities.

When can a corrective action be closed?

Only after verifying that it has been effective, which requires waiting a reasonable period after implementation (typically 3-6 months) and reviewing that the nonconformity has not recurred. Closing without effectiveness verification is one of the most frequent audit findings.