Non-Conformance Reporting: A Business Owner’s Guide

📅 25 August, 2025 👤 Scott Smith ⏱️ 9 min read

An ISO non-conformance is defined as a failure in meeting clauses in the applicable ISO standard. If non-conformities are detected by ISO auditors, organisations must assess and correct the identified non-conformity prior to their next scheduled audit to ensure they qualify for Certification or are approved to maintain Certification.

In the simplest terms, non-conformance reporting is a vital process of ensuring ongoing ISO compliance – so it’s well worth investing in your non-conformance reporting and corrective action processes to maintain your ISO Certification.

For small business owners, establishing non-conformance reporting processes can feel a little abstract. While similar to ‘contingency planning’ in a traditional sense, non-conformance reporting processes do have a greater focus on aligning with the ISO Certification Standards. This is why ISO consultants can be such a valuable resource when it comes to establishing non-conformance reporting processes.

Today, our ISO consultants at S & J Auditing & Consulting will share their expert insights into non-conformance reporting, outlining how you can optimise your reporting processes and ensure your corrective actions are primed to deliver the strongest results with every ISO audit.

What is a Non-Conformance Report?

A non-conformance report is a specific type of ISO audit report designed to describe all identified areas of non-conformance within Management Systems relating to any of the recognised ISO Standards.

Non-conformance report templates are generally developed by an organisation to ensure a tailored approach to corrective actions, these being actions that are developed to correct non-conformances and support ongoing ISO compliance. However, non-conformance reports can be issued by both internal auditors and compliance officers within your organisation, as well as third-party auditors like Certification auditors.

What to Include in a Non-Conformance Report

Non-conformance reports should generally include 5 key details to support corrective action and continuous process improvement strategies. These 5 key details are as follows:

  1. Identification of the source and cause of the non-conformities.
  2. Thorough details on where the non-conformity occurred and who was involved (i.e. establishing chain of custody).
  3. Evaluation of the non-conformity, outlining the scope observed by the auditor, and corroborated by personnel involved in the non-conformance.
  4. Recommendations on how the non-conformity can be avoided to reduce risks of recurring issues.
  5. Explanation of the corrective actions that will be taken in order to correct the non-conformity.

Types of ISO Non-Conformities

There are two different types of non-conformities, these being major and minor non-conformities.

As you’d expect, minor non-conformities are generally considered to be ‘quick fixes’, like small mistakes or gaps in process documentation that can be corrected with minimal disruption to your organisation and your ISO Management Systems.

Contrastingly, major non-conformities are often more serious and consequential, where your organisation has demonstrated a failure to meet foundational requirements of your ISO frameworks. Major non-conformities can often take the form of identified workplace risks or hazards that threaten worker safety, or even systemic flaws that impede the implementation of your ISO Management Systems.

How Do You Identify Non-Conformities?

Non-conformities are best identified by using ISO frameworks to evaluate ISO Management Systems.

For example, if an Environmental Management System fails to tick all the boxes across your ISO 14001 audit checklist, all the unchecked boxes can be treated as non-conformances. Further investigation and evaluation in the form of non-conformance reporting can then be used to determine whether the identified non-conformities are major or minor.

Common ISO Non-Conformities

As we’ve mentioned, non-conformance reporting processes are a vital component of reaching Certification readiness. In fact, non-conformance reporting processes are mentioned in the ISO 9001:2015 Quality Management Systems Standard as a prerequisite to Certification, stating that organisations must be able to ‘identify and control’ non-conformities in their products and services to ensure consistent quality.

However, what constitutes a non-conformity within a Quality Management System may not apply to other types of ISO Management Systems. Here are the most common types of non-conformities across the core ISO Management Standards that we work with.

Common Non-Conformities Across ISO 9001

Here are some of the most common non-conformities observed across the development, implementation, and maintenance of Quality Management Systems (that must be compliant with the ISO 9001:2015 Standard):

  • Incorrect or incomplete documentation for policies, processes, and workflows
  • A failure to implement ISO staff training or outline roles and responsibilities relating to the QMS
  • A failure to implement internal auditing and management review processes
  • A lack of performance monitoring and customer complaint management processes
  • Lack of documentation for product and service supervision (i.e. on-site testing, equipment maintenance schedules, product quality checks, etc.)
  • Incomplete risk and opportunity management processes
  • A failure to establish, communicate, and monitor quality objectives

Common Non-Conformities Across ISO 14001

Here are some of the most common non-conformities observed across the development, implementation, and maintenance of Environmental Management Systems (that must be compliant with the ISO 14001:2015 Standard):

  • Incorrect or incomplete documentation of environmental policies and processes
  • A failure to incorporate environmental performance review processes
  • A failure to integrate environmental monitoring processes for suppliers and external stakeholders
  • A lack of customer concern management processes for addressing environmental issues
  • Incomplete or insufficient risk management processes, resulting in resource waste or environmental hazards
  • A failure to outline staff and department roles and responsibilities relating to the EMS

Common Non-Conformities Across ISO 45001

Here are some of the most common non-conformities observed across the development, implementation, and maintenance of OH&S Management Systems (that must be compliant with the ISO 45001:2018 Standard):

  • Incorrect or incomplete documentation for OH&S policies and processes
  • Incomplete or insufficient risk management processes, resulting in undetected workplace hazards
  • A failure to integrate equipment testing and maintenance to support OH&S (e.g. testing and tagging of fire extinguishers, etc.)
  • A failure to integrate staff training and licensing/qualification renewal requirements
  • A failure to communicate OH&S processes and safety measures to staff, on-site visitors, etc.
  • Lack of process infrastructure for supporting internal reviews and continuous process improvements
  • Breaches in regulatory obligations

Tips for Managing your Non-Conformance Reporting

Non-conformance reports outline non-conformities in great detail to support corrective action procedures. But because these reports can be so dense, they can often be daunting for business owners and their teams to get through.

Whilst a proactive approach (where you’re aware of common non-conformances and how they can be avoided) is always better than a reactive approach, it’s important to keep in mind that non-conformities can happen at any time. The best method for correcting them is to keep your reporting, auditing, and review processes effective and systematic.

Here are the top non-conformance report management solutions that our ISO consultants have recommended to many of our clients who have had to deal with unexpected non-conformities.

Establish your Non-Conformance Reporting Template Early

If your organisation is looking to implement an HSEQ Management System, you can expect your non-conformities to get pretty dynamic and multi-dimensional. Whilst there are many benefits to achieving ISO Certification across multiple Certification Standards, implementing these multi-faceted systems makes compliance management an even more important priority that often requires larger internal compliance teams.

Major non-conformities that could affect multiple ISO Management Systems are best tackled with a well-structured and consistent approach. This means making sure your non-conformance reporting templates are standardised and approved by all key stakeholders within your organisation.

Integrate Non-Conformance Reporting with Internal Audit Processes

The overarching goal of non-conformance reports is ultimately to help you maintain your ISO Certification and continue improving your Management Systems. As such, your non-conformance reporting should also support internal audit processes alongside being referenced by your compliance officers.

By making sure that both your ISO compliance officers and auditors have access to non-conformance reports across their procedures, you can improve your organisation’s chances of enjoying process improvements that also support your ongoing compliance monitoring and non-conformance risk assessments.

Introduce Response Plan Templates to Support Corrective Actions

If your compliance team and other stakeholders often find themselves confused on how best to tackle a non-conformity, it can delay corrective action planning. The best way to help them find and implement the right responses is simply to provide them with response plan templates.

These can be as simple as providing a well-defined list of response options (i.e. rework, regrade, remove, etc.) so that the non-conformity can be addressed in the most efficient and solutions-oriented manner.

Record All Non-Conformance Reports for Historic Reference

And finally, in the spirit of efficiency, keep in mind that recurring non-conformities are a drain on your resources. You don’t want to keep receiving the same non-conformance report on your desk every quarter.

How can you avoid falling into this ‘Groundhog Day’-esque trap?

By making sure you learn from your mistakes.

And the secret to learning from your mistakes within the context of ISO Management Systems is to make sure your mistakes are well-documented for future reference.

With robust record-keeping processes in place, you can ensure your non-conformance reports are less likely to deliver recurring results, as any repetitive outcomes and variations in observations of those outcomes (via monitoring) are more visible and thus more likely to be thoroughly addressed.

Optimise your Non-Conformance Reporting Processes with our ISO Consultants

Although non-conformance reports are designed to help you align with ISO frameworks, these reporting processes are most impactful when they’re tailored to your organisation’s operational policies and procedures. If your non-conformance reports and subsequent corrective action planning are easily accessible to staff, you can strengthen your organisation’s ability to maintain ISO compliance and your ISO Certification over the long term.

If you’d like to invest in non-conformance reporting processes that are tailored to your business and are uncertain where to start, simply get in touch with our team of local ISO consultants here at S & J Auditing & Consulting. We’ll help you put the necessary steps in place to make sure your non-conformance reporting supports your Management Systems as they evolve.


S&J Auditing & Consulting

ISO 9001 specialists with extensive experience helping Australian businesses implement effective quality management systems and achieve certification.
