ISO 9001:2015 requires that when a nonconformity occurs, including any arising from customer complaints, organisations to take the following steps:

1. Immediate containment actions. IE: React to the nonconformity and as appropriate, take action to control and correct it and deal with the consequences.
2. Identify Root Cause / Similar products or processes consideration. IE: Evaluate the need for action to eliminate the cause(s) of the nonconformity, so that it does not recur or occur elsewhere, by: Reviewing and analysing the nonconformity, Establishing the cause(s), Determining if any similar nonconformities exist, or could potentially occur elsewhere.
3. Implement Corrective Action to address root cause(s) and review effectiveness.

4. Update Risks and Opportunities planning and any changes to the management system as appropriate. It is also noted that corrective actions must be appropriate to the effects of the nonconformities under review and that documented information (records) must be retained as evidence of:

   • The nature of the nonconformities,
   • Any subsequent actions taken and the results of corrective actions taken.

Comment:

Note the explicit requirement to determine if other similar nonconformities exist or could exist elsewhere. IE similar products or processes must also be considered. (As common sense would dictate!)

Risks and opportunities are also required to be reviewed as part of the nonconformity and corrective action process. (It is possible that this review may result in the likelihood of recurrence of a risk being reduced, but not eliminated entirely of course.)

The standard recognises that not every nonconformity should be treated equally. EG: High risk concerns, with potential safety consequences, regulatory requirement infringement or significant impact on customers, may require full in depth root cause analysis, utilising cross functional teams and an appropriate level of problem solving / corrective action tools, such as data collection and analysis, Ishikawa (fishbone) diagrams to brainstorm potential causes and solutions, or even a full blown Six Sigma project.

Where consequences are of a much lower risk or impact, appropriately scaled resources and countermeasure measures should be taken. EG: A simple “5 Y’s” exercise may suffice. (This is good news for organisations with long lists of open and overdue corrective actions, some of which could have been dealt with quickly and simply, thereby allowing resources to concentrate on the “vital few” complex / significant concerns.)

The “Global 8D” template is a widely used and effective tool which aids organisations to structure their problem resolution processes which can be used to address simple concerns directly, or to act as a structure and report out tool for larger projects.

Note also the requirement to where required, make changes to the Management System as part of the nonconformity corrective action process in order to prevent a recurrence. (Many organisations may well already address this requirements, as depending on the nature of the nonconformity, organisational processes may have been identified as a key part of the root cause / non detection.)

Note that records are required and they must include the identification of the nature of any nonconformity, the action(s) taken and crucially - the results of any corrective action. IE evidence must be gathered to determine if the actions carried out were effective.

(See also article 6.1 Actions to address risks and opportunities.)

Audit Check:

Records (documented information) may be requested to determine not only if the problem and the corrective actions implemented were described adequately, but also the results. IE were the actions taken successful and if not, revisited in accordance with Plan Do Check Act methodology.

Auditors may also specifically check that where nonconformities have been identified, an investigation has been conducted to determine whether other similar nonconformities have or could, occur elsewhere and that if the organisation has considered whether it needs to make changes to the wider Management System as part of the process.