
ISO 9001: What are the Risks Associated with Non-Compliance?

The ISO 9001:2015 standard for quality management systems requires organizations that adopt it to plan and conduct internal audits. Before receiving the ISO 9001 certification, the final step is the complete internal audit, in order to verify that the quality system is aligned with the internationally recognized standard.

Audits, whether internal (conducted by the organization's staff) or external (conducted by a certification body or a customer), can highlight non-conformities, defined in ISO 17021 as a non-fulfillment of a requirement.

A non-conformity is not necessarily a negative thing, especially if it is isolated or occasional. Audits, as they were conceived in ISO 9001, are a structure that serves to help organizations identify and solve their problems related to the quality system before they translate into product quality problems or waste. Only systemic and repeated non-conformities are worrying.

Discovering a problem in the quality system during an audit is normal, but highlighting a series of problems is a clear sign of weakness in corporate quality management because it means that you cannot see, measure, communicate or improve the things that matter. That's why a single gap can be an isolated incident, while a major non-conformity could be a significant wake-up call about your ability to manage quality effectively.

It is important to emphasize, however, that each non-conformity is an opportunity for improvement. Problems of any size should lead to corrective action. However, major and minor non-conformities mean different things for your organization.

The main difference between these two types is based on the impact of the problem on the rest of the system or product: a minor non-conformity is generally a weakness in the system that could, potentially, lead to significant problems of the quality system in the future. An example might be an unauthorized change to a document or an incorrectly calibrated instrument.

A major non-conformity, on the other hand, is proof of a significant problem in the management system that could threaten an organization's ability to achieve its goals or protect customers. This could be a pattern of unauthorized document changes or poor calibration procedures that result in incorrectly tested products.

A detection of a minor non-conformity is not an obstacle to certification or to the success of surveillance audits, but your organization will have to respond with an effective corrective action plan to avoid losing certification or having it suspended.

Serious non-conformities, on the other hand, can prevent your organization from obtaining certification or confirming it during annual surveillance audits. To secure certification, pass a surveillance audit and, in general, maintain a well-functioning and successful quality system, it is essential to address the biggest risks by knowing in which areas organizations often struggle to meet the ISO 9001 standard.

The sections of ISO 9001:2015 that cause the most problems in this sense are 4 (failure to identify and define the parties concerned), 6 (incomplete definition of change management and issues relating to risk assessment), 7 (poor documentation of training and acquisition of records), 8 (missing or incorrectly documented inspections), 9 (incomplete documentation relating to internal audits and ineffective management review) and 10 (incomplete documentation relating to corrective actions).

What happens if there are problems within the quality system (those listed or others)?

ISO 9001:2015 includes a clear and in-depth guide on how to respond to any non-conformity detected through customer complaints or audits. Section 10.2, in particular, states that organizations must:

  • Correct the non-conformities;
  • Eliminate the causes that generated them;
  • Implement a corrective action;
  • Check the results;
  • Update the risk register;
  • Implement the change so that it becomes permanent within the system;
  • Document the results of the corrective action.

And what would happen if corrective actions were not taken? The answer is simple: the potential impact on your organization depends on the size of the non-conformity in question. If found during certification or re-certification, a non-conformity will almost certainly create obstacles. You may still obtain certification if the non-conformity is minor, but uncorrected problems will, sooner or later, constitute a real barrier to ISO 9001 certification.

Problems on the certification path, however, are not the only risk you run by failing to correct the problems found. Major non-conformities, in fact, can cause a number of problems, including:

  • Delays in product delivery or service delivery;
  • Reworking;
  • Products not accepted by the customer;
  • Growing operating costs;
  • Etc.

Discovering a non-conformity, therefore, is not necessarily a negative thing, since minor problems can represent an opportunity to strengthen your quality management system. However, a corrective action must be implemented immediately; it remains the only possible response to a non-conformity of any size. Remember that while a problem of a certain importance is more likely to affect profitability or customer satisfaction immediately, all types of non-conformity, even minor ones, can have an impact downstream. How, then, can you protect yourself from non-conformities?

Audits and customer feedback are an invaluable source for discovering them. However, they are not the only tools that can be used, especially if your organization cares about having a proactive and quality-oriented culture.

Corrective action is a reaction to a mistake found in the quality system. It is better, however, to start immediately protecting yourself from the risks of non-conformity by adopting the best practices to prevent these problems from occurring. The best ways to proceed are:

  • Do a management review at least once a year or, even better, semi-annually or every three months. Use these moments as opportunities to examine in depth the changes, requirements, processes and risks related to the product and the service, and use a defined system to plan and implement improvements to the quality system. The management review is the basis of continuous improvement;
  • Analyze the data on the quality of your work. Customer feedback and measurements of the quality of the work performed must be recorded and translated into actions. Negative feedback from customers and quality measurements that differ from those expected can reveal a trend in complaints, non-conformities and deviations from the standard. By actively analyzing these data, it is possible to distinguish more effectively between isolated events and emerging patterns, and so accelerate root-cause analysis;
  • Do continuous checks. Internal audits can be performed on an ongoing basis to assess the health of the processes the quality system depends on. Some processes may even require more frequent audits to examine the progress of the results. Even more importantly, audits can be a valuable tool for discovering, together with collaborators, individual areas of opportunity for improvement. In a quality-oriented culture, the employees closest to the process can collaborate through internal audits to raise doubts or suggest opportunities for development;
  • Increase the visibility of the non-conformity process. It is easy for non-conformities and corrective actions to get lost as the weeks and months pass, or to remain buried under other priorities. If you do not keep track of them, you cannot ensure that opportunities for improvement are implemented quickly, with simple and shared tools.

When problems are discovered in advance by an employee, or during an internal audit or in a management review, they can represent an opportunity. Discovering minor problems proactively can prevent significant problems and future obstacles to certification.

A systemic and comprehensive approach to risk and opportunity management is fundamental, especially if a minor non-conformity has the potential to turn into significant problems. To fully realize the benefits of an ISO 9001:2015 quality management system, the best approach is to protect yourself from non-conformities and related risks. Promote improvement with management review, internal audit, data monitoring and people collaboration.

How is your organization behaving with respect to best practices for quality management? Could existing gaps in your processes lead to major non-conformities by certification bodies?
