By Duke Okes
Certification bodies classify audit nonconformities as either major or minor depending on the perception of whether they represent a significant breakdown of the management system. This is logical, since the purpose is to decide whether certification of the system is warranted. However, far too many internal auditors choose to use the same classifications, implying that risks are binary.
In reality, each audit nonconformity can represent a significantly different level of risk. And the risk is not only a function of the nonconformity itself, but also the context of the organization or process. For example, failure to sign off on a document may be an insignificant risk if it is simply a training record indicating which employees attended a workshop on lean production, but highly significant if it is a document authorizing release of product in a medical device company.
Given the attention that the board, senior management, internal (financial) auditors, and others have paid to risk management since the turn of the century, and the fact that risk-based thinking is now explicitly required by ISO 9001:2015, it’s high time that internal auditors of all management systems ensure that audit findings are ranked accordingly. The resulting classifications can then indicate whether a corrective action investigation makes sense or if correction is sufficient. And even if corrective action is to be carried out, how deep should it go (e.g., which of the following must the investigation look for: errors in prevention, detection, prediction, physical causes only, or also system causes)?
One common example of a multilevel classification system is the following:
- Major—Significant breakdown of the system, as indicated by the specific failure or the frequency of occurrence
- Minor—An issue unlikely to have a significant impact
- Observation—Something that might be a weakness but there is no requirement or objective evidence to cite
- Opportunity for Improvement—Something that may enhance performance of the system
Although these four levels may be viable, their purpose appears simply to be to provide feedback even when there is no nonconformity; they do little to help process owners distinguish between levels of risk. A classification system that expands the minor-to-major continuum may look like the following:
- Critical—Potential for a severe impact on operations, stakeholders, cost, etc.
- Major—High impact on operations, stakeholders, and cost
- Moderate—Slight impact on operations and/or cost; no impact on stakeholders
- Minor—No measurable impact on operations, cost, or stakeholders
Note that the impacts of concern can be whatever the organization decides, although they would typically be related to organizational objectives. And the potential degree of impact (e.g., product functionality, duration of disruption of operations, revenue or cost dollars, likely stakeholder responses) can be defined for each level, creating a risk appetite table (see example).
Example: Audit NC Risk Ranking Table
Note that for a QMS, not many audit nonconformities are likely to fall into the higher categories, while nonconforming material can quite easily. For example, finding that a supplier has not been through their annual audit or an individual has not completed training may not create a high risk, although this will, of course, often depend on the industry (i.e., degree of regulation). But, in safety, environmental, and information security, the risks are likely to be higher. It’s also important to recognize that the degree of risk may not actually be known until containment has been performed.
Another factor that could be considered as part of risk ranking is velocity: how quickly the nonconformity can impact the product, operations, and/or stakeholders. If velocity is high, then obviously the risk is higher. If velocity is low, there is the potential to take action to offset or alleviate the potential impact.
These nonconformity rankings better help to define the appropriate degree of response to each nonconformity, such as whether corrective action will be required, the resources to be applied and timing expected, and how quickly and to whom the finding will be reported. For example, the board should be informed of critical findings, while perhaps only the process owner needs to be informed of a minor one (which would be in line with ISO 9001:2015 clause 9.2.2 internal audit, “d) ensure that the results of the audit are reported to relevant management”).
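The four-level scheme above, with a risk appetite table, velocity escalation and the response routing just described, as an added example (not from the article; the dollar, hour and stakeholder thresholds and the reporting lines are constructed assumptions an organization would replace with its own):

```python
from dataclasses import dataclass

# Ordered lowest to highest, mirroring the article's Minor/Moderate/Major/Critical scheme.
LEVELS = ["Minor", "Moderate", "Major", "Critical"]

# Constructed risk appetite table (assumption): the impact value per dimension at which a
# finding reaches each level. Moderate allows slight cost/operations impact but none on
# stakeholders, so the stakeholder dimension starts at Major.
APPETITE = {
    "cost_usd":    {"Moderate": 1_000, "Major": 25_000, "Critical": 250_000},
    "downtime_h":  {"Moderate": 4,     "Major": 24,     "Critical": 72},
    "stakeholder": {"Major": 1, "Critical": 2},  # auditor score 0 (none) .. 3 (severe)
}

# Constructed response map (assumption): who is told and whether a corrective action
# investigation (not just correction) is expected.
RESPONSE = {
    "Minor":    ("process owner", False),
    "Moderate": ("process owner", True),
    "Major":    ("senior management", True),
    "Critical": ("board", True),
}

@dataclass
class Finding:
    ref: str
    cost_usd: float = 0.0
    downtime_h: float = 0.0
    stakeholder: int = 0
    velocity_high: bool = False  # can the impact materialize before containment?

def dimension_level(dim, value):
    """Highest level whose threshold the value reaches for one dimension, else Minor."""
    level = "Minor"
    for name in LEVELS[1:]:
        threshold = APPETITE[dim].get(name)
        if threshold is not None and value >= threshold:
            level = name
    return level

def rank(f):
    """Worst-scoring dimension decides; high velocity escalates one level (Critical caps)."""
    worst = max((dimension_level(d, getattr(f, d)) for d in APPETITE), key=LEVELS.index)
    if f.velocity_high and worst != "Critical":
        worst = LEVELS[LEVELS.index(worst) + 1]
    return worst

def route(f):
    """Return (level, who is informed, corrective action required) for a finding."""
    level = rank(f)
    return (level,) + RESPONSE[level]
```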
The concern over the lack of distinction when using only major and minor has even been addressed for auditors of medical devices by the Global Harmonization Task Force, which issued a document in 2012 for nonconformity grading. It ranks them based on whether the nonconformity is indirectly or directly related to product quality (the former being clauses 4.1 through 6.3 of ISO 13485 and the latter being clauses 6.4 through 8.5), and whether it is the first nonconformity or a repeat (defined as having had another nonconformity within the same subclause during the previous two audits of that subclause, with subclause level defined as X.X.X).
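The two GHTF grading attributes described above (direct/indirect relation to product quality by ISO 13485 clause range, and first versus repeat within the same X.X.X subclause over the previous two audits of that subclause), as an added example that is not from the article or the GHTF document; the audit history is constructed, and the document's final numeric grade, which the article does not reproduce, is left out:

```python
from dataclasses import dataclass, field

def subclause(clause):
    """Truncate a clause reference (e.g. 7.5.1.2) to the X.X.X level the rule uses."""
    return ".".join(clause.split(".")[:3])

def relation_to_product(clause):
    """Per the article: clauses 4.1-6.3 are indirectly, 6.4-8.5 directly related."""
    major, minor = (int(p) for p in clause.split(".")[:2])
    if (4, 1) <= (major, minor) <= (6, 3):
        return "indirect"
    if (6, 4) <= (major, minor) <= (8, 5):
        return "direct"
    raise ValueError(f"clause {clause} is outside the graded range 4.1-8.5")

@dataclass
class PastAudit:
    number: int                 # audits are numbered in chronological order
    covered: set = field(default_factory=set)  # X.X.X subclauses examined
    ncs: list = field(default_factory=list)    # clause refs of nonconformities raised

def is_repeat(clause, history):
    """Repeat if a nonconformity was raised in the same subclause during the previous
    two audits that actually examined that subclause (audits that skipped it don't count)."""
    sc = subclause(clause)
    prior = sorted((a for a in history if sc in a.covered), key=lambda a: a.number)[-2:]
    return any(subclause(c) == sc for a in prior for c in a.ncs)

def grade_attributes(findings, history):
    """findings: list of (finding_id, clause). Returns {id: (relation, 'first'|'repeat')}."""
    return {fid: (relation_to_product(c), "repeat" if is_repeat(c, history) else "first")
            for fid, c in findings}

# Constructed history: subclause 7.5.1 had an NC in audit 1, but audits 3 and 4 (the two
# most recent that examined it) were clean, so a new 7.5.1 finding is a first occurrence.
HISTORY = [
    PastAudit(1, {"7.5.1", "4.2.3"}, ["7.5.1.2"]),
    PastAudit(2, {"4.2.3"}, []),
    PastAudit(3, {"7.5.1"}, []),
    PastAudit(4, {"7.5.1", "4.2.3"}, ["4.2.3"]),
]
```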
For organizations that have a risk management program in place it will be easier to determine the level of risk for each nonconformity since higher risk processes will have been identified. There might even be key risk indicators and key control indicators in place. A failure of a control related to a higher-risk process is obviously more likely to be a higher-level risk. And even if there is no formal risk management program, remember that ISO 9001:2015 calls for the audit program to take into account “importance of the processes concerned,” which implies that some sort of risk evaluation should be completed at least by the auditors, if not by process owners.
About the Author
Duke Okes is a knowledge architect who has trained thousands of quality management professionals in techniques for planning, controlling and improvement of organizational processes. He has published numerous articles on how to advance the state of quality auditing, and is the author of two books, Root Cause Analysis: The Core of Problem Solving and Corrective Action and Performance Metrics: The Levers for Process Management.
References
Global Harmonization Task Force, nonconformity grading document (GHTF/SG3/N19:2012): http://www.imdrf.org/docs/ghtf/final/sg3/technical-docs/ghtf-sg3-n19-2012-nonconformity-grading-121102.doc