Nonconformities are inevitable in any management system — what matters is how your organization responds. Clause 10.2 of ISO 14001:2015 establishes a structured five-step process for reacting to nonconformities, identifying root causes, implementing corrective actions, and verifying effectiveness. The 2015 revision embedded the former “preventive action” requirements into risk-based thinking (Clause 6.1), so the corrective action process now focuses on eliminating the causes of actual problems.
What Is a Nonconformity?
A nonconformity is any deviation from the requirements of ISO 14001:2015 or the organization’s own EMS. Sources include internal audits, external audits, monitoring data showing exceedances, compliance evaluation findings, incident investigations, stakeholder complaints, and management review findings.
Minor vs. Major Nonconformities
Minor: An isolated lapse or deviation from a specific requirement that does not indicate a systemic breakdown. Examples include a missed document review date or incomplete training record.
Major: A total absence or complete breakdown of a system element, or a pattern of minor nonconformities indicating systemic failure. Examples include no environmental aspects register, failure to conduct management review, or ongoing regulatory noncompliance.
The Five-Step Corrective Action Process
- React: Control and correct the nonconformity immediately. Deal with consequences, including mitigating adverse environmental impacts (e.g., containing a spill, stopping a discharge)
- Evaluate: Review the nonconformity, determine root causes, and determine if similar nonconformities exist or could potentially occur elsewhere. Auditors specifically verify this step
- Implement: Take corrective actions proportionate to the significance of the effects, including environmental impacts
- Review effectiveness: Verify that corrective actions have eliminated the root cause and the nonconformity has not recurred
- Make EMS changes: Update the EMS if necessary — this may include revising procedures, modifying operational controls, or updating the risk assessment
Correction vs. Corrective Action
Correction addresses the immediate problem (containing a spill, stopping a process, cleaning up a release). Corrective action eliminates root causes to prevent recurrence (installing secondary containment, changing procedures, retraining personnel). Both are required — correction first for immediate response, then systematic investigation and permanent fixes.
Root Cause Analysis Methods
While no specific methodology is prescribed, widely accepted tools include:
- 5 Whys: Iteratively asking “why” to drill down from symptoms to root causes
- Fishbone (Ishikawa) Diagram: Categorizing potential causes by people, processes, equipment, materials, environment, and management
- FMEA: Failure Mode and Effects Analysis for systematic risk evaluation
- Pareto Analysis: Identifying the vital few causes responsible for the majority of problems
Documentation Requirements
The standard requires retaining documented information as evidence of the nature of nonconformities and subsequent actions taken, and of the results of corrective actions. Organizations typically maintain a Nonconformance Register or Corrective Action Report (CAR) capturing the description, root cause findings, immediate correction, corrective action plan, responsibilities, timelines, and effectiveness verification.
Common Pitfalls
- Addressing symptoms without investigating root causes
- Not checking whether similar nonconformities exist elsewhere
- Corrective actions disproportionate to the environmental impact
- Failing to verify effectiveness after implementation
- Incomplete documentation that cannot demonstrate the full process to auditors


