ISO 20000 & ITIL® Blog

Corrective and Preventive Actions in ISO 20000 – What they are and how to use them

Have you ever thought that, once you finish implementation of the ISO 20000-based Service Management System (SMS), it’s not the end of your activities? SMS (including all processes) will be monitored and you will notice that some parts of the SMS can be improved, or that others don’t fulfill their purpose or hit their targets.

That’s where corrective and preventive actions come into play. Although ISO standards that are based on Annex SL (e.g. ISO 9001, ISO 27001, ISO 14001, etc.) only recognize corrective action, ISO 20000 still uses both preventive and corrective action. Let’s see what they are and how to apply them.

Where do they belong?

ISO 20000, as with many other management systems, is PDCA-based (Plan-Do-Check-Act, see the example of application while setting up the ISO 9001-based QMS in the article Plan-Do-Check-Act in the ISO 9001 Standard). PDCA must be applied while setting up the SMS, as well as to all processes within the scope of the SMS.

Maintenance and improvement (learn more about improvement in the article ITIL Continual Service Improvement – don’t lose the momentum) of the SMS belong to the “Act” phase of the PDCA cycle (section 4.5.5 in the standard). That means that services (the entire SMS and all service management processes) are subject to improvement. To enable improvement of the processes, improvement should be built in as an essential element of each process. One of the ways to achieve that is through monitoring and measurement. The results of these activities reveal nonconformities, which in turn result in corrective (or preventive) actions.

Corrective actions

Corrective actions are the result of reported or analyzed dysfunctions. For example, if a user reports an incident on one of the IT services your company provides, your colleagues implement a temporary fix (workaround) and start an investigation to find the root cause of the incident. Once Problem Management finds the root cause, they start an initiative to correct that root cause through a change in the existing service. That change is your corrective action.

Don’t confuse corrective actions with changes. Changes encompass many more tasks and activities than corrective actions do, e.g. a user doesn’t like how the user interface of an application looks and would like you to change it.

Preventive actions

If you are monitoring and measuring various elements of your SMS, you will often be in situations where everything works well but you notice that something can be done better, or that some future (unwanted) situations can be avoided. That’s where preventive actions come into play. Basically, by implementing preventive actions you are eliminating the cause of future nonconformities. That creates a positive effect for the SMS and, even more importantly, for the services you deliver to your customers.

Preventive actions handle potential nonconformities. This means that, if you detect a potential nonconformity and don’t react, the result would have a negative impact on the services you provide, and customers will notice that. For example, if you notice that the number of users of the service is increasing faster than planned, new capacity needs to be added to support that increase. If you don’t do that, once you reach a critical number of users, the service will not be available due to insufficient capacity. So, proactive action is needed to avoid the possibility of future problems.

How to apply them?

The standard requires that you document corrective and preventive actions. Since the issue of whether or not to document something is clear, the question is: how much detail should be recorded? Well, that’s up to you, but keep it reasonable (i.e. don’t complicate things with too many details). Complex issues, and consequently the corrective/preventive actions that address them, can be a project in their own right. That’s where you will need to record many more details. Typically, documentation records who initiated the corrective/preventive action, when the action was initiated, what the cause of the problem was, a description of the issue, and when the problem was resolved.

Another important question is: who can initiate a corrective or preventive action? The answer is anyone in the company, or your suppliers, partners, customers, etc. Corrective/preventive actions can be raised as a result of an internal audit, problem management analysis, change management analysis, test results, a direct suggestion from the customer, or a management directive.

Improve, improve, improve…

So, corrective or preventive actions are your medium to keep the PDCA cycle rolling. Once you implement an action, its results become a new subject to monitor, measure and (if needed) improve. Efficiency of the SMS, achievement of the service targets and customer satisfaction are the ultimate goal. Corrective and preventive actions are your message to the customers that you always have your eyes open and that you are looking two steps ahead.

Branimir Valentic
Branimir is an expert in IT service management (consultancy, training and tools), IT governance (training and consulting), project management and consultancy in IT and telecommunication. He holds the following certificates: ITIL Expert, ISO 20000, ISMS Lead Auditor and PRINCE2.