
How to create a nonconformance report – The 5-step guide

It is not surprising that, with so many parties involved in the different processes, along with pieces of equipment, suppliers, and much more, sooner or later there will inevitably be some nonconformances within your management system.

In this article, you’ll find guidelines to understand the importance of writing a good nonconformance report and how to create a successful and useful one.

What is a nonconformance?

ISO standards define a nonconformance as the failure to meet one or more of the existing requirements. These requirements can be related to customers, regulatory or statutory bodies, any ISO standard, or the organization’s requirements (for instance, a failure to follow a company procedure).

Nonconformances can be found anywhere in a business and at any level of the company’s operations, from manufacturing processes or service provision, to work instructions and procedures. For instance, a nonconformity can arise from an employee who is not following a specific standard and thereby creates more issues down the production line, which will ultimately have an impact on the final customer.

Nonconformance and nonconformity mean the same thing and can be used interchangeably. However, the term noncompliance has a slightly different meaning: while a nonconformance usually refers to a product or service that does not conform to customer requirements, a noncompliance refers to a product or service that does not meet the requirements established by statutory or regulatory authorities. This can include deviations when meeting the requirements of a procedure, policies, contractual obligations, work instructions, etc.

How do you deal with a nonconformance?

When a nonconformity occurs, the organization can react in different ways, from controlling to correcting or accepting the consequences. If you detect that the problem that causes the nonconformance is more serious, the company must identify the root cause of the nonconformance in order to prevent it from happening again, as well as implement an effective corrective action if needed.

A corrective action is the action conducted to prevent recurrence of a nonconformance. For example, a corrective action can include providing training to employees on new policies and procedures that were not being followed correctly in a process, in order to prevent recurrence of the nonconformity.

However, not every nonconformity needs to generate a corrective action, and a simple correction can be enough to solve an issue. For example, a correction can be a worker who removes a product from a manufacturing line because it contains a label that was not printed correctly.

Sometimes corrective actions will require an investment, and the company will have to decide whether a nonconformity is relevant or frequent enough to spend the amount of money necessary to implement the corrective action.

For more information about the root cause analysis, see How to use root cause analysis to support corrective actions in your QMS.

What is a nonconformance report?

Basically, a nonconformance report (NCR) is a document that contains the details about the requirement not being met by the nonconformance, how the nonconformity occurred, and how to deal with the nonconformance before deciding whether or not to apply a corrective action.

It is very important to keep in mind the main purpose of a nonconformance report, which is to take the necessary actions to correct any failure and, if needed, to eliminate the cause of the nonconformity, rather than just complying with the requirements of ISO standards.

A nonconformance report must be completed by the person designated by top management for that purpose. Usually, this role is taken by a quality manager, but the head of the department and other relevant positions within the Quality Management System (QMS) can also write an NCR.

Writing a documented procedure for creating an NCR

This procedure should describe the process of addressing nonconformities, including how to detect the nonconformances and write a nonconformance report. It should contain the responsibilities for opening a nonconformance report, the reasons to create it, and the assignment of a code to the report that will facilitate its identification and monitoring, as well as its later analysis during the management review.

The best way to structure such a procedure is to follow the five-step process described in the next section.

How do you write a nonconformance report?

To achieve the main goal of an effective nonconformance report, you should follow these guidelines:

  1. Describe in detail the issue that caused the nonconformance.

     The person responsible for opening the nonconformance report should provide details of the issue that caused the nonconformance, including the “who, what, when, and where” of detecting the nonconformance.

     This description needs to be clear and understandable, so the nonconformance can be investigated correctly if needed.

  2. Include the requirement not being met.

     You must note the requirement that the organization has not fulfilled, so you ensure that the person responsible for addressing the nonconformance understands the exact requirement that is being violated. The more specific you are about the issue, the more effective the correction or corrective action will be. Some examples of requirements not being met can be client requirements, ISO standards, regulatory requirements, etc.

  3. Create an action plan to carry out the necessary corrections & corrective actions.

     This is probably the most relevant step, since the action plan contains the instructions on how to overcome the nonconformance, and, if you perform it correctly, you will be able to reduce the consequences of a nonconformance, and minor issues will not grow into major problems for the organization.

     Depending on the depth of the nonconformity, two different approaches are possible: performing only the corrections, or also the corrective actions.

     Corrections are activities that deal only with the consequences of a nonconformance – for example, if an internal audit did not take into account the whole scope of the management system, then the correction will be to perform an additional internal audit that will cover the whole scope.

     Corrective actions go a step further than corrections – they analyze the cause of the nonconformance, and they will focus on eliminating the cause, in order to prevent the same problem from happening again. Using the same example of the internal audit, the root cause could be that the internal auditor was not trained properly, or that the person who had defined the internal audit program was not informed about the required scope.

     In principle, the decision to open a corrective action will be made if the nonconformity significantly affects the achievement of the goals of the management system.

     Subsequently, it is necessary to indicate the responsibilities and actions to be carried out with the nonconforming material or service that originated the problem, for example, return of product to supplier, reprocessing of parts, agreeing on new conditions with the customer, etc.

     For more information about corrective actions, see Seven Steps for Corrective and Preventive Actions to support Continual Improvement.

  4. Verify the closure of the actions.

     You need to include in the nonconformance report the results of the actions taken to solve the problem. In case the nonconformity has not been solved after carrying out the planned actions, another report should be opened with the details of the original nonconformance.

     For more information about corrective actions, see How to proceed once a QMS corrective action is defined?

  5. Monitor and measure NCRs.

     Nonconformance reports are inputs of the management review, and they are a key part of the continual improvement of the system. You can group these nonconformance reports by different elements, such as origin of the nonconformance or date, and analyze these data to obtain paramount information for the continual improvement of the organization.

     For more information about the management review process, see How to make management review more useful in your QMS.



A well-written nonconformance report: Key to keeping problems under control

Learning how to effectively write a nonconformance report will help the company to keep problems under control, since the person responsible for the problem knows exactly what is wrong, and what needs to be done to correct the issue and avoid its future repetition.

A complete and clear nonconformance report ensures that there is a successful solution for each problem, but also that the actions performed to solve the problem are monitored successfully. Ultimately, this might become the most important element of maintaining and improving your information security management (ISO 27001), quality management (ISO 9001), environmental management (ISO 14001), health & safety management (ISO 45001), or any other management system.



Iciar Gallo

Iciar Gallo has more than 10 years of experience in business consulting training and auditing, including a number of management systems such as ISO 14001 and ISO 9001. She has worked for several international companies and prestigious universities, leading projects in Spain, Panama, Venezuela, England, and more recently in the USA. She has also worked as a teacher of several courses on environmental standards and at AENOR and Advisera. Iciar holds an MSc degree in Environmental Management and Control from the Technical University of Madrid and is certified as an auditor of ISO 9001 and ISO 14001.