Is this a nonconformity or an opportunity for improvement? Understanding the difference.

Published on October 25, 2024

When auditing a management system in accordance with a standard such as ISO 9001 (Quality Management System), ISO/IEC 27001 (Information Security Management System), or others, two common findings are “nonconformities” and “opportunities for improvement” (OFIs). Both are key concepts for auditing, but they carry different implications. Let’s explore the differences between them and look at how they appear in the context of management systems and ISO standards.

What is a nonconformity?

A nonconformity is a non-fulfilment of a requirement. It can be a requirement from a standard, a requirement from an internal procedure or possibly a regulatory requirement. In ISO terms, nonconformity indicates a gap or failure to comply with specific mandatory requirements.

Some examples of nonconformities in the context of ISO standards:

  1. ISO/IEC 27001: Information security management nonconformity. During an ISO/IEC 27001 audit, a nonconformity might be raised if a company has not encrypted sensitive information as its own controls require. For example, if the organization's risk treatment plan and procedures mandate encryption of sensitive data, and the auditor finds that such data is stored in plain text, this is recorded as a nonconformity against the organization's own procedures (and, through them, against the standard's requirement to implement the planned controls).
  2. ISO 9001: Quality management system nonconformity. If a company fails to conduct internal audits of its QMS at planned intervals, as the standard requires, this is classified as a nonconformity. Internal audits exist to confirm that the quality management system continues to conform to requirements and is effectively implemented and maintained, so skipping them is a nonconformity against the standard itself and signals a breakdown in process control.

Types of nonconformities

Nonconformities are typically categorized as major and minor.

  • Major nonconformity. This is a serious failure that affects the capability of the management system to achieve its intended outcomes, or a systematic failure to meet a requirement. In relation to ISO 45001, a major nonconformity could be that the organization did not conduct an occupational health and safety risk assessment at all, or did not establish OH&S objectives.
  • Minor nonconformity. This is a less severe, usually isolated, issue that still needs to be corrected. For example, an organization may have established a process to evaluate and select suppliers (as required by ISO 9001), yet the auditor finds some suppliers who were never put through that evaluation.

Action required

For any nonconformity (major or minor), corrective action is required. The organization must investigate the root cause of the nonconformity, correct the issue and act on the cause, and verify that the corrective action is effective.

In third-party audits for certification purposes, the effectiveness of corrective actions for major nonconformities must be verified by the certification body before certification can be granted or maintained. For minor nonconformities, an accepted corrective action plan is normally sufficient at the time of the decision, with effectiveness verified at the next audit.

What is an opportunity for improvement (OFI)?

An opportunity for improvement, on the other hand, is not a failure to meet a requirement. Instead, it is a suggestion by the auditor to enhance or optimize existing processes. These are not mandatory to act on but provide a chance to increase the effectiveness of the management system.

Examples of opportunities for improvement (OFIs)

  1. ISO/IEC 27001: Information security management. During an ISO/IEC 27001 audit, an auditor might note that the organization has strong access control policies, but that they could be improved by implementing multifactor authentication (MFA) for all employees, not just those in high-risk roles. As long as the organization's own policies and risk treatment do not require MFA for everyone, this is not a nonconformity, but it represents an improvement in overall security.
  2. ISO 9001: Quality management. In an ISO 9001 audit, the auditor could identify that while a company’s customer feedback process meets the requirements of the standard, there might be an opportunity to automate the collection of feedback through digital means, thus enhancing the speed and efficiency of data analysis.

Action required

Unlike nonconformities, there is no obligation to take action on an OFI. However, addressing these suggestions can lead to better performance and compliance over time. Organizations that consistently identify and implement OFIs tend to see incremental improvements in their management systems, which can help maintain competitiveness.


Key differences between nonconformity and opportunity for improvement

Aspect | Nonconformity | Opportunity for improvement
Definition | Non-fulfilment of a requirement | Suggestion to enhance an existing process
Nature | Must be addressed | Optional to implement
Impact on certification | Could affect certification | No impact on certification
Examples | Failure to implement encryption as required (ISO/IEC 27001); not performing internal audits of the QMS (ISO 9001) | Adding MFA for all employees for extra security (ISO/IEC 27001); automating customer feedback collection (ISO 9001)

Why are both important for continual improvement?

While nonconformities point out critical gaps that need fixing to remain compliant, opportunities for improvement drive innovation and optimization within the management system. Both findings contribute to an organization’s commitment to continual improvement, a key tenet in ISO standards.

ISO standards are not just about meeting baseline requirements—they encourage businesses to push for better, more efficient ways to operate. Correcting nonconformities keeps the system stable and compliant, while embracing opportunities for improvement helps an organization grow and evolve.

Conclusion

Understanding the difference between a nonconformity and an opportunity for improvement is crucial for businesses looking to improve continually and keep their management systems effective. While one demands corrective action, the other encourages forward-thinking and proactive enhancement. Both play a role in strengthening an organization's management system, supporting long-term success and resilience in today's competitive environment.

By addressing nonconformities promptly and embracing opportunities for improvement, organizations can not only maintain their ISO certifications but also enhance their processes, reduce risks, and improve efficiency.

If you want to learn more about management system auditing and the management of nonconformities we have tailored courses available on demand for ISO 9001 auditing or ISO 19011 (management system auditing).

If you want to prove your knowledge and get the recognition you deserve, please check out our online certification programs.
