In simple terms, a non-conformity is when a applicant or certificate holder (the client) fails to conform to a requirement for certification. All of the requirements that apply to the client should be written in the standard.
One of the responsibilities of the auditor is to grade a non-conformity; that is to determine whether or not it is really serious or a small matter. Most schemes use the terms major and minor to grade non-conformities. Other schemes use terms such as critical to describe non-conformities that are so serious that it means the client automatically fails the audit.
There are two approaches that a scheme may uses to determine how to grade a non-conformity. And just to complicate things there are hybrid approaches that some schemes use which combine elements of these two approaches.
The first approach, and generally the most common, is for the auditor to take a decision about how serious the non-conformity is based on a set of criteria. An example of the criteria used to grade a non-conformity are as follows:
A Major non-conformity is normally raised when one or more of the following are found:
- The absence or total failure to meet a requirement and the failure has or is likely to result in the client failing to achieve the objective of a requirement.
- The non-conformity is highly likely to result in a breakdown of an requirement or materially reduce the ability to achieve the objective of a requirement.
- A minor non-conformity that is shown to continue over a specified period of time or occurs repeatedly.
A minor non-conformity is usually raised when the client does not meet the requirement and the non-conformity does not jeopardize the integrity of the scheme. This includes one or more of the following:
- Where there is a failure to comply with a requirement is not likely to result in the breakdown of a system to meet a requirement and will not risk the integrity of the products or services that are being certified by the scheme.
- Where the failure does not meet the definition of a major non-conformity.
In brief an auditor must determine if the products or services that are being certified are likely or not meet the objective of the scheme. An example is for a scheme that requires that daily records be kept. If the auditor finds only a few records on file the non-conformity is likely to be graded as a major. If only a few days of records are missing, the non-conformity is likely to be graded as a minor.
In the second approach, the scheme determines in the standard how a non-conformity for each requirement is to be graded.
In these schemes the standard is written so that each requirement is graded and for any non-conformity, no matter how serious is graded as specified in the standard. Schemes that use this approach sometimes use the category of 'critical' for some requirements. A failure of a critical requirement means an automatic failure of the audit. For example for a non-conformity raised against a requirement that daily records be kept which is graded in the standard as a major in the standard would be graded as a major non-conformity even if only one day's records are missing.
For both of these approaches, an auditor may raise an observation for cases when the auditor finds cases where a non-conformity is likely to occur. Observations are intended to be helpful to the client so that they can address problems before a non-conformity occurs.
A Hybrid approach
Some schemes may wish to grade some requirements in their standard as critical or major, and leave the remaining requirements un-graded. The result is a scheme in which the auditor is required to grade certain non-conformities a certain way while giving the decision about grading for the rest to the auditor based on the severity of the impact.
Hybrid approaches are used most commonly for schemes that wish to specify which non-conformities will result in an automatic failure of the audit, that is to grade just the critical requirements and leave the rest to the auditor to grade according to the severity of the non-conformity.
Choosing an approach to grading non-conformities
Most schemes will decide which approach (or hybrid version) they will used based on their own needs. Often this is driven by the question of how the scheme owner chooses to approach an audit. In cases where the scheme wishes to ensure that all non-conformities are graded identically across all clients, the second approach may be preferred. In other cases, the scheme owner may prefer to focus less on designing the standard and wishes to have a professional auditor take a decision about grading.
Neither is better, neither is worse, it is a matter of preference.