What is non-conformance management?
Compliance is “the ability of a process, product, or service to meet the requirements it is intended to meet.”
A non-conformance indicates that something has gone wrong, and therefore the result does not coincide with the original requirements.
The management of non-conformities is a priority in our business and it is part of the daily life of Digital Services Companies (DSCs).
The non-conformance management process is an integral part of the Quality Assurance strategy.
By quickly identifying and effectively resolving non-conformities, the service provider:
- secures its reputation in the market
- strengthens its competitiveness
- increases customer satisfaction
- promotes continuous improvement within the organization.
These are all issues that place the management of non-conformities at the heart of Delivery’s concerns.
Why manage non-conformities?
Aiming for 100% compliance is the stated objective; unfortunately, incidents are almost inevitable. In the most common case, this is a non-conformity relating to a digital product (requirement not covered, failure, etc.).
This is commonly a matter of quality, but also of any other deviation from the normative framework in force within the company, i.e. the standards, rules and principles that apply to it.
The normative framework of Delivery, and by extension of the company, is by nature plural: it is structured around several interdependent axes that are more or less present in the daily life of project teams.
Here are some of the most important ones:
- Quality of service
- Internal policies and processes
- Protection of personal data
- IT security
- Contractual provisions
- Laws and regulations
- The company’s obligations
- Employees’ obligations
Agility:
A product delivered to the customer that doesn’t work when handled
❌ Non-compliance with requirements and quality of service
An important contract signed by a manager who does not have a delegation of authority
❌ Non-compliance with the Group’s governance rules
A project under way for which a resource has been missing for months
❌ Non-compliance with the contract and the obligation of means
A company solution that has not been updated with the latest security patch
❌ Non-compliance with IT security
An employee who uses the customer’s non-anonymized data to conduct tests
❌ Non-compliance with regulations (GDPR)
An employee who posts photos of their colleagues on a social network without their knowledge
❌ Non-compliance with image rights and privacy
An employee working from home who is unreachable between 10 a.m. and 12 p.m., and between 2 p.m. and 4 p.m.
❌ Non-compliance with the company’s telework charter
A salesperson who invites a prospect to a match in a VIP box in the middle of a pre-sales session
❌ Non-compliance with the law (corruption and anti-competitive practice)
Prevent non-conformities
Managing non-conformities is first and foremost about preventing them from occurring.
They can have significant consequences for both the company and its customers, so you might as well anticipate them.
With this in mind, a set of levers is activated within the company:
1. Knowledge management
Knowledge management takes place between knowledgeable peers who participate in cross-fertilization and knowledge sharing, but also through the content made available to employees (SharePoint sites, policies, charters, etc.).
Information sharing sessions:
- Project Committees
- Webinars
- Feedback
- Retrospective
also contribute to the dissemination of knowledge. Knowledge is essential to remain alert to the normative framework and to understand non-conformities in full knowledge of the facts.
2. Learning
Learning covers several aspects: it is obviously a question of deepening and extending one’s business skills, but more broadly and continuously, of being aware of the general issues of compliance.
Examples include webinars (e.g. Data Privacy), awareness-raising meetings (e.g. Cyber Security by the IT Department), regular visits to business sharing sites or equivalent within the company, and asking those in the know within the company.
3. Risk management
Risk management, together with opportunity management, aims to anticipate events that could potentially impact the project (and beyond that, the company).
It is an essential component of Delivery (see the page dedicated to the practice), but it cannot be strictly limited to project boundaries.
Any non-compliance detected, whether potential or actual, should be addressed as a risk.
4. Control
Control helps prevent non-conformities, whether in governance bodies, in the context of reporting (e.g. to hierarchical and/or functional management) or through targeted actions such as project check-ups.
This is not necessarily an imposed, binding control; the approach is one of beneficial prevention.
5. Continuous improvement
Continuous improvement is by definition a means of preventing non-conformities. Because we have learned from past experiences, and possibly from the mistakes or shortcomings encountered, we are better able to avoid their repetition.
This principle is virtuous and is based on the ability of employees to capitalize on their lessons and best practices by making them available to their colleagues.
Manage non-conformances:
1/3 Detect non-conformities
The first step in the non-conformance management process is to identify non-conformances.
They can be potential (i.e., the non-compliance can be anticipated and possibly accepted as such) or actual (i.e., the non-compliance can be observed).
Detection can come from several sources:
- Internal: during:
- External: during:
  - External project governance bodies
  - Dedicated project phases (e.g. a customer acceptance)
  - Informal exchanges with customer contacts or any other stakeholder
  - Customer-initiated audits
Once identified, each non-conformance must be documented in order to have the necessary elements for its analysis.
The minimum requirement is to provide both views: the one that is compliant and the one that is not.
In the case of a non-compliance related to a delivered product, for example, the product will be compared with the expected result that was specified.
In addition, the scope of the non-conformity, as well as its impact, will be assessed in order to guide corrective actions.
Points of attention
Detecting does not mean communicating
The extent of the non-compliance should be carefully measured at the time of detection.
A non-compliance identified internally may not directly concern the client and should remain at the discretion of the service provider.
Similarly, some non-conformities are sensitive by nature and must be addressed with all the usual precautions in terms of information.
Detecting rhymes with logging
Regardless of the nature of the non-compliance, it must be recorded for further processing and follow-up.
A non-compliance should not be forgotten or go unheeded.
2/3 Dealing with non-conformities
Once a non-conformance has been identified, it must be addressed appropriately.
It is then subject to corrective or preventive actions, depending on the nature of the non-compliance.
As soon as a non-conformity occurs, it is necessary to react quickly in two steps:
A. Controlling Nonconformance
The challenge is to limit the risks and/or impact of non-compliance as much as possible by taking rapid action. This action focuses on responsiveness and efficiency.
For example:
- In the event of an identified non-compliance consisting of a suspected personal data breach on an IT solution, the reflex will be to immediately inform the IT department and the Legal Department (the Privacy division) who will decide and take the appropriate measures.
- In the case of a developer who deviates from the process and does not carry out his unit tests before delivery to the customer, thus impacting quality and customer satisfaction, the reflex will be to alert managers internally and manage the situation vis-à-vis the customer.
B. Preventing or correcting nonconformance
Within a short period of time, preventive and corrective actions must be initiated to eliminate the non-compliance and return to a normal situation.
- This can be immediate, for a non-conformity that is precisely identified and easily treated. E.g. a configuration setting that solves a system access problem.
- This can be palliative, i.e. based on a temporary bypass or countermeasure. E.g. isolating a virtual machine compromised through an exploited vulnerability.
- This can be planned, i.e. based on a multi-step approach that must be piloted. E.g. a process that has weaknesses and needs to be reworked before being redeployed.
In any case, non-compliance must be addressed in a sustainable manner.
It is therefore essential to analyze the root causes of non-compliance and not remain “on the surface”: applying a causal analysis method can help to understand the underlying cause(s) of a non-compliance.
This understanding guides preventive actions that will prevent the recurrence of the non-conformance or the occurrence of similar non-conformities.
3/3 Track non-conformities
Once a non-compliance treatment has been implemented, it is essential to follow up on the actions taken to confirm the effectiveness of the approach.
That is to say, to confirm the return to compliance, on the one hand, and to have the guarantee that there will be no recurrence of the non-compliance in the future, on the other hand.
In this sense, an observation period allows the team to remain vigilant for a defined length of time.
This step also aims to capitalize on experience because, beyond the non-compliance as such, it is the approach itself that is being tested.
It is therefore a question of carrying out a retrospective of the non-conformance management process and the Quality Management System (QMS).
This retrospective makes it possible to identify and then make changes that will ultimately make it possible to address future non-conformities even more effectively.
The 5 Whys
This method is useful for tracking down the root cause of a problem.
The principle is simple: start from the observation and ask the question “why?” five times in succession, building on each answer as you go.
Here’s an example:
- Why is there a corrupted file in the folder on the server? Because the publisher didn’t check the file before uploading it to the server.
- Why didn’t the publisher check the file before publishing it? Because he doesn’t have the necessary software to open this type of file.
- Why doesn’t he have the software to check the file when he’s publishing it? Because he doesn’t usually handle this type of file and was asked for a favor.
- Why was he asked for this favor? Because the file had to be published quickly and the author couldn’t do it on time.
- Why couldn’t the author do it on time? Because it was Friday at 3 p.m. and he wanted to go to the countryside for the weekend.
The 5 Whys (5P), in this example, show that behind an observation that can be dealt with immediately (deleting or replacing the corrupted file), several underlying causes are at the origin of the non-compliance observed and will have to be addressed:
- The publisher has taken on a responsibility that he should not have taken,
- The author lacked professionalism and deviated from a quality process,
- The author did not comply with the company’s HR policy.
The Ishikawa diagram
This method consists of a visual representation of a problem. This representation makes it possible to highlight the different causes of the problem and their effects.
The diagram is called a fishbone diagram; each of its bones represents one of the causes of the problem.
What’s the point? Taking a step back from the problem and seeing how the factors depend on and influence each other.
The Ishikawa diagram is based (in French) on the 5M, 6M or 7M to categorize the causes, according to the client/project context:
Manpower, Materials, Machines, Method, Environment (Milieu), Management and/or Financial Means.
Representation is carried out, as far as possible, in a co-working session, in order to obtain an exhaustive mapping of the causes.
This is followed by prioritization of causes (ABC analysis or 5-point scoring, for example), and the implementation of an action plan.