
ISO 14001:2026 Clause 10.2


Explained: Nonconformity and Corrective Action

Clause 10.2 of ISO 14001 explains what an organisation should do when a nonconformity occurs. In plain English, this means the organisation must deal with the immediate problem, consider the consequences, decide whether action is needed to address the cause, implement suitable action, check whether that action worked, and change the EMS where necessary.

What is ISO 14001 Clause 10.2 trying to achieve?

Clause 10.2 is about making sure problems are not ignored, patched over or allowed to happen again.

When a nonconformity occurs, the organisation should react in a controlled way. It should deal with the immediate issue, consider any environmental consequences, investigate the need for deeper action, and retain evidence of what happened and what was done.

The purpose is to:

  • control and correct problems when they occur;
  • deal with the consequences, including environmental impacts;
  • understand why the nonconformity happened;
  • decide whether action is needed to prevent recurrence;
  • consider whether similar issues exist or could happen elsewhere;
  • implement appropriate corrective action;
  • review whether the corrective action was effective;
  • make changes to the EMS where needed.

Clause 10.2 helps turn problems into learning. The EMS should not just mop up the spill; it should ask why the bucket keeps falling over.

What is a nonconformity?

A nonconformity is a failure to meet a requirement.

In an Environmental Management System, a requirement may come from:

  • ISO 14001 itself;
  • the organisation’s own EMS procedures;
  • the environmental policy;
  • operational control requirements;
  • compliance obligations;
  • customer or contractual requirements;
  • environmental objectives and action plans;
  • internal audit criteria;
  • permit, licence or regulator requirements.

Nonconformities may be found through internal audits, external audits, inspections, monitoring, incidents, complaints, compliance evaluation, management review or routine supervision.

Examples of EMS nonconformities

Examples of ISO 14001 nonconformities may include:

  • significant environmental aspects not being properly identified;
  • compliance obligations not being evaluated at planned intervals;
  • waste transfer records missing or incomplete;
  • spill kits not inspected as required;
  • environmental objectives not monitored;
  • contractors not briefed on environmental controls;
  • emergency response arrangements not tested where planned;
  • obsolete procedures still being used;
  • monitoring equipment not calibrated or verified where necessary;
  • internal audits not completed according to the audit programme;
  • nonconformities not followed up effectively;
  • employees unaware of relevant environmental controls.

The common thread is that a requirement exists, but the evidence shows it has not been fulfilled.

Reacting to a nonconformity

When a nonconformity occurs, the first step is to react appropriately.

This may involve:

  • stopping an activity if environmental harm could occur;
  • containing a spill or leak;
  • segregating incorrect waste;
  • replacing missing environmental equipment;
  • correcting an inaccurate record;
  • notifying relevant managers;
  • informing a customer or regulator where required;
  • raising a formal nonconformity record;
  • preventing further immediate impact.

The reaction should be proportionate. A serious spill requires urgent control and escalation. A missing signature on a low-risk record may require a simpler correction.

Correction versus corrective action

Correction and corrective action are often confused.

Correction deals with the immediate issue.

Corrective action deals with the cause of the issue, to reduce the chance of it happening again or happening somewhere else.

Simple example

If a spill kit is missing absorbent pads, the correction is to restock the spill kit. Corrective action may involve finding out why the checks failed and improving the inspection process so other spill kits do not end up in the same condition.

Not every correction will require a large corrective action project. However, the organisation should evaluate whether deeper action is needed.

Dealing with consequences and environmental impacts

Clause 10.2 expects the organisation to deal with the consequences of nonconformity, including adverse environmental impacts where relevant.

This may include:

  • cleaning up a spill;
  • protecting drains or watercourses;
  • segregating contaminated waste;
  • arranging specialist disposal;
  • repairing damaged containment;
  • notifying relevant authorities where required;
  • communicating with affected interested parties;
  • monitoring the affected area;
  • checking whether compliance obligations have been affected;
  • reviewing whether emergency arrangements worked.

For EMS auditors, this is important: a nonconformity is not only an administrative issue. It may have real environmental consequences that need to be mitigated.

Evaluating the need for corrective action

After reacting to the nonconformity, the organisation should evaluate whether action is needed to eliminate the cause or causes.

This evaluation should consider:

  • what happened;
  • why it happened;
  • how serious the issue was;
  • whether environmental impacts occurred or could have occurred;
  • whether compliance obligations were affected;
  • whether the issue has happened before;
  • whether similar issues exist elsewhere;
  • whether the issue could occur elsewhere;
  • what action is appropriate and proportionate.

The organisation should avoid both extremes: ignoring causes altogether, or creating an overblown investigation for every tiny error. The response should match the significance of the issue.

Determining the cause of a nonconformity

Cause analysis helps the organisation understand why the nonconformity occurred.

Causes may relate to:

  • unclear procedures;
  • lack of competence or awareness;
  • poor communication;
  • insufficient resources;
  • weak supervision;
  • poorly designed controls;
  • equipment failure;
  • supplier or contractor failure;
  • uncontrolled change;
  • inadequate monitoring;
  • unclear responsibilities;
  • conflicting priorities.

A useful cause analysis looks beyond “someone forgot”. People forget for reasons: workload, poor systems, unclear expectations, bad layout, no reminders, weak training, or controls designed by someone who clearly never had to use them on a wet Tuesday morning.

Checking whether similar nonconformities exist

Clause 10.2 is not only about stopping the same issue happening again in the same place. The organisation should also consider whether similar nonconformities exist or could occur elsewhere.

This is a powerful requirement because it pushes the organisation to think system-wide.

Examples include:

  • if one spill kit is unchecked, checking whether other spill kits are also unchecked;
  • if one waste record is missing, sampling other waste records;
  • if one contractor missed induction, checking induction records for other contractors;
  • if one site has outdated procedures, checking whether other sites use the same document system;
  • if one legal requirement was missed, reviewing the legal update process;
  • if one emergency drill failed, checking whether similar emergency arrangements elsewhere are weak.

This helps prevent local fixes when the real problem is systemic.

Implementing corrective action

Where corrective action is needed, the organisation should implement suitable action.

Corrective actions may include:

  • updating procedures or work instructions;
  • improving training or awareness;
  • changing inspection frequencies;
  • adding checks or reminders;
  • improving signage or labelling;
  • changing equipment or storage arrangements;
  • strengthening contractor controls;
  • updating supplier requirements;
  • changing responsibilities or escalation routes;
  • improving monitoring or measurement methods;
  • reviewing compliance obligations;
  • updating the EMS where needed.

Good corrective actions are specific, assigned, time-bound and capable of being checked for effectiveness.

Corrective action should match significance

ISO 14001 expects corrective actions to be appropriate to the significance of the effects of the nonconformities, including their environmental impacts.

This means the organisation should consider:

  • actual environmental harm;
  • potential environmental harm;
  • compliance risk;
  • scale and duration of the issue;
  • likelihood of recurrence;
  • whether the issue could occur elsewhere;
  • interested party concern;
  • operational disruption;
  • previous history of similar issues.

A major spill, permit breach or repeated audit finding needs a stronger response than a minor one-off documentation error. Proportionate does not mean casual; it means suitable for the risk and impact.

Reviewing the effectiveness of corrective action

Corrective action is not finished just because someone has ticked a box saying “done”.

The organisation should review whether the corrective action was effective.

Effectiveness review may involve:

  • checking whether the action was completed;
  • checking whether the same issue has recurred;
  • sampling similar records or locations;
  • interviewing relevant people;
  • observing the revised control in use;
  • reviewing monitoring data after the action;
  • checking inspection or audit results;
  • confirming that environmental impacts have been controlled;
  • checking whether the EMS change has been embedded.

A corrective action is only useful if it actually reduces the chance of the problem happening again.

Making changes to the EMS

Sometimes a nonconformity reveals that the EMS itself needs to change.

EMS changes may include:

  • updating procedures;
  • changing roles or responsibilities;
  • improving competence requirements;
  • strengthening operational controls;
  • changing the internal audit programme;
  • updating environmental aspects or risks;
  • reviewing compliance obligations;
  • improving monitoring and measurement;
  • updating emergency response arrangements;
  • changing management review inputs or reporting.

This is where Clause 10.2 links directly with continual improvement. Nonconformities should help the organisation strengthen the EMS, not simply tidy up isolated mistakes.

Documented information for Clause 10.2

The organisation should retain documented information as evidence of the nature of nonconformities, subsequent actions taken and the results of corrective action.

Evidence may include:

  • nonconformity reports;
  • incident reports;
  • audit findings;
  • records of immediate corrections;
  • records of environmental impact mitigation;
  • cause analysis records;
  • corrective action plans;
  • action owners and completion dates;
  • evidence of completed actions;
  • effectiveness review records;
  • updated procedures, controls or training records;
  • management review records where significant issues are escalated.

Records should be clear enough to show what happened, what was done, why the action was appropriate, and whether the action worked.

Nonconformity and compliance obligations

Nonconformities may be linked to compliance obligations, but not every compliance issue is automatically handled in the same way.

If a compliance evaluation identifies a failure to meet an obligation, the organisation should determine and implement action to achieve compliance. In some cases, this may involve communicating with a regulator or agreeing a course of action.

Compliance-related nonconformities still need to be corrected, even where they have not yet resulted in actual legal non-compliance.

Simple example

If an internal review finds that waste documentation is incomplete, the organisation should correct the records where possible, check whether a compliance obligation has been affected, investigate why records were incomplete, and take action to prevent the issue recurring.

Practical implementation guidance

A practical nonconformity and corrective action process should answer:

  • How are nonconformities reported?
  • Who is responsible for reacting to them?
  • How are immediate corrections made?
  • How are environmental consequences dealt with?
  • How is the need for corrective action evaluated?
  • How are causes determined?
  • How does the organisation check for similar issues elsewhere?
  • How are corrective actions assigned and tracked?
  • How is effectiveness reviewed?
  • When are EMS changes required?
  • What documented information is retained?

The process should be clear enough that people know what to do, but not so bureaucratic that everyone hides from it like it is holding a clipboard and wearing a hi-vis of doom.

What auditors typically look for

Auditors look for evidence that nonconformities are managed properly from initial reaction through to effective corrective action.

Evidence may include:

  • nonconformity procedure or process;
  • nonconformity records;
  • incident records;
  • audit reports;
  • records of correction and containment;
  • evidence of environmental impact mitigation;
  • cause analysis;
  • evidence that similar issues were considered;
  • corrective action records;
  • effectiveness review evidence;
  • updated EMS documents or controls;
  • management review outputs;
  • interviews with process owners, auditors and responsible managers.

Auditor tip

Select a recent nonconformity and follow the trail. What happened? What was done immediately? Were consequences dealt with? Was the cause considered? Were similar issues checked? Was action taken? Was effectiveness reviewed?

Common weaknesses in Clause 10.2

  • nonconformities are corrected but causes are not considered;
  • corrective actions are vague, such as “retrain staff” with no deeper review;
  • environmental consequences are not recorded or mitigated;
  • similar issues elsewhere are not checked;
  • actions are overdue or repeatedly extended;
  • effectiveness reviews are missing or superficial;
  • repeat findings show corrective actions are not working;
  • compliance-related issues are not escalated properly;
  • records do not show what action was taken;
  • EMS procedures are not updated after system weaknesses are found;
  • nonconformities are treated as blame events rather than system learning opportunities.

Weak example

“The spill kit was empty. It was restocked and staff were reminded to check it.”

This is weak if the organisation does not consider why the inspection process failed, whether other spill kits are affected, whether environmental consequences occurred, or whether the action prevented recurrence.

Better example

“The spill kit was found incomplete during an internal audit. The kit was restocked immediately. The cause was identified as missed monthly inspections due to unclear responsibility after a staff change. All spill kits were checked, the inspection schedule was updated, responsibility was reassigned, and effectiveness was reviewed after three months with no missed inspections.”

This is stronger because it shows correction, cause review, wider check, corrective action and effectiveness review.

Real-world example: waste documentation issue

An internal audit finds that several waste transfer records are missing required information.

A suitable response may include:

  • correcting the records where possible;
  • checking whether the issue affects compliance obligations;
  • reviewing other recent waste records;
  • identifying why the records were incomplete;
  • briefing the person responsible for checking waste documentation;
  • updating the waste procedure or checklist;
  • checking a sample of future records to confirm improvement;
  • reporting significant compliance implications to management review.

This shows how a document issue can still have environmental and compliance significance.

Real-world example: contractor environmental failure

A contractor washes equipment in an unsuitable area, creating a risk of contaminated water entering surface drains.

A suitable response may include:

  • stopping the activity immediately;
  • protecting drains and cleaning the area where needed;
  • checking whether any discharge occurred;
  • reviewing contractor induction records;
  • identifying whether site rules were unclear or not communicated;
  • briefing the contractor and relevant supervisors;
  • updating contractor controls or permits-to-work;
  • checking whether other contractors understand the same requirement;
  • reviewing effectiveness during a follow-up site inspection.

This shows how Clause 10.2 can link to operational control, communication, awareness and compliance obligations.

Real-world example: repeated internal audit finding

Internal audits repeatedly find that environmental objectives are not being updated or reviewed.

A weak response would be to update the objectives once and close the finding.

A stronger response may include:

  • reviewing why objectives were not being maintained;
  • checking whether ownership and review frequency were unclear;
  • assigning objective owners;
  • adding objective progress to management review inputs;
  • creating a simple objective tracker;
  • checking progress at the next review cycle;
  • updating the internal audit programme to follow up effectiveness.

This turns a repeated finding into EMS improvement, rather than another annual sigh.

Auditor questions for ISO 14001 Clause 10.2

  • How does the organisation identify and report nonconformities?
  • What happens when a nonconformity occurs?
  • How does the organisation control and correct the immediate issue?
  • How are environmental consequences dealt with?
  • How are adverse environmental impacts mitigated where relevant?
  • How does the organisation decide whether corrective action is needed?
  • How are causes of nonconformities determined?
  • How does the organisation check whether similar nonconformities exist?
  • How does the organisation check whether similar issues could occur elsewhere?
  • How are corrective actions implemented and tracked?
  • How is corrective action effectiveness reviewed?
  • How are EMS changes made where needed?
  • How are corrective actions matched to the significance of the issue?
  • What documented information is retained as evidence?

Related ISO 14001 clauses

  • Clause 6.1.2 — Environmental aspects
  • Clause 6.1.3 — Compliance obligations
  • Clause 6.1.4 — Risks and opportunities
  • Clause 6.3 — Planning of changes
  • Clause 7.2 — Competence
  • Clause 7.3 — Awareness
  • Clause 7.4 — Communication
  • Clause 7.5 — Documented information
  • Clause 8.1 — Operational planning and control
  • Clause 8.2 — Emergency preparedness and response
  • Clause 9.1 — Monitoring, measurement, analysis and evaluation
  • Clause 9.1.2 — Evaluation of compliance
  • Clause 9.2 — Internal audit
  • Clause 9.3 — Management review
  • Clause 10.1 — Continual improvement

Continue learning

This page is part of SQMC’s ISO 14001:2026 guidance library for auditors, managers and QHSE professionals.
