Clause 10: Improvement
Continual improvement and nonconformity management including corrective actions for the AI Management System.
Chapter Overview
Clause 10 completes the PDCA cycle with the "Act" phase. It covers how organizations handle nonconformities and drive continual improvement of their AIMS. This clause ensures your management system evolves and improves over time.
Clause Structure
| Sub-clause | Title | Focus |
|---|---|---|
| 10.1 | Continual improvement | Ongoing AIMS enhancement |
| 10.2 | Nonconformity and corrective action | Handling problems and preventing recurrence |
10.1 Continual Improvement
Requirement
The organization shall continually improve the suitability, adequacy, and effectiveness of the AI management system.
Suitability: Is the AIMS appropriate for the organization's context and needs?
Adequacy: Is the AIMS sufficient to manage AI risks and achieve objectives?
Effectiveness: Is the AIMS achieving its intended outcomes?
Sources of Improvement
| Source | Improvement Inputs |
|---|---|
| Internal Audits | Findings, observations, recommendations |
| Management Review | Decisions, action items, strategic direction |
| Performance Monitoring | KPI trends, gaps, anomalies |
| Incidents | Root causes, lessons learned |
| Corrective Actions | Systemic issues, pattern analysis |
| Stakeholder Feedback | Complaints, suggestions, expectations |
| External Changes | Regulations, technology, best practices |
| Benchmarking | Industry comparisons, maturity assessments |
Improvement Process
- Identify: Recognize improvement opportunities from various sources
- Evaluate: Assess potential benefits, costs, and feasibility
- Prioritize: Rank improvements based on value and risk
- Plan: Define actions, resources, responsibilities, timelines
- Implement: Execute improvement actions
- Verify: Confirm improvements achieve intended results
- Standardize: Embed successful improvements into AIMS
Types of Improvement
| Type | Description | Examples |
|---|---|---|
| Corrective | Fixing identified problems | Addressing audit findings, closing nonconformities |
| Preventive | Preventing potential problems | Proactive risk treatment, control enhancements |
| Innovative | New approaches and capabilities | New tools, automation, process redesign |
| Incremental | Small, ongoing enhancements | Process optimization, efficiency gains |
10.2 Nonconformity and Corrective Action
Requirement
When a nonconformity occurs, the organization shall:
- React to the nonconformity and, as applicable, take action to control and correct it, and deal with the consequences
- Evaluate the need for action to eliminate the causes of the nonconformity, so it does not recur or occur elsewhere, by reviewing the nonconformity, determining the causes, and determining if similar nonconformities exist or could potentially occur
- Implement any action needed
- Review the effectiveness of any corrective action taken
- Make changes to the AIMS, if necessary
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken, and the results of any corrective action.
A nonconformity is the non-fulfilment of a requirement. This could be:
• Non-compliance with ISO 42001 requirements
• Non-compliance with organizational policies/procedures
• Non-compliance with legal/regulatory requirements
• Failure to meet AI objectives
• Control failures or gaps
Nonconformity Sources
| Source | Examples |
|---|---|
| Internal Audits | Audit findings classified as nonconformities |
| External Audits | Certification audit findings |
| Incidents | AI system failures, security breaches, bias incidents |
| Complaints | Customer or stakeholder complaints |
| Monitoring | KPI breaches, control failures |
| Management Review | Issues identified during review |
| Self-identification | Staff reporting issues |
Corrective Action Process
1. Immediate Response (Correction)
• Contain the problem
• Mitigate immediate consequences
• Protect affected parties
2. Root Cause Analysis
• Investigate underlying causes
• Use techniques: 5 Whys, Fishbone, Fault Tree
• Determine if issue is systemic
3. Action Planning
• Define corrective actions to eliminate root cause
• Assign responsibilities
• Set deadlines
4. Implementation
• Execute planned actions
• Document evidence of completion
5. Effectiveness Review
• Verify actions were effective
• Confirm nonconformity has not recurred
• Close the corrective action
Root Cause Analysis Techniques
| Technique | Description | Best For |
|---|---|---|
| 5 Whys | Ask "why" repeatedly to drill down to root cause | Simple, single-cause issues |
| Fishbone (Ishikawa) | Categorize potential causes (people, process, technology, etc.) | Complex issues with multiple factors |
| Fault Tree Analysis | Map logical relationships between events and causes | Technical/system failures |
| Pareto Analysis | Separate the vital few causes from the trivial many | Recurring issues, pattern analysis |
5 Whys Example
Problem: AI model showed discriminatory outcomes for loan applications
Why 1: Why did the model show bias?
→ Training data was not representative of all demographic groups
Why 2: Why was training data not representative?
→ Data was collected from limited geographic regions
Why 3: Why was data collected from limited regions?
→ No data diversity requirements were specified
Why 4: Why were diversity requirements not specified?
→ Data acquisition process didn't include bias assessment
Why 5: Why didn't the process include bias assessment?
→ Data governance procedure was incomplete
Root Cause: Inadequate data governance procedure
Corrective Action: Update data governance procedure to include diversity requirements and bias assessment at data acquisition stage
Template: Corrective Action Request (CAR)
CAR Number: [Unique ID]
Date Raised: [Date]
Raised By: [Name]
Source: [Audit/Incident/Complaint/Other]
1. NONCONFORMITY DESCRIPTION
Requirement: [ISO 42001 clause/policy/procedure]
Description: [What was found]
Evidence: [Objective evidence]
Classification: [Major/Minor]
2. IMMEDIATE ACTION (CORRECTION)
Action taken: [Immediate containment/correction]
Date completed: [Date]
Completed by: [Name]
3. ROOT CAUSE ANALYSIS
Analysis method: [5 Whys/Fishbone/Other]
Root cause: [Identified root cause]
Systemic? [Yes/No - does this affect other areas?]
4. CORRECTIVE ACTION PLAN
Actions: [List of actions to eliminate root cause]
Responsible: [Name for each action]
Target date: [Deadline for each action]
5. IMPLEMENTATION EVIDENCE
Actions completed: [Evidence of completion]
Date completed: [Actual completion date]
6. EFFECTIVENESS REVIEW
Review date: [Date - typically 3-6 months after]
Review method: [How effectiveness was verified]
Effective? [Yes/No]
Reviewed by: [Name]
7. CLOSURE
Closed by: [Name]
Date closed: [Date]
Documented Information Requirements
Required:
• Nature of nonconformities (10.2)
• Actions taken (10.2)
• Results of corrective actions (10.2)
Recommended:
• Corrective Action Procedure
• Corrective Action Register/Log
• Improvement Register
• Root Cause Analysis Records
Sample Audit Questions
10.1 Continual Improvement:
• How do you identify improvement opportunities?
• Show me examples of improvements made to the AIMS
• How do you prioritize improvements?
• How do improvements from management review get implemented?
10.2 Nonconformity and Corrective Action:
• Show me your corrective action process
• Walk me through a recent corrective action
• How do you conduct root cause analysis?
• How do you verify corrective actions are effective?
• Show me your corrective action register
• Are there any overdue corrective actions?
Common Nonconformities
| Type | Nonconformity | How to Avoid |
|---|---|---|
| Major | No corrective action process in place | Establish documented CA procedure |
| Major | Nonconformities not addressed | Track and close all nonconformities |
| Minor | Root cause analysis not conducted | Require RCA for all nonconformities |
| Minor | Effectiveness not verified | Schedule effectiveness reviews |
| Minor | Corrective actions overdue | Monitor and escalate overdue items |
| Minor | No evidence of continual improvement | Document improvement activities |
Integration with PDCA
Clause 10 represents the "ACT" phase of PDCA:
PLAN (Clauses 4-7): Establish AIMS foundation
DO (Clause 8): Operate the AIMS
CHECK (Clause 9): Monitor and evaluate
ACT (Clause 10): Improve based on findings
The cycle then repeats - improvements from Clause 10 feed back into planning (Clause 6), creating a continuous improvement loop.
1. Continual improvement covers suitability, adequacy, AND effectiveness
2. Nonconformity handling requires both correction (immediate) and corrective action (root cause)
3. Root cause analysis is essential - don't just treat symptoms
4. Corrective actions must be verified for effectiveness
5. Documented information is required for nonconformities, actions taken, and results
6. Clause 10 completes the PDCA cycle and feeds back into planning
• Know the difference between correction (immediate fix) and corrective action (eliminate root cause)
• Remember the five steps when a nonconformity occurs (react, evaluate, implement, review, change the AIMS if needed)
• Corrective actions must be "appropriate to the effects" of the nonconformity
• Three types of documented information required (nature, actions, results)
• Continual improvement addresses suitability, adequacy, and effectiveness
• Understand how Clause 10 completes the PDCA cycle