|
| 1 | +# Nonconformity and Corrective Action Register (NCR Register) |
| 2 | +## ISO/IEC 42001:2023 | Clause 10.1 — Template |
| 3 | + |
| 4 | +**Document ID:** AIMS-NCR-001 |
| 5 | +**Version:** 1.0 |
| 6 | +**Owner:** AI Governance Lead |
| 7 | +**Date:** ___________________________ |
| 8 | +**Review Cycle:** Monthly; updated as NCRs arise |
| 9 | + |
| 10 | +--- |
| 11 | + |
| 12 | +## NCR Severity Classification |
| 13 | + |
| 14 | +| Severity | Description | Response | |
| 15 | +|---------|-------------|---------| |
| 16 | +| Critical | Complete failure; significant harm; major regulatory breach | Immediate containment; root cause within 48h; CA within 30 days | |
| 17 | +| Major | Significant AIMS failure; effectiveness compromised | Root cause within 5 days; CA within 30 days | |
| 18 | +| Minor | Partial non-compliance; isolated failure | CA within 60 days | |
| 19 | +| Observation | Improvement opportunity; not yet a nonconformity | Consider improvement action | |
| 20 | + |
| 21 | +--- |
| 22 | + |
| 23 | +## NCR Sources |
| 24 | + |
| 25 | +| Source | Examples | |
| 26 | +|--------|---------| |
| 27 | +| Internal Audit | Audit finding | |
| 28 | +| AI Incident | System failure; harmful output | |
| 29 | +| Performance Monitoring | Metric below target | |
| 30 | +| Management Review | Identified at review | |
| 31 | +| Stakeholder Complaint | Customer, employee, regulator | |
| 32 | +| Supplier Nonconformity | Third-party AI vendor failure | |
| 33 | +| Self-identified | Identified by process owner | |
| 34 | +| External Audit | Certification body finding | |
| 35 | + |
| 36 | +--- |
| 37 | + |
| 38 | +## Nonconformity Register |
| 39 | + |
| 40 | +| NCR ID | Date | Source | Description | Severity | Clause | AI System | Immediate Action | Root Cause | Corrective Action | CA Owner | Due Date | Status | Effectiveness Check | Closed | |
| 41 | +|--------|------|--------|-------------|---------|--------|---------|-----------------|-----------|------------------|---------|---------|--------|---------------------|--------| |
| 42 | +| NCR-001 | | | | Critical/Major/Minor | | | | | | | | Open | | | |
| 43 | +| NCR-002 | | | | | | | | | | | | | | | |
| 44 | +| NCR-003 | | | | | | | | | | | | | | | |
| 45 | + |
| 46 | +--- |
| 47 | + |
| 48 | +## Corrective Action Process |
| 49 | + |
| 50 | +1. **Detect and Record** — Raise NCR with description, date, and source |
| 51 | +2. **Contain** — Take immediate action to stop harm spreading |
| 52 | +3. **Root Cause Analysis** — Use 5 Whys, Fishbone, or fault tree analysis |
| 53 | +4. **Plan CA** — Define specific actions to address root cause |
| 54 | +5. **Implement** — Execute corrective actions; update documentation |
| 55 | +6. **Verify Effectiveness** — Check the fix worked; close only when confirmed |
| 56 | +7. **Update AIMS** — Update risk register, procedures, or controls as needed |
| 57 | + |
| 58 | +--- |
| 59 | + |
| 60 | +## NCR Summary Dashboard |
| 61 | + |
| 62 | +| Period | Raised | Critical | Major | Minor | Closed | Overdue | |
| 63 | +|--------|--------|---------|-------|-------|--------|---------| |
| 64 | +| Q1 [Year] | | | | | | | |
| 65 | +| Q2 [Year] | | | | | | | |
| 66 | +| Q3 [Year] | | | | | | | |
| 67 | +| Q4 [Year] | | | | | | | |
| 68 | + |
| 69 | +--- |
| 70 | + |
| 71 | +## Review History |
| 72 | + |
| 73 | +| Version | Date | Changes | Approved By | |
| 74 | +|---------|------|---------|-------------| |
| 75 | +| 1.0 | | Initial issue | | |
| 76 | + |
| 77 | +--- |
| 78 | + |
| 79 | +*ISO/IEC 42001:2023 AI Governance Toolkit | Clause 10.1 | See root README.md for full index* |
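Review bot: The severity placeholder in the NCR-001 row (file line 42, `Critical/Major/Minor`) and the dashboard header (file line 62) both omit Observation, which the classification table defines as a fourth level at file line 19. An Observation raised under this template therefore has no valid Severity value, and the dashboard's Raised count will not reconcile with its severity columns. Suggest changing the placeholder to `Critical/Major/Minor/Observation` and adding an Observation column to the dashboard, or stating that Observations are tracked outside this register. Separately, the Minor row (file line 18) gives only "CA within 60 days" with no root-cause deadline, while the Corrective Action Process lists Root Cause Analysis as step 3 without scoping it by severity; add a deadline for Minor or state that root cause analysis is optional at that level.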