Root Causes of Nonconformities

Clients often ask how we categorize the root causes of the nonconformities we discover within the organization and in the products and services we deliver. We use the list below.

  1. Uncategorized (under investigation)
  2. Accidental loss of physical IT asset
  3. Theft or malicious interference with physical IT asset
  4. Malware attack
  5. Denial of service attack
  6. Failure or defective operation of physical IT asset
  7. Insecure configuration
  8. Phishing or social engineering
  9. Defect in third-party software
  10. Defect in our software
  11. Failure to follow authorised policies or procedures
  12. Utility service outage or defect
  13. Reported in error (not a nonconformity)
  14. Inadequate training
  15. Environmental (fire, flood, lightning, earthquake, etc.)
  16. Other

Because this set of reasons appears in pull-down lists, we try to keep it to 16 or fewer entries, combining any newly identified causes with existing ones. ‘Defect in our software’ covers a range of causes that include:

  • Coding error
  • Version misconfiguration of software components
  • Misunderstanding of requirement(s)

The ‘Reported in error’ category includes the discovery of requirements that the client never previously stated and that could not reasonably have been anticipated.