Writing Corrective Actions That Actually Close Non-Conformances

Most corrective actions fail because they fix symptoms, not causes. How to write corrective actions that address root causes and actually prevent recurrence — for BRCGS, FSSC, and any GFSI audit.

Every food safety system generates non-conformances. Internal audits, hygiene inspections, customer complaints, product testing — all of them will eventually produce a finding that requires a corrective action. What separates the sites that pass their next audit from the ones that get hit with the same finding again comes down to one thing: whether the corrective action addressed what actually caused the problem.

Most don't. And most auditors can tell within sixty seconds.

This article explains how to write corrective actions that close non-conformances permanently — structured for BRCGS Food Safety Issue 9, and applicable across FSSC 22000, GFSI Global Markets, and any other GFSI-benchmarked scheme.

1. Why Most Corrective Actions Don't Work: The Containment-Only Trap

When a non-conformance is identified, the instinct is to fix it immediately. The temperature log wasn't filled in, so you fill it in. The pest bait station was missing its activity card, so you replace it. The foreign body was found in the product, so you remove it.

These are containment actions. They are necessary. They are not corrective actions.

Containment stops the bleeding. A corrective action prevents the wound from reopening. The problem is that many food businesses document the containment step, call it a corrective action, sign it off, and file it — leaving the underlying system failure completely untouched.

The result is entirely predictable: the same non-conformance appears at the next audit. Or the one after that. At some point an auditor notices the pattern and raises a finding against your corrective action procedure in addition to the original clause. Under BRCGS clause 1.1.12, if effective corrective or preventive action has not been introduced and a non-conformity recurs, the auditor will raise a non-conformity against this clause as well as against the clause with the recurring issue. You now have two problems where you started with one.

The containment-only trap is especially common in smaller operations where the person writing the corrective action is also the person who caused the non-conformance — or their direct supervisor. The pressure to close the finding quickly, combined with the discomfort of examining systemic failures, produces answers that are plausible enough to satisfy a quick review but shallow enough to guarantee recurrence.

2. Correction vs Corrective Action — The Distinction That Matters

The terminology is precise, and the distinction is not semantic.

Correction is the immediate action taken to deal with the non-conformance itself. Isolating the affected product. Stopping the line. Filling in the missing record. Quarantining the non-conforming batch. A correction manages the current situation.

Corrective action is the action taken to eliminate the cause of the non-conformance so it cannot recur. Updating a procedure. Redesigning a label. Changing a workflow. Fixing a system gap. A corrective action changes something about the way the site operates.

Preventive action goes further: it identifies and eliminates potential causes of non-conformances that have not yet occurred, based on trend analysis or risk assessment.

Under BRCGS clause 3.7.2, when a non-conformity places safety, authenticity, legality, or quality at risk, the required record must include both the corrective action (immediate) and the preventive action arising from root cause analysis. Both are required. A record that documents only the correction — however detailed — does not satisfy the clause.

In practice, many sites collapse all three into a single field on their corrective action form and write something like "staff retrained." This satisfies none of the three requirements. The product was discarded (correction — acceptable). Staff retraining is not a root cause finding; it is a response to one. And without identifying what the root cause actually was, no genuine preventive action is possible.

3. Root Cause Analysis Methods That Work in Food Manufacturing

Root cause analysis is the mechanism that connects the non-conformance to its cause. Without it, every corrective action is a guess. With it, the action addresses something real.

Two methods are worth knowing in a food manufacturing context.

The Five Whys

This is the method most commonly referenced in BRCGS guidance, and it is the right tool for most non-conformances at site level. The approach is straightforward: ask "why did this happen?" and keep asking until you reach a cause that, if eliminated, would prevent the problem from recurring.

The BRCGS Issue 9 Interpretation Guideline provides a worked example. An operator uses the wrong ingredient during weighing. The instinctive response — "operator error, retrain staff" — does not explain why the error occurred. Working through the five whys reveals that:

• The operator was unfamiliar with the procedure
• Training had been completed but not signed off as understood
• The two ingredients looked identical
• Their labels had been removed during cleaning and not replaced
• Cleaning staff did not understand the significance of returning labels
• No post-cleaning line check existed that included a signage verification

The root causes were an incomplete training procedure, a faulty cleaning process, and the absence of a post-cleaning sign-off. Not "operator error." Each of those systemic causes requires a discrete corrective action. That is the output the five whys is designed to produce.

A practical note: the five in "five whys" is approximate. Stop when you reach a cause that is actionable and, if addressed, would prevent recurrence. That may take three iterations. It may take seven. The number is not the goal.

Fishbone (Ishikawa) Diagram

Where the five whys works best for linear cause-and-effect chains, the fishbone diagram is better suited to complex non-conformances with multiple contributing factors. It structures potential causes across standard categories — commonly people, process, equipment, materials, environment, measurement — and maps how they converge on the observed effect.

In food manufacturing, fishbone analysis is particularly useful for contamination events, recurring microbiological failures, or any situation where the cause is not obviously a single point of failure. It ensures that an investigation team examines every plausible causal pathway rather than pursuing the first plausible explanation.

For most internal audit findings and procedural non-conformances, the five whys is sufficient. For product safety incidents, significant quality failures, or any non-conformance that will be reviewed by a certification body, the fishbone approach produces a more defensible investigation record.

What Root Cause Analysis Is Not

Root cause analysis is not a documentation exercise completed after the fact to satisfy a form. It is an investigation. The people conducting it need to understand what was actually happening on the site at the time the non-conformance occurred — which means interviewing the relevant operators, examining the actual records, reviewing the procedure in question, and looking at the physical environment if relevant.

"Staff were not following the procedure" is a description of a non-conformance, not a root cause. The root cause asks why the procedure was not followed: Was the procedure not accessible? Not understood? Impractical to follow given the actual workflow? Not clearly communicated at training? Each of these requires a different corrective action. Treating them all as "retraining required" produces a retraining that changes nothing, because the underlying reason for non-compliance has not been addressed.

4. Writing the Corrective Action: Problem Statement, Root Cause, Action, Evidence

Problem Statement

Describe what was observed. Be specific: include the date the non-conformance was identified, the location or process involved, what was found, and the applicable clause or procedure requirement. Vague problem statements produce vague corrective actions. Specific problem statements direct the investigation.

The problem statement should also include an assessment of the potential consequences. Under BRCGS clause 3.7.2, this assessment must be completed by a competent and authorised person. Is product safety compromised? Is affected product in trade? What is the scope of potential impact?

Root Cause

State the finding of the root cause analysis — not the method, but the result. For example: "No defined re-baiting schedule existed in the pest control procedure following the transition to a new pest control contractor in October. The pest control verification checklist did not include a check on service interval compliance." This is a root cause. It identifies a system gap that, once closed, prevents recurrence.

If the five whys method was used, it is good practice to include the chain of reasoning in the record — both for transparency and because an auditor reviewing the finding can follow the logic.

Corrective and Preventive Actions

State the specific actions to be taken, distinguishing between the immediate correction (already completed or underway) and the systemic preventive action arising from the root cause.

Each action should be expressed as a discrete, observable task. Not "improve pest control monitoring" but "update PRP-07 Pest Control to include a maximum service interval of 28 days for all rodent bait stations, with a mandatory sign-off by the pest control contractor and site QA at each service visit."

Assign a named role and a due date to every action. The BRCGS standard requires identification of who is authorised and responsible — not a department, not "management", but a named role. This is important: it makes follow-up unambiguous and prevents actions from drifting because no one person owns them.

Evidence

Document what evidence will confirm that each action has been completed. For a procedure update: the revised procedure with version number and approval date. For training: signed training records. For physical repairs: a dated photograph or inspection sign-off. For a process change: the first monitoring records showing the new control in operation.

The evidence requirement exists because "action completed" entered on a form is not evidence. It is a claim. Auditors verify claims. The evidence is what turns a claim into a fact.

5. Timeframes and Tracking — How to Manage Open Actions

BRCGS clause 1.1.12 requires that corrective actions from the previous certification audit are completed within 28 days. This is the standard's specific requirement for audit findings, but it reflects a broader principle: corrective actions must be completed in a timely fashion, proportionate to the potential consequences.

In practice, some corrective actions — a structural repair, a supplier change, a significant procedure overhaul — cannot be completed in 28 days. The standard acknowledges this. Where set timescales are not met, the reason for the delay must be recorded and reviewed by appropriate site management. The site must assess whether the delay creates an ongoing risk and ensure product safety is not compromised in the interim. A corrective action that has been delayed with documented justification, an interim control measure, and management sign-off is auditable. A corrective action that is simply overdue is a finding.

Open corrective actions must be tracked. Every site needs a register — whether a dedicated software system or a well-maintained spreadsheet — that shows, at minimum: the non-conformance reference, the root cause finding, the actions required, the responsible person, the due date, the current status, and the date of closure verification.

This register should be a standing agenda item at management review meetings. Patterns visible in aggregate — recurring non-conformances in a particular area, a specific type of finding appearing repeatedly across audit cycles — require trend-level investigation and root cause analysis, not just action-by-action closure. Clause 3.7.2 explicitly requires this: where there is a significant trend in a specific type of non-conformity, root cause analysis must be used to investigate the trend.

6. Verification of Effectiveness — Proving the Fix Worked

Closing a corrective action by completing the stated actions and filing the evidence is not the final step. The final step is verification of effectiveness: confirming that the action actually prevented recurrence.

Under BRCGS clause 3.7.2, the required record must include details of the verification checks to ensure the action has been implemented and is effective. Implementation and effectiveness are two different things. A procedure can be updated (implementation verified) and the same non-conformance can still recur because the procedure update did not address the actual root cause (effectiveness not verified).

Verification of effectiveness requires planning at the time the corrective action is written, not retrospectively. Decide, when you design the corrective action, how you will know in 30, 60, or 90 days whether it worked. This might be:

• Re-auditing the specific clause or area within a defined timeframe
• Reviewing monitoring records to confirm the new control is being applied consistently
• Checking that the non-conformance has not recurred across a defined number of production cycles
• A targeted inspection of the corrected process by a supervisor or quality team member

Where a corrective action proves ineffective — the non-conformance recurs despite the action taken — the original root cause analysis must be revisited. Either the root cause was not correctly identified, or the corrective action did not adequately address it. This is not a failure of process; it is how the process is designed to work. The failure is treating an ineffective corrective action as closed.

7. How Auditors Evaluate Your Corrective Action Process

When a BRCGS auditor reviews your corrective action system, they are asking a specific set of questions. Understanding these questions helps you build a system that withstands the scrutiny.

Does a documented procedure exist? Clause 3.7.1 requires a documented procedure. The procedure must define when root cause analysis is required, who is authorised to complete it, which methods the site uses, what records are required, and how verification of completed actions is conducted. The procedure itself will be reviewed.

Is the corrective action process being applied consistently? The auditor will sample corrective action records across different sources — internal audits, inspections, complaints, product testing. Inconsistent application (thorough documentation for customer complaints, superficial records for internal findings) suggests the system is being operated for appearance rather than function.

Is the root cause analysis credible? An auditor with manufacturing experience can evaluate whether a root cause finding is genuine. "Staff error" attributed to every non-conformance is not credible. Root cause findings should vary by non-conformance type and reflect actual investigation of the specific incident.

Are actions completed within agreed timescales? Overdue actions without documented justification are an immediate finding. The auditor will check the log against due dates.

Is there evidence of effectiveness verification? The auditor will look for evidence that completed actions were reviewed for effectiveness — not just signed off as done.

Are recurring non-conformances being addressed at a systemic level? If the same clause or area appears in consecutive audit cycles, the auditor will expect to see evidence that the site recognised the trend and conducted root cause analysis at the system level, not just the incident level.

The broader signal an auditor reads from your corrective action system is your site's food safety culture. A system that generates thorough, honest root cause analyses — including ones that reveal management failures, resource constraints, or design flaws in the site's own procedures — demonstrates a genuine commitment to improvement. A system that consistently produces "retraining completed" regardless of the non-conformance type demonstrates the opposite.

8. Good vs Bad Corrective Actions — Real-World Patterns

These examples are drawn from common patterns in food manufacturing sites. None are specific to any individual organisation.

Example 1: Metal detector check records not completed for three consecutive production shifts

Weak corrective action:

"Staff retrained on metal detector check procedure. Records will be completed going forward."

Why it fails: No root cause. No specific action with an owner or due date. No explanation of why training alone would produce a different outcome. An auditor will not accept this as closure. If this non-conformance recurs, the site has no defence.

Strong corrective action:

Correction: Production Manager reviewed the three affected shifts. No product safety risk identified based on upstream CCP verification. Product released.

Root cause: Metal detector check form was printed at the start of the week and clipped to the line board. On the three affected shifts, a change in line configuration meant the operator worked at a different position and was not aware the form applied to their workstation. No visual instruction linked the check to the operator's position.

Corrective action: Updated the metal detector check instruction (WI-CCP-04 v3) to include a diagram showing responsibility by workstation position. Laminated copy posted at each operator workstation, not only at the board. Revised effective 22 March; training completed with all production staff by 25 March. Training records filed under HR-Training-March.

Preventive action: Internal audit schedule updated to include a check on metal detector record completion as a standalone item quarterly. Next check scheduled 15 June.

Verification of effectiveness: QA Supervisor to review metal detector records for completeness at the end of each week for eight consecutive weeks. Results to be reported at the monthly quality meeting.

Example 2: Allergen risk assessment not updated following introduction of a new ingredient containing mustard

Weak corrective action:

"Allergen risk assessment reviewed. Document updated."

Why it fails: No description of what was missing or what changed. No root cause. No confirmation that the update is complete or accurate. No action to prevent the same gap occurring the next time a new ingredient is introduced.

Strong corrective action:

Correction: Allergen risk assessment updated to include mustard as a declared allergen. All affected product specifications reviewed and updated. Label review completed — product label updated to include mustard declaration. Affected batch placed on hold pending label change confirmation; released 28 March.

Root cause: New ingredient approval process (PRE-08) required supplier specification review but did not include a mandatory trigger to update the allergen risk assessment. The new ingredient was approved and released to production without the allergen risk assessment being revised.

Corrective action: PRE-08 New Ingredient Approval Procedure updated (v4, effective 1 April) to include a mandatory step: "Allergen risk assessment review and sign-off by QA Manager prior to first production use." New ingredient approval form updated to include allergen risk assessment reference as a required completion field before sign-off.

Preventive action: All ingredients introduced in the past 12 months reviewed against current allergen risk assessment. Two further gaps identified; updates completed by 5 April.

Verification of effectiveness: Next new ingredient approval to be processed under the revised procedure. QA Manager to confirm allergen risk assessment was reviewed prior to release.

These examples illustrate the difference between documentation that describes activity and documentation that demonstrates system improvement. The first type satisfies a form. The second type closes a non-conformance.

The Standard That Governs This

Everything in this article is grounded in BRCGS Food Safety Issue 9, specifically:

• Clause 1.1.12 — Root causes of previous audit non-conformities effectively addressed to prevent recurrence
• Clause 3.7.1 — Documented procedure for handling and correcting issues, including root cause analysis and preventive action
• Clause 3.7.2 — Full investigation requirements for non-conformances affecting safety, authenticity, legality, or quality, including all record elements and verification of effectiveness

The same principles are required under FSSC 22000 v6 and the GFSI Global Markets Programme at both Basic and Intermediate tiers, with minor variation in terminology. The structure described here — problem statement, root cause, corrective action, preventive action, evidence, verification — is transferable across all of them.

If your corrective action system is not producing this level of documentation consistently, the gap is almost always in one of two places: the root cause analysis is not being completed with sufficient rigour, or the verification of effectiveness step is being skipped. Both are fixable. Start with the procedure — if it does not clearly define how root cause analysis is done, who does it, and how effectiveness is confirmed, no amount of individual effort will produce consistent results across your team.