Corrective or Preventive Action – Risk based thinking?

Recently I had a lovely email from a past student saying that she missed our blogs. We have been a little slack and I must admit that we haven’t published one for about three months! Sorry.

Well I rang her and asked if she had any topics in particular that she would like us to write about. A little later I received an email offering two topics which had come about from findings by her employer’s external certification auditor. These were:

  1. Being proactive in preventative action
  2. Emergency Preparedness & Response (going beyond a fire drill).

I’m going to address the first topic in this post, and I’ll talk about the other in ‘Emergency testing- It’s more than just a fire drill’.

Being Proactive in Preventative Actions

“In our last external audit (4801 Safety) we were advised to improve communication of Preventative Actions to all workers, whether it was an overloaded truck notice which had been issued, or outcome of a client complaint, or a site where the environmental control didn’t work.

We want everybody to learn from our mistakes etc. When you think about it, communicating PAs in a proactive manner is diligence to “Commitment to continual improvement”.

PAs can be simply a Toolbox meeting, posters, skills trained on the job – all documented correctly. E.g. I implemented a “Safety Flash” poster at work for all incidents – with photos / colourful / to inform What happened / CAs implemented / and PAs to take away so it doesn’t happen again.”

This question raises several great discussion points, and in itself explains why the International ISO standards have changed some of the words and terminology that they use.

Let me explain…

What does corrective and preventive action mean?

Firstly, what does preventive mean? Here we need to look at the ISO definition of both preventive action and its partner, corrective action.

Preventive action: action to eliminate the cause of a potential nonconformity or other potential undesirable situation.

Corrective action: action to eliminate the cause of a nonconformity and to prevent recurrence.

There is also a further explanatory note:

Corrective action is to prevent recurrence whereas preventive action is taken to prevent occurrence.

Now going back to the question that was asked, in each of the cases mentioned an issue had already occurred – the overloaded truck notice which had been issued, the outcome of a client complaint, and the site where the environmental control did not work. This is a very common mix-up that a lot of auditors make, and as such it’s important for both auditees and auditors to know and understand the difference.

With that in mind, it’s not actually preventive action that we need; it’s corrective action to prevent recurrence of the issue, not to prevent its occurrence.

Corrective Or Preventive action examples

Let me give some everyday examples of both corrective and preventive action…

Putting fuel in our car = preventive action. We don’t want to run out of petrol and be stranded somewhere.
Mending our gutters after a leak = corrective action. We don’t want water leaks next time it rains.
Training our staff = preventive action. We want our people to be competent so they don’t perform tasks incorrectly.
Responding to a customer complaint = corrective action. We want to correct the issue so we don’t have other customers complaining.

This difference between preventive and corrective action has always been the case but it is something that trips up a lot of organisations; therefore ISO is doing something quite dramatic with its current release of management system standards. This takes us nicely to our next topic.

Preventive Action in AS/NZS 4801:2001 Vs ‘Risk based thinking’ in ISO standards

The question mentions AS/NZS 4801 which is an Australian and New Zealand standard released way back in 2001. It is not an international ISO standard. Now 2001 was 15 years ago and most ISO standards have gone through two revisions since then. This means they have improved and kept up with the times, and have worked out what words and terminologies work and those that don’t. As a result ISO no longer use the heading ‘preventive action’ as a clause (it is still mentioned in the text but not very often).

ISO has replaced preventive action with the term ‘risk based thinking’, which means to control and manage your risks to prevent issues from occurring, which is normal risk management. This of course is what preventive action always was – it’s just that no one understood it. In fact one could easily argue that the main purpose of a management system is to prevent things from going wrong, so essentially it is all just a system of preventive action.

Preventive Action at the front of the Standard

And just one final point… in older versions of management standards, preventive action was always at the back of the standard. In recent standards such as ISO 9001:2015, ISO 14001:2015, ISO 27001:2013 and the yet-to-be-finalised ISO 45001 for OHS, it is at the front, which is exactly where it should be. If you have corrective action and preventive action in the same procedure, if you have CAPA processes, if you have non-conformance reports that require both corrective and preventive action to be taken, then the true concept of preventive action has been missed, because something has already gone wrong.

Note: Technically speaking, there is no difference between the words preventative and preventive – ISO use the word preventive in all of their management system standards, and as such it is what I have used in this blog.

