Purpose Drives Effectiveness of Risk Management
Unless you are clear about the purpose of your risk management process, you are unlikely to achieve effectiveness.
A clearly articulated purpose helps you to establish clear goals, objectives and measures. Without such clarity, you would not know if the process is delivering the results you expect.
Monitoring and evaluating the suitability and continuing effectiveness of the entire risk management process is a requirement of ISO 14971:2019, the state-of-the-art standard for risk management of medical devices. The standard is pretty clear in assigning this responsibility to the top management and expects that these reviews are done at planned intervals and all decisions and actions are appropriately documented.
So if you are a member of top management, and you are asked how you evaluate the suitability and effectiveness of your risk management process, how would you answer that question?
Check out this brief video to see how others responded in my LinkedIn poll which asked about the most important success factor for evaluating the success of the risk management process.
In simple terms, a process is a "set of interrelated or interacting activities that use inputs to deliver an intended result", as defined in ISO 14971:2019.
Let us pause for a moment to focus on the keyword intended in this definition. What do we want the process to achieve? How will we measure success? How will these results contribute to our organization's business results? These are important questions to consider during the strategic planning phase.
Risk management of medical devices is a complex process, but it can be represented by a simple illustration below:
In practice, a considerable amount of effort is spent in identifying inputs (e.g. people, policies and systems) and developing various activities and outputs through procedures to meet regulatory requirements. However, as a general observation, little time is spent on clearly defining the goals and effectiveness measures for the entire process. As a result, evaluation of effectiveness is more of an implicit process in management reviews. Here is an insightful comment shared by an industry colleague in my LinkedIn poll:
"I believe that the management's approach to risk effectiveness is more implicit. I haven’t seen specific questions being asked about effectiveness, but the expectation of risk control measures is that if they work, then it results in the reduction of the overall risk levels, which is what the management reviews. And this metric works well for both pre and post market risks."
This approach may be sufficient for the purpose of regulatory compliance, but it leaves a lot of "money on the table" from a business point of view. How do we relate reduction in risk levels to measurable business outcomes such as improved customer satisfaction, increased intent to buy and lower recall rates? These are only a few examples of business metrics; there may be others more relevant to your specific business situation.
The point is that if we don't clearly articulate effectiveness metrics, then we do not have a mechanism to measure and improve. We don't know how well our system is working to deliver desired results; we can only observe its weaknesses when "things go wrong", such as adverse events, recalls or audit observations. Then it turns into a firefighting operation and not a value-creating operation.
Risk management of medical devices is not easy. It touches nearly every business operation and requires a lot of resources. Wouldn't it be nice to be able to show a return on this investment in tangible, business terms?
It is certainly possible. But first, we must start treating it as a business process and not simply an exercise in regulatory compliance.
Please share your thoughts, insights and best practices below.
Business Process Transformation(BPT) Coach, Author and Cognitive Neuroscientist. Post-Doc-Neuroscience @ MIT
There is no better illustration than the one contained in the ICH-Q9 that has the General Risk Management Process, simple but powerful to guide any person through the whole process that wants to eliminate or mitigate risk and know the working difference between Risk Analysis, Risk Assessment, and Risk Management.