By Veronica Stephens and Jayet Moon
We know you’re familiar with ISO 14971, the “Application of Risk Management to Medical Devices” standard. Upon closer inspection, you’ll learn that this standard is in fact a standard for medical device safety risk management. Safety risk management is the identification, analysis, and elimination (and/or mitigation to an acceptable or tolerable level) of the hazards, as well as the subsequent risks, that threaten the intended use of the medical device. However, ISO 14971:2019 defines risk management very broadly as: “systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling and monitoring risk.” We have a slight misalignment here. A safety risk management standard, by its definition, has an expansive scope to include management policies, procedures, and practices, yet the substance in the standard vehemently focuses on product safety (as it should!). It must be noted that of course, the management policies and procedures do directly and indirectly affect safety, but they also affect other risks.
Why is this discussion important? Risk management goes beyond the product safety aspects and includes strategic and operational elements. These are touched upon in ISO 13485:2016, “Medical Device Quality Systems.” Clause 4.1.2 requires that the risk-based approach is also applied to the appropriate processes in the quality management system (QMS). These processes need to be identified and managed through risk-based controls. The focus is on implementing a risk-based approach within those processes where failure could lead directly or indirectly to product that is unsafe or does not perform as intended.
At the same time, in the introduction to ISO 13485:2016, 0.2 Clarification of Concepts, it is mentioned: “When the term risk is used, the application of the term within this international standard pertains to safety or performance of the medical device or meeting applicable regulatory requirements.” In other ISO standards such as ISO 31000, details about organization risk governance and risk framework, while not prescriptive, are explicitly stated as they are more focused on strategic and enterprise risks.
This brings us back to the question: Why discuss this? The safety risk is not confined to the product. It reverberates upward into operational and strategic risk. For example, acute or chronic poor safety performance of a product can lead to changes in the strategic plan and subsequent operational adjustments. That’s a bottom-up effect.
Changes in market conditions, company profile, mergers/acquisitions, competition and external factors such as pandemics directly affect the strategic plan, leading to operational-level adjustment. These may not affect the safety-risk profile of the device but certainly are bona fide risks to the organization.
Therefore, it’s important to view risk management from all perspectives to ensure organizational success (as shown in Figure 1 and elaborated below).
Figure 1: Risk management hierarchy
Let’s dissect this. The first issue is the definition of the word “risk” itself. Oxford Dictionary defines it as “a situation involving exposure to danger.” This is a situational definition. It does not imply probability or severity but focuses on situational “uncertainty.” Do we expose ourselves to danger? Almost every day. Grocery shopping in the pandemic is a risk, as is air travel. In the same vein, organizational decisions are rife with exposure to danger. However, we do expose ourselves to risk to capitalize on an opportunity. Within uncertainty lie both danger leading to loss and opportunity leading to profit. ISO 31000:2018 uses this concept to come up with a simple and profound definition of risk: “the effect of uncertainty on objectives.” In this vein,
Strategic risk management is the effect of uncertainty on strategic goals and objectives.
Operational risk management is the effect of uncertainty on operational goals and objectives.
Safety risk management is the effect of uncertainty on product safety goals and objectives.
The patient or healthcare worker to danger
The company to reputational and financial danger
EU Medical Device Regulation (MDR) effective May 2021, the focus is on “benefit-risk,” which is an assessment of product performance as opportunity for patient benefit weighed against the negative risk inherent in the medical device product. The bottom line is that risk management affects decision-making, which is a critical success factor in organizational success. It boils down to the risks you want to manage using your risk management framework.
The definition of risk from ISO 31000:2018 looks at both positive and negative aspects of risk. To some readers, this may be a new concept. A one-dimensional version of risk (based only on reduction and avoidance of negative risk), at best, will result in zero losses (this is the aim of safety planning). No company becomes successful by aiming for zero loss; it becomes successful by aiming for large profits and gains (this is the aim of strategic planning). That said, zero loss and zero defect is an admirable quality goal, much popularized by the quality guru, Philip B. Crosby. A more holistic definition of risk management allows us to leverage the existing risk management framework for organizational benefit and not just prevention of loss.
While strategic risk management propagates a top-down approach to risk management, product/service risk management aims for a bottom-up approach. At the product/service risk management level, the designers of products, processes, and services adopt a risk-based mindset to preemptively mitigate subsystem-specific, foreseeable risks. This results in low-risk products, processes, and services, which in turn allow greater tolerances for operational and subsequently strategic risks. Safe products and processes may encourage positive risk-taking by engendering confidence in top management, leading them to strategically leverage strengths to capitalize on business opportunities. The level(s) of risk management should be recognized as part of setting the context of risk management activities.
Thus, risk managed at one level allows for opportunities for value creation at other levels. Mismanaged risks will lead to reduction in value because risks may magnify as they shift through levels.
Risk-based thinking is a philosophy and not a set of tools. Risk-based thinking will not automatically follow by simply creating a risk analysis document or a risk manager position within a company. Risk-based thinking must be tied and aligned to the culture of a company, such that its objectives, whether they be individual or organizational, incorporate this approach.
As shown in Figure 1, there can be a hierarchy of risk management activities in an organization. Product safety risk management is an important level, but there are operational risks such as supply chain risk, and strategic risks that affect strategic objectives. Identification of these levels is a first step, followed by identification of risks themselves, and then subsequent assessment, evaluation, and treatment. It is important that your organization speak a common risk language and understand that these levels interact with each other and are not siloed. Here, the culture of risk-based thinking comes into play. Risk-based thinking, on a foundational level, means risk-based decision-making. The same decision-making process can be applied to any level of risk management — whether it be safety, supply chain, enterprise risk, etc. This is shown in Figure 2.
Figure 2: Risk-based decision-making
The beauty of this decision-making model is that it is universal — it applies to every ISO standard that deals with risk, whether it be 14971 for medical device risk management, 31000 for enterprise risk management, 9001 for risk-based thinking, or 10993 for biocompatibility, as well as IEC 60300 for technological systems and many others. Aligning the decision-making culture to a model like this that incorporates deliberate analytical thought through a risk lens can set a strong foundation for risk intelligence. Risk intelligence is the organizational ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use forward-looking risk concepts and tools in making better decisions.
As the recent pandemic has taught us, good management of risks is a major driver of business continuity and sustained success. Focusing only on product safety risk management without strategic risk management is a risk to the whole organization. Complex risks such as COVID-19 will continue to rise in the coming years and the companies that imbibe and nurture a risk-intelligent culture will continue to take them in their stride and move upward and onward.
About The Authors:
Veronica Stephens is the senior vice president of quality and risk management solutions for the firm Auchincloss-Stephens. She is a risk management subject matter expert with over two decades of experience in Fortune 500 companies across a range of industries, including pharmaceuticals, food production, consumables, durables, and medical devices.
Jayet Moon earned a master’s degree in biomedical engineering from Drexel University in Philadelphia and is a Project Management Institute (PMI)-Certified Risk Management Professional (PMI-RMP). Jayet is also a Chartered Quality Professional in the UK (CQP-MCQI). He is also an Enterprise Risk Management Certified Professional (ERMCP) and a Risk Management Society (RIMS)-Certified Risk Management Professional (RIMS-CRMP). He is a Fellow of the International Institute of Risk & Safety Management. His new book, Foundations of Quality Risk Management, was recently released by ASQ Quality Press. He holds ASQ CQE, CQSP, and CQIA certifications.