Dan Brown

June 1, 2010

Why Risk Analysis Matters

In more than just the obvious way, risk is a four-letter word in the business world. Companies face risk if they move forward, and they face risk if they stand still. In all stages of medical product design and manufacturing ISO 13485 and FDA regulations require risk management, but the fact remains that establishing effective risk management is more easily said than done. Nevertheless, there are some basic steps a device industry executive can take that make setting up a risk management plan a less vexing procedure.

Requirements for risk management have been well documented in the medical device, aerospace, and automotive worlds. Now, risk management criteria are being offered to the rest of the manufacturing world. This is an example of a positive export of knowledge from the medical device industry, among others. For example, last year, ISO published 31000:2009 "Risk management—Principles and Guidelines." This is “14971-lite” for any industry’s application of risk management.

For too many companies, risk analysis is a failure mode and effects analysis (FMEA) procedure conducted once and later pulled out of a file drawer for the auditors to review. This approach barely meets the requirements and unfortunately misses the mark on intent. First, it serves only to identify risks but does not manage them. Second, it misses risks beyond the scope of the FMEA procedure, be they design or processing risks. In addition, the scoring criteria must be relevant to the specific manufacturing operation and understood by all those preparing and using the FMEAs. Furthermore, as a snapshot in time, the analysis may not cover changes that have occurred since it was prepared.

A Flowchart Is a Useful Tool

Why does risk matter? The answer is found in newspaper headlines, stock market reports, FDA consent decrees, attorney fees, class-action lawsuits, lost business, and other negative outcomes. A failure to act becomes mismanagement and leads to a great deal of risk beyond the professional and corporate risk. Senior executives have been held personally and criminally liable for their actions while running their companies. Device industry executives are mandated, therefore, by their companies, their stakeholders, and regulators to be effective risk managers.

Effective risk management for a device industry executive entails taking a broad look at all aspects of your company’s business practices. Does your process for risk identification include all sources of risk? What about your supply chain? What about your computer and communications systems, your employees, equipment and equipment capabilities, power outages, or facility shutdowns? Does it include environmental issues like earthquakes, fires, floods, tornadoes, hurricanes, and blizzards? All these elements are different risks with different problems. Proper risk identification looks for all of these potential concerns.

Are you a component supplier? If so, have your customers properly defined all of their requirements and shared those with you? Are you really certain about that? If you’re the design-owner, are you subcontracting components? If so, can your chosen supplier meet all of the requirements you have specified? Do you understand their processing procedures well enough to know what you need to be asking of them?

A high-level flowchart of a firm’s operations is a useful tool for risk identification. If you don’t have one, it is worthwhile to create it. For every box on the flowchart, the project management team should ask: What can go wrong here, how will we know if it does, and what do we do if it happens? Putting the answers to such critical questions right into the document creates a risk management tool that can be used during the entire development process. Review the flowchart often in order to ensure that it remains current. When corrections are made, add the lessons learned to the risk management chart. Remember to add all improvements made to the system through risk management to your list of corporate preventive actions. Every action taken to mitigate risk is a “preventive action” in the lingo of ISO quality standards.

With respect to all those issues, auditors will ask for evidence showing how your system is designed to identify and reduce these potential sources of risk. As noted, simply pulling an FMEA document out of your files is not sufficient evidence that you have identified all your sources of risk. Once the sources of risk have been identified, an effective plan determines the best approach to alleviating these problem areas.

Document and Carefully Respond

Managing risk begins with documentation and continues with carefully considered responses. There are many items to think about. Among the concerns are redundant facilities in different areas of the country, alternate suppliers, validated production processes, mistake-proofing (poka yoke), inspection and testing, and control plans. Additional considerations include feasibility studies, design for manufacturability, design for maintainability, design of experiments, statistical process controls, process capability studies, Six Sigma, and lean manufacturing.

No one from outside of the company can tell you what you must do to manage risks, though some consultants may be able to offer good advice. For every risk, there is a means to mitigate it if it is cost effective to do so.

What are the best guidelines for determining a good risk management strategy? Here, ISO 31000 offers some very effective guidance. It states that proper risk management should:

  • Create value. Risk management must add value, not reduce it.

  • Be an integral part of organizational processes. A firm should design risk management procedures into its business model. The process should not be an afterthought.

  • Be based on facts, not assumptions. A company must make decisions using the best available information.

  • Explicitly address uncertainty. The risk analysis must state both known and unknown factors. No risk is known in full until something happens.

  • Provide a systematic and structured approach. This is to ensure that the procedures are applied consistently.

  • Be tailored to your company’s operations and products. An off-the-shelf fix will be ineffective.

  • Take into account human factors. Humans can dramatically increase or decrease risk.

  • Help everyone in the company to understand the process by being transparent and inclusive. If the risk management plan is in a confidential folder in the CEO’s office, it loses all credibility.

  • Be dynamic, iterative, and responsive to change. Risk management is a living process. As the company, products, and process change, so do the risk factors.

  • Be capable of continual improvement. The first pass-through of the process will have flaws. Perfection follows continual use.

Determining Acceptable Risk

Now the question becomes: How much risk management is enough? The answer to that question lies in understanding that not all risks are created equal. Some risks are acceptable, some risks are not. Companies must prioritize their risk mitigation activities. Too little and a device manufacturer ends up on the wrong side of a product liability lawsuit; too much and it goes bankrupt and produces nothing. It is the obligation and liability of company executives to draw those lines.

The food industry has a highly effective risk management strategy called hazard analysis and critical control points (HACCP). The key word here is critical. Rather than attempting to control every risk at every step, the most effective approach is to look at the processes and determine the last point at which a control can still affect that feature, attribute, or risk potential of a product; beyond that point, no further control can. That step becomes the critical control point. It is where the strategy ensures that the potential risk is either eliminated, if possible, or at least mitigated. Although this concept originated in the food industry, it can, and should, be a key component of effective risk management processes for medical device manufacturers.

Another effective model is the one used by ISO in determining the changes made to ISO 9001 in 2008. A simple matrix was used to compare the beneficial impact of each change with the resources required to implement it. The vertical axis of this impacts/benefits matrix rates whether the change requires a high, medium, or low amount of resources and effort in order to implement it effectively. The horizontal axis rates whether the change offers a high, medium, or low level of benefit to the company. If the level of benefit is low and the cost is high, the change isn’t worth it. Conversely, a high level of benefit at a low cost makes the change worthwhile. In between is where the harder decisions must be made. This is where having facts and clearly established decision criteria makes the device company executive’s job easier.

A Shield Against Lawsuits

No discussion of risk management is complete without a consideration of legal and ethical concerns. Effective risk management is your best shield from lawsuits. If you are in the industry long enough, you will have a recall and you will have a lawsuit. What you do today, before any problem occurs, will dramatically influence how your company is perceived should a liability trial occur. If you have been open and honest about trying to identify and control risks wherever encountered—and you have records of your due diligence—you can greatly reduce any award a lawyer could obtain.

Nearly every company struggles with risk management. Struggling is understandable, but it is not an excuse for ignoring proper risk management procedures. Medical device manufacturers will only get better at the process by practicing proper risk management more often. It’s important to remember that the goal is to add value, not cost.

Effective risk management saves money in at least three ways: It reduces corporate liability insurance costs, reduces failure rates, and improves your customer satisfaction (that is, retention) levels. It’s equally important to remember that these are all preventive actions. Fixing problems before they arise is always cheaper than fixing them after the mistakes have been made.

Dan Brown is the medical device industry expert for the American Society for Quality (ASQ) and is the ISO 13485 registration services manager for Eagle Registrations Inc. (Dayton, OH). More information about risk management, HACCP, and ISO standards is available at the American Society for Quality Knowledge Center.
