Risk Management Lessons Beyond ISO 14971

By James A. Dunning, Owner, QPC Services, LLC | March 22, 2017

Risk management used to be simple. Much simpler than it is now, if my memory serves me correctly.

I’m not dreaming, am I? Risk management was simpler back in the day, wasn’t it? Alas, maybe it was never simple, and I’ve just forgotten about the pain associated with my early involvement in medical device risk management.

The term “risk management” has become non-specific over the years. Even within the medical device industry, when the term is used, it is usually followed by several adjectives to better define its intended scope. Such clarification is necessary since the body of knowledge, legislation and associated regulations, and international risk management standards have expanded. In short, risk management has become quite a bit more complex since the dawn of the millennium, and will continue to do so as it evolves.

It’s now not enough for medtech professionals to limit risk management to product safety as specified in ISO 14971 Risk Management Requirements for Medical Devices. I know that’s a big statement, but I stand by it. ISO 14971 soundly addresses risk management for medical device product safety, but it does not address any of the other areas where risk management is a key consideration. Thomson Reuters has good information about risk management considerations, much of which applies directly to the banking and insurance industry. The company’s website is a great place to learn more about the broad scope of risk management.

Several areas should be considered in a state-of-the-art risk management program that are beyond ISO 14971’s specific requirements:

Customer and Third Party Risk
Among the issues that must be addressed in this “risk sector,” according to Thomson Reuters, are:
  • Anti-money laundering—This risk is particularly pertinent to medtech firms that provide products to emerging world markets.
  • Bribery and corruption—The digital knowledge-sharing forum Corporate Compliance Insights best addresses this issue on its website, in which it states, in part, “Pharmaceutical and medical device companies are fast becoming the enforcement punching bag, eclipsing the long-suffering status of the oil and gas energy. If you ignore the political and public relations challenges facing the pharmaceutical and medical device industries, you are being naive. In almost every possible area for enforcement, pharmaceutical and medical companies have been the targets of aggressive criminal, civil and regulatory action.”
  • Know your customer—The mandate to know who you are doing business with, and to ensure those parties are operating in a lawful, compliant manner, is more urgent, more tightly regulated, and more complex than ever before.
  • Sanctions—Regulated organizations need to ensure they comply with sanctions regardless of where they operate in the world. An informed approach allows organizations to focus resources on, and tailor systems and controls to, where business is most likely to encounter sanctioned parties.
  • Third-party risks—Detect, assess, and minimize potential risks associated with suppliers, distributors, and partners.
  • Ultimate beneficial ownership—There is an increasing expectation on companies worldwide to understand with whom they are conducting business. The transparency of company ownership and control has always been a focal point under the Anti-Money Laundering/Countering the Financing of Terrorism legislation, last revised in 2015.

Corporate Governance and Controls
  • Conduct risk—Often defined as risk to the delivery of fair customer outcomes or to market integrity.
  • Corporate governance—This term describes the composition of and relationships within an organization that help guide and establish its overall strategy and performance.
  • Internal audit—Businesses now look to internal auditors to provide advice and insight on ways to improve processes and internal controls.

Compliance Risk
  • Compliance management—Ask yourself these questions, and the definition of compliance management will become clear: Has my organization let an important regulatory change slip through the cracks? What were the associated costs?
  • Compliance training—Many legal problems originate from employees acting improperly out of ignorance, misunderstanding, or a blatant disrespect of the laws, regulations, and policies that govern their daily job responsibilities. Many of these problems can be avoided—or at least mitigated—through compliance training.
  • FATCA compliance—The Foreign Account Tax Compliance Act (FATCA) requires foreign financial institutions to report information about financial accounts held by U.S. taxpayers to the Internal Revenue Service or other national tax body.
  • Policy management—Many organizations are now creating policy management frameworks. The drive behind this is the need to reduce compliance risk by making regulatory change “business as usual.”

Financial Risk
  • All companies face financial risks. Controlling financial risk is a basic component of good management.

Enterprise Risk Management
  • Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization to minimize the effects of risk on capital and earnings. ERM expands the process to include not just risks associated with accidental losses, but also financial, strategic, operational, and other risks.
Previously, my approach to risk management was less than comprehensive. The focus was on integrating the applicable regulatory standard—most often ISO 14971—and integrating the product safety risk management requirements into the quality management system. Initially, I would center the risk management function within the design and development function. But after gaining more experience, I found it more appropriate to center risk management within the management responsibility function. I have also found that cost of quality (or cost of poor quality) programs provide excellent support to a comprehensive risk management program, mostly due to their link with the financial function. In addition, technology (basically, anything that uses software) provides key design inputs for any risk management program.

Since all of the above noted risk management areas can be overwhelming, consider an expanded risk management program as a basic tool. The key to initiating a risk management program expansion effort is to establish design requirements that identify the key focus areas.

Risk management requirements in many modern medtech firms have gone beyond the requirements of ISO 14971. It is time for medtech’s regulatory and/or quality professionals to take a fresh look at their organizations’ risk management programs.

James A. “Jim” Dunning’s consulting career began in 2001. He has provided quality and regulatory consulting services for various companies ranging from Fortune 500 medical device firms to startups. Dunning’s passion, however, lies with startups and small companies, especially those in regulatory distress. He has prepared 510(k) applications, developed Quality Management Systems, provided Quality System Training, and advised on quality, business, and leadership issues. He can be reached at