Three Places for Risk Management in Life Science Organizations

By Alexa Sussman, Content Marketing Writer, EtQ | March 22, 2017

By now, the concept of risk probably isn’t a brand new one—it has entered into many regulations, standards, and best practices. Risk-based thinking has become a cornerstone in many industries, especially those as critical as the life sciences. However, that doesn’t mean organizations aren’t still learning how to best apply risk techniques to their operations.

For example, ISO 14971 is solely dedicated to risk management in medical device production. If regulatory bodies are placing that much emphasis on risk assessment and management, then it’s important organizations take heed and apply these practices. But that is easier said than done, as many organizations are unsure of how to get the most out of risk practices.

So where does risk fit in an organization’s life science processes? To better answer that question, this article will examine some basics of risk management, as well as three areas where it’s most important to incorporate risk.

Risk Management: The Basics
Based on standards and best practices, companies need to find, assess, and mitigate risk. There are several tools to help accomplish that. The simplest and most common risk tool is the risk matrix. Because it gives an easily digestible visual representation of risk, it is useful for both quality experts and newcomers alike.

To use a risk matrix:
  • Assign a numerical value to the frequency (how often the event is likely to occur) and the severity (the potential impact of the event) of any given event. Create the scales and intervals for these values based on the best fit for the organization.
  • Plot these values on a numerical matrix, with severity on the “x” axis and frequency on the “y” axis.
  • Define the risk value by a mathematical formula, usually multiplying the severity value by the frequency value.
  • Measure the risk value against predetermined standards for the organization. Ranges should be defined for “Low-Risk” or “Generally Acceptable” risk zones, as well as “High-Risk” or “Generally Unacceptable” risk zones.
It’s important to note that while this provides a good basic assessment tool, there are some gray areas that are harder to define. When risk values fall on the borderline or in the middle of zones, there must be a way to concretely classify them.

Many organizations typically adopt the As Low as Reasonably Practicable (ALARP) principle. This means they can accept any risk as low as possible, or “not catastrophic,” if necessary. Other organizations simply weigh the cost versus benefits of mitigating the risk to assess worth. For example, a company wouldn’t spend $1 million to prevent a minor inconvenience, but would definitely invest that amount of money to prevent a fatality.

For different needs within organizations, there are additional risk tools:
  • Decision Tree: This method is useful when deciding between different courses of action. It shows a series of questions or decision points that branch out into possible outcomes to see all possibilities and make an informed decision.
  • Failure Modes and Effects Analysis (FMEA): This method outlines all the possible failure points within the design phase, before production even begins. For each step, each failure point and its cause, the effect on higher levels in the process, existing controls or detection methods, and any required actions are recorded.
  • Bowtie Model: This method is to be used for high-impact events. It helps to visualize complex risk scenarios. At the center of the diagram is the potential event under evaluation, with preventive controls on the left and recovery controls on the right—to mitigate the situation if it were to happen.
Risk assessment is a useful tool for decision-making and process improvement if it is known exactly how to apply it to an organization.

How Can Risk Management Be Applied in the Life Sciences?
Risk management can be applied to just about any area of an organization, but three areas especially benefit from risk processes. Utilizing risk tools and using that information as the basis for decision-making can help to improve cybersecurity, prioritize and verify corrective actions, and carry out efficient audits.

Let’s take a closer look at each.

1. Cybersecurity
Most people will experience a cybersecurity breach at one point—a stolen credit card, compromised email or social media account, etc. These minor infractions are inconvenient and unwelcomed, but are usually resolved without longstanding effects.

When cybersecurity is breached in the life sciences industry, it’s not so simple. When a medical device is hacked, not only is its function compromised but additional information is at risk. Many medical devices are connected to personal information systems or hospital Internet networks, potentially putting thousands of other patients’ information at risk.

Cybersecurity threats are ever-present, even with multiple controls in place. Because of this, the U.S. Food and Drug Administration recommends taking a full lifecycle approach to cybersecurity, starting in the planning and design phases and extending through post-market.

Risk plays a major role in this approach, especially in the planning phase. It’s important to constantly monitor and detect risks—cybersecurity threats are always evolving as hackers advance. Risk tools can be employed to identify and understand the potential impact of a vulnerability. By pointing out where potential attacks could occur at each stage, companies can be confident their process is safe.

If an area with a high risk for attack is discovered, it can be mitigated before escalating into an actual issue. Organizations can issue software patches, require password changes, or make overhauling changes in process designs to prevent attacks. Once the changes are in place, check the residual risk to ensure it is now within an acceptable range. Doing so will drastically decrease the chances of cybersecurity compromises.

2. Corrective Action
If there’s a fire in the kitchen, is the first step to start cleaning up the ashes of whatever got burned? No, the correct first action would be to put out the flames, even if the ashes are spotted first! When things are going wrong, it’s important to prioritize what to initially deal with, so time isn’t wasted on less important problems while high-impact issues cause further complications.

The same holds true when approaching the corrective action process. There may be multiple corrective actions in progress at one time, but it’s not always best to deal with them in chronological order. Run each issue through a risk tool—the risk matrix is useful in this case—to compare the potential impacts on the organization. Issues can be prioritized to know which need immediate attention, and which can be addressed later.

Risk tools will also help check effectiveness of a corrective action. By repeating the risk assessment as part of a verification check, an action’s effect plan can be seen. If the risk is now within an acceptable range or altogether eliminated, the action plan was successful. If there is no change to the risk measurement, or it is still higher than acceptable, implement another action plan. Repeat this process until the results are acceptable.

Not only does risk management help to prioritize corrective actions for the best use of resources, it streamlines the actual corrective action process so it is efficient and complete.

3. Audit Management
With a doctor’s appointment approaching, which scenario would make patients feel more confident in their results? Knowing they eat right, exercise, and address minor health concerns before they escalate, or not taking proactive measures and having no idea what to expect? Health can be proactively managed by making good lifestyle choices and avoiding harmful ones. Doctors will also appreciate the steps taken to manage personal health, as it makes their jobs easier too.

Similarly, risk and audits have a two-way relationship. This mutually beneficial interaction makes risk management an invaluable part of an audit strategy. Let’s examine the relationship from both sides to fully understand how important risk is here.

Audits can help reduce organizational risk. They should not be feared—in fact, they should be embraced. Audits serve as excellent diagnostic tools to help improve processes by uncovering weaknesses that might not have otherwise been discovered. Conducting audits helps reduce organizational risk by proactively detecting risks. Launching corrective actions from audit results puts companies ahead of the game—issues can be fixed before they manifest as problems affecting products or customers.

Many risks organizations would otherwise have trouble identifying come from their supply chain. Conducting supplier audits gives much needed insight into how the supplier’s standards measure up to an organization’s. Following the same procedure for supplier audits and supplier corrective actions will greatly reduce risk within the supply chain.

Risk management plays a role in successfully completing an audit. Audits yield a great deal of information, but what companies do with the information is especially important. Similar to conducting regular corrective actions, risk tools can help to prioritize which audit findings to deal with first when there are multiple areas needing improvement. It also serves as the aforementioned verification check during corrective actions. Utilizing risk tools and management practices during audits helps to complete them efficiently and effectively.

Closing Thoughts
Risk is discussed everywhere these days. Companies can’t escape terms like risk management, risk assessment, and risk-based thinking when dealing with quality management in the life sciences—and for good reason.

Risk-based thinking urges quality professionals to make decisions and put procedures in place with the priorities of mitigating present risks, engaging in low-risk behaviors, and avoiding high-risk behaviors. To truly achieve this, organizations must fully understand risk management basics, risk tools, and the proper ways to implement them within their processes.

If risk management is something new, start with simple tools and basic ideas. Use risk-based thinking to guide decision-making involving cybersecurity, corrective actions, and audits (both internal and supplier). Doing so will improve overall quality, resulting in better products put into the market. 

Alexa Sussman is a marketing content writer for EtQ. She is responsible for developing and writing content for EtQ, a leading enterprise quality and compliance management software vendor, as well as traqpath, EtQ’s compliance and event-tracking solution. 

Related Manufacturing: