There are two ways to think about risk management. One can look at it as a business concern, or as a product concern. Today we’re going to look at the business concern side, and we’ll cover the product risks in a future post.
Examining risk management as a business concern has to do with personnel, management styles, even record keeping and HR practices. Essentially, the question is: Does how you run your business constitute a non-conformance risk? If your business is run responsibly, with clear chains of command and ethics safeguards in place, you have little to worry about.
One way to think about this would be to answer the question, “who is responsible if X, Y, or Z fails, and why?” This can be painful because it requires examining staff competencies and applying accountability to those positions: do you have the right people with the right knowledge, enough skills, and the proper tools, to execute their responsibilities? For example:
- If you find out that a production line worker won’t call for an e-stop—even though protocols exist—because they are intimidated by their manager, you have a business risk that needs to be addressed.
- If revenue is tied to performance, liberties may be taken that allow quality system functions to fail.
- If management has not considered alerting the Certification Body/Notified Body of its plans to modify the quality management system, it runs the risk of falling out of compliance with the requirements of the Standard.
Building a company culture that successfully navigates risk management means all accountable parties within your company need to know where the buck ultimately stops—who has responsibility if something goes wrong—and in most cases, this rests firmly at the top. Direction must not only flow from the CEO/Founder/Entrepreneur down the chain of command; it must also come back up from the rank-and-file. This means that the CEO must make risk management a priority, give everyone the right and the directive to point out where risks lie, whether in the supply chain, the manufacturing processes, or management, and take action to accomplish it. A leader can’t say, “I want to know of even the slightest concerns about our product or business!” and then turn a deaf ear when someone points out an area of non-conformity. It’s hardest to turn the mirror on oneself, but all too often, the proper allocation of resources is not provided.
Risk management requires a verification review or assessment by a qualified auditor/expert. In order to gain certification, the risk management (of both management and product-related aspects) needs to be assessed under quality management system principles—such as ISO 13485—by professionals. TÜV Rheinland possesses years of experience with some of the most accomplished experts in their field, and is able to perform such assessments.
For more information about our healthcare services, please visit our website or contact us to speak to one of our experts.