By: Regina Fullin
Sr. Compliance/Validation Consultant
Compliance Team Inc.
Gaining an understanding of your organization’s compliance risk can be challenging. It seems like regulators choose a different area of focus each time they audit your organization. It is possible to manage this challenge. Several methodologies can be combined at an organization to create a system of risk management, which can result in a comprehensive evaluation of an organization’s quality compliance risk. This article will explore several of the elements that contribute to a comprehensive evaluation, which should keep your organization ahead of any regulatory pitfalls.
Key to the risk management process is implementation of an ISO-based Risk Management Program. The benefit of this program is twofold: first, with its derivation from an accepted standard, such a program has credibility among regulatory auditors. Because of its wide acceptance, the rationale behind its implementation has a low risk (in itself) of being questioned in an audit situation. The second reason for using an ISO-based Risk Management program is that it works. The basic program can be illustrated as shown below:
The overall framework has five elements (in red above) and follows the Shewhart Cycle of Plan/Do/Study/Act, but the mandate and commitment must be obtained through an executive sponsor. The executive sponsor is an essential element because all organizational change occurs from the top downward. Organizations that focus on quality, compliance and risk management are likely led by executives who are deeply conscious of their stakeholders.
Each specific task under the Plan/Do/Study/Act can be customized to suit the particular needs of the organization. For example, Section 5.3.3 instructs organizations to integrate risk management into organizational processes. Organizations have different ways to create value; correspondingly, each organization will develop different ways to integrate risk management into the process.
The level of risk will vary according to the type of product a company sells. For example, an intravenous chemotherapy drug will carry higher risk than a palliative therapy with little life-saving effect, such as over-the-counter pharmaceuticals. To understand the risk associated with a particular product, ask the following questions:
- What is the intended use of the product?
- How difficult is it to manufacture?
- How expensive is it to manufacture?
- How valuable is the product?
- Is the product susceptible to theft or other supply chain diversion?
- How sick are the patients who use it?
- Are medical professionals expected to administer the treatment, or is the treatment self-administered or administered by untrained people?
- What are the risks of product misuse?
- What labeling is required for the product to prevent misuse?
- How many requirements must be fulfilled to successfully produce the product?
- What is the product shelf life?
- How robust is the product to temperature and humidity changes?
- How successfully can your competitors produce a competing product?
- How loyal are your customers?
- What are the unstated expectations of your customers?
- How easy would it be to add product features that improve customer loyalty?
- What are the FDA’s expectations for a product of this type?
- What are regulators focusing on right now?
- How easily can the company fulfill these expectations?
The answers to the above questions can be categorized as (a) Product Risks, (b) Business/Legal Risks, (c) Safety Risks and (d) Regulatory Risks. Many product risk factors can affect more than one risk category. For example, the risk of a regulatory finding for a product may at first be a regulatory risk, but could become a business/legal risk, causing customers to abandon your company and go to competitors if a regulatory finding becomes widely publicized.
Some risks require greater understanding than what can be identified through a superficial review. It takes experience and organizational maturity to fully define a product’s risk profile. The process can be frustratingly slow, but there are ways to speed up the process.
One way of speeding up the process is to use an FMEA (Failure Modes and Effects Analysis). An FMEA follows a process from start to finish and identifies each of the risks along the way. FMEAs can focus on the manufacturing process, the supply chain process, the process in the hands of the end-user, and in fact, any process. As risks are identified, they are evaluated and classified. Generally, the risks are evaluated for the likelihood of occurrence, the severity of the incident were it to occur, the likelihood that the incident is identified before any harm can result, and any mitigation actions inherent to product/process design that prevent harms.
Plenty of articles in the literature describe how to use an FMEA, so it will not be discussed in this article. Keep in mind that the FMEA is only one form of risk assessment, but, like the ISO/DIS 31000 process, it is an accepted method that works and has wide acceptance. Other forms of risk analysis may prove effective for a given organization. To prevent adverse consequences in the event of an audit, use a published risk assessment method rather than inventing one.
Inputs for an FMEA risk assessment come from several sources, listed below. Assess these data points in your organization’s Management Review process (for medical devices) or as part of the Product Quality Review process (for pharmaceutical products).
- Engineering studies and R&D data
- Competitor Data
- FDA Regulations and publicly-available warning letters
- Industry experts, such as physicians
- Customer feedback, such as complaints
- Financial data estimating the costs of risk mitigation.
After identifying the risks with the product, the company faces a choice about how to address each identified risk. Once a risk is identified, the risk owner, usually the Management Representative, has four choices:
- Risk Avoidance: Minimize risk to near-absent levels; for high-risk factors.
- Risk Reduction: Minimize risk to acceptable levels; for lower-risk factors.
- Risk Transfer: Allow another business entity to manage the risk, such as through an insurance policy.
- Risk Acceptance: For low-risk factors, allow the risk to exist unmitigated.
The rationale for each risk management decision should be documented and, if the risk is unnecessarily high, should be entered into the organization’s CAPA system. Risk may involve cost analysis, but risk is not a pure financial analysis. Cost estimates for wrongful death jury awards and punitive damages are minor compared to the potential losses caused by regulatory fines, remediation costs and customer abandonment. Therefore, the only acceptable quality level for a product is one where the product benefits outweigh the risks.
One way of approaching risk from a non-financial perspective is to consider the ratio of the cost of poor quality to the cost of high quality. This roughly translates into the cost of risk acceptance against the costs associated with avoiding, transferring or reducing risk. The cost of risk acceptance is roughly estimated as the cost of all actions needed to preserve the life and health of the patient population, since it is never acceptable to allow a product to injure or kill the patients it is intended to help. Benchmarking your competitor’s product can help identify the potential risks that harm patients so you can estimate what it takes to prevent such a tragedy.
Revisiting the Plan/Do/Study/Act cycle, the graphic suggests that the bulk of the work in this cycle occurs at the Planning stage. After a discussion of the Study actions, it becomes clear that the bulk of the work in the cycle is done in the Study phase of the process. With each iteration of the cycle, an organization learns from its mistakes, becomes more mature, and becomes better-equipped to manage risk.
The Executive Sponsor provides the fuel for the process, to ensure that the greatest effort (to study and learn as much as possible from each cycle) occurs in the Study phase of the cycle. Therefore, the most essential element of an effective risk management system is the Executive Sponsor. The executive sponsor needs to be a very special person in the organization, someone who fully supports the risk management process, with the necessary courage to challenge the status quo. An effective executive sponsor needs to allow mistakes, be passionate about learning from them, and make the company a better place for all of its stakeholders. Quality guru W. Edwards Deming summarized the idea most succinctly in the principle, “Drive out fear.”
Risk management, therefore, is not a process driven by fear of all adverse consequences. It is the opposite. Fear is a force that causes good people to make poor judgements. Fear is the emotion that causes people to ignore facts they would prefer not to face. Fear persuades people to cover up issues that could have been resolved in time for the next audit. Fear can cause organizations to manage for the short-term, rather than considering long-term consequences. Fear is at the root of petty departmental turf wars that throw the organization off balance and out of alignment. Fear is the constricting pressure on quality budgets and the reason why employees fail to voice their ideas to build a better system.
When management creates an open, learning culture, something amazing happens. Employees become engaged in their work, and people break departmental barriers in order to collaborate and make the company the best it can be. The identified risks dissolve away as committed individuals make incremental improvements. Costs are driven down as quality becomes less expensive and easier to implement. Profits improve as customer satisfaction achieves top levels.
Risk management, therefore, is more than a process, and more than a means of creating business value. Risk management is a path to improve the lives of stakeholders in your company’s processes. This applies to all stakeholders: managers, line workers, customers, caregivers and patients. Those of us who work in FDA-regulated industries are called to a higher purpose, and risk management aligns with this purpose. I invite you to realize your organization’s higher purpose by taking a fearless assessment of your company’s risks, and engaging staff and peers in the effort. If this task seems too big, Compliance Team can help. Call us today if you need experts to guide you on your organization’s risk management journey.