By Mark Durivage, Quality Systems Compliance LLC
Probably the most significant concern for anyone responsible for implementing, deploying, and maintaining a quality management system is the integration of risk-based thinking. Risk-based thinking can and should be applied to the organization’s strategic and tactical planning processes.
This article will first present the definitions and requirements regarding risk and planning and then introduce some tools that can be utilized to incorporate and integrate risk management techniques in and throughout the organization’s strategic and tactical planning processes.
Definitions and Background
Several ISO standards, FDA regulations, and international guidance documents provide direction and lay out the framework for successfully implementing, maintaining, and sustaining an effective and robust quality management system, regardless of the organization’s type or size or the products and services it provides. These documents require the use of risk-based thinking and planning.
ISO 9001:2015 Quality management systems — Requirements states the QMS “needs to demonstrate the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements and aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.”
ISO 9004:2009 Managing for the sustained success of an organization — A quality management approach, clause 9.3.5 Risks provides the following guidance: “The organization should assess the risks related to planned innovation activities, including considering the potential impact on the organization of changes, and prepare preventive actions to mitigate those risks, including contingency plans, where necessary.”
ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes defines risk as the combination of the probability of occurrence of harm and the severity of that harm. The standard further requires that organizations apply a risk-based approach to the control of the appropriate processes needed for the quality management system. Furthermore, the standard requires that the controls be proportionate to the risk involved.
ISO 31000:2009 Risk management — Principles and guidelines defines risk as an effect of uncertainty on objectives. The standard further defines the risk management process as a systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring, and reviewing risk.
The FDA’s Quality Systems Approach to Pharmaceutical CGMP Regulations Guidance for Industry states “Quality risk management is a valuable component of an effective quality systems framework. Quality risk management can, for example, help guide the setting of specifications and process parameters for drug manufacturing, assess and mitigate the risk of changing a process or specification, and determine the extent of discrepancy investigations and corrective actions.”
From the FDA’s Medical Devices; Current Good Manufacturing Practice (CGMP) Final Rule; Quality System Regulation:
Brainstorming, Affinity Diagrams, And Multi-Voting
Before presenting some of the tools used for risk-based planning, it should be stated that risk management tools are most useful and complete when applied using a team-based approach. Brainstorming is one tool for generating lists of ideas on what risks may be present and how to manage and mitigate those risks.
Brainstorming involves a group of individuals generating ideas without considering whether the ideas are good or bad. The technique relies on the free flow of ideas and on the expectation that ideas will trigger additional ideas that an individual working alone may not have thought of. A good method for brainstorming is to write the ideas on sticky notes.
Once the list of ideas is generated, an affinity diagram can be completed to group ideas into logical categories. The process works by having the individual team members place the ideas generated during the brainstorming session (captured on sticky notes) into logical groups. The process usually works best when a time limit is set.
The last step is to prioritize the groups of ideas in the affinity diagram. One technique that can be used for this step is multi-voting, which can be done by having everyone rank the groups. For example, there may be 10 groups, so each person would rank each group 10, 9, 8, 7, etc., by assigning the most important group the highest number. After the scores are tallied, the groups are ranked by their average rankings.
Figure 1: The process of generating, organizing, and prioritizing ideas
Benchmarking can be used to measure your organization’s performance against that of other companies that are successful, determine what makes those companies successful, and use the information to improve performance. The benchmarking process, which can be used to assess other organizations, systems, processes, services, and products, can be competitive or technical. Competitive benchmarking measures how an organization is performing as compared to its competitors. Technical benchmarking is conducted to determine the features of products or services. The output of the benchmarking process can be used to perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis or a political, social, economic, and technological (PEST) analysis.
Strengths, Weaknesses, Opportunities, And Threats (SWOT) Analysis
SWOT analysis is a planning tool that can be used to identify internal and external strengths and weaknesses. SWOT can be used for short-term tactical planning for processes and systems and for long-term strategic organizational planning. An example SWOT analysis template is shown in Figure 2.
Figure 2: Example SWOT analysis template
Figure 3: Example SWOT analysis
Political, Social, Economic, And Technological (PEST) Analysis
PEST analysis is a planning tool that is like SWOT analysis but is more focused on long-term strategic organizational planning than on short-term tactical planning. An example PEST analysis template is shown in Figure 4.
Figure 4: Example PEST analysis template
Figure 5: Example PEST analysis
A variation of PEST analysis is the PESTLE analysis. PESTLE analysis is simply PEST analysis with the additional topics of legal and environmental.
The discussion above describes various tools to aid the process of identifying and integrating risk management throughout the QMS. There are many more tools available to identify, analyze, mitigate, and monitor risk.
I cannot emphasize enough the importance of documenting the tools and methods used. Best practice includes providing rationale for your organization’s use of risk management tools and activities. The requirements and risk management tools presented in this article can and should be utilized based upon industry practice, guidance documents, and regulatory requirements.
About The Author:
Mark Allen Durivage is the managing principal consultant at Quality Systems Compliance LLC and an author of several quality-related books. He earned a BAS in computer aided machining from Siena Heights University and an MS in quality management from Eastern Michigan University. Durivage is an ASQ Fellow and holds several ASQ certifications, including CQM/OE, CRE, CQE, CQA, CHA, CBA, CPGP, CSQP, and CSSBB. He also is a Certified Tissue Bank Specialist (CTBS) and holds a Global Regulatory Affairs Certification (RAC). Durivage resides in Lambertville, Michigan. Please feel free to email him at firstname.lastname@example.org with any questions or comments, and connect with him on LinkedIn.