Changes to Internal Processes and Risk Evaluation - Mitigations

ukrainka85

Starting to get Involved
One of the departments in my organization implemented a CCB (Change Control Board) to review change requests for their processes. They are following change control best practices to make sure their decisions to update processes are well communicated, planned and reviewed. They are assessing risk/impacts associated with the process changes.

They are currently saying that above a certain level of risk associated with the process change, they will have mitigations in place. But this is confusing me because I have never had to think of mitigations for process changes and I am almost tempted to think that the process change is a mitigation in itself, but that's not true. Can someone please help me think this through?

What are some examples of mitigations for high-risk process change? An example I thought of: if a process change will overhaul how the department conducts client communication globally, a hands-on training is mandatory (mitigation) of all department employees to ensure that everyone knows what to do.

*These are not manufacturing processes, but processes of the project management department within a clinical trial vendor
 

yodon

Leader
Super Moderator
Any process change carries risk. Just consider what could go wrong if the process fails.

Just thinking out loud...
  • Transitioning from a paper-based system to electronic records could result in loss of data. Mitigation may be data transfer validation, daily audits, etc.
  • Updating forms might result in confusion on how to properly fill out a form. Mitigations may include additional supervisory / QA oversight / review for a period
  • Adoption of a software tool to help automate may allow unauthorized access to data.
 

qualprod

Trusted Information Resource
One of the departments in my organization implemented a CCB (Change Control Board) to review change requests for their processes. They are following change control best practices to make sure their decisions to update processes are well communicated, planned and reviewed. They are assessing risk/impacts associated with the process changes.

They are currently saying that above a certain level of risk associated with the process change, they will have mitigations in place. But this is confusing me because I have never had to think of mitigations for process changes and I am almost tempted to think that the process change is a mitigation in itself, but that's not true. Can someone please help me think this through?

What are some examples of mitigations for high-risk process change? An example I thought of: if a process change will overhaul how the department conducts client communication globally, a hands-on training is mandatory (mitigation) of all department employees to ensure that everyone knows what to do.

*These are not manufacturing processes, but processes of the project management department within a clinical trial vendor
Ukrainka85
Mitigation is what you do to lower the risk value.
Once mitigation is done, evaluate residual risk and decide if it is time to close it.
Hope this helps
 

John Broomfield

Leader
Super Moderator
Mitigation makes something bad less worse. It is what insurance companies require of us when we’ve suffered a loss.

Better to treat adverse risks by eliminating their causes to the extent possible.

Therefore use design control principles to change process designs by validating the verified changes perhaps through a pilot or trial so only the validated change is rolled out worldwide.

Mitigation is the weakest risk treatment.
 

ukrainka85

Starting to get Involved
Mitigation makes something bad less worse. It is what insurance companies require of us when we’ve suffered a loss.

Better to treat adverse risks by eliminating their causes to the extent possible.

Therefore use design control principles to change process designs by validating the verified changes perhaps through a pilot or trial so only the validated change is rolled out worldwide.

Mitigation is the weakest risk treatment.

Thank you for the feedback, John. It does help to clarify with this example of doing a pilot. We are currently doing this on a few process changes. I may have been overthinking it.

Why is mitigation the weakest in your opinion?
 

ukrainka85

Starting to get Involved
Ukrainka85
Mitigation is what you do to lower the risk value.
Once mitigation is done, evaluate residual risk and decide if it is time to close it.
Hope this helps

Thank you, qualprod!
Yes, that is the process the departments are supposed to implement. I was more thinking about what are examples of mitigations for a process change.
 

ukrainka85

Starting to get Involved
Any process change carries risk. Just consider what could go wrong if the process fails.

Just thinking out loud...
  • Transitioning from a paper-based system to electronic records could result in loss of data. Mitigation may be data transfer validation, daily audits, etc.
  • Updating forms might result in confusion on how to properly fill out a form. Mitigations may include additional supervisory / QA oversight / review for a period
  • Adoption of a software tool to help automate may allow unauthorized access to data.

Thank you, yodon!
Your examples were helpful to help me think through it.
 

John Broomfield

Leader
Super Moderator
Regarding the positive meaning of mitigation you are right Jim.

Thanks, I made a mistake not getting out of my insurance mindset.
 
Top Bottom