Dumb question on Risk Assessment - Include planned mitigations?


MIREGMGR

#21
I'm glad our NB is more sensible in that regard, recognizing that we are experts and we start our design from an intelligently considered risk stance.

Thus our risk analysis fully documents the risks related to the user, the use environment, etc., but we don't have to waste time documenting a process for artificially evaluating and adding the totally obvious requirements that no experienced engineer would ever consider not including.
 

SteveZed

#22
Re: Dumb question on Risk Assessment

Thanks to the Initial Poster -- this discussion mirrors almost verbatim ones we've had internally ...

I was floored by the following, however:

During that audit, there were 2 findings related to ISO14971 (ISO13485 / MDD audit, European firm, German notified body):
1: hazards that do not lead to a control measure were recorded in the risk management file.
2: Not all selected control measures were recorded in the risk management file.

In the discussion, they indicated that when a control measure is not listed in the risk analysis, there is a chance that in future updates, the control measure is 'removed'.
I can understand issue #2, but what is the problem with item #1? It may take up extra paper, but why did the auditor care?

I find that we sometimes list hazards during initial brainstorming before we have completely closed on the risk. Later, it may be determined that the risk is low enough that controls are not necessary, but we retain the line in the table to document that we came to that conclusion. Is there a pitfall in this?

Thanks,
-Steve
 

MIREGMGR

#23
Re: Dumb question on Risk Assessment

...we sometimes list hazards during initial brainstorming before we have completely closed on the risk. Later, it may be determined that the risk is low enough that controls are not necessary, but we retain the line in the table to document that we came to that conclusion.
We do that, too. I think it's the sensible approach. We haven't been gigged for it.
 

kgott

#24
Re: Dumb question on Risk Assessment

Later, it may be determined that the risk is low enough that controls are not necessary, but we retain the line in the table to document that we came to that conclusion. Is there a pitfall in this?

Thanks,
-Steve
Is there a pitfall in this? No.
Provided that you have indicated that existing controls are adequate and/or that the risk is low (and not acceptable), I cannot see a problem with it.
I think we can all agree that risk can rarely be eliminated but it can be controlled (at least by reducing it) and that is the best we can do.
 

Richard Regalado

#25
Re: Dumb question on Risk Assessment

I do not include planned mitigations on risk assessments on the simple reasoning that their effectiveness cannot be verified until these controls or countermeasures are implemented.
 

pldey42

#26
In my work in information security and business continuity I've been learning from other fields like H&S and medical devices. Perhaps sharing some lessons from Infosec and BC might be helpful in this difficult area:

Both InfoSec and BC are moving towards emphasising impact and severity more than probability, for these reasons:

  1. Probability is hard to estimate, especially for software failures, and for events that have never happened for which there are no statistics
  2. Some managers, when they see that a risk is low probability, think no further than "It'll never happen to us," enjoy a false sense of security, and refuse even the simplest, affordable mitigations
  3. Low probability, high impact events can be devastating if they occur, and their mitigation is often affordable. BP in the Gulf is an example, where the US regulator's requirement for business continuity planning was waived to enable drilling to start quickly.

Indeed, BS 25999 (Business Continuity Management) is based upon the idea of identifying critical processes and considering the impact should they fail, regardless of the reasons they might fail or the risks inherent in them. You plan to somehow sustain processes that, if they were to fail, would materially threaten the survival of the business. In a sense, you plan for a failure of risk management. The standard does also call for risk management, but not as something to stake the business upon: it's used to attempt to reduce the probability of bad events and/or their impact, but only as an adjunct. The core is to plan for failure.

In information security, the whole thing is based on risk management. To the OP's question, organizations will often have some mitigations (we call them "controls") in place such as locks on doors, secure filing cabinets and networks protected with passwords, firewalls and the like.

Sometimes they assess the risks assuming the mitigations in place work as they should (and sometimes they have data showing effectiveness of controls). This enables them to identify additional mitigations necessary.

Other times they assess the risks assuming a green field, without the existing controls. This helps validate the existing selection and identify controls that are disproportionate or out of date, which can safely be removed; or maybe are no longer strong enough to contain a risk that has become more dangerous.

Either way, risk management is a continuing cycle that's repeated as often as necessary. How often is a matter of judgement, but for some issues of national security it can be daily, hourly even.

Another aspect is that the mitigations, the controls, can themselves introduce risks. Put locks on the doors, someone will lock themselves out. Use encryption software, and there's a risk that it will fail, or the key will get lost and the information is lost; or worse, an attacker cracks the code and quietly steals secrets you thought were secure. Use the cloud for backups, and the internet connection to the cloud gets destroyed.

Infosec and BC professionals, and no doubt medical device designers too, assess the residual risks associated with the controls and may choose to mitigate those too, all the time remembering that there is no such thing as zero risk.

The information security management standard is interesting in that it requires managers to sign off on the residual risks: they are accountable for the risks their business takes (and it's recognized that zero risk does not exist; the risks simply have to be "reasonable", whatever that means). There's a risk in this of building personal blame games into the management culture, so it seems to me important that everyone understands that, should something bad happen, it's not somebody's fault that a risk was not identified or properly controlled; it's a failure of the risk management process which, as in quality, then gets a corrective action.

Risk management is very subjective, because it's not just about the bad things that could happen, but public or customer perception of them. For example, Pan Am was terminally damaged by the Lockerbie disaster: even though the sad loss of that plane made hardly any difference to the safety statistics of air travel (it was as safe as ever) the constant pictures on TV of the crashed plane associated danger and the Pan Am brand in the public mind.

For Infosec and BC professionals that means that mitigation action is not only about containing and managing the incident itself in the scientific and engineering sense, but also PR. For example, when a Virgin train crashed a few years ago, Richard Branson was almost immediately on TV saying all the right things, not only because it was the right thing to do, but also because he wanted passengers to continue to book Virgin trains despite TV images of his wrecked one. He was astonishing: he promised us that the rail network was safe, only hours after what turned out to be a serious points failure, and we believed him. Charisma can be a risk mitigation!

Given that risk management is somewhat subjective, it's vital that auditors assess the organization's risk assessments against its own defined risk assessment process and put their own judgement to one side. Auditors are naturally conservative souls who hate risk, and must keep those anxieties in check. That's not a reason to write down the details of risk assessments though: the reason for writing it all down is so that risk assessments are carried out consistently (and not driven by the most neurotic manager, or the most lurid press stories) and to assure that, when something does go bang, the organization can defend itself in court by showing it had, indeed, performed diligent risk assessments and taken responsible, not reckless, risks.

Finally, I read somewhere (wish I could remember where) that it matters less how you do risk assessment; more critical is how often, and who does it.

Hope this helps,
Pat
 

mvroops

#27
Per ISO 14971, you need to identify the risks/hazards.
For example:
1. Switch ON button: am I going to get a shock, or is it safe to operate?
2. Enclosure, sharp edges: it may hurt the operator's hand.
The RMS is a live document; it will be updated
at the design / POC / pilot / prototype / final product stages as well.
Each risk should be given proper identification and analysis, and risk mitigation should be done.

The FMEA tool can be used.
 