Risk Approach doesn't address External Issues (Auditor's Comment)

Silex7

Involved In Discussions
#1
Hello Everyone :) ,

If some of you could remember my inquiry I posted here before about: Auditor requests confidential information via Email, I am indeed so grateful for your help. The audit was last Wednesday and it was really very systematic and informative (I was a little bit afraid that he would hinder me after I sent them that e-mail, lol).

The auditor just stopped at my Risk Approach; he claimed that I am not covering the external issues very well. Although I am running a good risk assessment system for my internal process, I still need to cover external issues as well, as clause 6.1 requires taking into consideration issues from clauses 4.1 and 4.2.

But my question here is that for a good risk assessment you should deploy an Action Plan. How would you set an action plan for something very changeable like economic issues and market variation, uncontrolled factors in general?

The other question: do you merge the context of the organization with interested parties in your risk assessment?
My plan is:
Internal manufacturing process with FMEA risk assessment ....... [Process Risk]
IPs' and organization context model for my departments (HR, Logistics, etc.) ....... [Business Risk]

Your help and suggestions are highly appreciated!
 

Chennaiite

Never-say-die
Trusted Information Resource
#2
But my question here is that for a good risk assessment you should deploy an Action Plan. How would you set an action plan for something very changeable like economic issues and market variation, uncontrolled factors in general?
Probably there is no simple answer.
For uncontrollable factors (even for controllable factors, for that matter), one idea can be to keep an option to clip the loss if there will be an exposure to downside (economic recession, natural disaster, etc.); this is more like "planned options" during the Crisis Management phase, i.e. after exposure to damage. And I believe Crisis Management is an essential part of Risk Management; no level of risk-based thinking during the preparation stage could help us avert a crisis in the future.
 

Kronos147

Trusted Information Resource
#3
You probably already do things that do address external risks. You may not be creating effective documentation of it.

Have a quick meeting with top management to kick the concept around. Do a follow up meeting a week later, capture some of these comments, throw them into the next management review meeting and bam, call it a day. Then the next management review meeting after that bring the stuff forward and develop it a little each meeting.

Any need for activities can be documented as action items or a CAPA.
 

Silex7

Involved In Discussions
#4
Probably there is no simple answer.
For uncontrollable factors (even for controllable factors, for that matter), one idea can be to keep an option to clip the loss if there will be an exposure to downside (economic recession, natural disaster, etc.); this is more like "planned options" during the Crisis Management phase, i.e. after exposure to damage. And I believe Crisis Management is an essential part of Risk Management; no level of risk-based thinking during the preparation stage could help us avert a crisis in the future.
Yes, I agree with this point. I think your point is best described in the standard ISO 31000 / IEC 31010 5.3.2 as follows:

[Attached image: 1542391410810.png]

From my understanding, external issues could be addressed in the risk assessment with a "Qualitative" control, which could be: implementation options, strategies, etc. Am I correct?
In this case, this standard provides different non-quantitative models that can be applied for external-issue risk identification.
 

Silex7

Involved In Discussions
#5
You probably already do things that do address external risks. You may not be creating effective documentation of it.

Have a quick meeting with top management to kick the concept around. Do a follow-up meeting a week later, capture some of these comments, throw them into the next management review meeting and bam, call it a day. Then at the next management review meeting after that, bring the stuff forward and develop it a little each meeting.

Any need for activities can be documented as action items or a CAPA.
I was not addressing the external issues clearly in my risk assessment, because I didn't have any clue how to set a control plan for such kinds of risks, and obviously, as you mentioned, I didn't have effective documentation for it.
And yes, I am preparing for a meeting soon, but I'll make it just a management meeting to include everyone in the new risk plan.
 

Bev D

Heretical Statistician
Staff member
Super Moderator
#6
You’re correct that many external risks can’t be prevented. The good news is that you don’t have to. Think about how you detect the occurrence early and how you mitigate it. Extra inventory, notification clauses for suppliers who don’t want to work with you anymore, alternative sources, etc.
 
#7
Let's first answer the auditor's point: it's not their call to share an opinion. "Very well" is subjective.

On the approach to Context, I believe you're possibly making it too complex, compared to what ISO 9001 actually requires you to do. I'd suggest dialing back your approach.
 

Chennaiite

Never-say-die
Trusted Information Resource
#8
From my understanding, external issues could be addressed in the risk assessment with a "Qualitative" control, which could be: implementation options, strategies, etc. Am I correct?
In this case, this standard provides different non-quantitative models that can be applied for external-issue risk identification.
I am a fan of Murphy's Law.
Simply, I think that irrespective of whether you measure the effectiveness of existing controls qualitatively or quantitatively, as they say, "anything that can go wrong will go wrong sooner or later".
Caveat: that does not take anything away from a proactive Risk Management Process that constantly measures and mitigates risk.
 

qualprod

Trusted Information Resource
#9
Hello Everyone :) ,

If some of you could remember my inquiry I posted here before about: Auditor requests confidential information via Email, I am indeed so grateful for your help. The audit was last Wednesday and it was really very systematic and informative (I was a little bit afraid that he would hinder me after I sent them that e-mail, lol).

The auditor just stopped at my Risk Approach; he claimed that I am not covering the external issues very well. Although I am running a good risk assessment system for my internal process, I still need to cover external issues as well, as clause 6.1 requires taking into consideration issues from clauses 4.1 and 4.2.

But my question here is that for a good risk assessment you should deploy an Action Plan. How would you set an action plan for something very changeable like economic issues and market variation, uncontrolled factors in general?

The other question: do you merge the context of the organization with interested parties in your risk assessment?
My plan is:
Internal manufacturing process with FMEA risk assessment ....... [Process Risk]
IPs' and organization context model for my departments (HR, Logistics, etc.) ....... [Business Risk]

Your help and suggestions are highly appreciated!
First, in 4.1 identify external and internal issues, the positive and the negative.
The positive side are opportunities; the negatives are risks.
First, the standard requires identifying only what is pertinent. Suppose the economic issues: well, even if it is dynamic, whatever it is, you can implement something to mitigate it.
E.g. dollar value fluctuation: if it is negative, trying to do something so that it does not affect you could maybe be to get insurance, to look for a partner to share the risk, etc.
On the other hand, to merge 4.1 and 4.2?
First off, the focus is different: 4.1 is to identify internal and external issues, then the positive and negative, and 4.2 is to identify interested parties and their requirements, so merging, I think, doesn't apply. Why do you want to do it?
Regards
 

Silex7

Involved In Discussions
#10
First off, the focus is different: 4.1 is to identify internal and external issues, then the positive and negative, and 4.2 is to identify interested parties and their requirements, so merging, I think, doesn't apply. Why do you want to do it?
Regards
Thanks for your answer.
The auditor, after discussing this part, showed me a merged risk assessment model that has organization context and interested parties together, and he told me that it's a good example. In the table, after you identify and state each risk, there are two columns: the first one describes whether the risk is external or internal, and the other column describes which interested party is related to this issue.
I think this is a good way of having both (4.1) and (4.2) in one table, right?
 