
Risk Approach doesn't address External Issues (Auditor's Comment)

Silex7

Involved In Discussions
#1
Hello Everyone :) ,

If some of you could remember my inquiry I posted here before about: Auditor requests confidential information via Email, I am indeed so grateful for your help. The Audit was last Wednesday and it went really very systematic and informative (I was a little bit afraid that he would hinder me after I sent them that e-mail, lol).

The Auditor just stopped by my Risk Approach, he claimed that I am not covering the External issues very well, although I am running a good risk assessment system for my internal process, but I still need to cover external issues as well, as clause 6.1 requires to take into consideration issues from clauses 4.1 and 4.2.

But my question here is that for a good risk assessment you should deploy an Action Plan. How would you set an action plan for something very changeable like economical issues and market variation, uncontrolled factors in general?

The other question, do you merge the context of organization with interested parties in your risk assessment?
My plan is:
Internal manufacturing process with FMEA risk assessment....... [Process Risk]
IPs' and organization context model for my departments (HR, Logistics, etc.)....... [Business Risk]

Your help and suggestions are highly appreciated!
 
Elsmar Forum Sponsor

Chennaiite

Never-say-die
Trusted Information Resource
#2
But my question here is that for a good risk assessment you should deploy an Action Plan. How would you set an action plan for something very changeable like economical issues and market variation, uncontrolled factors in general?
Probably, there is no simple answer.
For uncontrollable factors (even for controllable factors for that matter), one idea can be to keep an option to clip the loss if there will be an exposure to downside (Economic recession, Natural disaster, etc.). This is more like "planned options" during Crisis Management phase, i.e. after exposure to damage. And I believe Crisis Management is an essential part of Risk Management. No level of Risk based thinking during preparation stage could help us avert crisis in future.
 

Kronos147

Trusted Information Resource
#3
You probably already do things that do address external risks. You may not be creating effective documentation of it.

Have a quick meeting with top management to kick the concept around. Do a follow up meeting a week later, capture some of these comments, throw them into the next management review meeting and bam, call it a day. Then the next management review meeting after that bring the stuff forward and develop it a little each meeting.

Any need for activities can be documented as action items or a CAPA.
 

Silex7

Involved In Discussions
#4
Probably, there is no simple answer.
For uncontrollable factors (even for controllable factors for that matter), one idea can be to keep an option to clip the loss if there will be an exposure to downside (Economic recession, Natural disaster, etc.). This is more like "planned options" during Crisis Management phase, i.e. after exposure to damage. And I believe Crisis Management is an essential part of Risk Management. No level of Risk based thinking during preparation stage could help us avert crisis in future.
Yes, I agree to this point. I think your point is best described in the standard ISO31000/ IEC31010 5.3.2 as follows:

[Image attachment: 1542391410810.png]

From my understanding, external issues could be addressed in risk assessment with a "Qualitative" control, which could be: implementation options, strategies, etc. Am I correct?
In this case this standard provides different non-quantitative models that can be applied for external issues risk identification.
 

Silex7

Involved In Discussions
#5
You probably already do things that do address external risks. You may not be creating effective documentation of it.

Have a quick meeting with top management to kick the concept around. Do a follow up meeting a week later, capture some of these comments, throw them into the next management review meeting and bam, call it a day. Then the next management review meeting after that bring the stuff forward and develop it a little each meeting.

Any need for activities can be documented as action items or a CAPA.
I was not addressing the external issues clearly in my risk assessment, because I didn't have any clue how to set a control plan for such kinds of risks, and obviously as you mentioned I didn't have an effective documentation for it.
And yes, I am preparing for a meeting soon, but I'll make just management meeting to include everyone in the new risk plan.
 

Bev D

Heretical Statistician
Staff member
Super Moderator
#6
You’re correct that many external risks can’t be prevented. The good news is that you don’t have to. Think about how you detect the occurrence early and how you mitigate it. Extra inventory, notification clauses for suppliers who don’t want to work with you anymore, alternative sources, etc.
 
#7
Let's firstly answer the auditor's point: Not their call to share opinion. "Very well" is subjective.

On the approach to Context, I believe you're possibly making it too complex, compared to what ISO 9001 actually requires you to do. I'd suggest dialing back your approach.
 

Chennaiite

Never-say-die
Trusted Information Resource
#8
From my understanding, external issues could be addressed in risk assessment with a "Qualitative" control, which could be: implementation options, strategies, etc. Am I correct?
In this case this standard provides different non-quantitative models that can be applied for external issues risk identification.
I am a fan of Murphy's Law.
Simply, I think irrespective of whether you measure the effectiveness of existing controls Qualitatively or Quantitatively, as they say, "anything that can go wrong will go wrong sooner or later".
Caveat: That does not take anything away from a proactive Risk Management Process that constantly measures and mitigates Risk.
 

qualprod

Trusted Information Resource
#9
Hello Everyone :) ,

If some of you could remember my inquiry I posted here before about: Auditor requests confidential information via Email, I am indeed so grateful for your help. The Audit was last Wednesday and it went really very systematic and informative (I was a little bit afraid that he would hinder me after I sent them that e-mail, lol).

The Auditor just stopped by my Risk Approach, he claimed that I am not covering the External issues very well, although I am running a good risk assessment system for my internal process, but I still need to cover external issues as well, as clause 6.1 requires to take into consideration issues from clauses 4.1 and 4.2.

But my question here is that for a good risk assessment you should deploy an Action Plan. How would you set an action plan for something very changeable like economical issues and market variation, uncontrolled factors in general?

The other question, do you merge the context of organization with interested parties in your risk assessment?
My plan is:
Internal manufacturing process with FMEA risk assessment....... [Process Risk]
IPs' and organization context model for my departments (HR, Logistics, etc.)....... [Business Risk]

Your help and suggestions are highly appreciated!
First, in 4.1 identify external and internal issues, the positive and negative.
The positive side is opportunities, the negatives are risks.
First, the standard requires you to identify only what is pertinent. Suppose the economical issues: well, even if it is dynamic, whatever it is, you can implement something to mitigate it.
E.g. dollar value fluctuation, if it is negative, trying to do something for not affecting, could be maybe to get an insurance, to look for a partner to share the risk, etc.
On the other hand, to merge 4.1 and 4.2?
First off, the focus is different: 4.1 is to identify internal and external issues, next, the positive and negative, and 4.2 is to identify interested parties and their requirements, so merge, I think, doesn't apply. Why do you want to do it?
Regards
 

Silex7

Involved In Discussions
#10
First off, the focus is different: 4.1 is to identify internal and external issues, next, the positive and negative, and 4.2 is to identify interested parties and their requirements, so merge, I think, doesn't apply. Why do you want to do it?
Regards
Thanks for your answer.
The Auditor, after discussing this part, showed me a merged risk assessment model that has organization contexts and Interested parties together, and he told me that's a good example one. In the table, after you identify and state each risk, there are two columns: the first one describes if the risk is external or internal, the other column would describe what interested party had to be related to this issue.
I think this is a good way of having both (4.1) and (4.2) as one table, right?
 