Risk closeout, mitigation was not effective, next?

qualprod

Trusted Information Resource
#1
Hello everybody
I'm facing certain doubts as to what actions to take after a risk was not mitigated properly; it was high value, and after evaluating, the residual is almost the same value.
I see two possible ways:
Because I have a document (risk analysis), ok
One way is to declare the first analysis ineffective and start a new one.
The other option could be to keep the same analysis but add other mitigation plans.

What action are you taking when risk mitigation was not effective?

Thanks for your help
 

John Broomfield

Staff member
Super Moderator
#3
Hello everybody
I'm facing certain doubts as to what actions to take after a risk was not mitigated properly; it was high value, and after evaluating, the residual is almost the same value.
I see two possible ways:
Because I have a document (risk analysis), ok
One way is to declare the first analysis ineffective and start a new one.
The other option could be to keep the same analysis but add other mitigation plans.

What action are you taking when risk mitigation was not effective?

Thanks for your help
qualprod,

And, of course, you’ll want to remove the system weaknesses that caused this ineffective risk analysis or risk treatment so it doesn’t happen again.

So, raise a corrective action request per the requirements of your management system. That is what you close out, not the risk.

John
 
#5
Since mitigation is just to reduce the severity of the risk, can you put a control (administrative, engineering, etc.) in place in such a way that it reduces the likelihood of the risk or even eliminates it?

I'd prefer to establish mitigation after establishing prevention to bring the risk to ALARP.
 

qualprod

Trusted Information Resource
#6
Thanks Golfman25
As I understand, I'll declare the risk analysis ineffective, because only 2 out of 4 actions for mitigation worked fine; as such it will be closed out, but I will immediately do the analysis again (new analysis on the same risk).
Depending on the risk value, I might decide to open a CA when it is ineffective.
On the other hand, I think the risk value is changed by implementing actions (mitigation).
Risk value = occurrence x impact = risk value; if occurrence is low, of course the risk value will change.
This is the way I understand both issues. Do you agree? Maybe I'm misunderstanding something.
P.S.
I think that criteria to open a CA for each ineffective one may not be recommended; it may be applied when there is a repetitive failure on the same risk.
Please give inputs, thanks
 

Ninja

Looking for Reality
Trusted Information Resource
#7
I think that criteria to open a CA for each ineffective one may not be recommended; it may be applied when there is a repetitive failure on the same risk.
Going back into plain language:

- We saw a risk.
- We decided it was worth some effort to lower it (by lowering impact or lowering chance of occurrence, whichever).
- We came up with four ideas that we thought would work.
- Two of the ideas actually WERE good, and they worked to our satisfaction.
- Two of the ideas weren't as great as we thought, and nothing really happened.
- ...So we're gonna come up with more ideas based on this lesson learned and try again.

Me...I would have this as part of the original risk management...I tried and failed so I'm trying something different. Case still open.
Probably OK to document that it didn't work, close it, and open a new one...it's all just paperwork.

I don't see a real need to burn calories on paperwork...burn calories instead on coming up with the thing that mitigates the risk. The concept here is similar to R&D...we don't know what will work, and we're trying to figure it out...and we're not done yet.

HTH
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#8
We may never "fully" mitigate a risk, as issues (I think of them as factors that enable risk) can change. There can also be more than one risk involved, and an opportunity can introduce its own risk.

We should not feel as though we must squash the thing completely, just address that which would bring value.
 

John Broomfield

Staff member
Super Moderator
#9
Going back into plain language:

- We saw a risk.
- We decided it was worth some effort to lower it (by lowering impact or lowering chance of occurrence, whichever).
- We came up with four ideas that we thought would work.
- Two of the ideas actually WERE good, and they worked to our satisfaction.
- Two of the ideas weren't as great as we thought, and nothing really happened.
- ...So we're gonna come up with more ideas based on this lesson learned and try again.

Me...I would have this as part of the original risk management...I tried and failed so I'm trying something different. Case still open.
Probably OK to document that it didn't work, close it, and open a new one...it's all just paperwork.

I don't see a real need to burn calories on paperwork...burn calories instead on coming up with the thing that mitigates the risk. The concept here is similar to R&D...we don't know what will work, and we're trying to figure it out...and we're not done yet.

HTH
Ninja,

You make a fair point about persisting with ineffective processes that have yet to be validated.

But the “suck and see” approach to risk management is risky in itself.

So, we need to consider the consequences of inadequate understanding of the hazards and how to remove or mitigate the most damaging of these hazards.

I do admit that I’m playing it safe by advocating corrective action after the inherently risky RM processes have failed once.

Thanks for the reminder.

John
 

Ninja

Looking for Reality
Trusted Information Resource
#10
Well,
Maybe we're saying the same thing...but maybe not...so I figured I'd push on it again here...

"But the 'suck and see' approach to risk management is risky in itself."

Not 100% sure what you mean by this. Life is trial and error. If you're advocating thinking about pros and cons before trying, I'm 100% in agreement...but no matter how long you consider, you still have to try it to be sure.
...and since you're not 100% sure until after the try, it does (of course) involve its own risk...that's what every number below 100% includes...risk.

"So, we need to consider the consequences of inadequate understanding of the hazards and how to remove or mitigate the most damaging of these hazards."

Yup...that's why it's called "Trying"...
If we had complete understanding of the hazard and how to mitigate it, we'd be done already.

"advocating corrective action after the inherently risky RM processes have failed once"

Really not sure if I understand this. The real world steps are the same...I'm only seeing differences in documentation system...so perhaps I just don't understand what you're saying...it doesn't matter to me how it's documented.
To me, it's pretty similar to Design Control...we don't know how to do what we want, and we're working to figure it out...
Putting this into CA on first failure seems to me like putting every R&D project into the CA system when the first try doesn't work.

Risk management totally IS NOT Design control...and I'm not saying it is...I'm just drawing the parallel in documentation approach.
 