Risk Management Review


Involved In Discussions
Hi All,

Should the "Risk Management Report" be changed to "Risk Management Review" in our Risk Management Files? And what about the content under it if it needs to be changed.


Bev D

Heretical Statistician
Super Moderator
Well words matter.
report is just a thing (noun). it is a record of sorts.
review is an action as in "to review the report". reports that are not reviewed by others are useless.
files are where reports go to disappear

what is your intent?


Super Moderator
Not exactly sure where you're headed but, per the standard:

The results of this [risk management] review shall be recorded and maintained as the risk management report and shall be included in the risk management file.

(emphasis added)

So you document the results of the risk management review. You could include them or reference them in the report.


Trusted Information Resource
In the update of ISO 14971:2012 to ISO 14971:2019 that section's header changed from "Risk management report" to Risk management review".
That namechange is less important than what changed within that clause, namely it is no longer a review of the risk management process (which could have focused on the 'procedure') but is on the execution of the risk management plan (so a realized part of risk management), as well as that information is no longer only obtained, but instead collected and reviewed. Last (but perhaps more least) assignment of responsibility for the review by way of the risk management plan has been changed from should to shall.
The clause keeps the record of the activity defined as "risk management report" in contrast to the section title's change. Reading between the lines the activity of reviewing actually executed risk management versus planned risk management has been made more important than simply having a report with certain line items, but the report is still an essential output of that activity.
Recommend: don't change the name of the report, do check whether you're now reviewing executed risk management versus plan, instead of procedure versus standard.
In my word for word redline I've seen the update to make many of such nuanced changes, but overall if you had the right spirit you were already doing the right stuff. If you were nitpicking for holes in the standard, then the update closed a lot (But I think there should have been enough grounds to stick it to any true abusers).


Trusted Information Resource
Risk management review during product planning refers to the process of assessing and evaluating potential risks associated with a product before it is developed and brought to market. It is an important step in product planning to identify and mitigate risks that could negatively impact the success of the product or pose harm to users, stakeholders, or the organization itself.
Risk management (for medical devices) is appropriate at all life-cycle phases of a product, including when a device is 'on market'.

The Risk Management Report is intended to be the top-level summary of the risk profile of the device (and/or device family) and it is intended to be kept up-to-date via regular periodic, and if necessary ad-hoc, reviews. The necessity and schedule of the Risk Reviews is best including in the original Risk Management Plan; I suppose this could be established in a broader policy.

Typically the RM Report isn't generated (finalized) until the device is to be transferred to production, as risk controls are still being verified to be effective. It is entirely conceivable that a RM Report might never need to be updated, although I would recommend RM Reports be updated to document the outcomes of all Risk Reviews simply because I like the ease of being able to provide only two documents as 'bookends' of the Risk Management process: the Risk Management Plan and the Risk Management Report. These two documents won't have enough details to allow internally focused people to do anything like problem-solving, but they will be a high-level picture of where to start.


Quite Involved in Discussions
If I had meeting minutes, I'd call it "Risk Management Review Meeting Minutes", then I would write this up into the final document - the "Risk Management Report". If I only had one covering both, I would call it a "Risk Management Report" and make sure it used the word "reviewed" a lot.
If I were writing a procedure, I would call the section "Risk Management Review".
Top Bottom