When do we identify Residual Risk?

ukrainka85

Starting to get Involved
#1
Should Residual Risk be identified in the initial version of a Risk Assessment right after we have identified what our risk responses will be OR should residual risk be calculated during the monitoring portion of the Risk Management process where we are seeing if the risk responses are actually "working"?
 
yodon

Leader
Super Moderator
#2
Residual risk is, initially, your estimate of how well your controls mitigate the risks. Through postmarket activities, you are continually assessing whether your probability / severity assignments are accurate and if your risk controls are effective - and so you are possibly updating the residual risk throughout the life of the device.
 

qualprod

Trusted Information Resource
#3
The approach I follow is:
1. First a risk is identified.
2. The value is calculated.
3. According to the value or category, action plans are performed to lower the risk value.
4. Once action plans are working, new condition of risk is evaluated.
5. This previous point is residual risk.
Hope this helps.
 
John Broomfield

Leader
Super Moderator
#4
Residual means what you are left with after taking care of what you can.

So, we maintain our car, check our tires, make sure we are safe to drive, drive according to the conditions and obey signs, officers of the law and other traffic guides.

Our valid insurance policy covers us and others for the residual risks.
 

ukrainka85

Starting to get Involved
#5
Thanks for the feedback. Still unclear when in the process residual risk is assigned. Yodon said "Residual risk is, initially, your estimate of how well your controls mitigate the risks.", but Qualprod said "once action plans are working, new condition of risk is evaluated." The former sounds like evaluation of residual risk should be done up front before implementing the risk responses, as an estimate. The latter sounds like we estimate the effects of the risk responses on the existing risks during periodic monitoring. Maybe it's both?

(1) estimate the residual risk based on existing controls and proposed responses, and (2) evaluate if the mitigations are actually having the effect they are supposed to. But what if they don't have the effect which was expected...? Where should that risk number be implemented? I get the question of "do we update the residual risk score during periodic monitoring"?
 

yodon

Leader
Super Moderator
#6
I don't think there's any conflict.

Maybe walking through an example would help.

During my initial risk management activities (during design), I identify a risk and assign a probability (4) and severity (3). My initial risk value is (4*3) 12. I then determine a set of controls and, with agreement from the team, we feel the probability of occurrence has been reduced so we reduce that value to 2. My new risk score is (2*3) 6. This is my initial residual risk. We likely never make the probability go to 0 so we (always) have residual risk.

The team determines that the benefits of the device outweigh this residual risk (a whole separate ball o' yarn) and the product can be released.

After you put the product in the field, you start getting feedback, complaints, adverse event reports, etc. You review all these to determine if, in this example, your controls were truly effective in reducing the probability as you estimated. Assume, in this example, you determine that the probability is, in fact, higher than your updated estimate (2). You then update the risk file with the new probability and score it out again. Use your documentation change records / history to help keep track of what was done (you can also have a notes section in your risk analysis). Maybe you determine this is unacceptable and go back to design to see if you can make changes to reduce the risk. Maybe you determine you can't make it any safer and so you re-do the exercise of determining if the benefits still outweigh the risks.

Risk management is an active process throughout the product life. These postmarket reviews may identify new risks, different severity levels, new ways of realizing risk, etc. All this is input to your Risk management process. You are continually reviewing available information to determine if your existing risk profile (and, by association, your residual risk) is accurate.
 
#7
residual risk: risk remaining after risk control measures have been taken

Each time you implement a risk control measure, you will re-evaluate the residual risk. You also will have to evaluate the overall residual risk, which is the risk of the device as a whole.

You should not record a risk level based on what you will do in the future to control the risk. You should only record the residual risk level after the controls have been implemented.
 

qualprod

Trusted Information Resource
#8
Dear ukrain,
First off, you don't mention if it is risk under 9001 or another standard.
Under 9001 it is not necessary to establish a complex methodology because it is not required.
It only requires you to identify risks and opportunities and take actions to address such R&O.
But if you work under other standards, it may be helpful to take a look at ISO 31010; in it there are several methods to address the risks.
However, if you want to apply some other efforts to address the risk in 9001 (which is my case), there are some easy practices to follow.
I have to say that... risk always exists.
However, the value changes over time, for different causes: economy, government, laws, etc.
You need to establish allowable values for your business.
Example: if you detect a risk, use the formula PxI (probability x impact) and get low values (2x1=2), then this risk is under an acceptable value, so it is not necessary to take actions, and that's all.
But this or another risk will sometimes come up, and on analyzing it you get high values (5x5=25), so according to your criteria you must do something to lower that value.
Then you define actions, put them to work, and after some elapsed time you evaluate the same risk and get these values (2x2=4); now your risk value is under the control you have defined.
Example of criteria:
Risk type A, low risk, 1-5: do nothing.
Risk type B, medium risk, 6-12: implement action plans within 3 days after it is detected.
And so on. Additionally, you have to assign values for probability and impact.
Hope it helps.
 

ukrainka85

Starting to get Involved
#9
Even though 9001 does not require complex methodology, monitoring/review is part of 9001, and ISO 31000 guidance does have methodology on how Risk Management should be implemented. Risk Management is a process in my overall QMS (my industry is in pharma/clinical trials), and therefore it should have a monitoring/review component. ISO 31000 guidance says: "Monitoring and review need to be an integral part of the risk treatment implementation to give assurance that the different forms of treatment become and remain effective." This sounds like we need to evaluate if our controls are working. If we don't use "residual risk" as a concept/measure of risk after a mitigation, then the R/O tool will only have inherent risk evaluated? That seems incomplete from a Risk Management process perspective.
 

ukrainka85

Starting to get Involved
#10
residual risk: risk remaining after risk control measures have been taken

Each time you implement a risk control measure, you will re-evaluate the residual risk. You also will have to evaluate the overall residual risk, which is the risk of the device as a whole.

You should not record a risk level based on what you will do in the future to control the risk. You should only record the residual risk level after the controls have been implemented.
Yes and no. This is where my confusion comes from. It sounds like some people say residual risk should be estimated up front to show how our controls deal with inherent risk. Other people say that residual risk should be measured after controls have been implemented. There are different scenarios. It seems that when we have existing controls, we should calculate residual risk to see if those controls are already effective to treat new or existing risks. If yes, residual risk should be recorded. If no (no controls or they are not effective), we will need to develop additional risk treatment actions. In this case, it is irrelevant to estimate residual risk because it doesn't seem to add value. See diagram. Why would we estimate it?
