When do we identify Residual Risk?

ukrainka85

Starting to get Involved
Should Residual Risk be identified in the initial version of a Risk Assessment right after we have identified what our risk responses will be OR should residual risk be calculated during the monitoring portion of the Risk Management process where we are seeing if the risk responses are actually "working"?
 

yodon

Leader
Super Moderator
Residual risk is, initially, your estimate of how well your controls mitigate the risks. Through postmarket activities, you are continually assessing whether your probability / severity assignments are accurate and if your risk controls are effective - and so you are possibly updating the residual risk throughout the life of the device.
 

qualprod

Trusted Information Resource
The approach I follow is:
1 First, a risk is identified.
2 The value is calculated.
3 According to the value or category, action plans are performed to lower the risk value.
4 Once the action plans are working, the new condition of the risk is evaluated.
5 This previous point is the residual risk.
Hope this helps
 

John Broomfield

Leader
Super Moderator
Residual means what you are left with after taking care of what you can.

So, we maintain our car, check our tires, make sure we are safe to drive, drive according to the conditions and obey signs, officers of the law and other traffic guides.

Our valid insurance policy covers us and others for the residual risks.
 

ukrainka85

Starting to get Involved
Thanks for the feedback. It is still unclear when in the process residual risk is assigned. Yodon said "Residual risk is, initially, your estimate of how well your controls mitigate the risks.", but qualprod said "once action plans are working, new Condition of risk Is evaluated." The former sounds like the evaluation of residual risk should be done up front, before implementing the risk responses, as an estimate. The latter sounds like we estimate the effects of the risk responses on the existing risks during periodic monitoring. Maybe it's both?

(1) estimate the residual risk based on existing controls and proposed responses, and (2) evaluate if the mitigations are actually having the effect they are supposed to. But what if they don't have the effect which was expected...? Where should that risk number be implemented? I get the question of "do we update the residual risk score during periodic monitoring?"
 

yodon

Leader
Super Moderator
I don't think there's any conflict.

Maybe walking through an example would help.

During my initial risk management activities (during design), I identify a risk and assign a probability (4) and severity (3). My initial risk value is (4*3) 12. I then determine a set of controls and, with agreement from the team, we feel the probability of occurrence has been reduced so we reduce that value to 2. My new risk score is (2*3) 6. This is my initial residual risk. We likely never make the probability go to 0 so we (always) have residual risk.

The team determines that the benefits of the device outweigh this residual risk (a whole separate ball o' yarn) and the product can be released.

After you put the product in the field, you start getting feedback, complaints, adverse event reports, etc. You review all these to determine if, in this example, your controls were truly effective in reducing the probability as you estimated. Suppose, in this example, you determine that the probability is, in fact, higher than your updated estimate (2). You then update the risk file with the new probability and score it out again. Use your documentation change records / history to help keep track of what was done (you can also have a notes section in your risk analysis). Maybe you determine this is unacceptable and go back to design to see if you can make changes to reduce the risk. Maybe you determine you can't make it any safer and so you re-do the exercise of determining if the benefits still outweigh the risks.

Risk management is an active process throughout the product life. These postmarket reviews may identify new risks, different severity levels, new ways of realizing risk, etc. All this is input to your Risk management process. You are continually reviewing available information to determine if your existing risk profile (and, by association, your residual risk) is accurate.
 
residual risk: risk remaining after risk control measures have been taken

Each time you implement a risk control measure, you will re-evaluate the residual risk. You also will have to evaluate the overall residual risk, which is the risk of the device as a whole.

You should not record a risk level based on what you will do in the future to control the risk. You should only record the residual risk level after the controls have been implemented.
 

qualprod

Trusted Information Resource
Dear ukrain
first off, you don't mention if it is risk under 9001 or another standard.
Under 9001 it is not necessary to establish a complex methodology because it is not required.
It only requires you to identify risks and opportunities and take actions to address such R&O.
But if you work under other standards, it may be helpful to take a look at ISO 31010; in it
there are several methods to address the risks.
However, if you want to apply some other efforts to address the risk in 9001 (as is my case), there are some easy practices
to follow.
I have to say that ...risk always exists.
However, the value changes over time, for different causes: economy, government, laws, etc.
You need to establish allowable values for your business.
Example: if you detect a risk, and use the formula PxI (probability x impact) and get low values (2x1=2),
then this risk is under an acceptable value, so it is not needed to take actions and that's all.
But this or another risk, sometimes it will come up, and on analyzing it, you get high values (5x5=25), so
according to your criteria, you must do something to lower that value.
Then you define actions, put them to work, and after some elapsed time, you evaluate the same risk
and get these values (2x2=4); now your risk value is under the control you have defined.
Example of criteria:
risk type A, low risk, 1-5, do nothing
risk type B, medium risk, 6-12, implement action plans within 3 days after it is detected.
and so on. Additionally, you have to assign values for probability and impact.
Hope it helps.
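A small Python sketch, added here and not code from yodon, qualprod or any standard, that models the sequence both replies describe: the inherent score, the design-time residual estimate once controls are chosen, and a postmarket re-score that keeps the earlier estimate in the change history rather than overwriting it. The scores follow yodon's walkthrough (4x3, then 2x3 after controls); the low and medium bands follow qualprod's criteria, and the high band, the hazard name and the postmarket finding are constructed assumptions.

```python
from dataclasses import dataclass, field

# Acceptance bands keyed by the maximum P x S score in each band. The low and
# medium bands are qualprod's criteria above; the high band is an assumption.
BANDS = ((5, "low"), (12, "medium"), (25, "high"))

def band(score: int) -> str:
    """Map a P x S score (1..25 on a 1-5 scale) onto an acceptance band."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is outside the 1-25 scale")

@dataclass
class Risk:
    name: str
    probability: int  # 1-5
    severity: int     # 1-5
    history: list = field(default_factory=list)  # change record of every re-score

    def score(self) -> int:
        return self.probability * self.severity

    def log(self, stage: str, note: str) -> None:
        # Append, never overwrite: earlier estimates stay visible for audit.
        self.history.append((stage, self.probability, self.severity,
                             self.score(), band(self.score()), note))

def estimate_residual(risk: Risk, probability: int, controls: list) -> int:
    """Design time: controls are believed to lower probability; record the initial residual."""
    risk.probability = probability
    risk.log("initial residual", "controls: " + ", ".join(controls))
    return risk.score()

def postmarket_update(risk: Risk, observed_probability: int, note: str) -> int:
    """Postmarket: field data revises the probability; re-score, keeping the prior estimate."""
    risk.probability = observed_probability
    risk.log("postmarket residual", note)
    return risk.score()

def walkthrough() -> Risk:
    """yodon's numbers, then a constructed postmarket finding (probability really 3, not 2)."""
    r = Risk("example hazard", probability=4, severity=3)
    r.log("inherent", "initial risk analysis during design")            # 12, medium
    estimate_residual(r, 2, ["design control A", "IFU warning"])        # 6, medium
    postmarket_update(r, 3, "complaint trend: control less effective")  # 9, medium
    return r
```

Each entry in `history` is one row of the change record yodon recommends, so the design-time estimate and the postmarket revision both remain traceable.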
 

ukrainka85

Starting to get Involved
Even though 9001 does not require complex methodology, monitoring/review is part of 9001, and ISO 31000 guidance does have methodology on how Risk Management should be implemented. Risk Management is a process in my overall QMS (my industry is in pharma/clinical trials), and therefore it should have a monitoring/review component. ISO 31000 guidance says: "Monitoring and review need to be an integral part of the risk treatment implementation to give assurance that the different forms of treatment become and remain effective." This sounds like we need to evaluate if our controls are working. If we don't use "residual risk" as a concept/measure of risk after a mitigation, then the R/O tool will only have inherent risk evaluated? That seems incomplete from a Risk Management process perspective.
 

ukrainka85

Starting to get Involved
Yes and no. This is where my confusion comes from. It sounds like some people say residual risk should be estimated up front to show how our controls deal with inherent risk. Other people say that residual risk should be measured after controls have been implemented. There are different scenarios. It seems that when we have existing controls, we should calculate residual risk to see if those controls are already effective to treat new or existing risks. If yes, residual risk should be recorded. If no (no controls or they are not effective), we will need to develop additional risk treatment actions. In this case, it is irrelevant to estimate residual risk because it doesn't seem to add value. See diagram. Why would we estimate it?
 