The notion of a risk-based approach to manufacturing domains such as quality, asset performance, safety and environmental management is not new to life sciences manufacturers. What’s changed is the scope and nature of risk management processes, and how they relate to overall enterprise risk management, sustainable operations, and profitable growth. This trend is driven by the accelerating rate of change in global business networks and operations, creating a more dynamic risk environment and calling for better risk processes and outcomes.
The demand for transparent and effective risk management from external stakeholders has also contributed to the need to change risk strategies and processes. Today, customers, regulators, investors, employees, and other concerned stakeholders demand accountability for management systems failures and the resulting incidents and accidents that harm people, production, profitability, and ultimately reputation and shareholder value.
Life sciences manufacturers should consider the advantages of a unified risk management framework to address all types of risk relevant to the enterprise.
Risk Management Shortchanged When Focus is Limited to Compliance
Compliance assurance is an essential capability of any regulated organization. Life sciences manufacturing is among the most heavily regulated industries, especially from a product lifecycle standpoint. The industry is governed by a plethora of legal requirements and consensus standards including ISO 14971, ISO 13485:2016, and FDA Q9, among many others.
As a result, life science companies are intensely focused on meeting compliance requirements and managing the associated regulatory risk (to some extent at the expense of holistic risk management). Such a focus on compliance per se is a sound business strategy when the license to operate, product commercialization, and business continuity depend on meeting compliance obligations. On the other hand, compliance is just one aspect of the total risk picture. Industry and regulatory compliance assurance don’t equal effective risk management.
The life sciences-specific standards cited above, as well as cross-industry standards adopted in life sciences such as ISO 9001 and ISO 14001, all have risk-related requirements. However, there was a lack of standardization of risk requirements across these standards as they were developed somewhat independently. As a result, over time many organizations created multiple siloed risk management processes and systems.
C-Suite and Corp Boards Attacking Silos
As with most industries, risk in all its forms has captured the attention of corporate boards and C-suite executives in the life sciences sector. Enterprise risk portfolio management is elevated to a strategic business issue. This is reflected in the executive focus on the disclosure and management of all issues that can have a material impact on the business. Companies are moving from pure financial reporting to integrated reporting that covers non-financial issues such as environmental, social, and governance matters.
With the changing business landscape and increased stakeholder demands for transparency, the life sciences risk portfolio has steadily expanded far beyond regulatory risk to encompass categories such as strategic, financial, operational, supply chain, and reputational risk.
The ongoing digitalization of manufacturing operations also comes into play. Smart Manufacturing based on the Industrial Internet of Things (IIoT) changes the risk landscape by introducing cybersecurity threats, among other risks. The scope, dynamics, and impact of risk to be managed in life sciences have increased, stressing the existing fragmented risk management processes and systems.
Towards Integrated Risk Management
Such a framework supports a risk-based approach as mandated in recently revised ISO management system standards. The foundation is a closed-loop risk management process spanning identification, analysis, controls, and monitoring. Best practice guidance for an integrated risk management approach is found in the ISO 31000 risk management guidelines. This guide was updated earlier in 2018 and is congruent with the risk-based approach common to ISO 9001, 14001, and 45001. Yes, risk management requirements are now more harmonized, but integrated risk management still needs attention to align people,
There are also many challenges associated with a move towards a unified risk management system. Strategic considerations of how risk relates to enterprise objectives and risk tolerance need to be managed. At the same time, provisions need to be made for risk assessment and control for specific operational risks that may require specialized risk assessment and hazard analysis methods, and a way to tie them into the overall risk management framework. Although challenging, implementing an integrated approach will help life science companies efficiently deal with the entire risk portfolio, instead of just focusing strictly on regulatory compliance.