Managing risk in a quality management system (QMS) is considered a clear maturity indicator and a way to determine that an organization is evolving or has evolved from a reactive and less controlled state towards an agile, market-leading proactive and anticipatory approach to quality management.
In this post we are going to discuss how an organization should underpin its CAPA process and what is on the risk horizon for mainstream quality management.
Risk Management Is of Strategic Importance
For life sciences companies, medical device manufacturers and those in aerospace or automotive, this shift is more an alignment for mainstream quality management to the practices they have been engaged in for years in the form of ISO 14971 in the context of ISO 13485 and the identification of vulnerabilities in the QMS (TS 16949) among others. For mainstream quality or those organizations that have yet to implement risk management processes, it is a new language and all stakeholders will need to understand it--and the sooner the better.
Risk management as part of a QMS has a strategic relevance, and understanding how it feeds enterprise risk and ultimately an organization's governance, risk and compliance (GRC) strategy is a significant topic--one too large for a blog article. A good place to start the journey or open the discussion is a risk-based approach to corrective and preventive actions (CAPA)--risk management at the grassroots, one might say.
When the Draft International Standard (DIS) for ISO 9001:2015 was published earlier this year, commentators began to discuss the more explicit requirements around risk management. Many quality professionals proclaimed that we have been doing this all along through preventive actions. And to some extent they were right: identifying and implementing preventive actions is about risk--an issue was identified upstream, before it occurred or before a vulnerability materialized. But unless the action was the direct outcome of a risk assessment, or was assessed on the basis of the risk the issue (hazard) posed, it is neither true risk management nor risk-based, and the reason for that is structure.
Most of Us Are Already Very Good At Assessing Risk
We evaluate risk frequently in our lives, both consciously and subconsciously. We implement informal corrective and preventive actions and evaluate the effectiveness of controls. Consider a conscious evaluation of the route to work based on the time you leave home in the morning for an important meeting. What is the likelihood (probability) of congestion (hazard) on your route given that the usual start time is 7.30 a.m.? If you're late, upsetting or potentially losing a key client would be the severest of results (harm).
Leaving earlier than usual would be an option (control). Is the exposure that remains (residual risk) tolerable, given that you do not live at the meeting location and must get to work via a route with known congestion (inherent risk)? It is safe to assume that upsetting or losing a client is not considered tolerable.
The control mechanism of leaving earlier, a preventive action, does not guarantee getting to the meeting but it does reduce the probability of occurrence significantly. You may still encounter a different hazard but I hope you didn’t consider sleeping at the office! Identifying and analyzing all hazards in a systematic way and evaluating these would constitute a full risk analysis.
What is lacking from the simplified commute analogy is the structure of the assessment, the fact that it's a single-point-in-time issue, and the fact that an individual can rapidly process a risk evaluation and has intuitively already dismissed all the low-probability and minimal-harm hazards from their analysis. Organizations are often challenged when going through the process of hazard identification and analysis.
There is a clear need to build a taxonomy of risks by product, process or another denominator. The organization requires consistent hazard assessment parameters that are relevant up, down, and across the value chain. Risk tolerance has to be set and monitored; control effectiveness reviews and hazard re-assessment have to be scheduled by priority. The risk landscape should be easily interrogated so that intelligence and insight can be acted upon and, sometimes more importantly, deliberately not acted upon.
Attack Risk Management by Weaving into CAPA Processes
Given the magnitude of the task, it is no surprise that one of the most commonly harmonized processes in an enterprise quality management system (EQMS), CAPA, is regularly the first place that has risk assessment baked in. It is also true that providers of EQMS solutions often explicitly link bi-directionally between their risk management toolsets and their CAPA modules--an obvious link being from risk assessment to actions, but the reciprocal link being of importance when starting out from a CAPA initiation.
Assessing each CAPA at initiation using basic, consistent risk-based principles adds rigor and aids harmonization. It helps bed in the principles and is more digestible for an organization getting started with the language and tools of risk management. An immediate benefit is realized by stemming any first-in, first-out mindset that has crept in. Additionally, opinion is replaced by a methodology of assessment, and better business value is the direct result.
This approach to CAPA is a good example of implicit risk management used to improve the process overall. It is not meant to replace or serve as an alternative to the business’ requirement for explicit risk management as articulated by the standards and direction of updates to standards mentioned earlier in this post.
A typical assessment will use probability on a scale from improbable to frequent versus an axis of harm (severity) from negligible to catastrophic. Harm is typically given context in product or service terms, ranging from needing improvement to product non-conformity in the field. Also included are qualifiers to help understand financial risk (harm), from a few thousand dollars to multi-millions depending on the size of the enterprise, and finally the aforementioned compliance risk, ranging from an opportunity for improvement (OFI) through to enforcement-body-driven product recall or service suspension.
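The following is an added example, not code from the original post or from any EQMS vendor, of what the matrix described above looks like once it is written down. It scores a small CAPA backlog on probability versus the worst of three harm dimensions (product, financial, compliance) and ranks it by risk rather than by arrival order, which is the first-in, first-out habit the previous section warns about. The five-point scales, the financial thresholds, the band cut-offs and the sample CAPAs are all constructed assumptions for illustration; an organization would calibrate them to its own tolerance.

```python
"""Risk-based CAPA prioritisation on a probability x severity matrix.

Everything below (scales, thresholds, bands, sample backlog) is a constructed
assumption for illustration, not a value from ISO 14971, ISO 9001 or any EQMS.
"""
from dataclasses import dataclass
from typing import Dict, List

# Ordinal axes; the list index is the score (assumed five-point scales).
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]

# Qualifiers for two of the harm dimensions, mapped onto the SEVERITY index so
# that all dimensions share one axis (assumed mappings).
PRODUCT_HARM: Dict[str, int] = {
    "needs improvement": 0,
    "internal nonconformity": 2,
    "field nonconformity": 4,
}
COMPLIANCE_HARM: Dict[str, int] = {
    "OFI": 0,
    "minor finding": 1,
    "major finding": 2,
    "warning letter": 3,
    "recall": 4,
}


def financial_severity(loss_usd: float) -> int:
    """Bucket an estimated loss onto the SEVERITY index.

    Thresholds are constructed for an assumed mid-size enterprise; each
    threshold crossed adds one severity step (0..4).
    """
    thresholds = [10_000, 100_000, 1_000_000, 10_000_000]
    return sum(loss_usd >= t for t in thresholds)


@dataclass
class Capa:
    capa_id: str
    opened_seq: int          # arrival order: what a FIFO queue would sort by
    probability: str         # one of PROBABILITY
    product_harm: str        # key of PRODUCT_HARM
    est_loss_usd: float
    compliance_harm: str     # key of COMPLIANCE_HARM

    def severity(self) -> int:
        """Worst-case severity across the three harm dimensions."""
        return max(
            PRODUCT_HARM[self.product_harm],
            financial_severity(self.est_loss_usd),
            COMPLIANCE_HARM[self.compliance_harm],
        )

    def risk_score(self) -> int:
        """Matrix cell as (probability + 1) * (severity + 1), range 1..25."""
        return (PROBABILITY.index(self.probability) + 1) * (self.severity() + 1)


def risk_band(score: int) -> str:
    """Map a matrix score to a tolerance band (cut-offs assumed)."""
    if score >= 15:
        return "intolerable"
    if score >= 8:
        return "review"
    return "tolerable"


def prioritise(backlog: List[Capa]) -> List[str]:
    """Rank by risk score descending; ties fall back to arrival order."""
    ordered = sorted(backlog, key=lambda c: (-c.risk_score(), c.opened_seq))
    return [c.capa_id for c in ordered]


# Constructed sample backlog in the order the CAPAs were opened.
SAMPLE_BACKLOG: List[Capa] = [
    Capa("CAPA-001", 1, "occasional", "needs improvement", 5_000, "OFI"),
    Capa("CAPA-002", 2, "remote", "internal nonconformity", 250_000, "minor finding"),
    Capa("CAPA-003", 3, "probable", "field nonconformity", 2_000_000, "recall"),
    Capa("CAPA-004", 4, "frequent", "needs improvement", 50_000, "OFI"),
]

if __name__ == "__main__":
    for c in SAMPLE_BACKLOG:
        s = c.risk_score()
        print(f"{c.capa_id}: P={c.probability}, S={SEVERITY[c.severity()]}, "
              f"score={s}, band={risk_band(s)}")
    print("FIFO order :", [c.capa_id for c in SAMPLE_BACKLOG])
    print("Risk order :", prioritise(SAMPLE_BACKLOG))
```

Taking the maximum across harm dimensions rather than summing them keeps a single catastrophic qualifier (a field non-conformity or a recall) from being diluted by low scores elsewhere; a product team might instead weight the dimensions, but whichever rule is chosen should be written into the taxonomy so every CAPA is scored the same way.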
An EQMS will provide a common framework for CAPA, risk-based CAPA and for the long-term, full risk management in an explicit form. The tools do not do the work for an organization--it is not that easy. These solutions do however provide consistent, efficient, and effective frameworks for taxonomy and methodologies in addition to accountability, ownership, traceability and flexible analysis and reporting.