It’s undeniable that the healthcare sector is one where the safety of patients and of anyone involved in medical procedures is, and must be, a priority. While in other industries threats may pose a business challenge rather than a physical one, that is not the case here. When a patient’s health and wellbeing are compromised, the consequences may be severe. That’s also why the sector is heavily regulated, and very specific instructions on how to identify and mitigate risk are regularly issued by supervising institutions such as the European Commission in the EU, the Medicines and Healthcare products Regulatory Agency (MHRA) in the UK, and the U.S. Food and Drug Administration (FDA) in the US.

In the EU, the medical device sector is standardised under the Medical Device Regulation, which went into effect on May 26th, 2021, after the previous regulation (the Medical Device Directive) expired following a 3-year transition period.

Learn more about the changes brought about by the MDR and how it compares to the MDD –> EU MDR vs MDD: what’s changing for the European MedTech industry?

According to this document, devices are classified based on the risk they pose to patients’ health and safety and then divided into 4 classes: I, IIa, IIb and III. For more information on the medical device classification and how to assess how your product should be classified, visit our blog –> EU MDR: what you need to know about Medical Device Regulation in 2021.

The EU Medical Device Regulation has also been aligned with the ISO 14971 standard since 2012, and this norm is therefore widely used for assessing and managing risk for medical devices on the EU market, with a separate version, ISO 14971:2019, recommended for the rest of the world.

It’s important to add here that while medical devices in class IIa, IIb and III need to be assessed by a Notified Body supervised by the European Commission, for devices in class I, manufacturers can go through the assessment process on their own.

In today’s article, I’d like to give you the necessary guidelines for risk management, along with tools whose scope goes beyond the healthcare industry, as they can easily be employed for risk assessment in any other sector.

What is risk management?

Risk management is the process of identifying, analysing and either reducing or enhancing things that may not go according to plan. It may sound counterintuitive, but it’s basically about preparing for the uncertain and unpredictable, anything that may impact your objectives.

It may sound surprising, but risk management includes all situations and conditions that are changeable, both negative (threats) and positive (opportunities). The key here is making sure that you know what to do when they occur. In the case of threats, it’s also about limiting – not eliminating – the risk as it’s impossible to completely eradicate it. If you can increase your tolerance and resilience to any unpredictable element, then you’re on the right path.

Now – before we look at risk-reducing and risk-enhancing strategies – let’s go through a list of possible threats and opportunities.

Please note that these may be different for each company, so this list is not complete. It’s also not to say that you should be including or focusing on all these risks in your strategy. It’s far more important to identify the threats and opportunities that have been, are and will be crucial for your business than to follow through on all of these.

What are the types of risk management?

Clinical/patient safety risk

Let’s start with a type of risk that’s crucial for the healthcare sector – the clinical/patient safety risk. It’s at the core of any risk management process for this industry, with the primary goal of identifying circumstances that may pose a threat to patients’ health and wellbeing, so that these threats can be prevented and managed.

Strategic risk

As a business professional, you need a strategy that includes your goals and the steps to achieve them. What you may not be taking into account is the fact that both of these are prone to change and to external conditions. This is what is called strategic risk. It’s therefore crucial to include risks in your strategy, so you can respond whenever they occur.

Compliance risk

Even if you’re not working in a heavily regulated industry, there are still standards you ought to be following. And as with almost anything external to your business, these are constantly being adjusted. The current situation with the Covid-19 pandemic brought a new swarm of regulations that couldn’t be predicted or prepared for. That’s why you should be responsive and adjust your compliance strategy when necessary.

Liquidity risk

Liquidity risk is linked to circumstances where an organisation or an individual is not able to cover their short-term financial obligations due to the lack of ability to convert – or in other words, sell – their assets. Although there are certain methods for tackling this situation such as asset liability management, they may not always be successful, especially in a highly unpredictable environment.

Operational risk

Your internal processes may seem perfect, but it may happen that they will be affected by unprecedented conditions such as external security breaches or legal changes. Although these will likely require you to adjust your company’s in-house procedures, they can also have a wider reach and negatively impact your reputation, stakeholder value and client satisfaction. Assessing and proofing your operations against any type of risk is, therefore, a crucial activity for any business owner.

Technology risk

Almost any sector has specific technology risks, although in more tech-based industries they’re far more threatening and visible. Technology risk may refer to any danger related to a technology failure that may disrupt your company’s activities. It includes not only direct hazards such as data breaches, software breakdowns and spyware, but also more indirect ones, such as technology debt, which from my own experience is often underrated and can easily turn into a downward spiral if neglected.

Staff/personnel risk

The lack of employees or potential candidates to hire is one of the recurring issues in almost any industry. This hazard includes not only being unable to recruit new people but also very low retention and high turnover rates, especially among highly skilled specialists who are expensive to hire and not easy to replace. There are ways to limit and mitigate this risk, but you need to approach it holistically.

Opportunity risk

Opportunity risk is exactly the type of hazard you want to encounter as a business owner. This is also where you would use a risk management technique centred around enhancing and exploiting risk.

How to define your risk management goals?

Once again, it’s important to remember that while there are overall goals you can set depending on your strategy, ultimately, the actual problems to target will be different for each company.

This process of defining your risk management goals starts with identifying the opportunities and threats that are unique to your business.

How to do it right?

The most effective way is to identify the risks and the opportunities your business may be missing in its overall growth strategy. Once this list is ready, you can analyse them and apply the risk management strategies I’ve described below to limit or enhance certain hazards, depending on the character of their impact.

Risk management strategies


As with the types of risk, we can define strategies that are associated with either negative or positive risks.

When it comes to threats, there are several ways to tackle them:

Avoiding risk

This is the best-case scenario for any type of threat, and also a strategy that you are unlikely to use very often, as most risks can be limited but not avoided. Examples of using this technique include cancelling a project, identifying the root cause and eliminating it, and collecting and sharing information between all stakeholders. You definitely want to apply this strategy to any critical threats.

Transferring risk

Transferring the risk is basically a different name for insuring your business assets. The insurance company takes some responsibility for damages caused by unpredictable conditions such as natural disasters or accidents. This strategy will be ideal for any situations and resources that can be prone to casualties, that can have a huge impact on your company and where you can find affordable insurance options.

Mitigating risk

This is the most popular strategy and I guarantee that you will apply it frequently. Mitigating the risk is all about making sure that it’s decreased using small changes and tweaks to your plan. Ideally, this should happen as early as possible to reduce the probability of any damages. One of the examples of using risk mitigation is preparing an MVP of a product before launching it. The key to mitigation is to identify the risks first and check how they’re all linked together.

Sharing risk

Similarly to transferring risk, this strategy consists of sharing the risk with another company. Most often it takes the form of a partnership where each partner is responsible for some element of business operations, but it’s not limited to this option. Sharing the risk can also be achieved by dividing the accountability among a few different parties, such as outsourced companies or company members.

Here are the methods for boosting positive risks, also known as opportunities:

Accepting risk

This strategy can be used for potential threats too, especially when the risk is low and will not have a long-lasting impact on your company. This strategy will be also perfect for any situation where the outcome is highly unpredictable and we’re yet to explore whether it will have a positive or negative influence on the company’s operations.

Exploiting risk

This strategy is to be applied to opportunities only, for obvious reasons. Even if the occurrence depends on multiple factors, there are still things you can do to exploit it when it happens. For example, you can train your staff in extra skills, or make plans for a scenario where the demand for your product is much higher than expected and you need to deliver it to your customers faster and more efficiently.

Enhancing risk

Enhancing risk is a more subtle way of exploiting it. It’s also about identifying what may cause the positive risk to bring even more positive outcomes and focusing on these root causes.

Risk management tools

Risk Data Quality Assessment

Assessing the quality of your data and collecting it with the right approach are key to a successful risk audit. As often happens, the only issue is that not much objective/quantitative data is available, so you must rely on subjective/qualitative data. The most effective way to gather this type of data is in-person interviews, where you need to look out for bias that would falsify your results, including availability bias (interviewees focus on recent events only) and organisational bias (interviewees try to make the project look better and/or are afraid of talking about difficult situations). I’d say that in both cases, what’s necessary for breaking the bias is trust and psychological safety. If you’re using risk assessment as a way to deride employees, you will never get the valid data needed to complete a risk audit.

Probability and Impact Matrix

Focusing on too many risks at once would strain your team’s resources and possibly cause them to either avoid any risk prevention activities or enhance the risk of failure. What’s the best approach then? Once you’ve identified possible hazards, it’s time to group and prioritise them. You can do that by determining how likely each of these risks is to happen and what the possible impact on other aspects of your project would be. With the matrix filled with the hazards that may threaten your project, your team is well-equipped to know where to concentrate their efforts.

Risk Register

A risk register is one of the most straightforward risk assessment tools out there, but its impact is not to be underestimated. It doesn’t need any complex systems; all you require is a spreadsheet where you include descriptions of existing risks, their possible outcomes/impact and the best ways to prevent them from happening. You can also indicate the risk level for each of these hazards and assign a person responsible for limiting them and responding accordingly. A simple risk register is also perfect for tracking any lessons learnt following, for example, a product launch, and for monitoring how well your team has been addressing any obstacles.
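As an added illustration of the two tools just described (not code from the original article), the script below keeps a small risk register in code, scores each entry on a probability and impact matrix, prioritises the list, and flags register rows that are still incomplete. The 5x5 scale, the level thresholds, the rule that a catastrophic impact is always treated as high, and the sample risks are all constructed assumptions for the example; ISO 14971 leaves the actual scale and acceptability criteria to the manufacturer.

```python
"""Probability and impact matrix on top of a simple risk register.

Added example, not from the original article. The scale, the level
thresholds and the sample register rows are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed 5-point scales (assumption: any ordinal scale works the same way)
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass
class Risk:
    """One row of the register: description, outcome, owner and response."""
    risk_id: str
    description: str
    category: str           # e.g. "patient safety", "technology", "staff"
    probability: str        # a key of PROBABILITY
    impact: str             # a key of IMPACT
    owner: str              # person responsible for limiting and responding
    mitigation: str = ""    # planned response; empty means nothing decided yet
    residual_probability: Optional[str] = None  # expected after mitigation
    residual_impact: Optional[str] = None

    def score(self) -> int:
        """Matrix cell value: probability times impact before any response."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Matrix cell value after the planned mitigation (unchanged if none)."""
        p = self.residual_probability or self.probability
        i = self.residual_impact or self.impact
        return PROBABILITY[p] * IMPACT[i]


def level(score: int, impact: str) -> str:
    """Map a score to a level. Assumption for patient-safety work: a
    catastrophic impact is 'high' no matter how unlikely it is."""
    if impact == "catastrophic" or score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_matrix(risks):
    """Group risk ids into a 5x5 grid indexed by (probability, impact)."""
    grid = {(p, i): [] for p in PROBABILITY for i in IMPACT}
    for r in risks:
        grid[(r.probability, r.impact)].append(r.risk_id)
    return grid


def prioritise(risks):
    """Highest score first; ties broken by impact so severe risks come first."""
    return sorted(risks, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def register_gaps(risks):
    """Rows above 'low' with no mitigation recorded, or whose mitigation still
    leaves a high residual level: these are the rows the team must revisit."""
    gaps = []
    for r in risks:
        if level(r.score(), r.impact) == "low":
            continue
        if not r.mitigation:
            gaps.append((r.risk_id, "no mitigation recorded"))
        elif level(r.residual_score(), r.residual_impact or r.impact) == "high":
            gaps.append((r.risk_id, "residual risk still high"))
    return gaps


# Constructed sample register (hypothetical entries, not a real product)
SAMPLE_RISKS = [
    Risk("R1", "Software update could alter the dose calculation of a pump",
         "patient safety", "unlikely", "catastrophic", "QA lead",
         mitigation="Independent hardware dose limiter plus bench test before release",
         residual_probability="rare", residual_impact="major"),
    Risk("R2", "Backup of patient records is not encrypted at rest",
         "technology", "likely", "major", "CTO",
         mitigation="Enable encryption at rest and verify it in the next audit",
         residual_probability="rare", residual_impact="major"),
    Risk("R3", "Only one engineer understands the legacy reporting module",
         "staff", "possible", "moderate", "Engineering manager"),
    Risk("R4", "Printer runs out of toner before the audit meeting",
         "operational", "likely", "negligible", "Office manager"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(r.risk_id, r.score(), level(r.score(), r.impact),
              "-> residual", r.residual_score())
    print("gaps:", register_gaps(SAMPLE_RISKS))
```

Run as a script it prints the prioritised register (R2, R1, R3, R4) and reports R3 as the one row with no mitigation recorded; R1 scores lower than R2 on the matrix but is still rated high because of its catastrophic impact, which is the kind of rule a clinical risk process usually wants made explicit rather than left to the arithmetic.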

Brainstorming

Although brainstorming is one of the most casual forms of assessing risk, remember that it needs at least a minimal structure in order to be impactful. If I were to give you just one piece of advice for successful brainstorming, I’d pick this: learn how to ask better questions and focus on them instead of seeking responses. Also, ensure that you document each brainstorming session.

Root cause analysis

Simply speaking, root cause analysis (sometimes abbreviated as RCA) is all about finding the root causes of failures and issues in your project. Although it may sound plain, it’s a powerful risk prevention tool. The goal of this type of analysis is to discover what really stands behind setbacks, so you focus on matters that may not be visible at first glance instead of just solving problems on the surface. There are multiple ways to approach RCA, but one of them is the rule of ‘5 Whys’. You start with a statement about the most recent issue or failure, and you work backwards by asking why you weren’t doing certain things or following certain procedures, five times, until you get to a root cause. You can then brainstorm with your team to determine an action plan aimed at fixing it.

As it is with other strategies mentioned in this article, the most important thing to remember here is that you need to keep a fresh eye on what is and has been happening in your project and an open mind to be able to question your findings.

Delphi technique

The Delphi technique is a forecasting tool that can easily be adapted to serve as a risk assessment template. What’s important – especially in this day and age – is that sessions can be run either in person as a group discussion or online as an asynchronous exercise. If you take the latter approach, I highly recommend deciding on the set of questions very carefully and keeping it the same for every participant in the exercise. Once you’ve collected enough responses, you can move on to rating each risk over a few iterations, so that a comprehensive list is formed that is also confirmed by every participant in the exercise.


Over to you

If you’re not sure how to go through the risk management process on your own and apply the MDR and ISO 14971 requirements to your product or service, then do not hesitate to contact our team of experts on our Healthcare and Life Sciences website.

About the author

Matylda Chmielewska

Business Researcher