5 Elements of a Risk Management Policy

 

ISO 14971:2019 requires top management to establish a risk management policy. Here are 5 steps to achieve this important objective.


Clause 4.2 of ISO 14971:2019 requires top management to define and document a policy for establishing criteria for risk acceptability. This policy must provide a framework to ensure that criteria are based on applicable national or regional regulations and relevant International Standards, stakeholder concerns and the generally acknowledged state of the art.

It is not a new requirement in the 2019 revision of this International standard. However, there are several key changes in the language and organization of the clause. In this blog, we are focusing on 5 key aspects of a risk management policy that can help you comply with this revised requirement.

Why a policy and not a procedure?

The Merriam-Webster dictionary defines the term policy as “prudence or wisdom in the management of affairs”, or from a legal perspective as “an overall plan, principle, or guideline”, or “a contract of insurance”.

A procedure, on the other hand, is “a particular way of accomplishing something or acting”.

A procedure provides specific instructions, whereas a policy provides guidance for decision making on issues that are of material significance to an organization. A policy operates at a much higher level than a procedure.

The consequences of not following a policy are generally more severe than those of not following a specific procedure. Changes to procedures are routine and frequent, as new knowledge becomes available. Changes to policy, however, are less frequent because a policy relates to the way business is done.

By requiring a policy for establishing risk acceptability criteria, ISO 14971:2019 is creating a mechanism for top management responsibility and commitment.

Here are 5 key steps to consider as you develop your policy for risk acceptability required by ISO 14971:2019.

Purpose: The primary goal of a risk management policy is to provide guidance for establishing the criteria for risk acceptability. It does not mean that these criteria need to be spelled out in the policy. A best practice is to link the policy to the organization’s vision and/or mission statement to drive consistent action across the entire operation.

Scope: The policy needs to apply throughout the product lifecycle and to all personnel involved.

Factors: The policy needs to consider stakeholder concerns, regulatory requirements, international standards and state of the art in guiding the criteria for risk acceptability.

Risk Control: The nature of the products, their intended use, and the markets in which they are sold may influence the approach to controlling risks. Note 1 to clause 4.2 of ISO 14971:2019 outlines a few possible approaches such as reducing risks to as low as reasonably practicable (ALARP), as low as reasonably achievable (ALARA) or as far as possible without adversely affecting the benefit-risk ratio (AFAP).

Review and Approval: Specify who approves the policy and how often it is reviewed to ensure it continues to be applicable.

