#17 – HEALTH PRODUCT RISK MANAGEMENT: ERM VS. PRODUCT RISK ASSESSMENT – EDWIN BILLS

This newsletter has focused on Enterprise Risk Management (ERM), which applies to all businesses, and some would say to non-profits as well as profit-making enterprises.  In this article we will bring a different perspective to Risk Management from a particular sector of the economy.

PRODUCT SAFETY AND RISK MANAGEMENT
In healthcare manufacturing, there are very specific requirements from the regulatory bodies for the manufacturers to address product safety.  This focus has been titled “Risk Management” but it rests on a different set of definitions.

Two specific documents in this field have been developed to address the needs of the health products industry, which includes pharmaceuticals, biologics, and medical devices.  Pharmaceuticals include common off-the-shelf pain relievers and prescription drugs, while biologics include vaccines.  Medical devices are much more diverse and vary from toothbrushes, tongue depressors, and hospital beds, to automatic external defibrillators and mechanical hearts.

The two documents covering risk management for these products have been developed based on definitions of “risk” found in ISO/IEC Guide 51, which defines product safety terms and contains definitions for risk that are different from the definitions found in ISO/IEC Guide 73 on risk management terms.  ISO/IEC Guide 73 provides the definitions for the ISO 31000 general risk management standard.

CONFUSION ARISES
And now the confusion arises.  Within the healthcare industry, the management team wants to implement Enterprise Risk Management and, from a management perspective, wants all risk management in one neat, clean place.  That would be great if risk were defined as “effect of uncertainty on objectives” in both ERM and product risk management.

However, the Guide 51 product safety guide definition is “combination of the probability of occurrence of harm and the severity of that harm”, where harm is “physical injury or damage to the health of people, or damage to property or the environment”.  Thus, the focus of the Product Safety Risk Management process is much different from the Enterprise Risk Management process.

A medical product manufacturer is left with a decision regarding the implementation of a risk management process.  Do I implement one process or two separate risk management processes – ERM and Product Risk Management?

THE CHALLENGE OF TWO RISK MANAGEMENT SYSTEMS
The answer is based on the fact that the two standards that define “state of the art” for risk management processes use two different risk definitions.  The manufacturer of these products needs to have two separate systems that address the separate needs of the two processes. One protects the business from risks, such as regulatory, IT, and financial risks, and also allows the business to take advantage of risk opportunities, like being first to market with a novel product.  The Guide 51 based system protects the user of the product from safety issues with the product, thus reducing the product liability issues with the product.

One of the reasons for having two separate systems relates to the regulatory schemes covering the health products industries.  While all firms doing business in the United States must operate within the SEC and Federal Trade Commission regulatory environments, health products firms have the additional requirement of Food and Drug Administration (FDA) regulators overseeing their business.  The FDA investigators who routinely inspect a health products company do not have access to business processes like finance, unless that business process becomes a part of the processes which FDA normally has the legal ability to access.

While the SEC may be interested in financial risk issues, those issues are not under the jurisdiction of FDA, unless, in this case, the company has created a single process covering all risk activities like Information Technology, Financial, Insurance, and Stock risk issues, along with the product safety issues (risk) that FDA routinely reviews during inspections.  Especially in product liability cases, it is not good to connect product safety decisions with financial decisions.  Also, in a single risk management process, regulators such as FTC and SEC would examine the product safety processes.

So while we use the term “risk management” in both cases, it is important that a company understands the difference between the two processes and applies them in such a manner that the company is protected from Enterprise Risk Management issues, and also from Product Safety Risk Management issues.  The best solution is to provide a separate, properly managed process for each risk system, with each reporting to top management through the structure assigned responsibility for that process.  For instance, the ERM Risk system might report through Finance, while Product Risk might report through the Quality organization.

Both systems are equally important to the success of the organization and require properly trained team members to operate the processes, and management to oversee the systems to assure resources necessary for success are provided.

Bio:

Edwin Bills is an ASQ Fellow, ASQ Certified Quality Engineer, ASQ Certified Quality Auditor, and ASQ Certified Manager of Quality/Organizational Excellence.  He is also Regulatory Affairs Certified by the Regulatory Affairs Professionals Society.  Mr. Bills holds Bachelor's and Master's degrees from the University of Cincinnati and is on the adjunct faculty of the Virginia Tech Graduate Health Products Risk Management Program, Blacksburg, VA.  He also serves on the US national committee sponsored by AAMI, committee QM/WG04 application of risk management to medical devices, and assisted the international technical committee in development of ISO 14971.  Mr. Bills has over 25 years' experience in the medical products industry and is currently Principal Consultant for ELB Consulting, Butler, KY.

 
