The Role of Risk Management in Compliance: Tools for Success

By Alexandre Alain, Life Science Product Manager, EtQ Inc. | March 10, 2016

Organizations today are more complex—businesses are increasing their global footprint, with locations around the world. This, coupled with the addition of mergers and acquisitions, results in disparate trends in compliance. Companies in the life sciences need to address their impact on both quality and compliance as they grow; however, there is a dissonance in how compliance is organized once a company expands in complexity.

Technology can help growing companies maintain compliance while facing complexity and change—automation of critical compliance processes is a start. Companies are implementing technology to streamline and connect business processes in line with compliance initiatives, and drive better process automation. They are integrating business systems to better communicate and create greater visibility into operations. They are also trying to harmonize processes by keeping a consistent and single workflow for processes that adhere to compliance initiatives.

This all comes at a cost, of course. Systems are an investment, as is investing time and resources to maintain compliance. There’s also the cost of reporting, compliance with changing regulations, adjustments to products and production as regulations change and more. These are all costs of compliance.

How can life science organizations ensure compliance, and find ways to streamline the process while mitigating costs?

Risk Management is a Key Tool in Compliance
Risk is becoming the way many companies are seeking to streamline compliance in an objective and systematic way.

Risk management starts with identification of any relevant risks. You should look at your business operations, determine where the hazards are, and what the risk of those hazards might be. A risk team will have to be assembled to help identify these risks throughout operations. The next step is to take known risks and determine a way to quantify those risks—to look for ways to measure the risk in a systematic and objective way. This can be done using scales such as severity and probability.

The next step is to implement a process for evaluating and assessing the risk. A risk assessment tool plays a valuable part in this aspect. The key point of risk management is the ability to come to a decision as a result of an assessment. Companies can use risk management tools to help quantify and filter the risk, but ultimately you will make the decision on how to handle the risk.
There are many considerations that go into this decision, such as:
  • Acceptance—it’s worth the risk.
  • Reduction—take steps to mitigate risk.
  • Compensation—find ways to insure against the risk.
  • Transfer—source out risk to a partner/supplier with a better management process.
  • Avoidance—if the risk is too much, stop the process altogether.
Once a decision is made, it has to be implemented. This arises as either managing change to processes or operations, implementing controls to mitigate or reduce the risk, or any improvement activities that can ultimately support your company’s decision.

The Value of Risk Assessment
The structured approach is in risk management, not risk assessment. Your company can’t have one without the other—risk management needs risk assessment, and vice versa. The key here is that risk management is the process by which a company systematically comes to the right conclusions, using risk assessment within the overall process. You use the process to help eliminate the subjectivity, and maximize the effectiveness of the tools within the process.

You’ll also need to collect a lot of data in risk management. One operational area is not enough—single points are going to provide something, but not the whole picture. It’s beneficial to roll out risk management throughout the enterprise, and record all types of data, not just the more critical. You should look at the near-miss data as well as the critical data to round out the risk management picture.

Risk management is the process by which your organization should be applying risk to all processes. Risk management helps ensure that risk is properly used. However, the risk assessment piece in itself is the core technology and tools that are needed to measure levels of risk. Risk assessment provides the means to evaluate risk in its operational context—it allows you to apply event data in a risk-based approach.

What makes risk assessment tools powerful is that they are repeatable and objective; your company can replace the otherwise subjective “gut feel” with a more guided decision-making approach. Furthermore, it’s easy to understand for people who aren’t directly initiated into the process. In many cases, it’s even color-coded.

Risk assessment tools help to drive change in both short-term and long-term contexts. This builds alerts for critical events, and wraps guidelines and decisions around risk assessment to develop solutions for unacceptable risk levels. These solutions are systematic and repeatable so your company can implement solutions for high risks in a more automatic and consistent manner.

However, it is important to reiterate that risk assessment is a tool, not the solution. Like any tool, you’ll have to make sure you don’t fall into a false sense of security by relying on the tool alone. For example, someone on the shop floor may see something as a critical risk and escalate the level of risk, whereas when a company rolls this up to the top floor, the risk may not be as bad in the larger context of operations. Risk needs to be universal in this sense, and not a matter of opinion. You’ll have to continuously test risk assessment and tweak the risk tools with this data. You should have a team in place to vet your risk tools and make sure that they are achieving the right results. As operations change or as more data fills the system, you may find that the risk levels need to be adjusted, just as they would with any business tool.

In quality and compliance, risk is found throughout the business operations. When looking at these operational areas, your company may find areas where risk assessment makes sense as a viable tool.

As a company designs processes, it can build risk management, in an operational context, into process planning for change. This ensures that the process is benchmarked along the way, and enables you to build risk management not only into change but also into the production part approval process (PPAP) and failure modes and effects analysis (FMEA).

Any organization is looking to foster continuous improvement because this drives the business to be more efficient and to operate in a more streamlined and compliant manner. When building risk management into continuous improvement initiatives, complaint data should be filtered by risk, to ensure that the most critical events are handled first. Those that pose the most risk to the organization rise to the top of the list. Risk management can also be built into the supply chain. This is a growing concept, and by creating a holistic approach to supplier risk, your company can determine which suppliers have a higher risk than others, giving you insight into which suppliers are the best for your company.

Similarly, internal audits will measure the effectiveness of operations, and building risk management into the auditing process will help to prioritize the level and nature of the audit report. Finally, corrective and preventive action is a great way to assess risk. It enables a company to not only effectively correct systemic issues, but to correct them to within acceptable risk levels. Risk assessment serves as an important “check” on the effectiveness of corrective actions taken. Was the level of risk reduced? If not, then maybe the corrective action wasn’t truly effective.

Common Risk Assessment Tools
There are many ways to approach risk management, and many organizations have developed different risk-based tools to suit their specific business needs. While these tools may be different, they share a common goal—to provide an effective risk management process. Below is just a sample set of some risk tools:
  • The Risk Matrix: The risk matrix is a grid that is quick, easy and colorful—it’s designed to make risk levels evident to all people in the operation. What risk matrices do is plot two or three levels on a graph: typically severity and probability. Each risk level is assigned a number, and within the graph a company can plot a formula to calculate where the two numbers intersect. Then, a user can assign a color to the level of risk—red, yellow, or green in a simple format (some will use more colors depending on the complexity of the result). The goal is that the company is defining a risk level based on two levels and building guidance into the results to help foster a decision based on the calculation.
  • Decision Trees: The next method for risk assessment is one many will use perhaps without knowing it’s a risk assessment—the decision tree. If your company receives an adverse event it can use the decision tree to help determine the outcome of that event. Decision trees can be built in such a way that they will help you come to the right decision and provide guidance on that decision. This is an effective method of risk assessment. It allows you to follow a path, usually through question and answer trees (e.g. if this; then this, etc.).
  • Bowtie Risk: Bowtie is a great method for assessment of risk in low-occurrence events. In some cases a company may have very little data on potential critical events, but the undesired effect of these events is so catastrophic that it cannot afford to sit and wait for it to happen. Bowtie is considered a proactive risk assessment tool in that it looks to mitigate risk before it even happens. This model looks at the undesired effect and builds out controls as “barriers” to prevent that event from occurring. Bowtie risk essentially builds out a scenario in which that event might occur and puts preventive controls in place to mitigate the risk of it actually happening. Similarly, it also builds out recovery controls to minimize the impact if the event does in fact occur.
Compliance is moving towards a risk management focus, and building in risk tools is an effective way to benchmark and measure compliance. However, it is important to add that risk technology is not automatic—these are just tools to support decision making. They do not replace people. Risk tools will take a level of subjectivity out of the equation by virtue of historical data and quantitative risk tools, but the ultimate decision-making still relies on employees.

Risk is common for all levels of compliance—it is a universal language that is applicable to many operational areas. It provides an objective and systematic way for your company to filter and prioritize adverse events to help ensure better informed decision-making and, in turn, continuous improvement. 

Alexandre Alain is the Life Science Product Manager for EtQ Inc., headquartered in Farmingdale, N.Y. Alex has extensive background in the life science industry, where he focuses on multiple processes within quality and manufacturing. He is experienced in nonconformance and CAPA, complaints, change request, training and validation and has served roles as quality improvement lead and line manager. Alex focuses on quality processes as he leads implementation and guides customers through their quality management journey.