Risk Management – So much more than just compliance

Kenn Milton: Elemed expert corner

This is a blog written by Elemed expert guest blogger Kenn Milton.
Want to be a guest blogger? Email mathilde@elemed.eu for more info!

There are two reasons for implementing a Risk Management System:
1. To run an effective business
2. It is a requirement

People who have read the previous blog about Quality Management Systems might notice some similarities in the introduction and the setup of this blog. This seems reasonable – as Risk Management sets the level of effort expected to be put into the Quality Management ecosystem.

Risk Management is the systematic approach to identify, evaluate, respond to/control, and accept risk.

In medical devices, risk is understood on two levels. The first level of risk comes with the classification of the device, which guides the company to the minimum level of documentation required. The second level of risk is introduced when designing, developing, manufacturing, and maintaining the product and services. This risk identifies the effort needed in each activity to build enough evidence to prove that the device meets the General Safety and Performance Requirements.

The first risk level can be established for each individual device in accordance with MDR, Annex VIII – Classification Rules. The second risk level is probably the most difficult and complex task when creating the technical documentation, but it is also the most rewarding. Why is it difficult? Because risk management is subjective: two people assessing the same risk can reach two completely different outcomes. It is therefore important, when evaluating a risk, to write down the justification for the assessment. Adding to this complexity is the fact that a risk is only a “potential” issue, so it must be expected that a number of identified risks never become actual issues. It is crucial to follow the same risk definitions and procedures in order to get value from multiple risk assessments. It is essential that key stakeholders, e.g. the product owner, subject matter experts and the person responsible for regulatory compliance, contribute to the risk assessment. Please read the blog on Quality Management Systems to get the full value of the ecosystem.

Risk is commonly understood as Risk = Severity × Probability, where both factors must be predefined, documented, and commonly understood by all stakeholders before the risk assessment information is filled in. If the definitions are not aligned, the outputs of different assessments cannot be compared.

Risk can be accepted, mitigated, avoided, or transferred. A low risk can be accepted; a high risk is by default unacceptable and must be mitigated, avoided, or transferred. Mitigation means that the company implements a risk control; avoidance means that the requirement which causes the risk is removed; and transfer means that a supplier or third party is selected to mitigate the risk in question.

Risk controls can e.g. be SOPs and training (internal), or device build, verification, validation and the Instructions for Use (external). The Instructions for Use are often used as a disclaimer or a list of precautions which need to be considered before using the medical device, because the risk could not be resolved by other risk controls (taking into account the benefit-risk ratio).

Risk assessment vs. Risk Management

Risk assessment is the activity of creating a Risk Management File once. Risk management is the act of continuously using the Risk Management File: tracking open risk controls until closure, updating the file during design and development, and monitoring its accuracy against Post-Market Surveillance feedback. Most companies do risk assessments, but never get the value of true risk management.
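The scoring rule Risk = Severity × Probability, the accept/mitigate/avoid/transfer dispositions, and the difference between a one-off assessment and ongoing risk management (tracking controls to closure and checking the file against post-market incidents) can be made concrete in a small risk register. The Python below is an added illustration written for this edit, not code from the author, from MyBlueLabel or from any standard; the wording of the 5×5 scales, the acceptance threshold, the incident-rate bands and the sample entries are constructed assumptions.

```python
"""Minimal risk register: predefined severity/probability scales, mandatory
justification, a documented acceptance threshold, risk controls tracked to
closure, and a reconciliation of assessed probability against post-market
incident rates. All scale wording, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Predefined scales: every assessor uses the same definitions, so scores are comparable.
SEVERITY = {1: "negligible", 2: "minor", 3: "serious", 4: "critical", 5: "catastrophic"}
PROBABILITY = {1: "improbable", 2: "remote", 3: "occasional", 4: "probable", 5: "frequent"}
ACCEPTABLE_MAX = 6  # assumed threshold: a score at or below this may be accepted as-is
# Assumed mapping from observed incidents per unit in the field to a probability rank.
RATE_BANDS = [(1e-1, 5), (1e-2, 4), (1e-3, 3), (1e-4, 2), (0.0, 1)]


class Disposition(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"    # implement a risk control
    AVOID = "avoid"          # remove the requirement that causes the risk
    TRANSFER = "transfer"    # a supplier or third party carries the control


@dataclass
class Control:
    description: str
    kind: str                # "internal" (SOP, training) or "external" (build, IFU)
    closed: bool = False


@dataclass
class Risk:
    id: str
    hazard: str
    severity: int
    probability: int
    justification: str       # why these ratings were chosen; required, never empty
    controls: list = field(default_factory=list)
    residual_probability: Optional[int] = None   # re-rated after controls, if done
    residual_severity: Optional[int] = None

    def __post_init__(self):
        if self.severity not in SEVERITY or self.probability not in PROBABILITY:
            raise ValueError(f"{self.id}: ratings must use the predefined 1-5 scales")
        if not self.justification.strip():
            raise ValueError(f"{self.id}: a written justification is required")

    @property
    def score(self) -> int:
        return self.severity * self.probability

    @property
    def residual_score(self) -> int:
        sev = self.residual_severity if self.residual_severity is not None else self.severity
        prob = self.residual_probability if self.residual_probability is not None else self.probability
        return sev * prob


def default_disposition(risk: Risk) -> Disposition:
    """Low risk may be accepted; anything above the threshold is unaccepted by default."""
    return Disposition.ACCEPT if risk.score <= ACCEPTABLE_MAX else Disposition.MITIGATE


def open_controls(register: list) -> list:
    """Controls still to be tracked to closure: the ongoing part of risk management."""
    return [(r.id, c.description) for r in register for c in r.controls if not c.closed]


def rank_from_rate(incidents: int, units_in_field: int) -> int:
    """Map an observed incident rate onto the same 1-5 probability scale."""
    rate = incidents / units_in_field
    for threshold, rank in RATE_BANDS:
        if rate >= threshold:
            return rank
    return 1


def reconcile(register: list, incidents: dict, units_in_field: int) -> list:
    """Flag risks whose observed post-market rate exceeds the probability assessed."""
    flagged = []
    for r in register:
        observed = rank_from_rate(incidents.get(r.id, 0), units_in_field)
        assessed = r.residual_probability if r.residual_probability is not None else r.probability
        if observed > assessed:
            flagged.append((r.id, assessed, observed))
    return flagged


# Constructed sample register for a hypothetical dosing device (illustration only).
REGISTER = [
    Risk("R1", "Incorrect dose entered via touchscreen", 4, 3,
         "Keypad slips are reported on similar devices; an overdose can be critical",
         controls=[Control("Two-step dose confirmation in firmware", "external", closed=True),
                   Control("IFU precaution: verify dose before start", "external")],
         residual_probability=2),
    Risk("R2", "Cosmetic scratch on housing from packaging", 1, 4,
         "Frequent but no effect on safety or performance"),
]
INCIDENTS = {"R1": 30, "R2": 500}   # constructed post-market counts over 20,000 units

if __name__ == "__main__":
    for r in REGISTER:
        print(r.id, r.score, r.residual_score, default_disposition(r).value)
    print("open controls:", open_controls(REGISTER))
    print("needs re-assessment:", reconcile(REGISTER, INCIDENTS, 20_000))
```

Note what the reconciliation shows: R1 was re-rated to "remote" after its controls, but 30 incidents in 20,000 units is an "occasional" rate under the assumed bands, so the residual rating no longer matches reality and the file needs updating. That feedback loop, not the initial spreadsheet, is the part most companies never close.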

Management System

Risk Management is an integral part of a Management System which, as established previously, any professional company should have. Yet experience shows that most companies only have a Quality Management System and only create risk assessments because regulatory compliance requires them. However, with just a little modification of the basic compliance expectations, the risk assessments can be used as a powerful tool to understand and communicate the business-critical activities needed to go to market and to maintain quality products and services in a post-market environment. By adding one additional key metric to the typical risk assessment, a category with the entries Strategic, Financial, Operational and Compliance impact, the tool becomes enterprise relevant. Management is interested in strategy, financials and possibly operations, so the communication must be focused on business assurance, while at the same time ensuring that compliance requirements are met by using tools which enable Quality by Design. Additionally, the recent interest in Sustainable Development Goals can be added to the list of categories, and in the world of the “new normal”, increasing interest has been given to environmental disasters; a risk assessment with that category might have identified the possible risk controls for a pandemic (had the probability rating been significant enough).

Business Assurance

Large organizations are compliant (no doubt about it; they must be), but they often spend a significant amount of resources establishing and maintaining compliance. In order to be or stay competitive, large companies (like smaller ones) are now increasingly focused on handling business-critical tasks more effectively in order to get to market faster. By understanding the events which can occur when providing products and services to the market, the company will be able to use just the right amount of resources and focus on what matters. Business assurance also means that besides strategic, financial and operational risk, consideration must be given to the risk to brand reputation. In the end, how many complaints is the company willing to accept for this type of product without damaging the brand value?

Quality By Design

There are various tools today which are used to manage the risk process. These tools are often built as Excel files, which completely cover the expectations of a Risk Management File. If you are creating one product, this will be sufficient, and hopefully an audit will not be too nerve-racking. If, on the other hand, you are dealing with multiple products and multiple projects, then the Excel files will probably make you lose overview and governance, or you will spend far too many resources trying to obtain transparency. To be effective, transparency is key. Already available work must be reused. To complete the activity faster and at a much more accurate level, collaboration is needed. To ensure collaboration between process experts and reach process excellence, better tools are essential. When using digital solutions with a visual display of the risk landscape, it is easier to understand where to focus the effort. With increased visibility, it is easier to get the overview and possibly see trends within and across risk assessments. Solutions with data-driven risk management which are integrated with CAPA control, incident monitoring and complaint handling will additionally give visibility to risks which are critical in a post-market scenario. Focus on what matters. Spend fewer resources. Be more effective. Make better business decisions. Enhance communication to key stakeholders. Work with Quality by Design.

I do not need yet another tool!

Imagine: people working in the same company, designing and developing similar products, working with the same procedures and even with the same tools available, can reach significantly different outcomes in their risk assessments. Maybe worse, neither of them probably knows about the risk assessment carried out by their colleague on a similar product, and the opportunity for value-added knowledge sharing is missed. It seems that even though companies run countless risk assessments for different products and services, they never utilize the true benefit: being able to compare the risks and the efforts needed to mitigate them, and to monitor the effectiveness of the controls.

Why you should consider it anyway

If risk is not handled optimally, a lot of resources are spent on non-value-added activities. It is important to understand the risk landscape and to be able to communicate the output differently when talking to the compliance risk manager than when talking to the steering committee. While risk managers possibly want to know every little detail, the stakeholders typically only want to focus on the top 5 risks at a time and the proposed plan to mitigate them. Visual dashboards make for better communication, and better communication makes for better business decisions. Large corporations can benefit from tools which can:

    • present the enterprise perspective (strategic, financial, operational, compliance).
    • put the risk in the perspective of the entire business assurance ecosystem.
    • be used for easy communication with key stakeholders.
    • map the risk with the guidance of ISO standards and regulation.
    • track each risk control until closure.
    • compare equivalent products across the portfolio.
    • compare risks (potential issues) with incidents (actual issues).


Risk, and any other activity which is critical for business assurance, should be communicated and visualized so that the key stakeholders are informed and can take the optimal business decisions. At the same time, resources can focus on what matters, as the actions required are visually identified.

Learn from people who have done this before

The right time to start risk assessment activities is at the beginning of the product introduction. The best time to make an accurate risk assessment is when the product has been on the market for a period of time, because at that point the actual issues users or patients experience with the product are known. Therefore, when beginning a risk assessment, the optimal background is previous lessons learned. If you have real-life data, it is the best starting point. If you are not fortunate enough to have been through the process before, then ISO standards and regulations are very helpful for identifying possible events and circumstances (Table C.2 of ISO 14971:2019) and the General Safety and Performance Requirements (Annex I, MDR), where issues have been seen and reported by other companies for many decades. Industry standards thereby give you a good starting point built on other companies' lessons learned, including where they got burned, in the areas where they should have looked for risk.

Medical Device Regulation

The Medical Device Regulation (MDR) has applied since May 2021. In this regulation, new classification rules are introduced. It is essential to establish the correct risk class of each individual device with the classification rule(s) in accordance with MDR, Annex VIII – Classification Rules. Next, look into the General Safety and Performance Requirements, MDR Annex I, which, if interpreted correctly, will guide you in where to look for risk in the device design, development, manufacturing, and maintenance activities. An additional key to understanding the regulatory risk management expectations is ISO 14971, Medical devices – Application of risk management to medical devices.


The recommendation is to start the risk management journey early. Use the right solution, one that guides you and gives you additional business benefits instead of only addressing regulatory compliance. Get more stakeholders in the organization interested in risk management. Get management interested in risk management. Do regular reviews to ensure processes are effective and technical documentation is relevant. In the end, risk management is a business advantage.


1. Medical Device Regulation, Regulation (EU) 2017/745
2. ISO 13485:2016 Medical devices – Quality management systems – Requirements for regulatory purposes
3. ISO 14971:2019 Medical devices – Application of risk management to medical devices


About the author

Kenn Milton

Founder and CEO of MyBlueLabel

Working with large corporations on innovation within Enterprise Risk Management solutions.
A focused and result-oriented Senior Executive with significant experience in the provision of compliance solutions. A competent strategist, capable of delivering innovative solutions to ensure seamless project delivery and the achievement of business objectives. Ensures full compliance with internal and external regulations and quality processes. For several years he has been developing a SaaS solution based on his Quality Management experience, carried by a strong wish to help all companies with Quality and Risk Management: www.mybluelabel.com
