5 Medical Device Best Practices for Managing Risk to Users, Patients, and the Environment


Medical device companies of all sizes are often concerned about speed-to-market, new device clearance overhead costs to maintain compliance, lack of certainty about what is needed to maintain compliance, and fear of non-compliance consequences.

Taking a risk-based approach can alleviate these concerns and simplify adherence to numerous compliance requirements established by regulatory bodies such as:

  • U.S. Food and Drug Administration (FDA)
  • Medicines and Healthcare products Regulatory Agency (MHRA) in the United Kingdom (UK)
  • European Union Medical Device Regulation (EU MDR)
  • International Organization for Standardization (ISO)
  • Therapeutic Goods Administration (TGA) in Australia

Meeting these compliance standards and following the best practices explained in the next section are key to bringing new medical devices to market with success.

Most medical device companies are audited by regulatory bodies at least once per year, depending upon their geography. Incorporating a solid risk management process can not only mitigate regulatory risk but also deliver peace of mind to all stakeholders in the enterprise as they launch new products.

Whether you are still using a legacy, paper-based quality management system (QMS) or an electronic quality management system (eQMS), risk management is critical.

In general, the risk management process should be applied throughout the lifetime of the device.

Following are five best practices in risk management for medical devices.

1. Involve the Right Stakeholders

To manage risk effectively, stakeholders need to be involved every step of the way, beginning with an initial risk assessment. Stakeholders can include people such as managers, clients, employees, shareholders, unions, etc. Many of these individuals may be key personnel and are critical to the company’s risk management processes. Each of these individuals represents different roles and responsibilities within the organization, thus giving you a holistic representation of all of the aspects of the business and each risk that comes along with it.

It is imperative to encourage stakeholders to help improve the continuous risk process by getting them involved in answering the question, “What keeps you up at night?”

2. Create a Strong Risk Culture

The second risk management best practice – and an important step in any successful risk management program – is creating a strong risk culture. Risk culture is defined as the values, beliefs, and attitudes about risks held by a common group of people. It is the responsibility of management and the board of directors to clearly communicate the company’s culture and set the tone for compliance from the top. Management buy-in is critical to ensure that the importance of risk awareness permeates the entire organization.

A good question to ask as a leader or within your team is, “What is our company’s risk culture?”

3. Communicate Risks Throughout the Organization

The third best practice in risk assessment and risk management is communication. Communicating risks throughout the organization is another important aspect of risk management. Key risks, or risks that would have a high organizational impact, are identified and monitored by all departments. Any new risks are identified, assessed, and mitigated properly. Creating awareness of risks through communication to the entire organization is critical to a successful risk management process.

As a leader, you should always ask yourself, “Is everyone in the organization well-informed about key risks?” If you are part of a team, it’s important to ask, “Has my team identified and monitored key risks, and did we communicate that information to the appropriate manager?”

4. Decide on Clear Risk Management Policies

Developing clear risk management policies is the fourth best practice in risk management success. Questions to answer should include:

  • Is the Risk Assessment policy clearly documented?
  • Are the roles and responsibilities clearly defined?
  • Are there clear policies and procedures defining mitigation of any and all identified risks?
  • Is there a Business Continuity Plan and an Incident Response Plan in place that map out how the organization will handle and overcome any unforeseen risks?
  • Are these policies communicated effectively to all employees?

Having these clear policies developed helps identify all potential risks that could affect the organization, the likelihood and impact of those risks, how the risk is mitigated and prevented, and how new risks are monitored and managed.

5. Create a Continuous Risk Monitoring Process

The fifth best practice is to set up a process that continually monitors risk. In order to manage risks, risks must be identified. Once the initial risk assessment is performed and the proper controls are in place to mitigate and address these risks, the next crucial step is monitoring. Clear monitoring processes must be established to ensure that any and all risk mitigation efforts are working and effective. This is a crucial aspect of any risk management process.


Understanding risk management and implementing a risk management plan is critical to the success of any medical device company. Once you have a risk management plan in place, compliance is simplified and your organization can focus its priorities on what matters most: the user, the patient, and environmental safety.


Nicolle Cannon is founder and CEO of Cannon Quality Group, a full service outsourced quality management organization specializing in supporting start-ups and early stage medical device companies. She started her company over ten years ago, and prior to that worked in quality for device companies such as Fox Hollow, Advanced Stent Technologies, and AVE/Medtronic. She holds a degree in mechanical engineering from Cal Poly State University.
