MasterControl's Murray Defines Risk---and What It Isn't

Risk management is many things, but it is not enterprise, project or financial risk management.

For medical manufacturing professionals, the MD&M conferences and exhibits are some of the most valuable professional networking tools available. At MD&M East, medical manufacturing professionals from the eastern United States and from areas across the world meet with regulatory, quality, compliance, and manufacturing experts to glean and share knowledge. Tracks covered over the course of the most recent conference, held June 13-15, 2016, focused on “Market Value and Consumer Health, New Technologies, Big Data, and Mobile Product Risk.”

One of MasterControl’s most seasoned quality experts, Walt Murray, presented at the recent conference on risk management, which for the last two years has been an especially salient topic for medical device and medical manufacturing professionals. Between changes in the ISO 13485 regulations and the general management and coordination of regulations and standards across the medical manufacturing industry, risk management is changing in distinct ways that are affecting the medical device and manufacturing sectors.

Risk Management is NOT Enterprise, Project, or Financial Risk Management

As many great presenters often do, Murray began his presentation by defining risk management and by defining what risk management is not. Risk management is not enterprise risk management, project risk management, or financial risk management (SOX) but is, according to Murray, the following:
  • A Quality System process-based approach
  • Business COQ orientation
  • Sometimes referred to as “operational risk management”
  • Sometimes called “safety risk management”
  • Minimization of harm to the patient, user, or the environment
In his presentation, Murray also showed and demonstrated (using examples) how risk management can be seamlessly integrated with compliance management and quality management processes. These processes can “meet in the middle” as Murray showed with one of his visual diagrams and this “middle” can be referred to as systematic event management processes. To learn more about these processes and seamless integration contact Marci Crane at to receive Murray’s complete slide deck.

Types of Operational Risk; FDA as an Example

Murray also shed light on various types of operational risk, discussed examples involving FDA regulations (including risk analysis as one of the FDA’s modus operandi), and covered external and internal reasons to implement risk management in the first place. These reasons include the following:
  • External
    • Regulations
    • Standards
    • Liability/Insurance
  • Internal
    • Quality
    • Cost
    • Business Continuity
Murray also shared principles for understanding the value of risk and for managing risk. These principles included those listed below. An effective organization should understand at all levels that risk management:
  • Creates and protects value
  • Is an integral part of all organizational processes
  • Is part of decision making
  • Explicitly addresses uncertainty
  • Is systematic, structured and timely
  • Is based on the best available information
  • Is tailored
  • Is aligned with external and internal context of a risk profile
  • Takes human and cultural factors into account
  • Is transparent and inclusive
  • Is dynamic, iterative and responsive to controlled change
  • Facilitates continual improvement in the organization

Risk Management Regardless of the Regulation or Standard Worldwide

Whether a medical device and/or medical manufacturing company is required to adhere to regulations and/or standards created and enforced in the U.S., the EU, or other geographies throughout the world (e.g., Canadian quality regulations, the JHM adoption of the ISO 14971 manufacturing or product, or the TGA Annex 20 stipulations for the risk management process within a QMS), the company is surely in need of a good understanding and solid application of risk management principles and the integration of risk processes in conjunction with additional quality processes.

Additional Risk Vigilance

Sometimes risk vigilance extends beyond the “typical” areas of risk management. In his presentation, Murray also expounded on environmental management (ISO 14001), health and safety management (ISO 18001), and finance/insurance/legal management (SOX) and how these can be managed in cohesive and efficient processes.

The Essentials of Risk Management

Adherence to solid risk management principles can save a company’s products and reputation. The essentials of risk management include predefined risk acceptability criteria; the identification of hazards (including hazardous situations); the estimation of risks; the evaluation of risk; the control of risk; the monitoring of effective risk controls; and the feeding of results back into the risk management process (under change control).

Learn More

To learn more about any aspect of risk management for medical manufacturing professionals, please request Murray’s full slide deck and professional contact information by emailing Marci Crane at
Marci Crane is MasterControl’s Localization Manager and a Marketing Communications Specialist. Marci writes on various topics including changing global (and U.S.) standards including the ISO and QSR regulations/standards. To receive a copy of Walt Murray’s official slide deck from the 2016 MD&M East conference and exhibition, or to learn more, please contact Marci at