While some regulated organizations lack a formal, comprehensive process for properly identifying, analyzing, evaluating, and controlling risk, all regulated organizations are likely to have some basic processes in place to address and respond to operational risks smoothly and effectively.
For companies that do not have a formal risk management process, a simple quality risk management database may be a beneficial tool. The size of the company, the nature of its business, and the regulations and standards it is required to comply with are some of the factors that determine whether the tool can be relatively straightforward (for example, a spreadsheet) or requires more sophistication (for example, an electronic system). Risk management has many connotations depending upon its audience (e.g., a drug manufacturer as opposed to a medical device maker). Whether the tool is a spreadsheet or an electronic system, it is crucial that the quality risk management database conform to the regulations and standards applicable to the particular company.
For example, ISO 14971 has become the de facto global standard for risk management for medical device companies. The standard, whose latest revision was published in 2007, specifies a process for a manufacturer to identify the hazards associated with medical devices, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls. The requirements of ISO 14971 are applicable to all stages of the lifecycle of a medical device. In this context, a medical device manufacturer creating a quality risk management database should consider how the database would help not only in estimating and evaluating the quality problems that could expose the company to harmful risk, but also in reducing, controlling, and monitoring that risk moving forward.