Last week, I listened to an impressive lineup of panelists and attendees at the seventh AAMI-FDA Summit, this one tackling the subject of risk management. The inspiration for this update is a recurring theme in the summit that “risk management is everyone’s business.” Starting with the keynote address of Jeff Natterman, the risk manager for Johns Hopkins, this point has been woven through the fabric of each session. As for the other gems from the summit, you’ll just have to wait to see the post-summit publication at the end of the year!
While the context for the summit discussions is managing risk with clinical technology, it is easy to translate the concepts, as well as the discipline of managing risk, to a million decisions that are made by all of us or on our behalf—or in spite of us—every day: riding a bicycle down from the top of a mountain, riding a motorcycle (with or without a helmet), smoking, not washing hands before food preparation or caring for patients, living in a home without smoke detectors, postponing a repair on the axle of a bus, or producing automobiles that either don’t perform or can’t meet emissions tests.
Panelists and attendees have shared many examples illustrating the need for us to broaden our opinions about, as well as our sense of ownership of, risk management. It is everyone’s business, starting at the top with the CEO of every medical device company and healthcare system. We have heard stories of design engineers who think that risk management is “just paperwork” or quality managers saying, “Oh, that’s compliance.” Some report that top management is dismissive of risk management or that funders who want to get a product on the market view risk management as slowing things down.
Medical device companies and healthcare delivery organizations alike have a defined staff role of risk management, which comes in many shapes and sizes. While the individuals in these roles may be the evangelists for continuously assessing risk throughout every stage in the life cycle of a medical device, every single person who touches a medical device throughout that cycle makes decisions that can “change” a risk profile. Every decision, in effect, is an emergent property that can very quietly increase risk in a device or in the system in which that device is designed, developed, manufactured, deployed, implemented, connected to other devices, used, cleaned, maintained, repaired, upgraded, or recalled.
The list of decisions that can affect risk when it comes to medical devices is endless: a department changes a process, a part specified in the design is sourced differently, a company issues a directive to cut costs or change some processes, a slight change is made in design, a new regulatory requirement is issued, a manufacturing process is made more efficient, a manufacturing material is changed, labeling is redesigned, instructions for use are updated, a transportation route is changed, packaging is modified, a supplier change is made, a component part changes, the intended use is modified, workarounds are executed, the intended user is different, clinical practice evolves, changes are made in the environment of care, another piece of technology is introduced into the use environment, nursing changes its workflow, software bugs are fixed, software or hardware updates are made in the field, etc.
These changes could be singular or combined in any number of ways. Viewed in isolation, any one of these changes might be so slight that it is not even noticed. However, if we all see ourselves as risk managers, then any isolated change that we think about making should and hopefully would include an assessment of the overall context (including, for example, consideration of other changes or those that are in the works) and how our one change might impact the risk profile.
The field of risk management has grown and become much more capable and sophisticated, with new decision tools to help minimize personal biases, limited imaginations, and our narrow peripheral vision. We are learning how to incorporate systems engineering tools into the discipline. We are thinking more about enterprise risk management. We are beginning to use decision analysis tools to help quantify risk. It has been inspiring to listen and learn as the field expands its vision right here at the summit, where talented risk management professionals pool their knowledge, acknowledge their limitations, and seek to nudge the discipline even further. At the core, though, the field still needs all of us to think of ourselves as risk managers.
Volkswagen has been in the news for an enterprise risk management nightmare, presumably of its own making, with its admission that it cheated on diesel emissions tests. The Volkswagen debacle will become a great case study for textbooks, business writers, and training modules on building risk management into a system from the beginning and not leaving it to a person or department. That story will continue to unfold in the weeks and months to come, and we no doubt will begin to learn about emergent properties that, in isolation, may not have seemed like anything significant, but that ultimately led to some decisions that will haunt the company for years. I contend that, from a risk management perspective, the culturally embedded belief that everyone is a risk manager—buttressed by a robust systems approach to risk management—would not have allowed this situation to creep into a danger zone.
The boards and CEOs of companies, health systems, and regulatory bodies spend a significant part of their days assessing some kind of risk and making decisions that have implications on some aspect of enterprise risk management. Uncertainty continues to grow exponentially with the increasing scope and complexity of technology at our disposal. And yet, if asked where risk management is handled in their organizations, CEOs are likely to identify a particular department, individual, or committee.
The reality is that everyone is a risk manager in healthcare. In our space of healthcare technology, we each have an important role to play in identifying, assessing, planning, reducing, and managing risk—all with a goal of improving patient outcomes. As the field and discipline of risk management continues to grow, I predict that in the not-too-distant future, when asked where risk management is handled in their organizations, CEOs will say that risk management has to be and is everyone’s business in healthcare.
Mary Logan, JD, CAE, is president of AAMI.