Identifying Risk Mitigation Plan Gaps


Summary

Identifying risk mitigation plan gaps means spotting areas where plans to reduce risks are missing details, outdated, or don’t match the real needs of your business or workplace. This process helps ensure that risk management plans actually work when needed, protecting people and business operations from unexpected threats.

  • Review regularly: Schedule routine checks of your risk and emergency plans to catch outdated procedures, missing information, and changes in staff or equipment.
  • Test with scenarios: Run practice drills or ask "what if" questions to make sure employees understand their roles and can respond to different emergencies, not just sign off on paperwork.
  • Focus on reality: Walk through your facility and compare plans to actual risks and processes, updating your procedures to address specific hazards and real-world operations.
Summarized by AI based on LinkedIn member posts
  • Naveen Agarwal, Ph.D.

    Risk Management Leader | Knowledge Sharer | Community Builder


    🤔 A recent FDA warning letter highlights these gaps in risk management:

    1️⃣ Not including potential safety-related user needs, leading to inadequate design validation and unmitigated risks in the field.
    2️⃣ Inadequate design verification of design outputs linked to safety-related design inputs, leading to device explants in the field.
    3️⃣ CAPA procedure requires only severity 4 or 5 adverse events to be escalated. It does not require consideration of lower severity adverse events that may occur at high frequency for CAPA.
    4️⃣ Incorrect calculation of occurrence rates of "spikes" and "adverse event trends" using incorrect units sold data, leading to underestimation of risk.
    5️⃣ Not analyzing potential adverse events correctly and failing to report as MDRs.

    🛑 I am noticing a lot more scrutiny from the FDA on deficiencies in risk management and more explicit language used in warning letters.
    💥 Take a critical look at your QMS before QMSR goes into effect. #letstalkrisk #qmsr #riskmanagement

  • Ulises Vargas

    Ranked #21 Energy/Environment Industry Creator in USA | I help Environmental and Safety programs be effective and mentor Environmental Health and Safety professionals.


    I watched a safety manager confidently hand an OSHA inspector his emergency response plan. 30 minutes later, his face turned white. The inspector found 3 critical failures that led to a five-figure citation.

    After reviewing many emergency response plans across manufacturing and pharmaceutical sites, I've discovered these same 3 issues appear repeatedly:

    1. The "once and done" mindset
    ↳ Plans created years ago sitting untouched
    ↳ Contact lists with people who left the company
    ↳ Equipment procedures that don't match current machinery
    ↳ Evacuation routes that no longer exist due to facility changes

    OSHA 1910.38(f) requires reviewing your plan when:
    - Employee responsibilities change
    - The plan is developed
    - The plan is changed

    Fix: Set a quarterly reminder to review your plan. Document each review with date and signature, even if no changes were made.

    2. Training that exists only on paper
    ↳ Employees sign training logs but can't explain procedures
    ↳ Everyone knows to evacuate but not where to assemble
    ↳ Shift workers who missed the annual training altogether
    ↳ No practice drills in the past year

    OSHA expects employees to demonstrate knowledge of their roles, not just show paperwork.

    Fix: Run scenario-based drills quarterly. Ask employees: "What would you do if..." and document their responses to identify gaps.

    3. Site-specific hazards ignored
    ↳ No procedures for specialized equipment emergencies
    ↳ Missing response plans for chemicals actually present on site
    ↳ Generic templates that don't address your unique operations
    ↳ Failure to address temporary work zones and changing conditions

    The most expensive citations come from plans that fail to address the hazards specific to your workplace.

    Fix: Walk your facility with fresh eyes. For each area, ask "What's the worst that could happen here?" Then ensure your plan addresses it.

    Strong safety leadership means recognizing that emergency preparedness isn't just compliance. It's protecting your team when they need it most.

    I've helped dozens of companies transform their emergency response from paperwork to protection. The difference is always leadership commitment.

    Would your plan pass an OSHA inspection today?

  • Christian Hyatt

    CEO & Co-Founder @ risk3sixty | Compliance, Cybersecurity, and Agentic AI for GRC Teams


    Results from 1990 gaps on third party risk management programs are this:

    BOTTOM LINE: People struggle making third party risk programs efficient and meaningful to their business.

    BACKGROUND: We have done more than 2000 assessments at risk3sixty. Of those assessments we have identified 1990 gaps. By far one of our most common gaps.

    FINDINGS: Here's where the gaps are concentrated:

    1. Policies and Procedures Fail to Match Reality on the Ground: Policies are written, but often do not reflect the reality of what companies need to produce meaningful results. For example, they typically do not reflect realistic processes or provide meaningful guidance on how to risk rank vendors. And most importantly, they don't provide any guidance or "teeth" on how to disqualify a vendor if they exceed a risk threshold. As a result, vendor management often becomes a check-the-box administrative task to get through procurement.

    2. Third Party Risk Management Degrades Into a Tedious Administrative Task: The volume of vendors and the manual nature of assessment work means that true risk management takes a back seat to checking the box. Third party risk management is often an additional duty for already busy GRC professionals, or it is delegated to teams without authority to make vendor disqualification decisions. More often than not, the people doing the assessment work do not have the context to make educated decisions about vendors or to ask smart questions. This is thankless work and can lead to burnout quickly.

    3. Tools Aren't a Cure-All: Tools range from glorified Excel spreadsheet replacements, workflow engines that route questionnaires, or (my favorite!) tools that scrape websites and assign risk scores based on website security scores (taking no consideration of the actual service rendered). Further, the industry suffers from under-implemented and under-adopted tools that fail to live up to the promised results.

    WHAT TO DO: Here are some practical steps to consider:

    1. Draft policies and procedures that reflect the reality of the process. That includes realistic risk scores, decision criteria for disqualifying vendors, and establishing a bar for which vendors need true analysis vs. which do not. DO NOT over-engineer it.
    2. Spend outsized effort on high-risk vendors. And allow for it in policy.
    3. Consider outsourcing vendor management in part or fully. If you use a good third party you can probably increase the quality and get some of the worst work off of your full-time employees. They will thank you for it.

    ---

    What am I missing? #cybersecurity #thirdpartyrisk #vendormanagement
