Tuesday, April 26, 2011

Risk Based Compliance - A Panacea?

Risk-Based Compliance (RBC) seems to be the new buzzword in compliance circles these days. Touted by consultants to minimize compliance costs, improve compliance outcomes, and secure greater management support for compliance activities, RBC looks, feels, and sounds like a good idea. 

Should we all jump on the bandwagon then? Let's see...

Most RBC strategies include the following (or similar) tactical steps:

1. Identify the risks of non-compliance: what can happen? when? where? how? why?

2. Determine the level of each risk: what is the short-term and the long-term impact, in real dollars (fees, penalties, recalls) as well as in soft costs (lost sales, lost opportunities, and loss of customer trust)?

3. Prioritize risks based on the level of risk and on the estimated probability of risk realization. Decide on which risks to address.

4. Identify and select the compliance measures best suited to address the selected risks.

5. Plan and implement the chosen compliance measures.

6. Monitor, review, and report progress (status, costs) and compliance levels (internal audits, external audits, etc.).

While it is true that implementing an RBC strategy might improve the state of our firm's regulatory compliance in some cases, let's also consider the following thoughts:

1. RBC parameters are internally determined (perhaps with the help of consultants), while the “state of regulatory compliance” is externally determined (by regulatory agencies).

“Our analysis leads us to believe that the risk of not validating a computerized system controlling a manufacturing line for a Class III medical device is low since the device is 100% tested at the end of the line.” 

Yet due to an unforeseen side effect of a recent software upgrade, excessive torque gets applied to a mounting screw and the device casing cracks under stress, exposing the patient to a potential air embolism. Customers complain, and the subsequent FDA audit drill-down exposes the lack of validation as the root cause. A recall is initiated. A CAPA is launched. Total cost: $5 million.

2. RBC probabilities of occurrence for each risk are either determined intuitively, or based on past history.

“Since it has not been brought up in any regulatory audits in the past, why should we be concerned with adding a Human Factors analysis step in our design process? We believe the risk of non-compliance (for us) to be less than 1%.”

Yet due to an unforeseen side effect of a mold change for our infusion pumps, nurses have a tendency to confuse Start with Stop, which can lead to non-delivery of medication and potential Adverse Events. A recall is initiated. A CAPA is launched. Total cost: $12 million.

3. The criteria used to decide which compliance measures are “best suited” are highly influenced by internal biases and constraints.

“We are a small firm; therefore we believe that the best way for us to keep track of customer complaints is to log them into an Excel spreadsheet that we all share on our internal corporate LAN”

Yet because such a simplistic system cannot prevent concurrent-update conflicts (a later save of a stale copy silently overwrites an earlier one), 2 complaints logged by one customer support representative are lost when the shared file is updated by another. A subsequent FDA audit finds that one of the lost complaints should have triggered an MDR, and the company is assessed a $430,000 fine for adverse event reporting violations.

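
The lost-update failure in the spreadsheet scenario above can be reproduced in a few lines. The following is an added example, not code from the original post: it simulates two customer-support representatives saving a shared CSV complaint log with whole-file read-modify-write (the way a shared spreadsheet behaves on Save), then runs the same two sessions against an append-only log serialized with an advisory file lock. The complaint records, field names and the "reportable" flag are constructed for the illustration, and the fallback to append mode alone on hosts without `fcntl` is an assumption, not a recommendation.

```python
"""Lost-update demonstration: a shared complaint log with and without locking."""
import csv
import os
import tempfile

try:
    import fcntl                    # POSIX advisory file locking
except ImportError:                 # assumption: on non-POSIX hosts append mode alone is relied on
    fcntl = None

# Constructed sample complaints for the illustration (not real data).
# "reportable" marks a complaint that the firm's procedure would escalate to an MDR.
FIELDS = ["id", "product", "description", "reportable"]
REP_A_ROWS = [
    {"id": "C-1001", "product": "infusion pump", "description": "display flicker", "reportable": "no"},
    {"id": "C-1002", "product": "infusion pump", "description": "no medication delivered", "reportable": "yes"},
]
REP_B_ROWS = [
    {"id": "C-1003", "product": "infusion pump", "description": "casing cracked", "reportable": "yes"},
]


def new_log():
    """Create an empty CSV log with a header row and return its path."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    os.close(fd)
    with open(path, "w", newline="") as f:
        csv.DictWriter(f, FIELDS).writeheader()
    return path


def load_rows(path):
    with open(path, newline="") as f:
        return list(csv.DictReader(f))


def save_all(path, rows):
    """Whole-file overwrite: what a shared spreadsheet does on Save."""
    with open(path, "w", newline="") as f:
        writer = csv.DictWriter(f, FIELDS)
        writer.writeheader()
        writer.writerows(rows)


def audit(path):
    """Compare the log against everything both reps submitted.

    Returns (recorded_ids, lost_ids, lost_reportable_ids)."""
    submitted = {r["id"]: r for r in REP_A_ROWS + REP_B_ROWS}
    recorded = {r["id"] for r in load_rows(path)}
    lost = sorted(set(submitted) - recorded)
    lost_reportable = [i for i in lost if submitted[i]["reportable"] == "yes"]
    return sorted(recorded), lost, lost_reportable


def simulate_shared_spreadsheet():
    """Two reps open the file, add rows in memory, then save. The second save
    is based on a stale snapshot, so the first rep's rows silently disappear."""
    path = new_log()
    try:
        snapshot_a = load_rows(path)               # rep A opens the file
        snapshot_b = load_rows(path)               # rep B opens it before A saves
        save_all(path, snapshot_a + REP_A_ROWS)    # A saves two complaints
        save_all(path, snapshot_b + REP_B_ROWS)    # B's save overwrites them
        return audit(path)
    finally:
        os.remove(path)


def append_locked(path, rows):
    """Append rows under an exclusive lock; existing rows are never rewritten."""
    with open(path, "a", newline="") as f:
        if fcntl:
            fcntl.flock(f, fcntl.LOCK_EX)
        try:
            csv.DictWriter(f, FIELDS).writerows(rows)
            f.flush()
        finally:
            if fcntl:
                fcntl.flock(f, fcntl.LOCK_UN)


def simulate_append_only_log():
    """Same two sessions, but each write appends instead of overwriting, so
    no session's result depends on what it saw when it opened the file."""
    path = new_log()
    try:
        append_locked(path, REP_A_ROWS)
        append_locked(path, REP_B_ROWS)
        return audit(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("shared spreadsheet:", simulate_shared_spreadsheet())
    print("append-only log:   ", simulate_append_only_log())
```

`audit()` compares what ended up in the file with what both reps submitted. The spreadsheet run records only C-1003 and loses C-1001 and C-1002, the latter being the one flagged reportable, which is exactly the gap an auditor would find. The append-only run removes the dependence on a stale in-memory snapshot, so ordering no longer matters. A real complaint-handling system would also assign record identifiers on write and keep an audit trail; the point here is only the race.
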
While following an RBC strategy seems to help optimize the cost of regulatory compliance, we also have to realize that, just like any model built on a set of implicit assumptions, it carries significant pitfalls wherever and whenever those assumptions do not hold true.

What do you think?
