Better Risk Assessment and Controls

Understand your roles and responsibilities

Published: Thursday, April 2, 2015 - 11:00

In almost everything in quality there are multiple facets of responsibility. The same applies when we talk about cybersecurity and threat assessment.

The last time I spoke about this topic I addressed our responsibility for protecting our own organization’s intellectual property and security. This time I’m concerned with how we protect those who depend on the products and services we provide. Market demands for increasingly intelligent products, coupled with rapidly evolving software and wireless technology, provides the means for companies to deliver exactly what the market demands. What is equally clear is that the ability of companies to assess the risk for the user and their privacy is not coming close to keeping pace with these advances. Just because the capability for smart devices is more readily available is no guarantee that prudent product management decisions are being made. The media is filled with stories about misuse of everything from baby monitors to auto-assist parking in late model vehicles.

I recently attended a seminar concerning FDA regulatory requirements specific to software as a part of a medical device, or in some cases, the device itself. Half of the two-day event was devoted to putting the attending companies on notice that the responsibility for prudent risk assessment and controls was squarely on the product provider. The FDA is strengthening their guidance documents and position on cybersecurity, governance, definitions, and controls for wireless devices in particular. Responsibilities related to enforcement are being shared with NIST and, in a smaller role, the FCC. A complete and cogent understanding of what is required for prudent development and risk management for software is currently all over the map, relative to compliance.

There are manufacturers of smart toys that communicate with your child, and smart TVs that record at least some of the interaction with the consumer and send it wirelessly back to the developer. Many companies partner with a software development organization and simply purchase the technology with little understanding of the potential for misuse and harm to the consumer. On the other end of the spectrum are companies like Google, who know they have a lot of skin in the game. They employ a tightly managed group of very savvy hackers who spend all their time doing their best to hack every line of code written by Google developers. The goal is to harden the code and thwart criminals before they can harm the Google user community.

Looking at litigation related to software as part of a product, the courts seem to be taking the same position as the FDA; that is, the product provider has the majority of responsibility for assuring that a prudent assessment of risk resulted in reasonable steps to mitigate the potential for misuse. This appears to extend to even inadvertent misuse, particularly by children and the elderly.

Risk assessment, mitigation, and controls are no longer a “nice to have” component of a quality and compliance system. Every company needs to ensure that they have included prudent risk assessment and controls against the potential misuse of all of their offerings. Extend your thinking about standard risk calculations to include normal, out of process, and misuse as conditions for assessment. Here’s how:
• Begin conducting regular design risk management meetings as part of your product management process.
• Make sure you include this mindset in your test and quality assurance programs, and in your assessment of warranty claims and customer feedback.
• Treat your CAPA and complaint process as your early warning system that the users of your product may be exposed to cyber threats and potential harm, even inadvertently.
• Take the proper steps to ensure that your company does not stumble in the race to embrace new technology.

The sizzle of enticing new features is great, but make sure your customers don’t choke on the steak.

First published March 17, 2015, on the Quality Management 2.0 Blog.

Quality Digest does not charge readers for its content. We believe that industry news is important for you to do your job, and Quality Digest supports businesses of all types.

However, someone has to pay for this content. And that’s where advertising comes in. Most people consider ads a nuisance, but they do serve a useful function besides allowing media companies to stay afloat. They keep you aware of new products and services relevant to your industry. All ads in Quality Digest apply directly to products and services that most of our readers need. You won’t see automobile or health supplement ads.

Our PROMISE: Quality Digest only displays static ads that never overlay or cover up content. They never get in your way. They are there for you to read, or not.

So please consider turning off your ad blocker for our site.

Thanks,
Quality Digest

About The Author

Mary McAtee

Mary McAtee has been a member of the Siemens organization for more than 20 years. She is a 40-year quality professional specializing in reliability engineering for semiconductor and nuclear devices. McAtee is an exam-qualified lead assessor for ISO 9001, ISO 14001, ISO 13485, IATF 16949, and TickIT. She has lead several organizations to successful registrations to various standards and has written and presented on the topic of compliance and quality extensively over the years. She is working with organizations in the United States and Europe to develop a broader uniform interpretation of primary norms and compliance standards.

Quality Digest