The purpose of a risk management plan is to provide assurance that all project risks are identified and analyzed, and options / solutions are presented to eliminate or reduce the effect of those risks. It allows project stakeholders to evaluate these risks and provides an opportunity to add or modify the risks identified and solutions offered. The risk management plan is developed within industry standard regulations to guide the development team to a successful and satisfactory implementation. This plan evaluates possible areas of risk and presents:

  • Analysis of risks and hazards
  • Methodologies that are being employed to reduce the risk
  • Solutions to mitigate the risk
  • Options to manage the remaining risk items

Begin by writing a brief product overview including the technology that will be used, intended use of the product, and any needed accessories. Once the product has been defined, determine what type of compliance standards will be followed.

Moving forward, the above details will help shape the risk management plan for the entire project. Several activities must be fulfilled to complete the plan, including risk identification and analysis, risk acceptability, and defining hazard types. Project stakeholders must work together to analyze the project and identify any technical and project risks. In an initial risk identification meeting, the team must pinpoint and categorize the project’s risks, assigning each a probability of occurrence and respective consequence. The team must provide options and solutions to reduce the risk to an acceptable level, all documented on a risk identification and management spreadsheet.

Risk Acceptability
The criteria for accepting risks are determined based on the probability and consequence values set for each risk. Risk criteria are placed into a criteria chart and risks are considered acceptable with a result of a pre-determined percentage. The end client/product owner shall make the final determination on the criteria and level for accepting risk. This acceptance of risk is based on the probability of occurrence of harm, the variations of outcomes that could occur over a specified time frame, the given situations that may change over time, and the level of risk that is acceptable. The measurement of risk is an estimate that should be reviewed at least monthly and reevaluated if needed.

Risk Categories
Risks should be identified and categorized into four main categories: Technical, Project Management, Product, and External. The four main categories of risk are further broken down into more detailed categories as follows:

Technical: The technical risks are focused on the effects related to design and development of the project and may be categorized as:

  • Requirements
  • Technology
  • Complexity and Interfaces
  • Performance / Reliability
  • Quality
  • Hardware Issues
  • Other

Project Management: The project management category provides selections related to the management and scheduling of the project and may be categorized as:

  • Estimating
  • Planning
  • Scheduling
  • Resources
  • Project Dependencies
  • Other

Product: The product category provides selections related to the output product of the project and may be categorized as:

  • Safety – Patient/Process Control Environment
  • Safety – User/Operator
  • Safety – Other
  • Design & Development
  • Manufacturing
  • Disposal
  • Other

External: The external category provides selections related to events that may occur outside of the control of the engineers and may be categorized as:

  • Outside Suppliers
  • Government Regulations
  • Customers/Clients
  • Weather
  • Other

Estimation of the Risk(s) for each Hazard
The likelihood that a hazard will occur and its impact on the product or device are estimated and entered in a worksheet as the probability and consequence, respectively. Reasonably foreseeable combinations of events that can result in a hazardous situation are considered, and the resulting hazardous situation(s) are recorded in the same worksheet with an estimate of the percentage of occurrence.

Hazard Types & Severity
Potential hazards and probable causes should be described briefly in a standard operating procedure (SOP). A hazard is defined as a situation that has the potential to cause an accident or harm to a stakeholder, usually a user and/or patient (if a medical device).

For each hazard identified, an estimate of the degree of severity of the harm (consequence) that might result if the hazard were to occur is assigned using the severity definitions from the SOP. Severity levels may be defined as follows:

Risk Evaluation
The probability and consequence values should be figured into an overall risk score based on probability and consequence criteria. To make things simpler, score risk using a 10-point scale, showing the probability of occurrence and impact to the product. The scale and overall risk/hazard enable the reviewer to quickly assess the risk as objectively as possible. For each identified hazardous situation, a decision is made as to whether risk reduction is required. The results of the risk evaluation should be recorded in a risk management spreadsheet or database.

Probability of Occurrence, Detection, and Consequences
The probability of occurrence criteria determine the likelihood that the risk occurs. These criteria, along with the consequences of the risk, are used to assess the severity of each risk. The likelihood assessment is determined by the expertise of the document approvers, using guidelines taken from references and product experience to determine the likelihood that the identified hazard or risk would occur. Examples of rationale or reference for likelihood estimation may be expert opinion, complaint data, statistical analysis, or experimental data with similar devices. Define the probability of detection utilizing a pre-determined table outlining the qualitative and quantitative outcomes. The consequences criteria determine the effect on the project if the risk occurs. These criteria are considered along with the probability to identify the severity of the risks. All of this data is used to build a criteria chart. This chart is used to identify the three levels of risk severity/impact and establish a rating for each identified risk. The chart shows the three levels by green, yellow and red boxes, ultimately determining risk as low, moderate, or high, respectively.

High
Risks identified in red are high in impact or severity. The impact on cost, schedule, product, and safety performance is substantial. Risks that fall into this category require significant actions and are a high priority to mitigate.

Moderate
Risks identified in yellow are moderate in severity. There is some impact on cost, schedule, and safety product performance. Some action and management attention may be required.

Low
Risks identified in green are low in severity. There is minimal impact on the project schedule, cost or performance safety. Minimal oversight is needed to ensure the risk remains low.

 

WHAT’S NEXT?
Next week we will deliver part 4 of this series, focusing on the 3rd critical step of project planning: product & software requirements.

 
