Understanding your Role and Responsibility for Risk Assessment and Controls
In almost everything in Quality there are multiple facets of responsibility. The same applies when we talk about cyber security and threat assessment. The last time I spoke about this topic I addressed our responsibility for protecting our own organization’s intellectual property and security. This time I am concerned with how we protect those who depend on the products and services we provide. Market demands for increasingly intelligent products, coupled with rapidly evolving software and wireless technology, provide the means for companies to deliver exactly what the market demands. What is equally clear is that the ability of companies to assess the risk to the user and their privacy is not coming close to keeping pace with these advances. Just because the capability for smart devices is more readily available is no guarantee that prudent product management decisions are being made. The media is filled with stories about misuse of everything from baby monitors to auto-assist parking in late model vehicles.
I recently attended a seminar concerning FDA regulatory requirements specific to software as a part of a medical device or, in some cases, as the device itself. Half of the two-day event was devoted to putting the attending companies on notice that the responsibility for prudent Risk Assessment and Controls rests squarely on the product provider. The FDA is strengthening its guidance documents and position on cyber security, governance, definitions and controls, for wireless devices in particular. Responsibilities related to enforcement are being shared with NIST and, in a smaller role, the FCC. Across the industry, a complete and cogent understanding of what prudent development and Risk Management for software requires in order to achieve Compliance is currently all over the map.
There are manufacturers of smart toys that communicate with your child, and of smart TVs that record at least some of the interaction with the consumer and send it wirelessly back to the developer. Many companies partner with a software development organization and simply purchase the technology with little understanding of the potential for misuse and harm to the consumer. On the other end of the spectrum are companies like Google, who know they have a lot of skin in the game. They maintain a tightly managed group of very savvy hackers who spend all their time doing their best to break every line of code the Google developers write. The goal is to harden the code and thwart the cyber criminals before they can harm the Google user community.
Looking at litigation related to software as part of a product, the courts seem to be taking the same position as the FDA: the product provider bears the majority of the responsibility for assuring that a prudent assessment of risk resulted in reasonable steps to mitigate the potential for misuse. This appears to extend even to Inadvertent Misuse, particularly by children and the elderly.
Risk assessment, Mitigation and Controls are no longer a “nice to have” component of a Quality and Compliance system. Every company needs to assure that they have included prudent Risk Assessment and Controls against the potential misuse of all of their offerings. Extend your thinking about Standard Risk Calculations to include Normal, Out of Process, and Misuse as conditions for Assessment.
- Begin conducting regular design risk management meetings as part of your Product Management Process.
- Make sure you include this mindset in your Test and QA programs and in your assessment of warranty claims and customer feedback.
- Treat your CAPA and complaint process as your early warning system that the users of your product may be exposed to a cyber-threat and potential harm, even inadvertently.
- Take the proper steps to assure your company does not stumble in the race to embrace new technology.
The sizzle of enticing new features is great but make sure your customers don’t choke on the steak.