Over the past several weeks, I’ve published a series of posts that talk about how to assess and mitigate risk with your regulated IT systems. The FDA recommends using a risk-based approach to accomplish this feat, and we agree, so we laid out a four-part approach for you:
- Assess a system for its regulated status
- Assign a risk level to the regulated system
- Assess the risk of each proposed change to the regulated system
- Mitigate the risk involved in implementing the change to the regulated system
Each of the items above links to the corresponding earlier post; follow any of them to learn more about that step.
When designing your methodology, remember that standardization is key. This does not mean that all systems should be treated equally. Rather, it means that the processes of categorizing inherent system risk and assessing individual change risk, as well as the level of rigor required per degree of risk, should be standardized so that systems of similar risk are treated the same, and changes of similar risk are mitigated the same.
This kind of standardization not only makes it easier to determine the level of rigor needed to effectively mitigate risk, it makes it easier to defend your approach in an audit.
If you need help designing your methodology, assessing your methodology for gaps, or even performing a mock audit, we would be happy to help. Just drop us a line!