A few weeks back, I described how to determine the risk level of a proposed change to a regulated IT system. I also talked about how the system risk level (SRL) and change risk level (CRL) work together to determine the level of rigor required to implement a proposed change without disrupting its validated state.
In this week’s post, I’ll explain a bit more about the concept of determining the level of required rigor, which is the final part of our four-part approach to assessing and mitigating risk with regulated systems.
Part Four: Change Risk Mitigation
Mitigating the risk involved in implementing a change can be standardized, just like the process of assessing a system's regulated status, determining its SRL, and determining the CRL of a proposed change to the system. Mitigating the risk of implementing a change involves defining the activities and document deliverables that each CRL requires, and then laying them out in a matrix, similar to this:
Using a predefined matrix like this enables a standardized approach to mitigating risk, so that you do not have to reinvent the wheel for each system or change control. It also makes the approach easier to defend in an audit: each system goes through the same series of assessments and is treated like every other system of the same risk type.
Next time, I’ll sum up the key points from this little series on risk management for regulated systems. In the meantime, here’s The Ultimate Guide to 21 CFR Part 11. Enjoy!