The next step in risk management is to evaluate any Residual Risk that remains after the Risk Control measures are implemented. It is important that the risk is identified and assessed properly. According to ISO 14971, “If the residual risk is not judged acceptable using these criteria, further risk control measures shall be applied.”
Your company needs to make sure to weigh the severity of the risk against the probability of it actually occurring – this is somewhat subjective.
Residual Risk is what remains of the original risk after steps have been implemented to eliminate/reduce the risk. This information is to be captured in the risk management file. According to the Medical Device + Diagnostic Industry (www.mddionline.com), “there is a requirement for a manufacturer to look not only at the acceptability of individual risks, but to evaluate whether the combination of all individual risks associated with the device exceeds acceptable levels. Even when all individual risks are considered acceptable, the cumulative effect of those risks may be unacceptable. Even in cases where this overall or aggregate risk exceeds acceptable levels, a risk-benefit analysis may still demonstrate that what might otherwise be considered an unacceptable level of risk is acceptable in light of the benefits provided.”