If you observe a non-compliance, who, and which department, is responsible for saying whether it is a compliance risk or not?
Will it be wrong to say every non-compliance is a compliance risk?
The question is quite broad and probably not easily answered in that context, because you can have internal non-compliance by an employee, internal non-compliance from a system, external non-compliance by a supplier/distributor, or external non-compliance from a customer such as a complaint. In simple terms, every instance of non-compliance or meeting compliance carries a risk. This is why ISO 9001 and ISO 13485 speak more about using risk-based thinking or a risk-based approach. In a medical device quality system, generally it would be the ones responsible for quality and/or regulatory who would be involved in compliance risk. In a pharmaceutical company, this would generally be the Qualified Person's responsibility to understand compliance risks with any non-conformity. As an aside, with the EU MDR and EU IVDR published, they introduced a Person Responsible for Regulatory Compliance, which may not be at the level of a Qualified Person, but I think in the European Union the intent is to have individual(s) monitoring compliance for the company.
Richard has provided some valuable insight which I completely agree with. I will just add a little context from my own personal experience: any non-conformance should be reviewed holistically to ensure that the actual situation is completely understood before determining what the risk is. This should really be a coordinated effort between multiple groups (Quality, Regulatory, Operations, Legal, etc.) to ensure that the most reasonable and defensible decision is made.
As for who is responsible, I am not sure I am entirely understanding your question here. If you mean who is responsible for making the final decision, then that is often company-dependent, based on how reporting is coordinated and who has what exact responsibility within the organization. If the question is more about who should report the issue, then I think it depends on whether or not it is an "internal" non-compliance or if it is "external". To me, whoever recognizes the non-compliance is responsible for initiating the internal review of the issue for risk determination and any possible or necessary actions on the part of the company. Then, once the company performs their analysis, it is up to the decision of the company how to manage the next steps and with whom to contact/interact, depending on the severity of the risk, the requirements of the analysis (what happened, where, and caused by whom) and then obviously what the regulations require.
Regulatory Affairs Professionals Society (RAPS), 5635 Fishers Lane, Suite 400, Rockville, Maryland 20852