Recommendation 6-1: FDA should use enterprise risk management¹ to inform its inspection, training, regulatory cooperation, and surveillance efforts. Enterprise risk management should apply to the agency’s entire operation, and it should incorporate a number of set criteria such as country of manufacture or production, volume and type of product, facility inspection history, and trends or data shared from other regulatory authorities.
The FDA’s implementation of an enterprise risk management system will be the best measure of this recommendation. The FDA’s allocation of resources in a way that reflects decisions grounded in enterprise risk management will also be a measure of this recommendation. The FDA will also have to select which statistics best measure the impact of its inspections, trainings, and surveillance efforts. Choosing which metrics to monitor most closely will be part of the assessment. The timetable on which the FDA collects these data is up to the agency’s management, but collection should be frequent: perhaps every quarter, and at least every 6 months.
Should the results of an enterprise risk management analysis suggest full reorganization of the FDA, such a process would take time. In order to work toward this change promptly, the FDA needs to conduct enterprise-wide risk assessment, analysis, and evaluation. If its results suggest an inefficient or unscientific allocation of resources in the agency’s current operations, as one expects they will, then the FDA will need, at that time, to lobby Congress for permission to revise its operations.
The agency has more freedom in running its capacity building programs. Therefore, an enterprise risk management assessment, analysis, and evaluation can be used to reorganize international programs in the next 3 to 5 years.
Enterprise-wide Risk Management
Multinational food and medical product companies have been using enterprise risk management for some time (see Box 6-1). Even the most profitable business cannot afford to monitor every transaction on its supply chain with the same diligence. Instead, multinational companies develop a hierarchy of risk and devote resources to the highest risks in the hierarchy. These companies may have a broader data set to inform their estimates than the FDA would have. Nevertheless, the FDA has to work with the
¹ Enterprise risk management is a discipline by which an organization “assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders” (Casualty Actuarial Society-Enterprise Risk Management Committee, 2003, p. 8).