Surviving Risk Management Audit with Excel: a True Account on Why we Built our own Risk Management Apps on Jira

March 22, 2022

“Ok, let’s follow a few of these risk mitigation actions down to outputs and verification activities,” says the auditor.

A typical question. Anybody who has ever been audited on their risk management process has been here dozens of times.

While I try to bring the attention of the auditor to another topic, I know a few meters away in a control room, my colleagues are scrambling through the endless Excel files, trying to find that bloody risk mitigation action.

Even if you print those gigantic Excel files on an A3, or a plotter, you just can’t read them. They are simply too big. And the page layout function of Excel is not the best.

You start replaying the last weeks prior to the audit in your head – the final push, all hands on deck, everybody rushing, hundreds of requirements, risk mitigation actions, verification protocols, deviations, reports to write, approvers that are offsite or nowhere to be found. It is not because you have been careless; it is just the reality of Every Single Project.

You scroll through your Excel frantically, thinking “Did we miss that one?”

The auditor is getting impatient. It’s the last day, they are already behind schedule, they don’t need another delay.

“So this action..?” the auditor asks again.

“It’s here, it’s just a very large document, it may take a while to find it” and I smile (only on the outside).

The door behind me opens and a colleague whispers in my ear: “6th page, 13th row”

I smile again (this time on the inside, too – well done team!) and I point it out to the auditor and we follow it through to the end, without any damage.

“Great, let’s pick another one…” the auditor continues.

Deep breaths. Deep breaths…

No matter how bulletproof your quality system is, or how many times you and your team have reviewed the risk documents and traceability matrices, you are always worried that there could be one item that was missed by everyone. Someone forgot to transfer it to the requirements, or forgot to trace it, or mixed it up with something that sounded almost the same.

To be completely fair to Mr. Gates, this is not what Excel was designed to do – Excel is a Spreadsheet. Spreadsheets are used to manipulate data. Not to manage risks and traceability.

So, you start looking for a Risk Management tool. Something easy to use, with good traceability features. There are plenty out in the market to pick from – all of them good tools, that tick all the boxes.

CASE 1: A Large Corporation

You (enthusiastically), to your Manager:

“We would really benefit from one of these Risk Management tools. We have so many risk management activities, we could save a lot of time using one. In addition, everything is linked, no danger of losing traceability or mitigation actions. I’ve already tested a few and they look really good.”

Manager (not as enthusiastic): “I see, and how much do they cost?”

You, ready for this question, going through your papers:

“One of them costs a lot but it’s one-off; the other one is cheaper as it is per licence per user. We definitely have the budget for it. And we will save tons of money by automating the risk management activities and improve compliance!”

Manager: “Sure. Do any other divisions / plants use one of these tools?”

You: “No. We all use Excel. But it’s not really what Excel is designed to do, though.”

Manager, a little less enthusiastic:

“Did you check with the other Quality Managers if they are happy with adopting a new tool? It doesn’t make sense that we are the only ones to use it. We will need to create our own procedures for it.”

You: “Yes, I mentioned it to them. They agree in principle, although their approach to risk management is slightly different so we will need to create different environments or templates anyway.”

Manager: “And what about IT?”

You: “They say it’s feasible, they will have to check it for data security, and they have to talk to the other IT departments in the other divisions first.”

Manager: “Does it come validated?”

You: “Well, no. But we will have to validate it ourselves anyway.”

Manager, dismissing the whole conversation with: “Ok, send me all the info, I will discuss it at the next management meeting.”

– Three Months Later –

You (hopefully): “Hello, did you talk about the risk management tools with the other managers?”

Manager: “Yes. We will need a detailed cost/benefit analysis for it. We have to include all costs: IT, validation, training, maintenance. But keep it on the back burner, at the moment we have other priorities.”

You: “Sigh…”

CASE 2: A Small Startup

You (enthusiastically), to your Manager:

“We would really benefit from one of these Risk Management tools. We are relatively new to risk management and we could really save a lot of time using them. In addition, everything is linked, no danger of losing traceability or mitigation actions. I’ve already tested a few and they look really good.”

Manager (not as enthusiastic): “How much?”

You: “One of them costs a lot but it is one-off; the other one is cheaper as it is per licence per user. They will save money by automating the risk management activities and improve compliance.”

Manager (worried): “Wow it’s a lot of money… What are we using now?”

You: “Excel. But it’s not really what it is designed to do. It’s easy to miss things… and we are not really experts, the new tools have nice guidance. And it takes a lot of time to manage risks in Excel.”

Manager (confused): “Yeah, but what’s wrong with Excel? It worked fine until now. We went through the last audit with it.”

You: “Yes, we went through it, but it was a pain. We couldn’t find things, people could not remember how risks were linked to mitigation actions… We actually had a few close calls.”

Manager: “Can we get a free demo?”

You: “Sure, but it’s not the point, after 3 months we are back to Excel.”

Manager: “This will get us through our new product development project. Then we’ll see.”

You: “Well, not sure if it’s worth it then, we will have risk management files in two different systems…”

Manager: “Look, if we get that huge project… If the sales of our new product go well…” (…and countless more ifs…)

You protest: “But this can be a year from now…”

Manager, remaining calm: “It is not critical. If the client, the FDA and the notified body are fine with Excel, so are we. The cost is too high. We have a system that more or less works.”

You try one last time: “But we could have a major problem at our next audit…”

Manager dismisses it and turns to other tasks.


This is the background to why we decided it was time to develop something that ticks the boxes for everyone, including managers:

  1. Affordability – No scary numbers;
  2. Pay-as-you-go license fee – No need for capital requests that require lengthy approval processes;
  3. Integrates with other software tools used in the company, e.g. risk management in Jira;
  4. Embedded guidance – A great tool is useless if you don’t know how to use it;
  5. Fully customisable – Different departments can use the same tool, regardless of which risk management method they use;
  6. Automates traceability, the nightmare for QAs;
  7. IT loves it – Requires no effort from IT being cloud-based, yet reliable and secure.

SoftComply Risk Management apps on Jira

In case you want to learn more about the SoftComply Risk Manager apps on Jira, please read about them in our previous blog posts. You are also welcome to arrange an online demo call with us.  

By Marion on 22 Mar 2022
