Risk management in Point of Care - learning from industry standards

A framework for risk assessment of Point of Care Services.

The aim is to provide a robust service and get the right result on the right patient every time. In order to do this we will be looking not only to the international standards in the laboratory, but also to international risk management standards applicable across several industries including pharma, medical device and the aviation industry.

Clinical diagnostic testing is traditionally performed in a laboratory environment with medical scientists trained specifically for the task at hand and a robust quality system in place.

By contrast, POCT devices can be used and operated by multiple users from disparate backgrounds. Each operator's skill level is different and performing diagnostic testing does not have to be the operator's core area of expertise.
In addition, as POCT becomes increasingly decentralised into the community and at-home testing, we must remain cognisant of the quality assurance and governance necessary for the implementation and use of such tests in new and decentralised settings.

Of course, generating diagnostic results in any environment outside of a dedicated laboratory can bring risks. Even within a traditional hospital environment it is necessary to have a governance system in place to bring the testing environment to a level that minimises risk and gets the right result on the right patient. It is no longer acceptable just to react to incidents and complaints; it is imperative that we adopt a pre-emptive and proactive approach to risk.
This gap between a well managed and governed laboratory service and a well managed POCT service in terms of risk can be bridged by having a defined process for assessing, monitoring and mitigating risk.

What is risk management?

Risk management is the process of helping to identify risk or potential risk, analysing the risk and then creating a plan of action to avoid and/or manage the risks. Some risks can't be completely mitigated and in these circumstances it is about deciding the level of risk that is acceptable and achievable.
Therefore, having a procedure for risk management is an essential part of any quality management system and it can contribute considerably to meeting quality objectives if carried out correctly and systematically.
Identifying and mitigating risk in your service is as applicable to one device or test as it is to hundreds of devices or tests.

What are the benefits of having a risk management program in place?

  • Increases patient safety.
  • Optimises practice and process.
  • Reduction of waste in terms of downtime, reworks, replacements.
  • Easier facilitation of review and audit.
  • Transparency across the system/organisation.
  • Provides a starting point for remedial work and continual improvement.
  • Provision of evidence for resource allocation to stakeholders.
  • It can optimise resources towards the high risk endeavours and away from the low risk.
  • Fosters a confident and competent workforce.
  • A confident organisation (less exposure to medico legal cases) and where there is a case you have a paper trail and evidence of a risk management program.
  • Promotes an open culture of reporting incidents and implementing improvement from lessons learned and it's what we do.
  • Providing a gap analysis between where you are now, where you need to go and what you need to do to get there.  
  • Supporting short and long term strategy in terms of procurement, equipment planning, resource planning, IT infrastructure and upgrades.

Which standards can we utilise?

Quality management systems and international standards in essence are devised and implemented to identify and minimise risk in hospitals, manufacturing and industry.

ISO 22870 relating to POCT in particular, points to all the elements we must put in place to optimise accuracy and consistency in obtaining diagnostic results that are utilised for diagnosis, treatment and monitoring of patients.
The new iteration of ISO 22870, due November 2022, will be a more risk-based standard and will be absorbed into ISO 15189.
ISO 22870 relates to POCT in a hospital and/or an ambulatory care setting carried out by a healthcare worker and does not cover at home or community care testing.

Although in medical laboratories we strive to comply with the ISO22870 and ISO15189 for accreditation purposes, it is useful to look to other international standards for reference and guidance on instigation and implementation of risk management strategies.

These standards have been used in the pharmaceutical, medical device, automotive and aerospace industries for years.
ISO 31000 is a family of guidelines which relate to risk and provides principles and general guidelines on managing the risks faced by organisations. It seeks to provide a universally recognised paradigm for practitioners and companies. It first came out in 2009 and was updated in 2018 with more emphasis on the involvement of senior management and the integration of risk management into the organisation. It is a guide to generic risk management across industries.

ISO 31010 was originally one of the 31000 family of standards and provides a practical guidance on the selection and application of techniques for assessing risk in a wide range of situations. It is used to make decisions where there is uncertainty.

Risk per ISO 14971 is defined as the combination of the probability of occurrence of harm and the severity of that harm. ISO 14971 is a nine-part standard which first establishes a framework for risk analysis, evaluation, control, and review, and also specifies a procedure for review and monitoring during production and post-production phases of medical devices. It was developed in the landscape of regulations in relation to medical device manufacturing. It is comforting to know that medical device manufacturers incorporate risk management procedures during the design and production phases and this is weighed against benefit to the patient, operator and patient safety.

You can't talk about risk assessment without talking about ICH (International Council for Harmonisation) Q9 Quality Risk Management. This guideline was developed 16 years ago and was updated in March of this year. It was developed for application in the pharmaceutical manufacturing industry. Quality risk management was developed in the pharmaceutical regulatory landscape, and ISO 14971 for medical device manufacture is heavily based on ICH Q9.


The focus of ICH Q9 is based on two primary principles:

  • The evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient.
  • The level of effort, formality and documentation of the Quality Risk Management process should be commensurate with the level of risk.
Whichever risk management procedure you choose to follow, the basic steps involve:
  • Establishing the context.
  • Risk assessment: Risk Identification, Risk analysis, Risk evaluation.
  • Risk treatment/Mitigation.
  • Calculating residual risk.
  • Audit, review and monitoring.
  • In parallel there is communication, consultation, monitoring and review happening up and down the process and up and down the organisation.
[Figure: Contribution of a risk assessment to the risk management process, ISO 31010]

Earlier I mentioned calculating the risk score or risk rating. In a risk assessment matrix, the likelihood of a risk occurring is multiplied by the severity of injury or harm caused.

The likelihood 1-5 is multiplied by the Impact or consequence 1-5, in order to calculate the current risk score. Steps may be necessary to reduce the risk further and in this case the risk is then recalculated to give the residual risk number. The residual risk number is the risk that is left after all efforts have been made to eliminate the risk.
The risk rating score can give us an indication of whether the risk category is in the low, moderate, high rating.

All recommendations from official guidelines, from industry task forces and from private authors basically follow the same principles for risk assessment.

Identify the risks: What can go wrong?

Analyse the risks: What is the likelihood or probability that something goes wrong and what are the consequences or what is the severity if something goes wrong?

Estimate the risk rating: Likelihood vs. Impact

If the risk is too high develop and implement control steps to reduce or eliminate the risk.

Analyse the residual risk and assess if it is acceptable.


Integrating risk standards and practices into your POCT Quality Management System

Integrating such risk management techniques into risk assessment of POCT services and processes can give us powerful insights into how our processes and services are performing and get us on a good path of compliance to ISO 22870 for accreditation purposes if that is the goal. Or at a minimum it will ensure that you have considered those risks and mitigated them in order to produce consistent accurate results.
A risk management process is an integral part of any quality management system.
To integrate risk assessment into your QMS it is useful to take the techniques from the risk standards and apply them to assess your POCT processes as laid out in ISO 22870.


Pre Analytical

  1. Taking the sample
  2. Labelling the sample
  3. Handling the sample

Analytical

  1. Patient identification input
  2. Analysis
  3. Interpretation of the result
  4. Procedure for acting on abnormal results
Post Analytical

  1. Reporting the results (electronic or manual)
  2. Are users aware of limitations of use and potential errors and hazards
You might ask questions as follows:
  • What is the skill level of the person operating the equipment?
  • Have they had training?
  • Are operators aware of what the results mean and interpretation of the results?
  • Are operators aware of what type of sample is required?
  • What are the environmental factors for an optimal sample?
  • What are the optimal environmental factors for the device and reagents?
  • Are procedures and technical documents written and in place?
  • Are procedures and technical documents complying with the QMS guidelines?
  • Is there traceability of reagents and the patients' results?
  • Is there traceability in the event of failure, injury or defect?
  • Can results be recalled either manually or electronically?
  • Are quality control and quality assurance requirements in place, in compliance and monitored?
This list is not exhaustive.

One way to identify and assess risk is to start at the beginning and work along the process, from taking the sample to reporting the result and anything in between. You will never mitigate all risk, so define what is acceptable and unacceptable risk.

Recording your Risk assessment information

I recommend creating a spreadsheet template and assessing groups of device types together. The spreadsheet headings could include, in order:
  • Context/background and to whom the risks have been escalated
  • Is the risk related to pre analytical, analytical or post analytical phases
  • Description of the risk identified as it stands currently
  • The consequences of the risk
  • Calculation of risk rating
  • Steps required that could be taken to mitigate the risk
  • Calculation of the residual risk rating
  • Timeline for review and monitoring
  • Recommendations overall
  • Stakeholder distribution list
The completed risk assessments can then be stored on your quality management system module for referral, reference, distribution and review.
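The likelihood × impact scoring and the spreadsheet columns described above can be combined into a small risk register. This is an added example, not part of the original article: the band boundaries, the acceptance threshold and the sample entries are assumptions and should be replaced with your organisation's own values.

```python
from dataclasses import dataclass

PHASES = {"pre-analytical", "analytical", "post-analytical"}
# Assumed band boundaries (not from the article); set them to local policy.
BANDS = [(5, "low"), (12, "moderate"), (25, "high")]
ACCEPTABLE_MAX = 5  # assumed: residual scores above this are escalated

def score(likelihood: int, impact: int) -> int:
    """Likelihood (1-5) multiplied by impact (1-5)."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return likelihood * impact

def band(points: int) -> str:
    return next(label for upper, label in BANDS if points <= upper)

@dataclass
class Risk:
    phase: str
    description: str
    current: tuple[int, int]    # (likelihood, impact) as it stands now
    mitigation: str
    residual: tuple[int, int]   # (likelihood, impact) after mitigation

    def row(self) -> dict:
        if self.phase not in PHASES:
            raise ValueError(f"unknown phase: {self.phase}")
        cur, res = score(*self.current), score(*self.residual)
        if res > cur:  # mitigation should never raise the score
            raise ValueError("residual risk exceeds current risk")
        return {"phase": self.phase, "risk": self.description,
                "rating": cur, "rating_band": band(cur),
                "residual": res, "residual_band": band(res),
                "escalate": res > ACCEPTABLE_MAX}

def register(risks: list[Risk]) -> list[dict]:
    """Rows ordered by residual score, highest first, for review."""
    return sorted((r.row() for r in risks),
                  key=lambda r: r["residual"], reverse=True)

# Constructed sample entries for a hypothetical glucose meter group.
SAMPLE = [
    Risk("pre-analytical", "Sample taken from unwashed finger", (4, 3),
         "Operator training and competency sign-off", (2, 3)),
    Risk("analytical", "Patient ID typed manually, wrong patient", (3, 5),
         "Barcode wristband scanning enforced on device", (1, 5)),
    Risk("post-analytical", "Result transcribed by hand into chart", (4, 4),
         "None funded yet", (4, 4)),
]
```

Calling `register(SAMPLE)` puts the unmitigated transcription risk at the top of the review list and marks which residual scores still sit above the assumed acceptance threshold.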

The POCT committee and the quality and risk department should be made aware of all risk assessments carried out. The risk assessments can be disseminated to nursing directors, managers and procurement.
When there is transparency in the system which can be shared, the information can be utilised for strategy, budgeting and resource management.

Having a risk management program implemented for POCT can have many positive benefits. Assessing risk invites you to look at your systems, equipment and processes, and you will gather so much information in the process.
Once you have gathered the information you will have the big picture and the detail. You will have a plan, a strategy, a resource, a solid foundation, confidence, a tool for communication, a positive attitude to risk and mitigation of risk, a clear picture to relate to other stakeholders to increase engagement and bring the organisation along with you. Risk makes you nervous? Not anymore.



Carole Gough is a Senior Medical Scientist with many years of experience working in UK and Ireland medical laboratories in both public and private hospital settings. Extensive study has gained her a Fellowship in Clinical Chemistry, MSc medical device regulatory affairs, HDip in Health services management and a cert in Counselling and Psychotherapy.

Carole is a mentor with the Academy of Clinical Sciences and Laboratory Medicine for medical scientists and young medical science professionals, supporting them in their work journey and facilitating conversations to assist them in achieving their goals and fulfilling their potential. 
Carole is a POCT and Lean thinking enthusiast and has been working in POCT since 2007 in several capacities. She is particularly enthusiastic about the impact POCT and IT interoperability can have for patients, healthcare workers, laboratory workflows, health economics and community healthcare.

She has also worked with several blue chip multinational clinical diagnostic companies in a sales and training capacity for medical devices and healthcare IT, facilitating many implementation and training projects across hospitals.

Carole is founder of 'The POCT consultancy' which aims to facilitate businesses, organisations or community settings in realising their Point of Care Testing goals.

