I gave a talk at NERCE about risk management and based on a comment, realized that I failed to explain something properly. So after thinking about it, here it is.
Bad risk management – This could occur either by a manufacturer or a clinical laboratory. As a manufacturer example, assume a glucose meter is being released for sale with remaining known issues. The manufacturer could perform a risk benefit analysis which looks at the risk of releasing the glucose meter with known issues vs. the benefit of having diabetics use glucose meters. This analysis will always favor releasing the product because the lack of knowledge from not using a glucose meter outweighs the risk of harm from erroneous results.
Good risk management – This could also occur either by a manufacturer or a clinical laboratory. As a clinical laboratory example, blood gas results for an operating room must be produced. If the machine fails, patient harm may result. As a control measure, many laboratories have multiple blood gas analyzers. If one has two blood gas analyzers, the risk of a not producing a result is lower because both analyzers must simultaneously fail. Yet, the risk of failure is not zero. One can add a third analyzer and get an even lower risk but again it is still above zero. So at some point, one must accept the failure risk because funds are limited. This risk level is often called ALARP (as low as reasonably practicable).
The reason why the “bad risk management” example is bad is because the risk was not reduced to the ALARP level. Of course, what is practicable will differ depending on resources available, culture, regulations, and so on.