How To Identify, Quantify and Manage Enterprise Risks for Medical Device Companies with Mike Cremeans

November 25, 2015

podcast_michael cremeans

In episode #9 of the Global Medical Device Podcast we’re joined by Mike Cremeans. Mike is the Vice President in the Healthcare and Life Sciences practice at Willis (the third best insurance broker in the world). His main function is that of a risk strategist, for FDA regulated organizations worldwide.

Mike’s passion is helping leaders of highly regulated organizations to identify and navigate risks so they can focus on strategically growing their businesses. He has some great stories stacked up from all his years in the field, and he was more than happy to share a great deal of it with us, along with some key pieces of knowledge, as well.

In this episode Mike shares with listeners his top two pieces of advice for a company that’s pursuing bringing a product to market, but isn’t currently engaged in some kind of enterprise risk activity.

 

LISTEN NOW:

 

Like this episode? Subscribe today on iTunes or Spotify.

 

Some highlights of this episode include:

  • An overview of Mike’s role at Willis and what they do for medical device companies

  • How he helps people identify, quantify and manage their risks

  • The horror story of a company that didn’t engage in risk management

  • ISOs you should be checking out and their predecessors

  • Striving to always put out an amazing product

  • The importance of a disaster plan

  • “Common risk language"

 

Memorable episode quote:

The principals involved with product risk management are similar or maybe even the same principles that you’re employing from an enterprise risk management.” – Jon Speer


 

Transcription: 

Narrator:

Welcome to the Global Medical Device Podcast, where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.

 

Jon Speer:

Hello. This is Jon Speer, the founder and VP of quality and regulatory at Greenlight Guru. Hey, we're having a good time over here, recording all kinds of podcasts with some wonderful guests. Today, we've got another really great guest on our show, The Global Medical Device podcast. We've Mike Cremeans. Mike is with Willis, and you know we've talked a lot about this topic of risk management, and what it means. Most of our conversations to date have been focused on the product side of things and complying with 14971. In today's episode, Mike brings a slightly different perspective or angle on risk.

 

 

As a teaser, and you know we all know, or should know anyway, that ISO 13485 is going to be released. The new revision of that is going to be released in 2016, and that new version is going to incorporate this thing called risk-based QMS. Well, when we talk with Mike today, we're going to learn a little bit about another type of risk management, and that is enterprise risk management. So it's really starting to meld 14971 risk management and 13485 risk based QMS, and then looking at the entire organization from a holistics point of view. So if you're a med device company that's bringing product to market, you need to listen to what Mike has to say on this episode of The Global Medical Device podcast.

 

 

Hello, this is Jon Speer, the founder and VP of Quality and Regulatory at Greenlight Guru and welcome to another exciting episode of the Global Medical Device podcast. Today, I have Mike Cremeans with me. Mike is with Willis, and let me tell you a little bit about Mike. Mike is the Vice President in the Healthcare and Life Sciences practice at Willis, and his main function is that of a risk strategist for FDA regulated organizations worldwide. Mike is passionate about enabling leaders of highly-regulated organizations identify and navigate risks, so they can focus on strategically growing their business. He believes long term relationships are earned through trust and hard work. His primary role is to understand the needs of his clients and help them navigate their risk with confidence. As a risk strategist, Michael (Mike) has the unique ability to simplify and translate complicated situations into understandable concepts with practical solutions. Mike, welcome to the Global Medical Device podcast.

 

Mike Cremeans:

John, I'm thrilled to be here. Thanks for allowing me to spend some time with you. I'm looking forward to the discussion.

 

Jon Speer:

Great. So obviously I read a little bit about you and I know there's a whole lot more. I'm sure as we talk here in the next little bit, that we're going to all discover a little bit more about you as well as Willis. But if you would, give us a little bit of an overview of your role and what Willis does for med device companies.

 

Mike Cremeans:

Absolutely. You know, John, if I'm at a cocktail party and someone asks me what do I do for a living, I usually hesitate to say I'm an insurance broker, because that person is immediately reminded of the root canal appointment that they forgot about. Insurance is not necessarily something that people like to talk about. So what I've done for the last 20 years, John, is I have been helping my medical device clients achieve their goals by helping them identify, quantify, and manage their risks. It's really not an insurance discussion at all. I guess you could say that I'm essentially there to try to keep them out of trouble.

 

 

Willis is a very large insurance broker. I think today we are rated as the number three insurance broker in the world. We are about to merge with a rather substantial organization in its own called Towers-Watson. So after January, it looks as though our two combined organizations will have in excess of 36,000 employees. One of the specialties of Willis is on the medical device, and even a bigger category, the FDA-regulated businesses, where we provide insurance and risk management. So that's Willis, and for me again, John I've had the pleasure of doing just medical device work and working for these folks in the insurance and risk management area for about 20 years.

 

Jon Speer:

Very good. You know, in preparation for today's discussion, I read a little bit about Willis, and I appreciate you sharing those insights. One of the things that I found really interesting is, Willis can tie its origin back to, I think it was 1828.

 

Mike Cremeans:

It's pretty remarkable. The organization is just huge, and one of the things I found working here is there's some incredibly bright people. They've got a tremendous amount of history, obviously going back to the 1800's, but when you really get down to it, it's the people that are making the difference, and John I'm very fortunate. I hang around with some really, really bright folks.

 

Jon Speer:

It's good to be passionate and enjoy what you do. I've been fortunate throughout my career, as well. All right, so my audience is used to hearing me talk about risk management, and usually when I'm talking about risk management, I'm talking about things like ISO 14971 and I guess more from a product standpoint, identifying hazards and estimating the probability of occurrence of harm and the severity of harm and all those sorts of things, but this is not the kind of risk management that you deal with. Am I correct?

 

Mike Cremeans:

Actually, conceptually John, it's the same thing, however the way I would describe my work is more of an enterprise risk management. So what we do with our risk assessments is we start really at a very, very high level. We engage several different departments within an organization. It'll be the CEO, the financial piece, sales and marketing, regulatory, operations. So what we're doing is starting at a very, very high level in assessing overall risk, but as it turns out, John, you and I actually approach risk in the same way.

 

 

We're still getting in and talking to our customers about what could put them out of business, what are some of the things that they should be thinking about specifically to help their business, and so our approaches are similar, but what I do is start at a very, very high level and help them assess overall risk. And certainly what you do, John, in your particular area, and things that impact my customers directly are the managing of the medical device development and the risk associated with it.

 

Jon Speer:

Right. So that's a good summary. And I guess if I could take home one key message there is that, the principles involved with product risk management are similar or maybe even the same principles that you're employing from an enterprise risk management.

 

Mike Cremeans:

It's absolutely spot on, John. Actually our approaches are strikingly similar.

 

Jon Speer:

Right.

 

Mike Cremeans:

It's interesting, John. You and I essentially met on Twitter, where we started tweeting about some of the same things.

 

Jon Speer:

Yeah.

 

Mike Cremeans:

But they're very, very similar, our approaches.

 

Jon Speer:

Right. And so in your business, I mean, you've been doing this you said over 20 years now, and obviously the ISO 14971 standard hasn't been around quite that long. I mean, there are some of its predecessor standards that started to creep in to I guess our lexicon and practices back in the mid to late '90s. So has ISO 14971 and its prevalence, has that been a good thing? Has it been a challenging thing? Do you find that you have to explain your role in the risk management continuum often? Can you talk a little bit about some of those things?

 

Mike Cremeans:

Yeah. As far as the ISO subject matter, John, there's no question in my mind that anything that helps companies with process, with procedures, with rules, with regulations ... I mean look, our customers are in a very highly-regulated business. If we don't spend time with the details, if we don't dig in to things that could not only hurt our potential customers, meaning if we're a medical device company, we don't want to put a bad product out there. That's not our intent.

 

 

We want to make sure that we're putting a fantastic product out on the table and that we've tried to manage those risks. So I think that, in this particular case, the ISO processes and procedures, any new rules that come out, the guidance documents that the FDA produces, these are all really fantastic ways for companies to understand. You know, they've got to have a road map. They have to understand what it's going to take to actually produce a safe product, and obviously to make their company successful.

 

Jon Speer:

Yeah, that's well said. Alright, so here in a moment, I want you to think about this now but, here in a moment I'm going to ask you about some horror stories, or maybe some disasters. So that'll be a little bit of an intrigue frame for our audience.

 

Mike Cremeans:

Absolutely.

 

Jon Speer:

In the meantime, I mean, the topic of risk seems to be all over the place right now. Certainly in the FDA and other regulatory bodies, so much so that the next version of the ISO 13485, the quality management system standard that is due for actually a revision, and that's anticipated to go live sometime early 2016. The big buzz about that new revision of 13485 is this concept of risk-based quality system. So it's clear that this topic is front and center. It's clear that this is something that organizations need to be considering, not only from a product standpoint, but also from an enterprise standpoint.

 

Mike Cremeans:

No question, John. If I may, when we start with these assessments, what we're really trying to do is get a common risk language. If you think about it, even though in your company's efforts and the real work that you do, you still have to communicate. You still have to be able to take what the operations people, what the regulatory people, the compliance folks are doing, and you have to translate that into something that the salespeople are going to understand. The finance, the CEO, and then certainly the board of directors wants to understand why they have to make an investment in these kinds of things.

 

 

So again, getting back to that enterprise risk management, what we're trying to do is create a risk language so that everyone can appreciate and understand. I mean John, salespeople speak different language than finance. Go figure. Engineers talk differently than marketing people. So it's important to engage all the facets of the company and get them together and try to come up with this common risk language. I think it's something that's essential when you look at the big picture enterprise risk of these companies.

 

 

If I could also add, John, and we'll get into a couple of specific horror stories, it really is fascinating to me that, no matter how many of these assessments I do, every single one is different. Companies are going to view risk in a totally different manner. Perhaps you find that as well, even though it is supposed to be in a "very structured environment" right? You've got these guidance documents.

 

Jon Speer:

Right.

 

Mike Cremeans:

Rules are rules, and there shouldn't be room for interpretation, but in fact, there really is room for interpretation. I just find it fascinating that every time I do these, the final assessment comes out different in every case.

 

Jon Speer:

So do you find that the final assessment coming up different, do you think it has more to do with your customers expectations of what risk is, or do you think it's more about what their appetite for risk is?

 

Mike Cremeans:

I think it's probably both of those things. I think, in addition to that John, what you're going to find is it's the board and how culture and ideas and doing the right thing, what that means at the top. What it means at the board level, the CEO that you've chosen, the managers that the CEO has chosen. So there's a risk culture that gets developed, hopefully at a very high level that will flow right on down through the company. And I think that it also has to do with the amount of years that the company has been in business. How mature it is. And then, certainly, if you've got ... I mean, I've got two examples here in front of me. I've got an implant manufacturer that just raised $75 million in the last three years. They're viewing risk in a certain way. And then I've got a company that I just did an assessment for that's been around for 15 years, and they have a totally different focus.

 

 

I'll tell you, John, the ones, and I hope you agree with me, but the companies that I absolutely love doing business with are the ones that want to do it the right way. They want to make sure that they're putting the best possible product out there, which is going to result in, obviously higher valuations if these companies want to sell, but you're going to find that there's a risk culture that really creates a great environment for not only a satisfied employee, but a fantastic work product and a product that's getting out to the marketplace.

 

Jon Speer:

All right, so a couple of rapid-fire questions, here. When and how should a med device or FDA-regulated company, when in their life cycle should they engage you and Willis?

 

Mike Cremeans:

I think that there are varying levels of engagement. Just at a very, very high level, it seems to me that you should be integrating risk planning into your strategic plans. If you've got a private placement memorandum, if you have a company, frankly John, that's even just formed, it's very easy for me to give people a couple of ideas very, very quickly and at a very high level, with not a lot of detail as to some of the things that they should anticipate and be worried about.

 

 

I think the most effective risk assessments come in when you've probably just achieved FDA approval and now you have to produce a product. Now you've got to create your supply chain. You have to create your distribution force. You have to create the products. You're managing your contract manufacturers. You're out looking at different hospitals to do business with. You're faced with group purchasing organization contracts. You're expanding on an international basis. So you may have great people, but you can really determine pretty quickly whether or not your company is scalable, whether or not what you've created can actually grow into something really big. That seems to me to be the perfect time to really do a little bit of a deeper dive and start to invest into the enterprise risk management strategy.

 

 

You know John, frankly Willis is a very large organization. We've done risk assessments for companies that are into the billions in sales. Those are the kinds of risk assessments that take one, two, three, five, ten days of actually digging in and putting a pretty substantial work product on the table. For me, in my particular position focused on the medical device companies that I have, it's probably what I described. It's when you get FDA approval or a couple of products and you're really trying to scale this baby into something big.

 

Jon Speer:

Okay. So I guess to summarize that, even if I'm a small or a startup med device company trying to bring a product to market, enterprise risk is still important to what I'm doing, and it's still something that they should potentially pick up the phone and call Mike.

 

Mike Cremeans:

Well John, I really believe that you should, because think about it. You're out raising money, right? And the more sophisticated buyers, the VCs and the private equity companies that have been in this space for a very long time that you want to get money from, you want their intellectual capital on your board, if you can show them that you've actually gone through a risk assessment, that you've actually anticipated some of the challenges that the company may run into, that you've already anticipated where the risks might be and you have budgeted for them and hopefully you're not going to have as many surprises as the average company, I think you're putting yourself in a much better position to get more money, and you're putting yourself in a much better position to be successful.

 

Jon Speer:

Okay. So now, give me and our audience the top two things that a company who is pursuing bringing a product to market and has not currently engaged in some sort of enterprise risk management activities, what are the top two pieces of advice that you would give those companies.

 

Mike Cremeans:

Well, the top two pieces, I would say the first one is manage your current investor expectations. That's something that I've heard many, many times from my customers. It's making sure that when you're putting something into a document where you're explaining to your investors or your board where you're headed, what your plans are, what you're up to, and how you're going to spend their money the most effectively. I think you have to be in a position to be able to remove communication risk between what you plan to do and how you're going to use the investor's money. Because John, I don't know if you share this opinion, I would say that most of your customers are also backed by venture capital or some type of an investment. Is that accurate?

 

Jon Speer:

I mean, it's definitely accurate. Just about every company that we work with at Greenlight Guru has a set of investors, whether it's institutional money or friends and family, there are investors.

 

Mike Cremeans:

Absolutely. The number two, and it's interesting, if I do a top 10 and I just look at the last 10 assessments that I did, almost half of the concerns with companies have to do with the management of human capital risk. It's educating people on the value system, talent acquisition, loss of key employees, loss of reputation. How do we attain, how do we attract, how do we maintain talent? I think that's a huge risk for people. I mean, the good news when you grow, is you have to hire employees. The bad news when you grow is you have to hire employees.

 

Jon Speer:

Right.

 

Mike Cremeans:

It creates risk for you.

 

Jon Speer:

Right. Okay, so we promised to share a couple of disaster or horror stories, so I guess without naming, obviously, the guilty or specifically citing a person or a company, share one of the horror stories that might resonate with the audience of maybe a company that didn't engage in enterprise risk management or did it poorly or what have you.

 

Mike Cremeans:

Well, the holy grail of "Boy my day just turned into something really bad" is the FDA showing up at your door and then subsequently, let's just say either a consent decree or where the FDA has threatened to shut you down. In one specific case, we had a situation where there was a company that was threatened with a consent decree, and basically what happened is, it arose specifically out of the idea that you had the corporation who had a set of rules, regulations, they had processes, procedures set up, they brought on an acquisition, and the acquisition happened to have different processes, different procedures, and what happened is unfortunately the acquisition's processes and procedures unfortunately caused some pretty serious injury to some of their customers.

 

 

In that particular case, that's what prompted the FDA to come in. In this particular case, the FDA basically cited them eventually. I'm shortening this story. They said, "Look, you acquired this company who had certain rules and regulations that didn't even follow your own rules and regulations." So John, there was a lack of integration between what the parent company said was supposed to be the rules compared to what the acquisition or that division, what rules and regulations they followed. The FDA hammered them, and that was just something that, if there would have been a little more time spent on those common processes, making sure that when you bring on an acquisition, that their culture is exactly what yours is at the home office, that all of the rules and processes are followed in the way that the home office wants it, that's going to go a long way to preventing, obviously some serious injury that happened to people, but I think the FDA would have been a little more lenient on them if they would have had some consistency.

 

 

So that's one of the first major ones. The next one is, unfortunately the lack of a disaster plan and a lack of someone putting some time into how much cash they would have needed in the event of a fire. John, you and I are probably, I doubt that you have had to live through a fire, but it is absolutely devastating to a business, where you go home one night, and all of the sudden, in the middle of the night you get a call at 3:00 that said, "Hey, your building's on fire." In this particular case, what we had was a situation where a plant completely burnt to the ground, and what happened for this particular client is, even though we went through the process of going through and me pushing like crazy some type of a business interruption and also a disaster recovery program, they didn't put the time in previously that they should have.

 

 

And unfortunately, when their plant burned to the ground, they realized a little too late that a little bit of prevention and perhaps a little bit more of an investment in what they would have done in the event of a fire, would have put them in a much better position. I think the good news is that they survived. The challenging news is that it took them probably four to five years longer than it should have, to actually get back to where they should have been if the loss hadn't happened. So it was that lack of a disaster recovery plan that really put them behind.

 

 

So those are just a couple of horror stories.

 

Jon Speer:

Yeah, and I'm sure you have plenty more, but-

 

Mike Cremeans:

Well, I'm in the disaster business John.

 

Jon Speer:

Well I guess a better way to say it is, you and I both are both in a, hopefully, disaster prevention business actually.

 

Mike Cremeans:

Well, there's no question about that. I mean, I'm a disaster guy. When it really gets down to it, I'm there to try to keep people out of trouble. Try to help them identify some of the ship sinkers, and we're talking about events that, if not recognized and not planned for and where if you don't put thought in to it, it's the absence of thought in here, you can get yourself in to some pretty big trouble, and it's the future of the company that's at stake.

 

Jon Speer:

Well Mike, I appreciate the opportunity to speak with you a little bit today. I mean, you have shared a lot about why any of our listeners should be thinking about enterprise risk management. I mean, the reality is, if you're going to bring a product to market, this is a very real topic. You need to obviously consider 14971 and product risk management, but you also need to think about your investors and having risk mitigation strategies for your entire enterprise.

 

Mike Cremeans:

No question, John. And it's hitting it right on the head.

 

Jon Speer:

Yeah, and so you can learn a lot more about Mike Cremeans and Willis, if you go to Willis.com. You can look up Mike Cremeans, his last name's spelled C-R-E-M-E-A-N-S. And Mike, best place to find you is probably LinkedIn?

 

Mike Cremeans:

LinkedIn is a great place. Just search for Mike or Michael Cremeans, at Willis. You'll find me there. You can also follow me on Twitter, @Willislifesci, @W-I-L-L-I-S-L-I-F-E-S-C-I. I should be out on the internet, for a Google search rather easily. I've had the great fortune, John, of being in this business for a long time, and I think you'll find me, that I was a speaker at several events, and I'm sure you'll be able to connect with me that way.

 

Jon Speer:

All right, so reach out to Mike if you have any questions about enterprise risk management and what you need to do, at your med device company. Again, this has been Jon Speer, the founder and VP of Quality and Regulatory at Greenlight Guru. Greenlight Guru, we have a software platform that helps you manage your entire quality management system, including your design, history file and all your design controls, as well as that product risk management information that we've talked a little bit about today. If it's important for you to follow 14971, and here's a hint. If you're a med device company, it's important for you to follow 14971. You need to give me a call. And you can look up our company at Greenlight Guru. Yes, that is the domain name. So until next time, this has been Jon Speer, for the Global Medical Device podcast.

 

About The Global Medical Device Podcast:
medical_device_podcast

The Global Medical Device Podcast powered by Greenlight Guru is where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.

Like this episode? Subscribe today on iTunes or Spotify.

Quality Management Software

Nick Tippmann is an experienced marketing professional lauded by colleagues, peers, and medical device professionals alike for his strategic contributions to Greenlight Guru from the time of the company’s inception. Previous to Greenlight Guru, he co-founded and led a media and event production company that was later...

Search Results for:
    Load More Results