
‘Tiny Tentacles of Risk’: Under FDA’s New QMSR, MedTech Companies Must Embed Risk Management Into Their Culture

March 4, 2025

By Shawn M. Schmitt
Communications Specialist, Enzyme

When the US Food and Drug Administration (FDA) begins auditing MedTech companies under the new Quality Management System Regulation (QMSR) in 2026, the agency’s facility investigators will be looking for more than simply ticking off compliance checkboxes. They will expect companies to demonstrate a culture of quality, where risk management is embedded throughout an organization’s processes and decision-making.

Risk management has always been a priority for the FDA, but under the QMSR – which replaces the longstanding Quality System Regulation (QSR) – the emphasis will be even greater. The QMSR aligns FDA requirements with ISO 13485:2016, an international quality management standard, which itself places significant weight on risk management through references to ISO 14971:2019, the global standard for medical device risk management.

Risk Management as a Cultural Expectation

“The FDA made it clear in its responses to public comments on the QMSR that quality systems are more than just SOPs [standard operating procedures]; they also include behaviors and attitudes,” explained Christie Johnson, co-founder at Prodct Studio and VP of Quality at myBiometry. “This represents a notable shift in emphasis. FDA investigators won’t just be looking at your risk management file; they will expect to see risk management principles integrated across your company’s operations and culture – starting from leadership.”

Johnson pointed to Comment No. 27 in the FDA’s final QMSR rule, noting that the agency “expects medical device manufacturers, led by individuals with executive responsibilities, to embrace a culture of quality as a key component in ensuring the manufacture of safe and effective medical devices.”

The question becomes, what attitudes and behaviors are the FDA referring to, and what do they have to do with risk management? Johnson, in an interview with Enzyme, said a quality culture starts at the top. “Leadership must foster a risk-forward environment where all employees are encouraged to ask each other deep, difficult questions, proactively invite quality and risk perspectives into conversations even when it’s inconvenient, and ensure risk is not an isolated function but instead is an active part of the entire product lifecycle, including development, testing, transfer to manufacturing, commercialization, and post-commercialization.”

A key aspect of this shift is ensuring that the risk management file is not a static document, but instead is a living, evolving resource that informs decision-making across the device lifecycle and is readily accessible for frequent referencing and updates.

One strategy Johnson suggests is taking executive and technical teams out of the boardroom – perhaps for a walk or hike – to clear their heads and identify barriers to building a strong risk-embracing culture. “When you remove people from their usual setting, you often get more honest conversations about what’s really preventing quality and risk management from being embedded in the organization,” she said. “Employees at all levels need to feel safe to raise concerns about risk or quality without fear of repercussions. Recognizing and embracing employees’ worries can often uncover risks that would otherwise be missed.”

Beyond Regulatory Audits

Despite the FDA’s strong focus on quality culture, Johnson clarifies that its absence is unlikely to appear as an explicit inspection finding. “You’re unlikely to see an FDA-483 observation stating that a company lacks a quality culture,” she said. “However, fostering a strong quality culture builds a sense of confidence with investigators, and if a company is lacking in quality culture, there are likely other opportunities to improve compliance, too.”

One tangible way to demonstrate this commitment is through executive engagement in risk management during risk reviews and in document approvals. “Executives – whether it’s the CEO, CTO, or R&D leaders depending on the organization – should be engaged in risk-related conversations and actively reviewing and approving risk management artifacts, with involvement from a Chief Medical Officer or another respected clinician,” Johnson said.

Moreover, Johnson warns that a lack of cross-functional involvement in risk management can raise red flags. “If an FDA investigator sees that only one person’s name appears on all the documents within the risk management file, they might raise an eyebrow and wonder if your whole team actually engages in having a culture of quality – or is this something your quality person does in a silo?” Johnson said, noting that a true quality culture requires collaboration across teams, from engineering to customer support.

Develop Cross-Functional Quality Culture Team

The bottom line? Improving your quality culture now will go a long way toward keeping your team focused on safety and effectiveness, and that focus will be reflected in compliance once the QMSR takes effect.

Ultimately, Johnson emphasizes that risk permeates every aspect of a company’s operations. “ISO 13485 references risk several dozen times throughout, and there are components of risk management that need to be included in almost every aspect of a manufacturer’s Quality Management System, including design and development, testing, transfer to manufacturing, manufacturing processes and tools, supplier activities, CAPA [corrective and preventive actions], complaint handling, nonconforming product, and more,” she said. “There are little, tiny tentacles of risk in each of these facets of the company, each of which is guided and governed by an SOP.”

By proactively embedding risk management into every stage of the product lifecycle, companies can build a more resilient, compliant, and high-performing quality system. This integration of risk-based thinking ultimately safeguards patient safety, which is the true goal of a strong quality culture.