Management review that isn't a slide show — genuine quality signals

I used to dread management-review season. The folder would arrive with ten slide decks, two long PDFs, and a hopeful calendar invite. Management would attend for 20 minutes, nod politely, and we'd file the slides. Then a notified-body auditor would ask for the "evidence of management decisions being implemented" and the room would go quiet.

Management review is a regulatory requirement (see ISO 13485:2016 clause 5.6 and, for MDR manufacturers, your QMS obligations under Article 10(9)). To be fair, the requirement is short on prescriptive detail — it tells you what to review, not how to show you actually acted. In practice this means the difference between a theatre piece and a living management system. Here is what I use to keep ours in the latter category.

What management review should signal (not merely state)

Think of the review as a control point, not a presentation. A genuine management review gives you these signals:

• Traceable decisions. Every decision links to an action, an owner, and an expected completion date — and you can trace progress in the QMS.
• Evidence of closure. When the review notes a CAPA or change, there is evidence the activity completed and was verified (not "we closed it" on a slide).
• Risk posture updated. Risk files reflect any decisions — e.g. risk control implementation, benefit-risk re-evaluation, or new hazards identified through complaints/field data.
• Resource alignment. If management approved more people or budget, that uplifts the capability and is visible in hiring or supplier contracts.
• Measurable trends. You see controlled KPIs with acceptance thresholds and actions when thresholds are breached.

If you don't have those, it's a slide show.

Practical inputs I demand before the meeting

Auditors and regulators look for documented inputs. My checklist for the pre-read package is deliberately short and standardised:

• Open CAPAs / top 10 CAPA status with root-cause and verification evidence.
• Audit results (internal, supplier, and external) with corrective actions and trend commentary.
• Product performance signals: complaints, vigilance reports, field corrective actions, and high-level trending.
• Post-market activities: PMCF progress, and PSUR/periodic reporting summaries where applicable.
• Supplier performance and critical supplier risks.
• Changes under review: change-control summary with impact assessment.
• Regulatory landscape: new guidance, notified-body findings, or market constraints.
• Resource & training needs, and any unresolved financial constraints.

Package these as data tables, not slides. I want direct links to the records — minutes should point to the CAPA IDs, audit report IDs, and change-control numbers. Connected workflow matters; when CAPA #1234 is discussed, I should be able to open it from the meeting note.

Structure that forces action (what we actually do)

We run a two-part review:

1. Tactical session (monthly, 45–60 minutes)

   • Short, evidence-based: top three risks, top three open CAPAs, supplier hot-spots.
   • Decisions are tactical: reallocate resources, escalate to strategic, approve urgent changes.

2. Strategic management review (quarterly/annual as required)

   • Review trends, product portfolio risk posture, regulatory changes, and the QMS effectiveness measures.
   • Make strategic decisions and approve resource plans.

Both use the same minute template so audit trails are uniform.

Minute template — the non-negotiable fields

A good minute looks like a transaction record:

• Unique meeting ID and date.
• Attendees and their roles (attendance is an auditable control).
• Inputs reviewed (list with links/IDs).
• Decisions made (short sentence).
• Action items: owner, due date, priority, link to CAPA/change ticket if applicable.
• Follow-up verification: who will confirm completion and by when.
• Sign-off by top management.

This gives you automated CAPAs and a controlled assistance feel: decisions turn into assignable, traceable tasks.

Red flags auditors ask for (and what fixes them)

Notified bodies repeatedly ask for three things:

• Where did this decision come from? Fix: link minutes to the input record.
• How do you know it worked? Fix: show verification records and risk-file updates.
• Who is accountable? Fix: assign owners with due dates and follow-up evidence.

If you cannot show traceable links, you will get a finding.

Tech that helps — but don’t outsource judgement

An eQMS with connected workflow lets you mirror actions across modules: link a management-review decision to a Change Control, CAPA, and the affected Technical File document. This reduces transcription errors and improves reviewability.

That said, tools don’t replace judgement. Automated CAPAs or AI-assisted summarisation can help with the pre-read (pulling trends, flagging anomalies), but the human decision about residual risk, business impact, and resource trade-offs stays with management. Use technology for process automation and traceability — don’t let it perform the decision.

Quick list: tangible quality signals to show an auditor

• Signed minutes with links to records and CAPA IDs.
• A closed-loop example: decision → CAPA → verification → change logged in the Technical File and risk file updated.
• Trend charts where thresholds trigger a management action, and evidence the action occurred.
• Resource approvals followed by recruitment/hiring or supplier-contract changes tied to the decision.
• Evidence that PMCF/PSUR outputs influenced decisions.

Final note

If your management reviews feel like theatre, start small: require the pre-read data pack, standardise your minute template, and force one decision into the QMS workflow every meeting. You’ll trade theatrical slides for auditable transactions — and that is exactly what regulators want to see.

How have you turned one management-review finding from a notified body into a permanent process change in your organisation?