Management Review

The periodic, documented review by senior management of the quality system's suitability, adequacy, and effectiveness, with defined inputs and traceable outputs.

Management review is one of the most-checked boxes in the quality system, and one of the most-cited when it's done as a formality.

What management review is

Management review is the periodic, documented review by senior management of the quality management system's suitability, adequacy, and effectiveness. It has defined inputs (data from across the quality system), defined outputs (decisions and actions with owners), and traceable evidence that senior management actually saw the data and authorized the actions.

It's not a status meeting. It's a regulator-required governance activity, present in every major quality framework: ICH Q10 for pharmaceuticals, ISO 13485 for medical devices, 21 CFR §820.20(c) for U.S. devices, EU GMP Chapter 1 for EU GMP. The intent across all of them is the same: senior management has visibility into how the quality system is performing and accountability for keeping it suitable, adequate, and effective.

What distinguishes management review from a regular operational meeting is the formality: predefined inputs that must be reviewed, predefined outputs that must be produced, attendance by people with the authority to act on the outputs, documented record of what was reviewed and decided, and traceable closure of actions through the next review.

Management review is governance, not reporting

If MR is a slide deck presented to senior management who then leave the decisions to QA, that's reporting. If MR is a working session where senior management debates the data, allocates resources, and authorizes changes, that's governance. The regulations require the second.

Why management review is inspected as a governance signal

Inspectors use management review records to evaluate whether the quality system has real senior-management oversight or whether it sits in QA's silo. The MR record is one of the fastest ways to read the culture: who attended, what was reviewed, what was decided, who owns the actions, and whether those actions closed.

Weak MR records reliably correlate with broader quality issues. Programs where MR is a once-a-year formality tend to have other governance gaps: CAPA trends that nobody escalates, supplier issues that don't drive action, regulatory changes that go unaddressed. The MR finding is rarely the only finding in those inspections; it's the leading indicator.

Inspector note: When I review a firm's management review records, I look for three signals. First, do the attendees actually have authority — names from the C-suite or the senior quality role with executive responsibility? Second, are all the required inputs present, or are some routinely missing? Third, are the action items from the last review closed, partially closed, or sitting open? A program that fails any of those signals is doing MR for the binder, not for the system.

What the regulations and standards actually require

Management review is anchored by complementary device, drug, and broader quality-system frameworks:

  • ISO 13485 §5.6 — Management Review: most prescriptive single reference. §5.6.1 (intervals + records), §5.6.2 (12 required inputs), §5.6.3 (required outputs)
  • ISO 9001:2015 §9.3 — Management Review: same intent applied broadly
  • ICH Q10 §3.2.4: pharmaceutical-framed equivalent. Inputs include process performance, product quality, audits, complaints, regulatory commitments, change management, CAPA effectiveness
  • 21 CFR Part 820 — QMSR (effective February 2, 2026): incorporates ISO 13485:2016 by reference, including §5.6 Management Review. Under the former QSR (in force through February 1, 2026), §820.20(c) was the explicit management review clause requiring management with executive responsibility to review the QMS at defined intervals and document the date and results.
  • 21 CFR §211.180(e): quality unit records of evaluation supporting MR evidence base for drugs
  • EU GMP Chapter 1 §1.4(xv): pharmaceutical quality system review; senior management has ultimate responsibility
  • EU GMP Chapter 1 §1.6: senior management review of QMS operation
  • EU GMP Annex 11 §1: senior management responsibility for computerised system risk and validation status
  • EU MDR Annex IX §2.2: post-market QMS surveillance and MR obligations for devices
  • WHO TRS 1019, Annex 3
  • PIC/S PI 054-1 (July 2021): Recommendation on Pharmaceutical Quality System Effectiveness; directly addresses what regulators look for when evaluating PQS performance (the substance of MR)

Required inputs, expected outputs, and the action loop

The required inputs are drawn primarily from ISO 13485 §5.6.2; the required outputs from §5.6.3. Each output should be a specific action with an owner, due date, and effectiveness check. Vague outputs ("continue monitoring") fail inspection. The action loop closes at the next MR: previous review's outputs are an explicit input, and each action is reported as on-track, delayed, or closed with evidence.

  • Customer feedback and complaint handling status and trends
  • Reporting to regulatory authorities (vigilance, MDR submissions, field actions)
  • Audit results — internal, external regulator, certification body, supplier audits
  • Monitoring and measurement of processes — capability, yields, KQIs
  • Monitoring and measurement of product — release, OOS trends, stability
  • Corrective actions — status, effectiveness, recurring root causes
  • Preventive actions — status, effectiveness
  • Follow-up from previous MRs
  • Changes that could affect QMS — organizational, regulatory, technical
  • Recommendations for improvement
  • Applicable new or revised regulatory requirements
  • Risk management activities — register status, residual risks, post-market data
  • Required outputs — decisions on improvements to QMS suitability/adequacy/effectiveness, improvements related to customer/patient requirements, resource needs, changes needed for the QMS

What strong management review programs do

The programs that hold up at inspection share recurring discipline:

  • Defined frequency — annual full + more frequent topic reviews; risk-based
  • Required inputs assembled in advance — templates, owners, pre-meeting prep
  • Senior management present with authority — not quality-team-only with C-suite copied
  • Documented review of every required input — missing inputs are findings
  • Outputs are specific actions — owner, due date, effectiveness check
  • Action register tracked between reviews — continuous, not annual reconstruction
  • Previous-review follow-up is explicit input — each open action reported with status
  • Signed minutes / report — attendance documented, decisions attributed, senior mgmt signature
  • Controlled record per document control SOP — retention per predicate rule
  • Trend visibility — current vs prior, direction not just point-in-time

The 'rubber-stamp' tell

MR minutes that say the same thing every cycle — 'the quality system is operating effectively, no significant issues, continue current practice' — are a tell. Inspectors look for evidence of actual debate: contested decisions, deferred recommendations, resources reallocated, scope changed.

How Complere supports management review

Management review is fundamentally a synthesis exercise. The data lives all over the quality system, and your job is to bring it together, look at it as a leadership team, decide what to do, and prove the decisions actually landed. Complere is built to make that synthesis straightforward instead of a quarterly scramble through inboxes and spreadsheets.

Honest up-front: a dedicated management review surface is on our roadmap, not yet built. What you have today is something practical — the inputs your review needs already live inside the operational records where your team's work happens. CAPA status and trends, audit findings and closure rates, complaint and deviation patterns, risk-register movement, training compliance, document revisions, change-control cycle times. They sit in their native modules with consistent filtering and export, so your team can assemble the review pack without re-keying anything.

The review record itself — the minutes, the report, the decisions, the action register — sits in your document workflow as a controlled record. It's template-driven, routed for approval, signed with meaning, retained per your predicate rule, and carries a per-record audit trail. The senior-management signatures on the record are the same kind of signature your team uses on any other regulated document, so the question "show me the evidence senior management actually authorized this" gets a clean, attributed answer.

When the review produces actions — and a real review always does — those actions live where they belong. Items that need structured corrective or preventive work become CAPAs, with the same owners, due dates, and effectiveness verification the rest of your system runs on. The CAPA records reference the review they came from, and the next review's input pack shows their status. The action loop closes where it should.

What Complere doesn't do is run the review for you. That's deliberate. The discussion, the trade-offs, the resource calls — those are governance decisions that belong to your senior leadership, not to a piece of software. Complere assembles the evidence and keeps the record; the judgement stays with your team. As the dedicated review surface ships, we'll keep this seam invisible to you — but the honest answer today is that the cross-module discipline plus controlled records is what gets you to a defensible review.

Frequently asked questions

Common questions about Management Review sourced from regulatory references and inspection patterns.

How do ISO 13485 §5.6 and ICH Q10 §3.2.4 differ on management review?

Both require a periodic, documented, senior-management review of the quality system's suitability, adequacy, and effectiveness, with defined inputs and traceable outputs. ISO 13485 §5.6 is the more prescriptive of the two — §5.6.2 enumerates twelve required inputs and §5.6.3 specifies required outputs. ICH Q10 §3.2.4 is pharmaceutical-framed and structures the inputs around process performance, product quality, audits, complaints, regulatory commitments, change management, and CAPA effectiveness. Firms operating under both frameworks typically meet ISO's prescriptive requirements, which cover ICH expectations as well.

How often does management review need to happen?

Regulations require 'defined intervals' rather than a fixed frequency. Industry practice for most firms is one full annual review covering all required inputs, supplemented by quarterly or monthly topic-specific reviews on higher-risk areas (CAPA trends, complaint patterns, supplier performance). The cadence should be risk-based and defined in the MR SOP — and the rationale for the cadence should itself be defensible at inspection.

Who is required to attend management review?

Personnel with executive responsibility — senior management who have the authority to allocate resources, change the quality system, and act on the outputs. The QMSR (and the former §820.20(c)) require 'management with executive responsibility.' A review attended only by quality and middle management with the C-suite copied on the minutes is the most-cited governance finding: it indicates reporting, not governance.

What inputs must be reviewed at management review?

Per ISO 13485 §5.6.2: customer feedback and complaint status; regulatory reporting; results of internal and external audits; process monitoring data; product monitoring data (release, OOS, stability); corrective action status and effectiveness; preventive action status and effectiveness; follow-up from previous reviews; changes that could affect the QMS; recommendations for improvement; applicable new or revised regulatory requirements; and risk management activity status. ICH Q10 §3.2.4 carries the equivalent set in pharmaceutical framing.

What outputs must be produced?

Per ISO 13485 §5.6.3: decisions on improvements to QMS suitability, adequacy, and effectiveness; improvements related to customer/patient requirements; resource needs; and any QMS changes required. Each output should be a specific action with an owner, due date, and effectiveness check. Vague outputs ('continue to monitor') are an inspection pattern; specific outputs with traceable closure are not.

What are the most common management review findings?

Incomplete or missing required inputs; action items captured without owners, due dates, or effectiveness verification; the same recommendations recurring without resolution; minutes that read identically year-over-year ('no significant issues, continue current practice'); senior-management attendance not evidenced on the record; and prior-review action items still open at the next review without status.

Does management review need a written report?

Yes. ISO 13485 §5.6.1, EU GMP Chapter 1, and the QMSR (formerly §820.20(c)) all require records of the review to be maintained. The record needs to show what was reviewed, what was decided, who attended (with executive responsibility evidenced), and what actions were assigned. Retention follows the predicate-rule period for QMS records.

How does management review connect to CAPA?

Two directions. As an input, CAPA status and effectiveness trends are required reading at MR — the trend of how many CAPAs are open, ageing, closed effectively, or showing recurring root causes is one of the strongest signals MR receives. As an output, decisions made at MR often become CAPAs themselves — a recurring complaint pattern that warrants systemic action gets routed through CAPA rather than handled inside the MR record. The action loop closes at the next review when those CAPAs are reported as on-track, delayed, or closed with evidence.

Continue Exploring

Explore related topics, modules, and compliance resources for a deeper understanding of your quality system.

  • Internal Audit
  • CAPA
  • Risk Management
