---
title: MDR Management Responsibility: What the CEO/Founder Must Own (Using ISO 13485)
description: Top management under MDR is accountable for the QMS. Here is what the CEO or founder must personally own, using EN ISO 13485 clause 5 as the framework.
authors: Tibor Zechmeister, Felix Lenhard
category: Quality Management Under MDR
primary_keyword: MDR management responsibility
canonical_url: https://zechmeister-solutions.com/en/blog/management-responsibility-mdr
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# MDR Management Responsibility: What the CEO/Founder Must Own (Using ISO 13485)

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Under MDR Article 10(9), "responsibility of the management" is one of the named aspects every manufacturer's quality management system must address. The legal accountability for the QMS sits with top management — in a startup, that means the CEO or the founder. EN ISO 13485:2016+A11:2021 clause 5 (Management Responsibility) is the harmonised standard's tool for meeting that obligation, covering management commitment, customer focus, the quality policy, planning and quality objectives, responsibility and authority, the management representative, internal communication, and management review. The CEO or founder cannot delegate the accountability. They can delegate the execution, but the signature, the decisions, and the answers to the Notified Body auditor remain with them.**

**By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.**

---

## TL;DR

- MDR Article 10(9) lists "responsibility of the management" as a mandatory QMS aspect. It is not optional and it is not delegable upward to a consultant.
- In a startup, top management is the CEO or the founder — whoever actually decides where the money and the people go. That person owns the QMS.
- EN ISO 13485:2016+A11:2021 clause 5 operationalises management responsibility through the quality policy, measurable quality objectives, defined responsibilities, a management representative, internal communication, and periodic management review.
- The quality policy is a one-page document signed by top management. The Notified Body will ask to see it, ask who wrote it, and ask whether the organisation can recite its core commitments.
- Management review is the forum where top management looks at the real QMS data — audit results, CAPA, complaints, PMS, supplier performance — and takes decisions. Skipping it is a standard non-conformity.
- MDR Article 15 (PRRC) is separate from, and additional to, management responsibility. The PRRC is a specific named individual with defined qualifications. Top management's accountability does not move to the PRRC.

---

## The morning the CEO did not show up

A Vienna startup, twelve people, preparing for its first Notified Body audit under the Annex IX route. The QA manager had built a real QMS around the actual operations — the kind we described in the pillar post on what a medical device QMS is. The documentation was honest. The procedures matched the work. The records were current.

The opening meeting of the audit was scheduled for 9:00. At 8:55 the auditor asked who from top management would be in the room. The founder was not there. The COO was not there. The CTO was dialling in from a customer meeting for the first ten minutes only. The QA manager walked in alone.

The auditor closed her laptop and waited. Twenty minutes later the founder arrived, apologising about a fundraising call. The auditor opened the meeting with a question that did not appear on the agenda: "Who in this company is accountable for the quality management system?" The founder pointed at the QA manager. The auditor wrote a note. The audit proceeded, but the note became a finding by the end of the week. The finding was not about any procedure, any record, any technical matter. It was about management responsibility — specifically, that top management had demonstrated, in the opening minutes of the audit, that the QMS was somebody else's problem.

This is what management responsibility looks like in practice. Not the quality policy on the wall. Not the organisation chart. Who walks into the room on audit day. Who answers the auditor's first question. Who the organisation believes owns the system.

## Why top-management commitment is legally required

MDR Article 10(9) lists the aspects every manufacturer's QMS must cover at a minimum. Among the thirteen items in that list, one is named simply "responsibility of the management." (Regulation (EU) 2017/745, Article 10, paragraph 9.) The Regulation does not spell out the detail of what that means. It names the obligation and leaves the operationalisation to the harmonised standard and to the manufacturer's own judgment.

Two points follow from the wording.

First, "responsibility of the management" is not the same as "a person named in the QMS who handles quality." It is the management of the organisation accepting legal accountability for the QMS. In a startup, management is the CEO or founder. There is no escape hatch where accountability flows sideways to a QA manager, a consultant, or the PRRC. The PRRC has their own distinct obligations under MDR Article 15 — we will come back to this — but the PRRC role does not absorb top-management accountability for the QMS as a whole.

Second, the obligation is active. Article 10(9) uses verbs — establish, document, implement, maintain, keep up to date, continually improve — and all six of them attach to the manufacturer. Top management is the layer of the manufacturer that actually has the authority to allocate resources, set priorities, and hire or fire the people running the processes. When the Notified Body checks whether those verbs are being honoured, they check at the management layer first.

This is why management responsibility is the aspect of the QMS the auditor tests at the start of the audit, not the end. If top management is not genuinely engaged, every other process downstream is compromised, because the authority to run those processes flows from management. A QMS with a hollow management layer is a house with no foundation.

## EN ISO 13485:2016+A11:2021 clause 5 — the tool

The harmonised standard operationalises management responsibility in clause 5. The MDR is the law. Clause 5 is how a manufacturer meets the law efficiently. Clause 5 is structured into the following sub-clauses:

- **5.1 Management commitment** — top management shall provide evidence of its commitment to the development and implementation of the QMS and to maintaining its effectiveness.
- **5.2 Customer focus** — top management shall ensure that customer requirements and applicable regulatory requirements are determined and met.
- **5.3 Quality policy** — top management shall establish a documented quality policy that is appropriate to the purpose of the organisation, includes a commitment to comply with requirements and to maintain the effectiveness of the QMS, provides a framework for quality objectives, is communicated and understood, and is reviewed for continuing suitability.
- **5.4 Planning** — quality objectives at relevant functions and levels, including those needed to meet applicable regulatory requirements; planning of the QMS so that it meets clause 4.1 and the objectives.
- **5.5 Responsibility, authority and communication** — responsibilities and authorities are defined, documented, and communicated; a management representative is appointed from the organisation's own management; internal communication is established.
- **5.6 Management review** — the QMS is reviewed at planned intervals to ensure its continuing suitability, adequacy, and effectiveness, with defined inputs and documented outputs.

Each of these sub-clauses maps to the Article 10(9) obligation of "responsibility of the management." Following clause 5 correctly gives presumption of conformity with that part of the MDR under Article 8. Skipping any sub-clause creates a gap that the Notified Body will find.

The common mistake is to treat clause 5 as a paperwork exercise — write a quality policy, draft an org chart, put the QA manager's name next to "management representative," and declare clause 5 complete. The standard is more demanding than that. Clause 5 asks for evidence that top management is actually committed, actually reviewing, actually deciding, actually communicating. Documents are the trace, not the substance.

## Quality policy and quality objectives

The quality policy is a short document — ideally one page — signed by top management. It states what the organisation is committed to: compliance with the MDR, effectiveness of the QMS, safety and performance of the devices, continual improvement. It is written in the organisation's own voice. Template quality policies that could belong to any MedTech company are a red flag for auditors, because they signal that the document was copied rather than thought through.

The quality policy is then translated into measurable quality objectives. Clause 5.4 requires quality objectives at relevant functions and levels, and the objectives must be measurable and consistent with the quality policy. For a startup, this does not mean dozens of objectives. It means a handful of objectives that actually matter — on-time CAPA closure, design review completion, complaint response time, PMS data completeness — and that top management tracks at management review.

A quality policy nobody in the company can recite is not a quality policy. A set of quality objectives that has not been reviewed in the last six months is not a set of quality objectives. Both failure modes are common, both are easy to check, and both are standard findings.

## Management review as the CEO forum

Clause 5.6 requires top management to review the QMS at planned intervals. The inputs to the review are specified: results of audits, customer feedback and complaints, process performance and product conformity, status of CAPA, follow-up from previous management reviews, changes that could affect the QMS, recommendations for improvement, applicable new or revised regulatory requirements, the handling of complaints, PMS data, supplier performance, and monitoring and measurement results. The outputs are decisions and actions related to improvement of the QMS, improvement of product related to customer and regulatory requirements, and resource needs.

In a startup, management review is frequently treated as a ceremonial meeting where the QA manager presents slides to a disengaged founder. That is the failure mode. The correct pattern is the opposite: the founder or CEO arrives prepared, reads the pre-read in advance, asks hard questions about the data, takes documented decisions, and allocates resources. Management review is the forum where the QMS closes its own loop, and the CEO is the one whose signature closes it.

Cadence matters. For a startup at the scale of ten to thirty people preparing for a first audit, quarterly management review is a defensible minimum. Annual is too thin — the data moves faster than that and decisions get stale. Monthly can be excessive unless the company is in a pre-audit sprint or working through a major CAPA. Pick the cadence honestly and hold it.

The output of management review is a documented record — minutes, decisions, action items with owners and dates, and evidence that the previous review's actions were closed or are tracked. This record is one of the first things the Notified Body asks to see. If it does not exist, or if the record shows the same action items unresolved across three reviews, the finding writes itself.

## Delegation that works

Top management cannot do the QMS execution themselves. A founder running a twelve-person startup is not drafting procedures, running internal audits, or investigating complaints. The work has to be delegated, and the standard allows for it — clause 5.5.2 explicitly requires a management representative appointed from the organisation's own management, with responsibility and authority for ensuring processes are established, reporting to top management on QMS performance and any need for improvement, and ensuring awareness of applicable regulatory and customer requirements throughout the organisation.

Delegation that works has three features.

**First, the delegate is named and the authority is documented.** The management representative is written into the QMS with a specific role description, reporting line, and scope. In a startup, the management representative is often the QA manager or the head of regulatory affairs. The person is real, employed by the company, and has the time and authority to do the job.

**Second, top management stays informed.** The management representative reports to top management on QMS performance at defined intervals — typically into management review, but also outside of it when something urgent arises. Top management reads the reports, asks questions, and acts on them.

**Third, top management remains the decision layer.** When the management representative flags a resource need, a major CAPA, a significant non-conformity, or a regulatory change, the decision about what to do sits with the CEO or founder. The management representative is the messenger and the executor, not the final decision-maker on matters that affect the organisation's direction or resources.

When delegation is built this way, top-management accountability is preserved and the founder can focus on the decisions only they can make, while the daily QMS work runs through the delegate.

## Delegation that fails

Delegation fails in three characteristic patterns.

**Pattern one: the consultant substitute.** A startup hires an external consultant, labels them the management representative in the QMS documents, and points at them when the auditor asks about management responsibility. The standard requires the management representative to be appointed from the organisation's own management — a member of management, not an external party. An external consultant as management representative is a structural non-conformity. Consultants can support the QMS, draft procedures, train staff, and review outputs, but they cannot be the management representative.

**Pattern two: the invisible CEO.** The QA manager is appointed as management representative, does the work honestly, and runs management review. The CEO signs the quality policy once, never attends a management review, never reads the QMS data, and cannot answer the auditor's opening question. This is the Vienna opening-meeting pattern. The audit finding attaches to management, not to the QA manager, and it is a serious finding because it indicates a structural problem with top-management commitment.

**Pattern three: the PRRC confusion.** MDR Article 15 requires every manufacturer to have at least one Person Responsible for Regulatory Compliance with defined qualifications. Micro and small enterprises may have the PRRC permanently and continuously at their disposal under Article 15(2) rather than internally employed. Some startups assume that having a PRRC satisfies management responsibility. It does not. The PRRC has specific Article 15 duties — ensuring conformity of devices before release, preparation of technical documentation, post-market surveillance, vigilance reporting, and statements for investigational devices. Top-management accountability for the QMS as a whole remains with top management regardless of whether the PRRC is an employee or an external arrangement under Article 15(2). Post 766 and post 769 cover the PRRC role in detail.

All three patterns produce findings. All three are avoidable if the CEO or founder accepts that management responsibility cannot be handed off.

## The Subtract to Ship angle

Subtract to Ship applied to management responsibility produces a short list of non-negotiables.

Keep: the signed quality policy, measurable quality objectives, the documented management representative, scheduled management reviews with real data and real decisions, and the CEO or founder visibly running the room. These items are required by Article 10(9) and clause 5, and their presence is verifiable.

Cut: the ceremonial slide decks nobody reads, the templated quality policy that could belong to any company, the org charts that describe a fictional team, the management review minutes copy-pasted from a prior quarter, and the quality objectives that have not changed in two years. None of these trace to a real MDR obligation at useful depth. They are theatre.

The test is the same as in the pillar post. Every management-responsibility artefact must describe something the company actually does. If it does not, it comes out. If an Article 10(9) aspect is missing, it gets added at the depth the device class requires. Proportionate to the risk class and type of device, not to the consultant's template.

## Reality Check — Where do you stand?

1. If the Notified Body auditor walked in tomorrow and asked "who in this company is accountable for the quality management system?" — who answers, and how?
2. Can the CEO or founder recite the core commitments of the quality policy without looking them up?
3. When was the last management review, who was in the room, and what decisions came out of it?
4. Are the quality objectives measurable, current, and actually tracked by top management — or are they the same four bullets that have been in the deck for eighteen months?
5. Is your management representative a member of your own management, or is it an external consultant whose name appears in the QMS?
6. Does the PRRC under Article 15 understand that their role is distinct from, and additional to, top-management responsibility under Article 10(9)?
7. If you removed the CEO or founder from every QMS activity for a month, would the organisation still believe top management owns the system — or would the auditor find out at the next opening meeting?

Any "not yet" is where the work is.

## Frequently Asked Questions

**Who counts as "top management" in a startup for MDR purposes?**
Top management is the layer of the organisation with the authority to allocate resources, set direction, and take the decisions that affect the QMS as a whole. In most startups this is the CEO or the founder. In a small co-founder team it can be the founding group collectively, but one named individual must still be accountable for the QMS in the documentation.

**Can I appoint an external consultant as management representative?**
No. EN ISO 13485:2016+A11:2021 clause 5.5.2 requires the management representative to be a member of the organisation's own management. External consultants can support QMS work and advise management, but the management representative must be internal. Appointing a consultant to this role is a structural non-conformity.

**Is the PRRC the same as the management representative?**
No. The PRRC is the Person Responsible for Regulatory Compliance under MDR Article 15, with specific duties listed there. The management representative is the role required by clause 5.5.2 of EN ISO 13485:2016+A11:2021 to ensure QMS processes are established and to report to top management on QMS performance. One person can hold both roles in a small company, provided the qualifications for each are met, but the roles and obligations are distinct and top-management accountability under Article 10(9) remains with top management in either case.

**How often does management review have to happen?**
The standard requires "planned intervals" and does not fix a frequency. For a startup preparing for a first audit, quarterly is a defensible minimum and annual is typically too thin. Choose a cadence proportionate to the risk class and the pace of change in the organisation, document it, and hold it.

**What does the Notified Body actually check for management responsibility?**
They check whether top management is engaged — attendance at management review, evidence of decisions taken and resources allocated, awareness of the quality policy and objectives, and whether the management representative is a real member of the organisation's management. They check the documents, but they also read the room. The opening meeting tells them most of what they need to know.

**What is the most common management-responsibility finding in first audits?**
Management review records that are thin, late, or missing; quality objectives that are not measurable or not tracked; and a CEO or founder who cannot speak to the QMS with any depth. All three trace back to top management treating the QMS as somebody else's job. The corrective action is behavioural, not documentary.

## Related reading

- [What Is a Quality Management System for Medical Devices?](/blog/what-is-quality-management-system-medical-devices) — the pillar post for the Quality Management Under MDR cluster.
- [MDR Article 10(9) and Annex IX: The QMS Requirements Every Startup Must Meet](/blog/mdr-article-10-9-annex-ix-qms-requirements) — the legal basis this post builds on.
- [How to Build a Lean QMS for an MDR Startup](/blog/build-lean-qms-mdr-startup) — the operational playbook for the QMS that management is accountable for.
- [The Minimum Viable QMS for a Medical Device Startup](/blog/minimum-viable-qms) — the smallest honest QMS that can still meet Article 10(9).
- [Management Review Under MDR](/blog/management-review-mdr) — the deeper dive on the management review process itself.
- [Internal Audits Under MDR](/blog/internal-audits-mdr) — the self-check mechanism that feeds management review.
- [The PRRC Under MDR Article 15](/blog/prrc-mdr-article-15) — what the Person Responsible for Regulatory Compliance does and does not cover.
- [Choosing Between an Internal and External PRRC](/blog/internal-vs-external-prrc) — the Article 15(2) option for micro and small enterprises.
- [The Subtract to Ship Framework for MDR](/blog/subtract-to-ship-framework-mdr) — the methodology behind the discipline in this post.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system and the "responsibility of the management" aspect), Article 15 (person responsible for regulatory compliance, including Article 15(2) on micro and small enterprises). Official Journal L 117, 5.5.2017.
2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 5 (Management responsibility), including sub-clauses 5.1 Management commitment, 5.2 Customer focus, 5.3 Quality policy, 5.4 Planning, 5.5 Responsibility, authority and communication (including 5.5.2 Management representative), and 5.6 Management review.

---

*This post is a deep dive within the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The MDR is the North Star. EN ISO 13485:2016+A11:2021 clause 5 is the tool. Top-management accountability for the QMS is not delegable — the CEO or founder owns it, and the Notified Body auditor will find out one way or the other.*

---

*This post is part of the [Quality Management Under MDR](https://zechmeister-solutions.com/en/blog/category/quality-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
