Risk Management: A Primer for Lean Quality Assurance

Several of our previous blogs have been devoted to critical concepts and tools of Quality Systems.  In this month’s installment of the Quality System series, we will take a closer look at what is becoming perhaps the most useful tool in the belt of today’s Quality professionals: Risk Management.

This blog is designed for readers whose organizations haven’t yet formally adopted this practice.  It includes an overview of the terminology, objectives, and processes involved in strengthening the existing Quality Systems with those designed to manage the risks inherent in product development, routine manufacturing, and monitoring.

We hope that the information presented will inspire the reader to engage local leadership and promote the development of an effective Risk Management process that begins with the design stage of the product lifecycle and continues all the way through monitoring of routine production.

Critical Terminology

Prior to discussing the topic at hand, we feel it useful to orient the reader by providing context to the terminology that is integral to the concept.  Here at Coda, we believe that the first step on the road to process development is precision in language.  Toward that end, we would like to focus on the meaning of the following terms within the context of Risk Management:

What is Risk Management?

Risk Management is a process that allows us to systematically consider risk while making decisions.  In almost every facility, considering potential risk is already a part of the natural decision-making process.  Formal Risk Management programs proceduralize this organically occurring practice by building a sequence of well-defined steps which, when taken in order, support better decision making by providing greater insight into risk and into the impact associated with the realization of each failure mode.

Risk Management programs should include proceduralized elements such as identification and assessment of risk, mitigation or elimination of identified and assessed risk, and timely communication of identified risk.

The federal guidelines on modern Quality Systems have made it very clear that there is an expectation that this practice be formalized and documented to ensure that it is:

  • Performed in a consistent manner
  • Documented and inspectable
  • Consumer-centric

It’s clear that FDA expects the outcome of this process to deliver reduction of consumer-centric risk, but does this mean that we should only consider patient-specific risk?

It means that the process must be capable of cumulatively increasing the strength of the existing quality systems, which, in the end, results in a higher quality product offering minimal or no risk to any patient.  To truly understand this difference, we should always associate the word Risk with the word Quality.

Risk to the Quality of the Product


This assumption is predicated on the fact that a strong quality system and robust data set will lead to:

  • Increased knowledge
  • Lower uncertainty
  • Fewer variables and
  • Continual Improvement

The risk management process should be appropriately documented and verifiable.  Procedures should include steps that have been designed to produce documentation that provides evidence of:

  • The risks considered
  • The roles of those assessing the risk factors
  • The outcome of the assessment, made directly relevant to the risks considered and the mitigation steps taken
  • An explanation of the decision made, including decisions that led to no action


When Do We Manage Risk?

Risk Management programs and tools can be developed for each product or process and each decision type in all phases of the product lifecycle, from development through change management. 

It can be usefully applied and integrated with existing Quality Systems for facility systems management, materials management, production, laboratory controls, packaging and labeling, as well as regulatory activities.

The extent of the Risk Management processes defined should be commensurate with the level of risk associated with the decision and the level of complexity of the product/process.

An example of when integrating Risk Management tools into existing Quality Systems can be useful: 


Risk assessments and continual monitoring

How Do We Manage Risk?

Step 1: Identify the Risk (Risk Analysis)

Managing Risk begins with conducting Risk Analysis.  Risk Analysis is a systematic, proactive identification of the specific sources of harm (hazards) paired with an estimate of the risk, related to the situation at hand, with the ultimate objective of mitigating or eliminating the risk.  The first step in the process is the analysis of potential risks:

  • What can go wrong? (man, method, machine)
  • What is the likelihood (probability) it would go wrong?
  • What are the consequences if something does go wrong?

This begins by proactively defining every way that the product or process could fail, and identifying the potential root causes of that potential failure mode and predicting the consequences (impact) with each potential failure mode.

Although consequences will vary by production phase, decision type, and/or product line, typical examples of consequences of realized failure modes that are essentially consumer-centric may look like this:


When the Risk Identification component of the program is being developed, the following should always be considered:

  • How will failure mode information and potential risk be used by the decision makers? (Who will the decision makers be, and what will the program need to provide them?)
  • How will risk management decisions impact future options for risk management? (How do we ensure that the process repeats itself?)
  • How will identified risk be documented?  (What will the outcome of this step look like?)
  • The level of scientific knowledge of the processes involved in the product lifecycle that would be required to identify (and to assess and mitigate; see steps 2 and 3) risk, i.e., the level of scientific understanding of how manufacturing process factors affect product quality
  • The sources of data within the company that could provide the necessary technical information (e.g., process validation/process capability, continuing verification/process stability)


Step 2: Risk Assessment and Evaluation

Once a list of identified risks has been completed, the program should then require identification of team resources, providing a method of selecting team members with the appropriate expertise to fully execute the upcoming assessment. This step of the process should also require the clear identification of a team leader.

Once a list of potential root causes of potential risks (failure modes) has been generated, and an appropriate team assembled, the next step is the assemblage of background information and data on the failure mode.   

This information should include:

  • Conditions that would cause the failure and the likelihood of their occurrence (probability)
  • Harm that would be caused by the failure mode (impact to human health) (severity)

This step requires that the team assess and evaluate each identified risk of failure in context with the impact statements.

Risk Evaluation compares the estimated risk against given risk criteria using a quantitative or qualitative scale to determine the significance of the risk.   Once the significance is determined, risks can be prioritized in accordance with the qualitative scale.

Once risks are prioritized, mitigation plans and deliverables can be developed with regard to priority; that is, risk factors, together with significance of impact, can be quantitatively prioritized so that the largest risk factors can be dealt with first.

This entire process should be documented.

The document in which this information is presented and assembled is generally referred to as a “Failure Mode and Effects Analysis” (FMEA) document.  The FMEA, in simple terms, is a matrixed document that, by product or process, indexes all identified potential failure modes, supplemented with quantified or qualified impact statements.  FMEAs should be formalized, reviewed and approved, and controlled.

The FMEA should be considered, and treated, as a living document.  Theoretically, integrated with other Quality Systems all driving toward continual improvement, it should diminish in size as time moves forward.  If used appropriately, the FMEAs will continue to be revised after their initial production and they will be fed by all of the existing monitoring systems, including CAPAs, Change Control, Complaints, and Product and Manufacturing failures.
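To make the Step 2 scoring and the Step 3 revision concrete, here is an added worked example; it is not code from the original post or from Coda’s own practice. It assumes, purely for illustration, 1–5 scales for severity, occurrence (probability) and detectability, the common FMEA convention of a Risk Priority Number (RPN = severity × occurrence × detectability) as the quantitative scale, and a constructed action threshold of 27. The sample failure modes are constructed, not real product data.

```python
"""Added example (not from the original post): a minimal FMEA scoring and
prioritization routine for Steps 2 and 3 of the blog's process.

Assumptions, all constructed for illustration: 1-5 scales for severity,
occurrence (probability) and detectability; the common FMEA convention
RPN = severity x occurrence x detectability as the quantitative scale;
and an RPN action threshold of 27.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

SCALE = range(1, 6)        # constructed 1..5 scales
ACTION_THRESHOLD = 27      # constructed criterion: RPN above this needs an action plan


@dataclass(frozen=True)
class FailureMode:
    """One row of the FMEA matrix: what can go wrong, why, and with what effect."""
    process_step: str    # where in the product/process the failure can occur
    failure_mode: str    # what can go wrong
    root_cause: str      # why it could go wrong (man, method, machine)
    effect: str          # consequence to the consumer / product quality
    severity: int        # 1 (negligible) .. 5 (patient harm)
    occurrence: int      # 1 (rare) .. 5 (frequent): the probability estimate
    detectability: int   # 1 (always caught before release) .. 5 (not detectable)

    def rpn(self) -> int:
        """Risk Priority Number: the quantitative scale used to rank risks."""
        return self.severity * self.occurrence * self.detectability


def validate(fm: FailureMode) -> None:
    """Reject scores outside the agreed scale so the ranking stays comparable."""
    for name in ("severity", "occurrence", "detectability"):
        value = getattr(fm, name)
        if value not in SCALE:
            raise ValueError(f"{fm.failure_mode!r}: {name}={value} is outside 1..5")


def prioritize(fmea: List[FailureMode]) -> List[FailureMode]:
    """Step 2: rank failure modes so the largest risk factors are dealt with first.
    Ties on RPN are broken by severity, so a rarer but more harmful failure ranks higher."""
    for fm in fmea:
        validate(fm)
    return sorted(fmea, key=lambda fm: (fm.rpn(), fm.severity), reverse=True)


def evaluate(fm: FailureMode, threshold: int = ACTION_THRESHOLD) -> str:
    """Risk evaluation against the given criterion.

    RPN alone can hide a low-probability failure with a severe effect, so a
    high-severity row is never silently "acceptable": it may be accepted only
    with the documented justification the blog calls for (constructed rule)."""
    if fm.rpn() > threshold:
        return "action required"
    if fm.severity >= 4:
        return "accept only with documented justification"
    return "acceptable"


def mitigate(fm: FailureMode, *, occurrence: Optional[int] = None,
             detectability: Optional[int] = None) -> FailureMode:
    """Step 3: record a control and return the revised row for the living FMEA.

    Lowering occurrence is risk reduction; adding an in-process check lowers
    detectability. Severity is inherent to the effect and is left unchanged."""
    revised = replace(
        fm,
        occurrence=fm.occurrence if occurrence is None else occurrence,
        detectability=fm.detectability if detectability is None else detectability,
    )
    validate(revised)
    return revised


def summarize(fmea: List[FailureMode]) -> List[Tuple[str, str, int, str]]:
    """Return (process step, failure mode, RPN, evaluation) in priority order."""
    return [(fm.process_step, fm.failure_mode, fm.rpn(), evaluate(fm))
            for fm in prioritize(fmea)]


# Constructed sample rows; not real product data.
FMEA = [
    FailureMode("Blending", "Non-uniform blend", "Blend time not verified (method)",
                "Sub- or super-potent dose", severity=5, occurrence=2, detectability=4),
    FailureMode("Labeling", "Wrong label applied", "Line clearance missed (man)",
                "Patient receives wrong product", severity=5, occurrence=1, detectability=2),
    FailureMode("Packaging", "Cosmetic blister defect", "Sealing jaw wear (machine)",
                "Appearance complaint", severity=1, occurrence=3, detectability=2),
]


if __name__ == "__main__":
    for row in summarize(FMEA):
        print(row)
    # Adding a blend-uniformity test lowers detectability 4 -> 1 and RPN 40 -> 10;
    # the revised row replaces the original in the living FMEA.
    revised = mitigate(FMEA[0], detectability=1)
    print(revised.rpn(), evaluate(revised))
```

Running the block ranks the blending failure first (RPN 40, action required), then labeling (RPN 10) and packaging (RPN 6). After the mitigation the blending row drops to RPN 10 but, because its severity is still 5, the routine reports that it can be accepted only with documented justification, mirroring the blog’s point that accepting risk must be justified rather than assumed.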

Some examples of using the FMEA in an integrated fashion moving toward continual improvement:


As you begin to see how Risk Management integrates with other Quality Systems, the value of the tool should become easier to see.  It is critical to note, when developing any Quality System, that each must produce output that is used as input to another system.  Together, they should systematically pay information forward, funneling the knowledge routinely gained over time into each other, so that each system achieves some measure of improvement based on knowledge gained during execution of another.


Step 3: Controlling and Mitigating Identified and Assessed Risk

Once risks have been identified, assessed, prioritized, and documented, it is time to develop action plans designed to reduce, mitigate, or hopefully eliminate identified risks.

Remember, this is why we began the process.  Unless we develop meaningful action plans and execute them, we wasted our time with steps 1 and 2.  Each action taken has the same objectives:

  • Reduce risk (reduce the probability of occurrence)
  • Mitigate risk (reduce the severity of harm)
  • ELIMINATE risk

This step of the process should be executed by a well qualified, cross-functional team and together, with a deep knowledge of the technologies and products, they should ask themselves:

  • What will it take to mitigate or reduce each of the identified risks (failure modes)? 
  • Are there options for mitigation and control?
  • Will there be an impact on future options if we implement these options? 
  • Is the risk acceptable (the quantified or qualified characterization of the likelihood + the severity of the consequence)?

Once this decision making process completes, formal plans should be developed to implement all mitigation, reduction, or elimination plans. 

The most commonly overlooked element in this process is documentation justifying the actual decision-making process.  It is not enough to document the risk and the decisions made; we have to produce documentation that explains how the decision was reached, who was involved, and why they feel this is an appropriate path.

This is especially critical when the decision is to accept risk.



Step 4: Communicating Risk

Risk Communication is the exchange or sharing of information about risk and risk management between the decision maker and other stakeholders.  The information can relate to the existence, nature, form, probability, severity, acceptability, treatment, detectability, or other aspects of risks to quality.  The communication among stakeholders concerning identified risk, assessed risk, and risk mitigation decisions can be achieved through existing channels, as long as it is achieved.

While, for the purposes of this blog, we chose to represent these actions in a step-wise fashion, it is important to note that, at times, it may make sense to execute steps 3 and 4 concurrently; that is, to communicate known risk as soon as possible.  This, in fact, is partially accomplished upon issuance of the initial FMEA.

The most critical component of Risk Communication is the realization that everyone involved in the production, testing, and distribution of the product must be made aware of all known risks.


Step 5: Monitoring Risk

Like many of the components of quality systems, risk management processes are meant to be dynamic and iterative; they are not designed to be executed only once.  Each Quality System is meant to interact with every other on a routine basis.  They are meant to strengthen the original controls required by the cGMPs by not only assuring control, but also by promoting improvement.

Quality Risk Management processes, when integrated with other existing Quality Systems, should contribute to the overall knowledge base, providing the benefit of knowledge to all other Quality Systems, including future Risk Management decision cycles.  This integration of the Risk Management process with all other Quality Monitoring Systems will enhance the overall knowledge base and promote continuous improvement.

The Integrated Process

The following illustration will provide a view of the steps while allowing visualization of the living nature of the process.




Summarizing this topic is perhaps best done with a simple list of takeaways:

  • The identification, evaluation, and reduction/mitigation of risk should ultimately be considered a consumer safety activity.
  • Technical experts should manage and execute the Risk Management process.
  • Risk Management is a dynamic, iterative, interactive component of the Quality Systems.
  • The extent of the risk reduction/mitigation plans should be commensurate with the level of risk associated with the decision.
  • As is the case with all technical decision making processes, Risk Management activities should be data driven, justifiable, well-documented, and verifiable.
  • FMEAs are living documents; if they are part of a well designed system, they will diminish in size over time.
  • The choice to accept risk is viable, if justifiable.
  • Choosing to not communicate risk is choosing to not manage risk.

© Coda Corp USA 2011.  All rights reserved.

Gina Guido-Redden




  1. greg
    Posted October 3, 2014 at 1:52 am | Permalink

    Hi Coda:

    We are wondering if we could reprint this article in CERM Risk Insights.

    Thanks for your consideration of this request. Best,

    Greg H

    • codacorp
      Posted October 8, 2014 at 3:55 pm | Permalink

      Thank you for your interest! We will contact you soon. The Coda Team

    • Posted October 11, 2014 at 1:05 pm | Permalink

      Hello Greg,

      We look forward to seeing the post in your publication!

      Please feel free to include my email address in the bio.

      [email protected]

      Thank you,
