Risk Management: A Primer for Lean Quality Assurance

In this blog we will examine what is perhaps the most useful tool in the belt of today’s quality professionals: risk management.

Critical Terminology

Prior to discussing the topic at hand, I like to provide context for the terminology integral to the concept. The first step on the road to effective system development is alignment of language. To that end, let’s focus on the meanings of common terms within the context of risk management.

What is Risk Management?

Risk management systems formalize this organically occurring process by building a process of well-defined steps which, when taken in sequence, improve decision making by developing a greater insight into risk and the impact associated with the realization of risk modes.

Risk management programs include procedural elements such as:

  • Identification of potential failure modes.
  • Assessment of the probability of those failure modes occurring.
  • Severity of the consumer harm caused if they were to occur.
  • Development of plans to mitigate or eliminate all identified risk.
  • Timely communication of remaining risk.

The federal guidelines on modern quality systems have made it very clear that risk management practices are expected to be formalized and documented, to ensure that they are performed in a consistent and consumer-centric manner and that the information can be easily utilized and readily inspected.

Why Manage Risk?

It’s clear that regulators expect this process to deliver a reduction of consumer-centric risk. I think we all agree that no one working in our industry wishes to produce a product that places the consumer at risk. But does this mean that we should only consider patient-specific risk?

No. In the end, the most certain way to lower consumer risk is to reliably produce high quality product.

We must consider our business practices, our products, and our consumers, in order to identify predictable and harmful outcomes, even if they are unlikely. However, we recognize that there will always be some level of uncertainty surrounding all future events. Risk management cannot render all outcomes certain, but it certainly can help us to avoid the worst outcomes.

As explained in the table below, an effective risk management program can protect our consumers from harm, reduce the potential for crisis situations, and increase the strength of the existing processes and systems that cause (or limit) the quality of our product:

This perspective is predicated on the fact that a strong quality system and robust data sets will lead to:

  • Increased knowledge.
  • Lower uncertainty.
  • Fewer variables.
  • Continual improvement.

When Do We Manage Risk?

Risk management programs and tools can be developed for each product or process, and each decision type, in all phases of the product life cycle. Throughout the life cycle of our products, risk management systems should be integrated with all other existing quality systems. The scope of the integrated risk management processes should be commensurate with the level of risk associated with the level of complexity of the products, processes, and lifecycle stage.

How Do We Manage Risk?

Before we start, let’s underscore the need to appropriately document every step in the process. The output of every step we are about to discuss should provide evidence of:

  • The risks considered.
  • The roles of those executing every step.
  • The outcomes of each step, made directly relevant to the risks considered, and the mitigation steps taken.
  • An explanation of the decisions made, including decisions that led to no action.

Step 1: Identify the Risk

Risk analysis is a systematic, proactive identification of the specific sources of harm (hazards), with an estimate of the risk posed by each.

  • What can go wrong? (man, method, machine)
  • What are the consequences if something does go wrong?

This begins by proactively defining every way that the product or process could fail (potential failure modes), identifying the potential root causes of that failure mode, and then predicting the consequences (impact) of each failure mode.

Although precise consequences will vary by lifecycle stage, decision type and/or product line, in general, they will each cascade from quality, to business and supply. Consequence should always be considered in this cascading fashion. Examples of cascading consequences of realized failure modes that are essentially consumer-centric, may appear as the table below explains.

When risk identification activities are being undertaken, the following should always be considered:

  • How will the information regarding identified failure modes and associated risk be used by the decision makers? Who will the decision makers be, and what will the program need to provide them?
  • How will risk management decisions impact future options for risk management? How do we ensure that the process repeats itself?
  • How will identified risk be documented? What will the outcome of this step look like?
  • The level of scientific knowledge of the processes involved in the product life cycle that would be required to identify and assess and mitigate risk.
  • The sources of data within the company that could provide the necessary technical information.

Step 2: Assess, Evaluate and Prioritize the Risks

After risks have been identified, we then set out to assess each one.

Risk assessment activities seek to build out the risk profile for each identified failure mode with the assessment of the probability of each failure mode occurring, and the impact if they do.

Assessing the risks includes determining:

  • The conditions that would cause the failure and the likelihood of the occurrence of each failure mode (probability).
  • The harm that would be caused by the occurrence of the failure mode (impact to human health and severity).

Risk Evaluation then compares assessed risk against risk criteria using a quantitative or qualitative scale to determine the significance/magnitude of the risk. Determining the significance of each risk leads to a comparative order for all of the risks, ensuring that the most pressing risk factors can be dealt with (mitigated/eliminated) first.

The document in which this information is assembled and presented is generally referred to as a “Failure Mode and Effects Analysis” (FMEA) document. The FMEA, in simple terms, is a matrixed document that indexes all identified potential failure modes by product or process, supplemented with quantified or qualified impact statements. FMEAs should be formalized, reviewed and approved, and controlled.

The FMEA should be considered, and treated, as a living document. If used appropriately, the document should continue to be revised after the initial production. Revisions will be informed by all of the existing monitoring systems, including CAPAs, change control, complaints, and product and manufacturing failures. When integrated with other quality systems, the sum total of risk per product or process should diminish in size as time moves forward.

It is critical to note that no quality system lives in isolation; they all produce output that is used as input into another system. Together, they systematically pay information forward; quality systems funnel the knowledge routinely gained into each other and allow each system to achieve some measure of improvement, based on knowledge gained by another system.

The following are examples of how FMEAs are integrated with other quality systems in a way that loops all of the information, informing decision-making points and continually improving the processes and products by increasing mitigation efforts over time.

This data loop presents in two ways:

  1. If the FMEA is informing a quality system (pushing data), it ensures that the most efficient (risk-based) decisions are made.
  2. If the FMEA is informed by a quality system (pulling data), it ensures that the mitigation efforts for known risks are furthered, or that new (previously unknown) risks are added and dealt with.

Step 3: Controlling and Mitigating Identified and Assessed Risk

Once risks have been identified, assessed, prioritized and documented, the time has come to develop action plans designed to reduce, mitigate or hopefully eliminate those risks.

Remember, this is why we began the process. Unless we develop meaningful action plans, and execute them, we have wasted our time up to this point. The mitigation plan is where we directly pursue achieving the overall objectives of the process:

  • Risk reduction (reduce the probability of occurrence).
  • Risk mitigation (reduce the severity of harm).
  • And in some cases, where possible, the elimination of risk.

Development of mitigation plans should be undertaken by a well-qualified, cross functional team; together they must possess a deep knowledge of the technologies and products in question. This team must consider:

  • What would it take to mitigate or reduce each of the identified risks?
  • Are there options for mitigation and control?
  • Will future options be limited if we implement these options?
  • What represents acceptability of remaining risk (the quantified or qualified characterization of the likelihood + the severity of the consequence)?

The most commonly overlooked element of this process is documenting and justifying the actual decision-making process. It is not enough to document the eventual decisions made; we have to produce documentation that explains how the decision was reached, who was involved, and why they felt these decisions were appropriate.

This is especially critical when the decision is to accept risk.

Step 4: Communicating Risk

Risk communication is the exchange or sharing of information about risk and risk management between the decision maker and other stakeholders. The information can relate to the existence, nature, form, probability, severity, acceptability, treatment, detectability, or other aspects of risks to quality. The communication among stakeholders concerning identified risk, assessed risk and risk mitigation decisions can be achieved through existing channels, as long as it is achieved.

While I chose to represent these actions in a step-wise fashion, it is important to note that, at times, it may make sense to execute steps three and four concurrently. That is, to communicate known risk as soon as possible. This is partially accomplished upon issuance of the initial FMEA.

The most critical component of risk communication is the realization that everyone involved in the production, testing, and distribution of the product must be made aware of all known risks.

Step 5: Monitoring Risk

Like all quality systems, risk management processes are meant to be dynamic and iterative; they are not designed to be executed only once. Each quality system is meant to interact with every other, on a routine basis. They are meant to strengthen the original controls, by not only assuring control, but also by promoting improvement.

This is especially critical when considering continuous monitoring of product quality, process effectiveness, and control. Output of the risk management process should contribute to the overall knowledge base, informing the continuous monitoring processes, which encompass all other quality systems, including future risk management decision cycles. This will enhance the overall knowledge base and promote continuous improvement.


The following illustration provides a view of all of the steps while illustrating the living nature of the process.


  • The identification, evaluation, and reduction/mitigation of risk should ultimately be considered a consumer safety activity, achieved by assuring product and process quality.
  • Technical experts should manage and execute the risk management process.
  • Risk management is a dynamic, iterative, and interactive component of the quality systems.
  • The extent of the risk reduction/mitigation plans should be commensurate with the level of risk associated with the decision.
  • As is the case with all technical decision making processes, risk management activities should be data driven, justifiable, well documented, and verifiable.
  • FMEAs are living documents; if they are part of a well-designed system, they will diminish in size over time.
  • The choice to accept risk is viable, if justifiable.
  • Choosing to not communicate risk is choosing to not manage risk.

This article can also be seen at Master Control/gxp-lifeline/.


Gina Guido-Redden is a quality and regulatory professional with over 25 years of domestic and international industry experience. She is the co-founder and chief operations officer of Coda Corp USA, which provides consultancy services to pharmaceutical, biologics and medical device firms.

Guido-Redden’s history specializes in the areas of facility start up, regulatory compliance and remediation, quality system development, mentorship and training, quality system design, and implementation and management.

She is also a quality systems subject matter expert (SME), frequent seminar presenter, and content contributor to industry publications, including GAMP’s White Paper on Part 11, The Journal of Validation Technology, New Generation Pharmaceuticals, Computer Validation Digest, and MasterControl’s GxP Lifeline. Coda Corp USA is an enterprise partner of MasterControl.
