Pharmaceuticals, large and midsize, have a long history of rewarding reactive firefighting as opposed to proactively identifying problems and preventing issues from occurring. As a result, proactive risk management and the cultural change that goes with it have been a hard sell.

Proactive risk management is key to a competitive advantage. It has been a requirement set by ISO 14971 for medical devices and ICH Q8 through Q11 for pharmaceuticals since the early 2000s. As large and midsize pharmaceutical companies seek to balance being more cost-competitive with increasing complexity, proactive risk management will be a priority.

It is critical to understand a risk management program is a work in progress, a continuous improvement effort. But where to start?

High-level, risk-based KPIs and dashboards can be used to initiate an assessment. A risk assessment can inform the strategic goals for the year, planning which areas of the business to focus on from a risk management perspective. Mitigations can provide solutions with a timeline, budget, and resources agreed-upon cross-functionally. And, the transparency of the effort through required communication channels provides a learning opportunity and team building. Over time, risk management becomes a part of the culture.

Common Pitfalls When Implementing Risk Assessment

Currently, risk assessment in biotech environments is largely limited in scope. Often it is reactive, based on adverse events, and there is a tendency to conduct a risk assessment once instead of continually assessing. There is also a resistance to change in conducting and acting on risk assessments.

Some of this can be explained by limited experience with applying risk management principles and tools. Some clients confuse product quality outcomes with risk levels. This shows a lack of understanding of risk management, which should focus on future outcomes, not past. The FDA often speaks on the misuse of risk management and notes it is among the top three audit findings. Most of the biggest pitfalls in risk management in a larger biotech environment can be easily avoided with a little forethought:

1. A one-off risk assessment performed to justify actions that did not follow what should have been a commitment to regulations or regulatory agencies. In such cases, the assessment is simply reactive and not meant to be part of a robust risk management program as suggested in Annex 20 or ICH Q10. Auditors are increasingly focused on risk assessments being used to justify not following regulatory requirements.

2. Confusing impact assessments with risk assessments. Per ICH Q9, risk is the combination of likelihood and potential impact (and other dimensions as necessary). If one looks at just impact, it is not a risk assessment.

3. Using a single tool, called a risk register, for all risks. This is useful for startup programs and companies. However, as the program and company grow and mature, other tools may be needed. The risk register is a great communication tool for project and program management. However, it is important to remember there isn’t a one-size-fits-all tool that can be used for all cases. Additionally, some companies use failure mode and effects analysis (FMEA) for every assessment. Sometimes this is too deep an assessment for higher-level issues, and sometimes the detection dimension used in FMEA is not applicable. Auditors often treat the use of one tool for every application as an indicator that there may be deeper problems, and they will push further into your program. A sophisticated risk program allows for multiple and/or custom tools to be used, many of which can be seen in ICH Q9. To quote ICH Q9 regarding risk tool usage: “The level of effort and formality is commensurate with the level of risk.”

4. Lack of good documentation practices, which should be expected of any quality system. For example, risk assessments must be data-centric, and the evaluation criteria should be both transparent and aligned with the data. The risk assessment is for posterity — not only for auditing, but for the continued reassessment of the program. It should be apparent how one arrived at those risk values and mitigations simply by reading the assessment, with no questions asked. All scoring should be justified with scientific rationale.

5. A risk assessment consisting of a simple check-off box as part of a senior leadership directive that, once completed, is not followed up or revisited. Per ICH Q9 and Q10, risk management is intended to be an iterative program wherein risks are assessed, mitigated, reviewed, and reassessed, and risks are communicated along the way. The value of risk management lies in how, throughout the process life cycle, obstacles are removed and disasters avoided, and how the team gathers with well-defined roles to navigate the future success of the process.


Risk Management Best Practices

Risk management is intended to be proactive and systematic. It should be part of the corporation’s culture and occur throughout the project life cycle. By taking such an approach, potential risks can be mitigated before harm is caused.

Planning should begin with senior leadership buy-in to areas that have the most issues and then systematically cover all other areas. Risk management should be robust from development, tech transfer, and manufacturing into supply chain and discontinuance, with a feedback loop from patients. It should also be linked to annual product reviews and product launch strategies. This is accomplished with good program management, operational excellence, and risk management tools:

  • Perform a value stream analysis (VSA) or other mapping of all areas and documents for which risk should be assessed.
  • Prioritize, considering quick wins, the areas and projects to have a risk program.
  • Develop a project plan, considering resources.
  • Tie this information back into a dashboard of metrics so interaction with other KPIs is apparent.
  • Continue to revisit the plan.

Deciding how to facilitate risk assessments without wasting time is the final trick. This involves doing the homework up front: getting management buy-in, ensuring alignment on expectations and on tool needs and criteria, and having only the required participants attend, to minimize confusion and chaos. The facilitator should have a draft tool that aligns with the scope and the risk question. Also, subject matter experts (SMEs) should already be looking into failure modes per a process map and completing statistical analysis of the causes of those modes before the assessment occurs. The effect typically aligns with the risk question.

Avoiding frustrating delays begins with identifying the risk question, with the following simple process:

  • Identify who owns the risk assessment. The ones responsible for mitigations (resources, money for fixes, etc.) are the same ones responsible for determining the risk question.
  • Identify the risk question. From here, you can align various failure modes to the question.
  • Identify what is in scope and out of scope. This helps avoid “rabbit holes” and time wasted on unnecessary items.
  • Ask pointed questions about dimensions (applicability of detection) and depth level (high- versus low-level tools). From here, sketch out how the tool will work and communicate this with the risk owner.

From that sketch, determine what information is known and unknown. This will help determine who else may need to be involved. Ask whether the process needs to be mapped out, whether likelihood data is available, and whether reports about potential severity are available.

Keeping scope in mind, invite the applicable individuals to the assessment. The risk owner ensures all SMEs bring data to the assessment. Limit the people in the session to those who are critical to the process.

Identify the mitigations, but also track them, communicate them, and, when done, reassess your risks to determine how the risk profile has changed and how it affects the rest of your business. This is an iterative process with the intent of bringing continuous improvement to your entire organization, and it calls for a risk review based on both a time period and triggers that come as feedback from KPIs. Ensure there is a risk communication plan in place that ties into your KPIs.

Also, business continuity, supply, and other risks to the business that impact supply to the patient are quality risks by ICH Q9 definition. Ensure these risks are tied into the knowledge management system.

Finally, understand that your contract manufacturing organizations are considered extensions to your company. Therefore, as part of your quality agreement, ensure their risk management programs are as robust as required by industry standards.

About The Author:

Xach Kibbie is the executive director at XDKConsulting, a consulting firm helping life sciences companies and federal agencies accelerate their success and supporting the research, development, and manufacture of safe and effective medicines. Kibbie is an experienced business transformation leader with a demonstrated track record in program management, product strategy, risk management, operational excellence, and stakeholder communication. His portfolio of work consists of the development and life-cycle management of clinical, launch, and commercial product management, tech transfer, validation master plans, global risk systems, strategic product programs, and training. He is an expert, coach, speaker, and facilitator in risk-based business transformation, learning sciences, and executive and team leadership. He can be reached at and on LinkedIn.
