Do you like fighting quality fires? Do you enjoy generating meaningless metric reports that no one acts upon? Do you get the most from your quality risk management (QRM) program? QRM principles should be integrated into the quality management system, and risk management should be the lens through which we see the world and make decisions. It should be in our DNA. Establishing and acting upon meaningful metrics is the basis of steering the course of an organization to get ahead of quality issues. It is the difference between being reactive vs. proactive. This article provides three practical steps for integrating quality risk management into your quality system to ensure your organization stays on course.

Create Meaningful Metrics

Risk management, properly implemented, allows you to create meaningful metrics. Metrics can either be a great benefit to a company or a total waste of time. Many companies use metrics as a check-the-box exercise, while some leaders implement metrics because their boss has them on the annual goals. In fact, metrics should be used to provide signals of changes in the risk profile of processes you care about.

A major problem in every organization is data overload, which causes important signals to get lost in the noise. Quality risk management is a filter that can screen out the noise, allowing important quality signals to become apparent. I like to create metrics based on the critical control points of the manufacturing process. Critical control points (CCPs) are the process controls that have the greatest impact on the critical quality attributes (CQAs). CCPs are in a bucket containing the most critical of the critical process controls and they represent leading indicators communicating the health of the process. As such, a negative trend in a CCP indicates a direct increase in the risk profile. It screams, “Pay attention to me.”

An example of a CCP is the residual moisture in drying granulation material. Inconsistencies in moisture can lead to inconsistencies in content uniformity. The metric should go deeper than simply ensuring the process meets specification. It should dive deep into the process monitoring the control most likely to cause changes in the process. It should be trended over time to understand the capability and limits of control. The trending should be part of the management review and the annual product review. It is that important. Trending the right variables adds real value to these routine deliverables and to management review.

Act On The Right Signals

If your child is about to walk into a busy street, what is your reaction? I bet it is not to wait and see what happens. You take immediate action. Likewise, when you establish metrics to monitor the most critical variability in the process, being passive is unwise. When you get a process signal, it is time to jump into action. Understanding risk as it relates to metrics is the heart of understanding the difference between corrective action and preventive action. Going back to the example of the child in the street, correction is getting the child out of the street. Corrective action is keeping the child out of the street. Preventive action is stopping the child from thinking about going into the street.

We know that risk is a function of severity and probability:

Risk level = Severity * Probability.

Risk level = CCP Severity * Variability

Change in risk level = Change in variability

Monitoring the critical control point equates to monitoring the part of the process with the highest severity. Severity is intrinsic to the process and will not vary over time unless the process or product is significantly changed. Such a change would likely require some sort of regulatory approval or notification. Therefore, a change in the risk profile results from a change in variability. Monitoring trends in variability thus shows trends in process risk. Changes in variability manifest in several ways. Examples include:

  1. The change can result from a special cause, which can manifest as a spike.
  2. Changes can manifest as a process shift. In a process shift, the metric will establish a new mean, either higher or lower.
  3. Changes can result in increased common cause variation. In this instance, the process mean remains the same, but the process capability decreases.

Metrics can move negatively, resulting in actionable risk. For example, the change in variability causes the overall risk to move from “acceptable” to “as low as reasonably possible” or from “as low as reasonably possible” to “unacceptable” (Table 1). The action can be either a corrective action or a preventive action. Negative trends with critical control points add a sense of urgency. Depending on the strength of the signal, escalation to site management could be warranted and an emergency team may be needed. The key takeaway: The level of action should be commensurate with the risk. The investigation process should be robust and get to root cause. The preventive actions could be a green belt or black belt project in your continuous improvement program.

Table 1: Risk Rating

High Unacceptable

Follow-up action is mandatory to reduce risk

Medium ALARP (As Low as Reasonably Possible)

Follow-up action is highly recommended

Low Acceptable

Follow-up action is not mandatory

The added benefit of linking risk management to corrective and preventive action (CAPA) is the ability to clearly document the rationale for opening or not opening a CAPA. Citing the risk file adds credibility to the decision. It also makes the rationale easier to write. Regulators and auditors like to see preventive actions; however, many firms do not open them. Proper trending of CCPs allows the firm to open a preventive action on a trend before a nonconformance occurs, creating the quintessential preventive action scenario. The benefits don’t stop there. Firms also struggle with how to define and justify CAPA effectiveness checks. The actions will be deemed effective when the risk profile returns to baseline or improves to an acceptable level.

Institutionalize The Learning

The result of the investigation and CAPA is new process understanding. Great firms will institutionalize the learning, while mediocre firms will rely on tribal knowledge. The best way to institutionalize the knowledge is to update the risk assessments. Reassess the risk profile of that parameter. If new critical variability is discovered, the new parameter should be added to the list of critical parameters. It could mean a parameter is no longer critical, resulting in it being deleted from the list. The CAPA may implement a new control or other mitigation that needs to be added to the risk assessment. In all cases, the risk assessment should reference the data or investigation. It is important for the next person to be able to find it.

I once was set on changing the culture of one organization from tribal to institutional knowledge. I hardwired the change into the quality system by requiring the risk assessments to be updated with the new understanding before the CAPA could be closed. It was a standard task in the CAPA plan. The CAPA owner was responsible for ensuring it was complete and QA verified the risk update at CAPA closure. Linking CAPA to risk management to keep the file up to the state of the art is a major reason I have inspection success. It completes the cycle of continuous improvement.

Drug Substance Quality Risk Management

Join Kevin Wall in his course, “Drug Substance Quality Risk Management: A Practical Approach to Identify Critical Quality Attributes and Critical Process Parameters,” to learn the practical approach of identifying drug substance critical variability.


Risk management helps ensure the organization controls things of value. Firms spend significant resources generating risk assessments. Proper integration of QRM make them the most referenced and used documents in day-to-day operation. This article demonstrates how risk management adds value to many quality system elements. It amplifies ICH Q10, which states quality risk management is foundational to quality systems. Hence, application of quality risk management must be a core skill for every pharmaceutical professional.

About The Author:

Kevin Wall is principal consultant and owner of Cincero Consulting. He has worked with five virtual pharmaceutical companies to move eight of their drug substance and drug product projects through development. He applies “fit for phase GMP” from Phase 1 to commercialization. Wall’s process for identifying critical quality attributes (CQAs) and critical process parameters (CPPs) forms the basis for the CMC section of the regulatory submission (ICH Q11). He led the Johnson & Johnson development and global deployment of quality by design (ICH Q8) and quality risk management (ICH Q9) in pharmaceutical development and operations. He helped define and deploy Janssen’s risk-based qualification and process validation systems (ICH Q7). You can contact Wall at 817-915-0822 or, or visit his YouTube channel, cGMP Made Easy.

Leave a Reply