This is the fifth article in a series of six intended to provide a holistic primer on the field of quality risk management (QRM).  The first article, Quality Risk Management 101: Risks Associated With Medicinal Products, discussed the difference between intrinsic and extrinsic risks and clarified the scope of QRM efforts. It was followed by Quality Risk Management 101: A Brief History of Risk Management in the Regulation of Medicinal Products. Quality Risk Management 101: ICH Q9 In Context offered a critical discussion of the QRM process proposed by ICH Q9, while Quality Risk Management 101: QRM And The Product Life Cycle discussed the relationship between QRM and quality by design, the pharmaceutical quality system, and post-approval change management.  The final article in the series will explore common challenges associated with QRM implementation.

Following the publication of ICH Q9, industry eagerly embraced the opportunity to share ideas and best practices related to QRM.  The cadence of publication steadily increased as ICH Q8, ICH Q10, and ICH Q11 emerged, as thought leaders sought to provide practical guidance to industry on the application of QRM. This article will focus on selected publications addressing general, rather than specific, applications of QRM.

The first book published on the topic of QRM was one by renowned quality expert James Vesper in June 2006, one year following the publication of ICH Q9.  Titled Risk Assessment and Risk Management in the Pharmaceutical Industry: Clear and Simple, the book posits risk management is nothing new; people (and industry) are exposed to and must manage risk every day, whether they are exposed to hazards during a daily commute to work or through the manufacture of sterile, life-saving medicines.Through this simple comparison, Vesper dispels any anxiety-provoking stigma that might accompany the introduction of a new quality management tool and made the concepts of QRM more accessible to and achievable by the reader.  This pragmatic tone quickly became the modus operandi within industry literature, as many subsequent publications adopted a case study approach in lieu of rigorous philosophical discussion on the principles and application of QRM.

Vesper’s book describes the objectives of and process for quality risk management, but devotes much of the text to a discussion of risk tools and assessment methods.  While this was certainly appropriate given the low level of QRM knowledge within industry at the time, combined with general (albeit misguided) perceptions that risk assessment was synonymous with risk management, the emphasis on risk tools is now viewed as a very narrow scope indeed.  Nevertheless, Vesper’s practical language and clarity of insight make his book required reading for the QRM practitioner.

In 2012, the Parenteral Drug Association (PDA) published the first (and only) industry white paper on the general principles and best practices associated with a QRM program, Technical Report No. 54, Implementation of Quality Risk Management for Pharmaceutical and Biotechnology Manufacturing Operations.2 In addition to expanding upon ICH Q9 to offer additional guidance on QRM implementation, this technical report expands the body of knowledge by introducing industry to three key concepts to be applied in QRM: risk maturity, the formality spectrum, and human heuristics.

PDA chose to begin the technical report with an introduction of risk maturity, which serves as the foundation of this research effort and is discussed in detail throughout this thesis.  A brief review of where QRM should be applied throughout the product life cycle, as described in ICH Q8(R2), Q9, and Q10, is offered, followed by a discussion of the different types of risk management: proactive and reactive.  This distinction is particularly important but had not been given much attention in the ICH guidelines; the inclusion of this concept in the PDA technical report sets the tone for future discussions within industry.  In addition, PDA proceeds to examine the role of governance in a QRM program, including organizational and managerial aspects that are pivotal to the success of QRM, one of these being transparency in communication throughout all levels of a company.2

The PDA technical report also explores the concept of proportionality of risk management, explaining the intent behind the clause in ICH Q9 that efforts in QRM should be commensurate with the level of risk.2 PDA relates proportionality to various risk tools and the rigor with which they should be applied.  For example, PDA suggests that more formal tools, such as FMEA (failure modes and effects analysis) or HACCP (hazard analysis and critical control point), should be applied to more critical and complex systems and leverage expert knowledge from a risk facilitator and curated QRM team to execute the assessment, while less formal tools such as risk ranking need not employ the services of QRM experts in all cases.  PDA points out that formality should not be considered a dichotomy (i.e., either formal or informal), but rather is a spectrum that allows for various combinations of rigorous methods, techniques, documentation options, and expertise to be employed as appropriate for the risk question.2

The concept of human heuristics, as applicable to QRM exercises, is likewise reviewed in PDA’s Technical Report No. 54.  The influence of human heuristics on decision-making processes was first identified by decision science gurus Daniel Kahneman and Amos Tversky, whose work earned a Nobel Prize in Economic Sciences in 2002.  PDA borrowed from both Kahneman/Tversky and Dr. Kevin O’Donnell, who made the critical linkage between Kahneman’s work and QRM in 2010 through the publication of a two-part article addressing subjectivity and uncertainty in QRM exercises.3,4 Human heuristics are cognitive “shortcuts” that are used when judgments are made in the presence of uncertainty; colloquially, these are referred to as “rules of thumb.”  Heuristics have the potential to adversely affect the validity of risk analyses and risk acceptance decisions, as the estimation of risks and their acceptability to the patient can be greatly influenced by cognitive shortcuts at the expense of scientific knowledge.  PDA called attention to this phenomenon where other sources had neglected it; the importance of human heuristics in QRM marks this as a breakthrough.

PDA Technical Report No. 54 was one of the earliest documents of its kind, focused on the establishment of a QRM program to be integrated and applied within the product life cycle.  Because of this strategic perspective and the best practices offered within the text, this technical report has become one of the most widely referenced treatises on the enabling function QRM plays in an effective quality system.

Risk Management Applications in Pharmaceutical and Biopharmaceutical Manufacturing, edited by Mollah et al and published in 2013, offers a modern and much more sophisticated treatise on QRM, including chapters on philosophical, academic, and statistical topics that enabled a more comprehensive understanding of the benefits and concepts underpinning QRM.5 The book includes chapters on various QRM topics, compiled from myriad QRM experts; this book therefore represented the perspectives of thought leaders on QRM at the time.

Do you have a Quality Risk Management program?

Looking to increase quality and efficiency and deliver accurate analyses of clinical study site performance and data quality? Check out Angie Maurer’s webinar, “Building A Quality Risk Management Program And Leveraging Technology For Risk Based Monitoring

Mollah et al provide a succinct business case for the application of risk management for quality improvement before delving into how various risk management tools can support the overarching QRM life cycle.  Acknowledging the difficulty of providing discrete “rules” around the use of particular methodologies at the expense of others, Walker and Busmann compare the advantages and limitations of the basic QRM toolkit (e.g., those summarized in Annex I of ICH Q9).6 While the book does not discuss how to select the best fit risk tool for a particular circumstance and risk question, a pivotal article published by Murray and Reich in 2011 offers guidance on navigating the expansive toolkit based on the objective at hand. 7

Long offers his expertise on regulatory expectations of QRM, including common misunderstandings and pitfalls associated with risk implementation, in his chapter, “Risk Management: Regulatory Expectation, Risk Perception, and Organizational Integration.”8 Some instances of QRM misuse as described by Long include:

  • Lack of QRM usage (not assessing the risk to patient or product quality where warranted by an event or circumstance)
  • Improper implementation of QRM (lack of evidence supporting risk-based decisions, lack of sufficient product and process understanding)
  • Variable risk tolerance (deeming a given risk management “acceptable” in some instances but not others, with no clear explanation)
  • Use of QRM to justify an expected outcome (“reverse engineering” a risk assessment to justify a previously-determined decision or outcome)8

Perhaps the greatest contribution of Mollah et al’s book is Long’s chapter on probability estimates and statistical techniques as they relate to QRM exercises.9 Despite the fact that probability is a full 50 percent of the risk calculus (likelihood x severity = risk), there are very few sources available to industry QRM practitioners that explore this topic in a suitable depth.  Long addresses this topic head on, explaining general principles of probability, the roles of uncertainty and heuristics in estimating probability, and the benefits of moving toward more quantitative, data-driven assertions to support the validity of QRM outcomes.9 Indeed, industry commonly confuses risk management tool categories (qualitative vs. quantitative) with the application of quantitative risk analysis efforts, using actual probability estimates grounded in scientific data.10 Long’s direct inquiry into the relationship between statistics and QRM makes a critical connection that is often overlooked by industry practitioners.

Based on its depth of discussion on all manner of QRM topics, Risk Management Applications in Pharmaceutical and Biopharmaceutical Manufacturing serves as a rich source of knowledge that can enhance the level of expertise of its readership, contributing to general increases of QRM maturity within industry.

While a great many articles, white papers, and other documents on the topic of quality risk management are available in the public sphere, it is the author’s opinion that those discussed in this article should comprise required reading for any QRM practitioner.  These documents offer unique insight into the field that can help make QRM efforts both efficient and effective, ensuring QRM continues to add value to the patient.


  1. Vesper, J. Risk Assessment and Risk Management in the Pharmaceutical Industry: Clear and Simple. Baltimore, MD: PDA/DHI, Jun 2006.
  2. PDA. Technical Report Number 54, Implementation of Quality Risk Management for Pharmaceutical and Biopharmaceutical Manufacturing Operations. 2012.
  3. Strategies for Addressing the Problems of Subjectivity and Uncertainty in Quality Risk Management Exercises: Part 1 – The Role of Human Heuristics. O’Donnell, K. s.l.: Journal of Validation Technology, Summer 2010.
  4. Strategies for Addressing the Problems of Subjectivity and Uncertainty in Quality Risk Management Exercises: Part 2 – Risk Communication and Perception Issues. O’Donnell, K. s.l.: Journal of Validation Technology, Autumn 2010.
  5. Mollah, A., M. Long, and H. Baseman. Risk Management Applications in Pharmaceutical and Biopharmaceutical Manufacturing. Hoboken, NJ: John Wiley & Sons, Inc., 2013.
  6. Walker, M. and T. Busmann. Risk Management Tools. [book auth.] Mollah et al. Risk Management Applications in Pharmaceutical and Biopharmaceutical Manufacturing. Hoboken, NJ: John Wiley & Sons, Inc., 2013.
  7. Murray, Kristin S. and Reich, Stephen. Quality Risk Management (QRM) Tool Selection: Getting to Right First Time. Pharmaceutical Engineering. July/August 2011.
  8. Long, M. Risk Management: Regulatory Expectation, Risk Perception, and Organizational Integration. [book auth.] Mollah et al. Risk Management Applications in Pharmaceutical and Biopharmacetuical Manufacturing. Hoboken, NJ: John Wiley & Sons, Inc., 2013.
  9. Long, M. Statistical Topics and Analysis in Risk Assessment. [book auth.] Mollah et al. Risk Management Applications in Pharmaceutical and Biopharmaceutical Manufacturing. Hoboken, NJ: John Wiley & Sons, Inc., 2013.
  10. Waldron, K. Risk Analysis and Ordinal Risk Risk Rating Scales – A Closer Look. Journal of Validation Technology, Dec 2015.

About The Author:

Kelly Waldron is currently a senior consultant with ValSource and a member of the Pharmaceutical Regulatory Science Team (PRST) at the Dublin Institute of Technology in Dublin, Ireland. She has particular expertise and a specialized focus on the development and implementation of innovative approaches to quality risk management (QRM). Her expertise also extends to various quality functions in the pharmaceutical, biopharmaceutical, and medical device industries, including quality system design, quality strategy and planning, deviations/investigations, CAPA, change management, audit and inspection programs and response, stability programs, and design control. In addition, Waldron has authored numerous industry and academic papers on QRM. She has a BA in biology from Boston University, an MBA in pharmaceutical management from Fairleigh Dickinson University, and a Ph.D. in pharmaceutical regulatory science (thesis in QRM) from the Dublin Institute of Technology. She can be reached at

Leave a Reply