What should be the Risk Management Approach, We all recognize that risk management could be a very good tool to avoid any major failure or disaster with in the future if we actually justice with this tool, which means if we really follow it seriously these days then it’ll save us with in the future.

What is the objective of Risk Management

Risk management is a process to identify, evaluate, control, communicate, mitigate any kind of threat/hazard up to the acceptance limit and further continous review.

Quality Risk Management as per ICH Q9

“Quality risk management is a systematic process for the assessment, control, communication, and review of risks to the quality of the drug (medicinal) product across the product lifecycle.”

Quality Risk Management as per PIC/S

“Quality Risk Management is a systematic process for the assessment, control, communication, and review of risks to the quality of the medicinal product. It can be applied both proactively and retrospectively”

Risk Management is used in various industries i.e. finance/ banking, aerospace, automobile, etc. but in this article, we will discuss Quality Risk Management – applicable for pharmaceutical & healthcare.

Risk Management Approach

  • Proactive Risk Management Approach

  • Reactive Risk Management Approach

The conception of each variety of risk management is that the same, the sole distinction is Proactive Risk Management is performed before associate degree quite a failure but reactive risk management approach is performed once an encounter with any quite failure.

The proactive risk management approach provides an opportunity to do the right thing the first time and reactive risk management approach attempts to reduce the tendency of the same or similar accident which happened in the past being repeated in the future. In other words, reactive risk management solely depends on past accident analysis and response.

In alternative words, we can say that…

Proactive Approach to doing risk management is like “Prevention” & Reactive approach to doing risk management is like “Cure” 

We all apprehend that “Prevention” is always better than “Cure” however it doesn’t suggest that reactive approach to doing risk management isn’t needed in any case.  Any failure is prevented with the proactive approach to risk management if all the danger hazards known, control, and mitigate timely. A proactive approach to risk management will solely achieve success if every and each method bifurcates into tiny – tiny steps and every step analyzed circumstantially to spot any risk hazards & current management with within the method so the action is taken to scale back the incidence of failure and increase the detection level of failure.

It is usually understood that risk is outlined because of the combination of the likelihood of incidence of damage and also the severity of that damage.

Risk Management Process Flow

Quality Risk Management may be a Team Approach whether or not it’s a proactive approach or reactive approach to try to risk management.

Team means a cross-function team which comprises all the subject matter experts of the different area i.e. Engineering, operations, quality, warehouse, etc. as per the nature of the process where risk management is required

Risk Management
Risk Management Process

Step-1: Initiating Quality Risk Management Process

  • Define the Problem/ Identify the potential risk
  • Gather or assemble all background information/ data on potential hazards
  • Identify a project leader & other resources i.e. formation of a team.
  • Define a timeline, deliverable, and appropriate level of decision making.

Step-2: Risk Assessment 

Risk assessment has itself three sub-steps as given below;

  1. Risk Identification
  2. Risk analysis
  3. Risk Evaluation

Risk Identification is the step to identify the risk hazard within the process and this can be done by asking the below question.

Question: What might go wrong?

Risk analysis is the stage to evaluate the severity, occurrence, and detectability of the identified risk hazard. Severity and likelihood can be decided by asking the below questions.

Question- What are the consequences of identified risk (Severity)?

Question – What is the likelihood (probability) if it will go wrong?

Risk Score= Severity (S) x Occurrence (O)

In some risk tools, detectability scores are also considered to get a risk score by following the below formula.

Risk Score= Severity (S) x Occurrence (O) x Detectability (D)

Risk Evaluation is a stage to decide the level of the overall risk of any failure/ hazards. It could be Low, Medium, High, Ultra High, etc., and it is decided based on the risk score. Calculated risk scores are compared against predefined criteria to decide the overall risk.

Step-3: Risk Control

Once the risk assessment stage got completed, then the next stage of risk management is “Risk Control”. After identification and risk evaluation, risk reduction and its acceptance are required. It is basically the decision-making stage. Risk control stage has two sub-stages

  1. Risk Reduction
  2. Risk Acceptance

Risk Reduction: If the identified risk score or level is beyond the acceptance limit then risk reduction is required by implementing some mitigation action to improve the detection level of failure & to reduce its occurrence in the future. At this stage following question can be asked;

  • What can be done to reduce the risk?
  • What is the appropriate balance among the benefits considering risk and resources?
  • Are new risks introduced as a result of identified risk being controlled?

Risk Acceptance: At this stage, compare the calculated risk score with a pre-defined score of risk acceptance and ask the question, Is the calculated risk score acceptable? If yes then go ahead and if not then proposed some action to control the risk.

Step-4: Risk Communication

One risk mitigation actions are proposed to reduce the identified risk up-to acceptable level then risk communication is required between all the applicable parties. However, at any stage of the risk management, parties/team can communicate with each other.

While communicating with each other;

  • Share the completed information about identified risk, mitigation action, target completion date, etc. for effective communication and to get better results.
  • Align on the action and completion date.
  • Each and every communication should be documented.

Step-5: Risk Review

Once all the above activities completed, then there should be a mechanism to review all the identified risk and it should be based on the risk level. There should be a defined frequency to review all identified risks. Priority can be decided basis the risk level, which means give the priority to ultra-high risk to low risk. The revised score should be verified during the risk review. If during risk review any unacceptable risk found the again redo the risk reduction and acceptance process to make it acceptable. This review can be made easy with site risk register where all high priority risks with target completion date and responsible person should be defined and should be routinely monitored for its completion and further understand the effectiveness and its control of the state.

Risk Format (FMEA) 

Here is the risk format (eg. FMEA) which is enabled with formula calculation. Download it free from here…

FMEA Format

Concerning Risk Management, the following questions are frequently asked by the people…..

Question: Can the Severity score reduced after implementing the risk mitigation action?

The answer is No because the severity score is given based on identified hazards & its associated risk, not based on current control we have in place to reduce the risk.

Question: Can the risk be 100% eliminated?

Answer: No, see example below

Example: Severity, Detection & Occurrence of any hazards can not be Zero (0), it could be at least one (1) or Low and as per the risk score formula if we multiply

Risk Score = Severity x Occurrence x Detectability

Risk Score = 1 x 1 x 1

Risk Score = 1

Similarly, in the case of qualitative risk management tools if we multiply or sum the lowest risk of severity, occurrence & detectability which is “Low” then it will come “Low” only so with these examples we can not eliminate any risk 100% but we can control it up to an acceptable level. As it is confirmed that we can not eliminate risk 100% then it is necessary to monitor or review the identified risk at a defined frequency.

There are two types of risk management approaches; Proactive & Reactive as discussed in the beginning and the following are the sources of all these risk management approaches.

Source of Proactive & Reactive Risk Management Approach

Proactive approach of risk management can be used in the following;

  • Introduction of any new product in the facility
  • Purchasing of any new equipment or line
  • Building of any new facility
  • Introduction of new utilities
  • Introduction of new cleaning agent or disinfectant

Reactive approach of risk management can be used in the following;

  • In case of any outlier/ out of trends
  • In case of any equipment/ process or procedure failure etc.

Take Away Message

  1. Do it in a team so that each and every risk can be identified
  2. Do justice with risk and risk management tools.
  3. Don’t use it to hide the facts
  4. Follow a proactive approach but don’t forget to follow a reactive approach in case of any failure.
  5. Communication is the key to risk management so keep very good communication with each team member.
  6. You should have site risk register and keep all high priority risks in this risk register and monitored each risk at a defined frequency to understand the current situation of identified risk.
  7. Be in mind, risk can not be eliminated permanently however it can be reduced up to an acceptable limit so a regular review is essential to make the risk management effective.