Quality Risk Management (QRM) is important as it ensures that we place the risk to the patient and risk to product quality at the centre of each decision that we make. It provides a mechanism for us to identify and understand the true risk associated with our course of action, whether that is related to the design of our facilities and processes, the management of change, the assessment of deviations and unplanned events or in the design of our Quality Management Systems.
A Quality Risk Management program can only be efficient when the information gathered through the risk assessment process is revisited regularly and used to drive decision making. Prospective risk assessments should be in the majority, so that risks and their consequences can be mitigated and avoided before they occur and before there is a need for resources to be spent on fixing problems that could have been avoided.
If a Quality Risk Management program is efficient there will be a smaller number of risk assessments that are prospective, prevent risks, and are revised regularly e.g. when a Change Control is proposed or an OOS or Deviation occurs. They are living documents and should also be driver for knowledge retention and management. Inefficient Quality Risk Management programs do not define the boundary of each risk assessment appropriately and contain risk assessments that are performed to ‘tick a box’ or satisfy inspectors rather than to drive improvement and risk reduction.
At the design phase, for a product, process or facility, the potential risks should be identified and controls defined for each risk within the context of the risk question (s). These controls are then incorporated into the design and Quality Management System, documented and detection mechanisms are identified to monitor the effectiveness of the controls.
When the detection indicates that a control is not performing as expected, or a risk is realized, the risk assessment is reviewed, revised and updated with additional controls until the risk is managed and only residual risk remains. This process is continued throughout the lifecycle of a product, process or facility and following the implementation of the Quality Management System, each Change Control and Deviation should trigger a review of the relevant risk assessments.
For example, if a Change is proposed in a process, the relevant process step should be reviewed in each relevant risk assessment and the change assessed against the impact it will have on the current controls or methods of detection at that process step. Likewise, when a deviation occurs, this is an indication that something has gone wrong, i.e. a risk has occurred that wasn’t prevented by the Quality Risk Management program.
Investigation of the deviation should identify why the risk had not been foreseen or if it had, why the controls had failed to prevent the risk occurring. Any resulting CAPA actions should be included in the relevant risk assessments as controls on conclusion of the investigation and implementation of the resulting CAPA plan.
Planning is important to: 1) ensure that the key risk assessments required in the Quality Risk Management plan are identified and 2) to ensure the appropriate scope and risk question is identified for each risk assessment identified. This prevents the performance of multiple risk assessments that do not have clear direction or a defined risk question.
The risk question should always tell you the type of risk being assessed, e.g. quality risk, contamination risk etc., and what the risk is being assessed against. For Quality Risk
Management, the risk question should always be the assessment of the defined risk to the product quality or patient safety.
Business or safety risk does not fall within the scope of Quality Risk Management. It is also important to plan each risk assessment so that the purpose of the risk assessment is clear and to provide the opportunity to identify the correct tool for documenting the risk assessment. Risk Assessment tools do not drive the risk assessment, this is the function of the risk question, they are there to help the clear documentation of the risk assessment.
When planning the Quality Risk Management program, it is important to remember that the purpose of risk management is to help you identify the true risks that are present in your processes so that they can be mitigated and prevented.
Quality Risk Management is not a tool for justifying bad practice or justifying deviations from GMP. Many companies skip the planning process and implement risk assessment as a method for impact assessment after the fact. This is not the intention of Quality Risk Management. The risk assessments that will help you to constantly monitor, assess and mitigate the quality risks in your process need to be planned and identified so that they can prevent issues before they occur. To plan your Quality Risk Management Plan you must be aware of the following:
The key to efficiency and economy is having a small number of key prospective risk assessments that are revised regularly as new information becomes available through process improvement, change control and deviations. QRM programs become inefficient and resource hungry when risk assessments are performed every time something goes wrong instead of performing them at the start when you have a chance to mitigate risk and prevent issues. Each risk that you identify and prevent reduces the resources spent on issues and deviations and fixing mistakes.
This usually occurs if QRM and its function are not well understood or if risk assessments are reactive tools to problems rather than used to proactively prevent issues. This also occurs when the QRM program is not integrated nor informed by other elements in the Quality Management System as mentioned previously. QRM needs to be an ever evolving tool that keeps us informed of the detail of our current process, how that process is performing, how our controls are performing and areas where there is risk that we can prevent from occurring.
To manage a QRM program, its function needs to be understood by everyone in the organization, at all levels and there needs to be an open culture that welcomes the identification of risk so that it can be mitigated and prevented. If there is a culture of justification of current practice through risk assessment, an organisation will not improve or progress and will still have to waste resources in the management of deviations and issues that could have been foreseen and prevented with a good Quality Risk Management program.
Also, the emphasis is often incorrectly placed on risk management tools and implementation of complex tools that are poorly understood. The emphasis should always be simplified and brought back to the questions, “What can go wrong, what is the likelihood it will go wrong based on the current controls in place and how will I detect if it goes wrong or if my controls fail?”
As long as we answer this question comprehensively across our operations, we are performing Quality Risk Management and the method for documentation of this thought process is just that, a method for documentation.
Ensure that all levels in the organisation understand the following:
Training, planning, implementing and maintenance. If risk assessments are not revisited every time there is a deviation or change control, the system isn’t working!