“Quality” Risk Management (FDA Guidance).

Information | Understanding | Best Practice.


“Quality” risk management is based on establishing and implementing a structured, formally approved, well understood process for the “assessment, control communication and review of risk”.

Responsibility for the “quality” risk management process.
Responsibility for implementing the various requirements inherent within a risk process is usually allocated to a team who include individuals with an expertise in the product or process under review, in addition to individuals with a clear understanding of the risk process, the related regulatory & operational requirements.

Supervisors, managers, senior management, will all have defined roles related to the risk process, with a view to ensuring that a “quality” risk management process is established, defined, documented, fully resourced and effectively implemented within the organization.

Risk Management. Requirements. Standards. Current best practices.
Information | Understanding  | Best Practice >>>

Initiating the risk process.
The initiation of a risk review needs to be based on a defined systematic process which supports the use of fact based decision making. This may include defining the problem or risk to be considered, including the documenting of “pertinent assumptions” related to the risk, assembling background data or information related to the potential hazard or harm. Agreeing of a team leader and resources to be allocated to the risk review effort. Agreeing estimates of deliverables, timelines, and the decision-making requirements for completion of the risk effort.


There are three distinct phases in the risk management process, namely:

i) Risk Assessment,

ii) Risk Control and

iii) Risk Review.


In Risk Assessment there are the stages of Risk Identification, Risk Analysis and Risk Evaluation.

In Risk Control are Risk Reduction and Risk Acceptance stages, finally

Risk Review details a review of the Risk Events.


Risk Assessment.
Considering the previous stages in a little more detail, within Risk Assessment are the following:

Risk Identification is based on the application of scientific or fact based methods to identify hazards which are relevant to the risk under review. “What night go wrong” needs to be asked and all available information applied to identify the potential hazard.

Risk Analysis seeks to understand and estimate the risk associated with the previously identified hazards. In this stage the likelihood of occurrence and the potential severity, if the occurrence were to arise are considered, resulting in a qualitative or quantitative output. The ability to detect the “harm” may also be included into the analysis.

Risk Evaluation is the process of comparing the risks which have been analysed against predefined risk criteria.

The output of the risk assessment stage will be in the form of a quantitative or qualitative measure of the potential risks. Under a quantitative risk process the level of risk is detailed via a numerical probability. Under a qualitative risk process, the level of risk will be given a description e.g. low, medium, high, critical risk.


Risk Control.
The quality risk management process now moves onto Risk Control.

During a Risk Control process, decisions need to be made as to the acceptability of the risks as they exist or if actions need to be taken to reduce risks. The focus will be on the higher-level risks with the efforts to reduce proportionate to the potential risk. Risk Control entails Risk Reduction and Risk Acceptance activities.

Risk Reduction seeks to avoid risks which are in excess of a pre-determined acceptance threshold. Reducing risk can be achieved via a reduction in severity if the risk were to arise, alternatively reducing the probability of the risk arising in the first instance, or a combination of both approaches.

Risk Acceptance is the point where a risk is known but management are comfortable that the risk posed when viewed in terms of the potential benefits. For example, consider a new pharmaceutical product which can provide significant health benefits to users, equally such a product could carry significant risks to a small population of users. However, when the “risk to benefit” is assessed, the risk may be considered acceptable.


Risk Review.
The final stage in a “quality” risk management process is the Risk Review.

The information obtained from the risk management process needs to be continually reviewed and needs to include all new information or knowledge which will arise over time. The frequency of risk reviews need to reflect the level of risks. Also risk reviews need to include revisiting decisions previously made on any levels of risk acceptance.

Risk Review. Once the risk process has been initiated, the process needs to continually be applied to identify activities or events which could have an impact on prior decisions. Examples of such events could be customer complaints, product recalls, audit reports, product or product changes, information obtained from the corrective or preventative action process, etc., ..


Risk Communication.
An essential component of any Quality Risk Management process is Risk Communication. At all stages there is an expectation that there is open two-way communication about the identification, analysis, review and mitigation of risks.

Risk Communication can occur at any stage, however, there needs to be clear (formal & documented) communication at the “output” of the quality risk management process stage. The type of information to be communicated may relate to the existence of potential risks, the types of risks, the estimated probability, severity, detectability of such risks. The decisions made regarding risk acceptability, methods of risk control, risk monitoring and reporting going forward.
Risk Management Full Details

Risk Management.