Manage Risk

In order to Manage Risk, the first step is to identify the Hazards and perform a Risk Analysis.

Determine if a risk analysis has already been performed or is there any other relevant information available, for a similar product or process. if yes, then the information which is already available may be useful in developing a new risk analysis.

If the product or process is part of a larger integrated system/process, the risk analysis should consider interface(s) to and combinations with other products and/or accessories.

The basic functional structure and workflow of the product or process should be identified, analyzed and included in the risk analysis.


Estimate and evaluate the risks identified during the risk analysis.

For every risk identified, you need to determine if risk reduction is required. If reduction is required, you need to determine if it is practical and beneficial in terms of cost or reputation or compliance?

Risk acceptability levels should be defined using a “Risk Matrix”. The risk matrix helps to remove subjective judgement and provides a numeric or visual (color coded) indication of the potential risk.


Implement a process to reduce and control the identified risks.

Risk control should reduce the probability of occurrence of harm. A “reduction” of severity is only possible by inherent safe re-design of a specified functionality (i.e., elimination of the underlying hazard).

Risk control measures may need to be applied in terms of combinations with other products and processes. During Risk Control, Critical Quality Attributes (CQA’s)* may be identified and classified.

Critical Quality Attributes (CQA’s)* may need to ensure that safety related risk control measures are implemented.

Both implementation of risk control measures and effectiveness of risk control measures should be verified and documented.

A validation study may be used to verify the effectiveness of any risk control measures implemented. Note: Verification or validation activities, by themselves, cannot be considered as a risk control measure. If the residual risk is considered unacceptable, further risk control measures should be applied.


* Critical Quality Attribute (CQA) – A physical, chemical, biological or microbiological property or characteristic that shall be within an appropriate limit, range, or distribution in order to ensure the desired product or process quality.


Monitor the effectiveness of the controls implemented.

A monitoring system should be established, documented and maintained to actively collect and review information (e.g. post-market surveillance and other data sources) about the product or process or similar products in order to re-assess the effectiveness of the risk controls implemented.

Sources of information can include complaints, non-conformance reports, feedback from users, or from maintenance/service personnel.

When implementing a risk management process, many organizations start with a risk management plan. They also evaluate and develop staff competences on a range of risk analysis techniques such as Cause and Effect Analysis, Fault Tree Analysis, HAZOP, 5 Why’s, etc.

Another key element is the Risk Management File, where all the critical risk documents are held or if not physically located in the file, have pointers maintained in the risk file as to where they can be located.