Quality Risk Management

ISO 9001:2015

The following introduction to Quality Risk Management is based on a fantastic public Blog on
ISO 9001 issues which we thoroughly recommend to you.

1 Introduction
Risk management principles are effectively utilised in many areas of business and
government including finance, insurance, occupational safety, public health, pharmaceutical,
and by agencies regulating these industries.
Risk is defined as the combination of the probability of occurrence of harm and the severity
of that harm. However, achieving a shared understanding of the application of risk
management among diverse stakeholders is difficult because each stakeholder might
perceive different potential harms, place a different probability on each harm occurring and
attribute different severities to each harm.

2 Principles of Quality Risk Management

The two primary principles of quality risk management are:

 the evaluation of the risk to quality should be based on scientific knowledge

 the level of effort, formality and documentation of the quality risk management
process should be commensurate with the level of risk

3 General Quality Risk Management Process

Quality risk management is a systematic process for the assessment, control,
communication and review of risks to the quality of product across the product life-cycle.
A model for quality risk management is outlined in the diagram. Other models could be used
and the emphasis on each component of the framework might differ from case to case.
However, a robust process will incorporate consideration of all the elements at a level of
detail that is commensurate with the specific risk.

Quality Risk Management Page 1 of 9

4 Overview of a typical quality risk management process

Decision nodes are not shown in the diagram above because decisions can occur at any
point in the process.
These decisions might be to return to the previous step and seek further information, to
adjust the risk models or even to terminate the risk management process based upon
information that supports such a decision.
Note: “unacceptable” in the flowchart does not only refer to statutory, legislative, or
regulatory requirements, but also to indicate that the risk assessment process should be
revisited.

5 Responsibilities
Quality risk management activities are usually, but not always, undertaken by
interdisciplinary teams. When teams are formed, they should include experts from the
appropriate areas such as quality unit, business development, engineering, regulatory

Quality Risk Management Page 2 of 9

affairs, production operations, sales and marketing, legal, statistics, in addition to individuals
who are knowledgeable about the quality risk management process.
Decision makers should:

 take responsibility for coordinating quality risk management across various functions
and departments of their organization

 ensure that a quality risk management process is defined, deployed, and reviewed
and that adequate resources are available

6 Initiating a Quality Risk Management Process

Quality risk management should include systematic processes designed to coordinate,
facilitate and improve science-based decision making with respect to risk. Possible steps
used to initiate and plan a quality risk management process might include the following:

 define the problem and/or risk question, including pertinent assumptions identifying
the potential for risk

 assemble background information and/or data on the potential hazard, harm or

human health impact relevant to the risk assessment

 identify a leader and critical resources

 specify a timeline, deliverables, and appropriate level of decision making for the risk
management process

7 Risk assessment
Risk assessment consists of the identification of hazards and the analysis and evaluation of
risks associated with exposure to those hazards.
Quality risk assessments begin with a well-defined problem description or risk question.
When the risk in question is well defined, an appropriate risk management tool and the
types of information that will address the risk question will be more readily identifiable. As an
aid to clearly defining the risk for risk assessment purposes, three fundamental questions
are often helpful:
1. What might go wrong?
2. What is the likelihood (probability) it will go wrong?
3. What are the consequences (severity)?

8 Risk identification
Risk identification is a systematic use of information to identify hazards referring to
the risk question or problem description.

Information can include historical data, theoretical analysis, informed opinions, and the
concerns of stakeholders. Risk identification addresses the “What might go wrong?”
question, including identifying the possible consequences. This provides the basis for further
steps in the quality risk management process.

9 Risk analysis

Quality Risk Management Page 3 of 9

Risk analysis is the estimation of the risk associated with the identified hazards.
It is the qualitative or quantitative process of linking the likelihood of occurrence and severity
of harms. In some risk management tools, the ability to detect the harm (detectability) also
factors in the estimation of risk.

10 Risk evaluation
Risk evaluation compares the identified and analyzed risk against given risk criteria.
Risk evaluations consider the strength of evidence for all three of the fundamental questions.
In doing an effective risk assessment, the robustness of the data set is important because it
determines the quality of the output.
Revealing assumptions and reasonable sources of uncertainty will enhance confidence in
this output and/or help identify its limitations. Uncertainty is due to combination of incomplete
knowledge about a process and its expected or unexpected variability. Typical sources of
uncertainty include gaps in knowledge, gaps in process understanding, sources of harm
(e.g., failure modes of a process, sources of variability), and probability of detection of
problems.
The output of a risk assessment is either a quantitative estimate of risk or a qualitative
description of a range of risk. When risk is expressed quantitatively, a numerical probability
is used.
Alternatively, risk can be expressed using qualitative descriptors, such as “high,” “medium,”
or “low,” which should be defined in as much detail as possible. Sometimes a risk score is
used to further define descriptors in risk ranking. In quantitative risk assessments, a risk
estimate provides the likelihood of a specific consequence, given a set of risk-generating
circumstances.
Thus, quantitative risk estimation is useful for one particular consequence at a time.
Alternatively, some risk management tools use a relative risk measure to combine multiple
levels of severity and probability into an overall estimate of relative risk. The intermediate
steps within a scoring process can sometimes employ quantitative risk estimation.

11 Risk control
Risk control includes decision making to reduce and/or accept risks. The purpose of risk
control is to reduce the risk to an acceptable level. The amount of effort used for risk control
should be proportional to the significance of the risk.
Decision makers might use different processes, including benefit-cost analysis, for
understanding the optimal level of risk control. Risk control might focus on the following
questions:

 Is the risk above an acceptable level?

 What can be done to reduce or eliminate risks?

 What is the appropriate balance among benefits, risks and resources?

 Are new risks introduced as a result of the identified risks being controlled?
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it
exceeds a specified (acceptable) level. Risk reduction might include actions taken to mitigate
the severity and probability of harm. Processes that improve the detectability of hazards and

Quality Risk Management Page 4 of 9

quality risks might also be used as part of a risk control strategy. The implementation of risk
reduction measures can introduce new risks into the system or increase the significance of
other existing risks. Hence, it might be appropriate to revisit the risk assessment to identify
and evaluate any possible change in risk after implementing a risk reduction process.
Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to
accept the residual risk or it can be a passive decision in which residual risks are not
specified.
For some types of harms, even the best quality risk management practices might not entirely
eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk
management strategy has been applied and that quality risk is reduced to a specified
(acceptable) level. This (specified) acceptable level will depend on many parameters and
should be decided on a case-by-case basis.

12 Risk Communication
Risk communication is the sharing of information about risk and risk management between
the decision makers and others. Parties can communicate at any stage of the risk
management process.
The output/result of the quality risk management process should be appropriately
communicated and documented. Communications might include those among interested
parties (e.g., regulators, industry, within a company, industry, or regulatory authority). The
included information might relate to the existence, nature, form, probability, severity,
acceptability, control, treatment, detectability, or other aspects of risks to quality.
Communication need not be carried out for each and every risk acceptance. Between the
industry and regulatory authorities, communication concerning quality risk management
decisions might be effected through existing channels as specified in regulations and
guidance.

13 Risk Review
Risk management should be an ongoing part of the quality management process.
A mechanism to review or monitor events should be implemented. The output/results of the
risk management process should be reviewed to take into account new knowledge and
experience.
Once a quality risk management process has been initiated, that process should continue to
be utilised for events that might impact the original quality risk management decision,
whether these events are planned (e.g., results of product review, inspections, audits,
change control) or unplanned (e.g., root cause from failure investigations, recall).
The frequency of any review should be based upon the level of risk. Risk review might
include reconsideration of risk acceptance decisions.

14 Risk Management Methods and Tools

15 Introduction
Quality risk management supports a scientific and practical approach to decision making.

Quality Risk Management Page 5 of 9

It provides documented, transparent, and reproducible methods to accomplish steps of the
quality risk management process based on current knowledge about assessing the
probability, severity, and, sometimes, detectability of the risk.
Traditionally, risks to quality have been assessed and managed in a variety of informal ways
(empirical and/or internal procedures) based on, for example, compilation of observations,
trends, and other information. Such approaches continue to provide useful information that
might support topics such as handling of complaints, quality defects, deviations, and
allocation of resources.
An organization can can assess and manage risk using recognized risk management tools
and/or internal procedures (e.g., standard operating procedures). Below is a non-exhaustive
list of some of these tools.

16 Basic Risk Management Facilitation Methods

Some of the simple techniques that are commonly used to structure risk management by
organizing data and facilitating decision making are:

 Flowcharts

 Check Sheets

 Process Mapping

 Cause and Effect Diagrams (also called an Ishikawa diagram or fish bone diagram)

17 Failure Mode Effects Analysis (FMEA)

FMEA provides for an evaluation of potential failure modes for processes and their likely
effect on outcomes and/or product performance.
Once failure modes are established, risk reduction can be used to eliminate, contain, reduce,
or control the potential failures.
FMEA relies on product and process understanding and methodically breaks down the
analysis of complex processes into manageable steps. It is a powerful tool for summarizing
the important modes of failure, factors causing these failures, and the likely effects of these
failures.
FMEA can be used to prioritize risks and monitor the effectiveness of risk control activities
and can be applied to equipment and facilities and might be used to analyze a
manufacturing operation and its effect on product or process. It identifies
elements/operations within the system that render it vulnerable.
The output / results of FMEA can be used as a basis for design or further analysis or to
guide resource deployment.
Template for FMEA

18 Failure Mode, Effects, and Criticality Analysis (FMECA)

FMEA might be extended to incorporate an investigation of the degree of severity of the
consequences, their respective probabilities of occurrence, and their detectability, thereby
becoming a Failure Mode, Effects, and Criticality Analysis (FMECA).

Quality Risk Management Page 6 of 9

In order for such an analysis to be performed, the product or process specifications should
be established. FMECA can identify places where additional preventive actions might be
appropriate to minimize risks.
FMECA application should mostly be utilised for failures and risks associated with
manufacturing processes; however, it is not limited to this application.
The output of an FMECA is a relative risk “score” for each failure mode, which is used to
rank the modes on a relative risk basis.
Template for FMECA

19 Fault Tree Analysis (FTA)

The FTA tool is an approach that assumes failure of the functionality of a product or
process.
This tool evaluates system (or subsystem) failures one at a time but can combine multiple
causes of failure by identifying causal chains. The results are represented pictorially in the
form of a tree of fault modes. At each level in the tree, combinations of fault modes are
described with logical operators (AND, OR, etc.). FTA relies on the experts’ process
understanding to identify causal factors.
FTA can be used to establish the pathway to the root cause of the failure and can also be
used to investigate complaints or deviations in order to fully understand their root cause and
to ensure that intended improvements will fully resolve the issue and not lead to other issues
(i.e. solve one problem yet cause a different problem).
Fault Tree Analysis is an effective tool for evaluating how multiple factors affect a given
issue. The output of an FTA includes a visual representation of failure modes. It is useful
both for risk assessment and in developing monitoring programmes.
Example of Fault Tree Analysis

20 Hazard Analysis and Critical Control Points (HACCP)

HACCP is a systematic, proactive, and preventive tool for assuring product quality, reliability,
and safety). It is a structured approach that applies technical and scientific principles to
analyze, evaluate, prevent, and control the risk or adverse consequence(s) of hazard(s) due
to the design, development, production, and use of products.
HACCP consists of the following seven steps:

 conduct a hazard analysis and identify preventive measures for each step of the
process

 determine the critical control points

 establish critical limits

 establish a system to monitor the critical control points

 establish the corrective action to be taken when monitoring indicates that the critical
control points are not in a state of control

 establish system to verify that the HACCP system is working effectively

 establish a record-keeping system

Quality Risk Management Page 7 of 9

HACCP might be used to identify and manage risks associated with physical, chemical, and
biological hazards (including microbiological contamination).
HACCP is most useful when product and process understanding is sufficiently
comprehensive to support identification of critical control points. The output of a HACCP
analysis is risk management information that facilitates monitoring of critical points not only
in the manufacturing process but also in other lifecycle phases.
Template for HACCP

21 Hazard Operability Analysis (HAZOP)

HAZOP is based on a theory that assumes that risk events are caused by deviations from
the design or operating intentions.
It is a systematic brainstorming technique for identifying hazards using so-called guide
words. Guide words (e.g., No, More, Other Than, Part of) are applied to relevant parameters
(e.g., contamination, temperature) to help identify potential deviations from normal use or
design intentions. HAZOP often uses a team of people with expertise covering the design of
the process or product and its application.
HAZOP can be applied to manufacturing processes, including outsourced production and
formulation as well as the upstream suppliers, equipment and facilities for drug substances
and drug products. It has also been used primarily in the pharmaceutical industry for
evaluating process safety hazards.
As is the case with HACCP, the output of a HAZOP analysis is a list of critical operations for
risk management. This facilitates regular monitoring of critical points in the manufacturing
process.
Example of HAZOP

22 Preliminary Hazard Analysis (PHA)

PHA is a tool of analysis based on applying prior experience or knowledge of a hazard or
failure to identify future hazards, hazardous situations and events that might cause harm, as
well as to estimate their probability of occurrence for a given activity, facility, product, or
system. The tool consists of:

 the identification of the possibilities that the risk event happens,

 the qualitative evaluation of the extent of possible injury or damage to health that
could result,

 a relative ranking of the hazard using a combination of severity and likelihood of

occurrence, and

 the identification of possible remedial measures

PHA might be useful when analyzing existing systems or prioritizing hazards where
circumstances prevent a more extensive technique from being used.
It can be used for product, process and facility design as well as to evaluate the types of
hazards for the general product type, then the product class, and finally the specific product.
PHA is most commonly used early in the development of a project when there is little
information on design details or operating procedures; thus, it will often be a precursor to

Quality Risk Management Page 8 of 9

further studies. Typically, hazards identified in the PHA are further assessed with other risk
management tools such as those in this section.
Example of a Preliminary Hazard Analysis Report

23 Risk Ranking and Filtering

Risk ranking and filtering is a tool for comparing and ranking risks. Risk ranking of complex
systems typically involves evaluation of multiple diverse quantitative and qualitative factors
for each risk.
The tool involves breaking down a basic risk question into as many components as needed
to capture factors involved in the risk. These factors are combined into a single relative risk
score that can then be used for ranking risks. “Filters,” in the form of weighting factors or cut-
offs for risk scores, can be used to scale or fit the risk ranking to management or policy
objectives.
Risk ranking and filtering can be used to prioritize manufacturing sites for inspection/audit by
regulators or industry. Risk ranking methods are particularly helpful in situations in which the
portfolio of risks and the underlying consequences to be managed are diverse and difficult to
compare using a single tool.
Risk ranking is useful for management to evaluate both quantitatively-assessed and
qualitatively-assessed risks within the same organizational framework.
Template for Risk Ranking

24 Supporting Statistical Tools

Statistical tools can support and facilitate quality risk management. They can enable
effective data assessment, aid in determining the significance of the data set(s), and
facilitate more reliable decision making. A listing of some of the principal statistical tools
commonly used is provided:

 Control charts
For example Acceptance control charts, Control charts with arithmetic average and
warning limits, Cumulative sum charts , Shewhart control charts, Weighted moving
average.

 Design of experiments (DOE)

 Histograms

 Pareto charts

 Process capability analysis

Quality Risk Management Page 9 of 9