Often seen as a burden, Quality Risk Management (QRM) is actually a powerful tool to drive compliance, control, and improvement. Many medium and smaller pharmaceutical organisations, particularly those with virtual business models (i.e. office-based without any production or storage facilities), have struggled in the past to comply with this regulatory expectation. Only recently have inspectors started to review how organisations manage risk through documented risk assessments and formal risk registers. Larger global organisations have fully embraced QRM, with strong inter-site links to share equivalent risk mitigation on similar processes and systems.
This article is not intended to replicate the content of ICH Q9 and other valuable information sources on this subject. It is primarily designed to shed a little more light on the practical aspects of generating a comprehensive risk assessment for businesses and operational sites, regardless of size, complexity, markets supplied and GxP compliance.
In many cases the starting point is an event that may have required a formally documented product quality risk assessment to facilitate release. It is important to appreciate that quality risks can be derived from these events, whether planned (such as Product Quality Reviews or audits) or unplanned (deviations, complaints, out of specification results, stability failures, product recalls etc). However, preparing risk assessments in this manner can be fragmented, inconsistent, poorly recorded and lacking in any kind of defined actions.
Because of limited resource and experience, together with conflicting priorities, available risk assessments may be limited to those created from events and, without the sponsorship, commitment and support of senior management, will not progress beyond this stage.
The most effective way to introduce a QRM programme is to initiate a structured review of processes and systems. This should at least include facilities, equipment, utilities, IT systems, documentation, qualification, change control, QA/QC functions, storage, suppliers, contractors, and service providers.
Rather than being seen as a QA responsibility, risks should be assessed in teams using tools such as Failure Mode and Effects Analysis (FMEA), Fishbone Analysis, 5 Whys etc. It is vital at an early stage to record the risk description accurately and precisely. A risk that is described in loose terms will potentially drive the wrong actions, so, as in a problem-solving exercise, there needs to be agreed clarity on what the problem is, where it exists and when it occurs, without defining the potential root cause.
So, preparing a list of risks by area or system is probably the first task, prior to any consolidation of shared risks, scoring, recording current controls or allocating responsibilities for mitigation action steps.
The task of preparing the master list of risks (risk register) can be daunting and take some time to complete, depending on the complexity of the operation. Involving the users will encourage a culture of transparency and facilitate escalation of more critical risks – those ‘red’ risks with high scores.
Moving on to scoring, the analysis of severity, likelihood and detectability should be as objective and evidence-based as possible. It is extremely easy to rate too many risks with high scores when this may not be the case. A site manufacturing sterile product can be expected to have many risks with high scores, when compared to a company with only a warehouse of ambient products.
Two scores are necessary: one based on the current control mechanisms, and one for when all the desired mitigation actions have been successfully completed. Clear responsibilities can be allocated to close actions within appropriate timescales, again based on the risk.
Having generated a comprehensive set of risks that form the site/business risk register, it can then become an integral part of decision making. This applies to compliance, governance, and quality oversight, with periodic reviews of risks, actions, and closure through management review. It must be recognised that the risk management programme must be proactive, dynamic, and ongoing. It should not reside neglected in a file or out-of-date folder; rather, it should be part of a site continuous compliance improvement programme.
QRM is not rocket science, nor is it a simple one-off task allocated to a junior QA staff member just before an inspection. If applied in a constructive, detailed and cross-functional manner, it will not only satisfy regulatory expectations but also be a part of routine operational and business activity.
So, to summarise, QRM should be:
- Sponsored by senior management
- Organised as a team effort
- A structured and dynamic programme
- Precise and specific for each risk
- Scored appropriately
- Part of periodic management review
About the Author
Roger Smith, Consultant and Auditor
Roger Smith has more than 40 years of experience in pharmaceutical manufacturing and supply, with responsibilities in quality, production and technical support. After an extensive career working in a number of multinationals, over the last 5 years Roger has acted as an independent pharmaceutical quality consultant, offering QP services, inspection preparation, auditing and QMS/QRM support. He is a graduate chemist and has a Diploma in Management Studies.