The Risk Management Process


This section addresses the following questions:

  • What are the most important prerequisites for a risk management process?
  • How can the systematic application of risk fields facilitate this work?
  • What are the most important elements of risk management?
  • What factors must be taken into account in the implementation of a risk management concept?
  • How should an implementation team be put together?
  • How do we achieve acceptance for a risk management process?

The most important elements of the risk management process, such as

  • Identification,
  • Evaluation,
  • Control,
  • Communication and Monitoring

should always be clearly identified. In contrast, the choice of tools and the deployment of resources depend greatly on the risk fields concerned and their individual level of criticality. It is important that a systematic procedure is transparent to a third party, so that the risk management process can be sustainably maintained. This provides easier access to information for colleagues who may analyse related or similar risk fields in the future.

1 Risk fields

Particularly in the design phase of an RM system, the question often arises as to which aspects and general conditions affect the design of, for example, interfaces, process balance limits, and systems, as well as the selection of, for example, teams and methods. Differentiation according to quality risk fields can be a very valuable method. You will soon realise that this enables the definition of basic requirements for the composition of teams, and it may even be possible to preselect the corresponding methods. Figure 10.B-1 and figure 10.B-2 show the risk fields that are involved, and how they interact with each other.

Figure 10.B-1 Risk fields and their interactions

Figure 10.B-2 Risk fields and their interactions

Risk fields

  • Risks presented by technical facilities and their operation (facility risks): e.g. equipment, apparatus, IT, environment, interfaces, operating personnel
  • System risks: e.g. quality systems: control, measures, changes, documentation, regulatory compliance
  • Process risks: e.g. quality parameters, parameter control during a processing step
  • Product risks: drug product safety, efficacy, e.g. quality criteria

Figure 10.B-3 Risk fields, e.g. fluidised bed process

Risk field (gen.)

Risk field

General considerations

Specific considerations



Critical elements on the coater (e.g. spray nozzle, flow control)


Quality system


General rules and aspects of apparatus qualification (e.g. documentation, maintenance)

Specific aspects for qualification of coating facilities (inspection of fluidisation)



Critical process variables (temperature, gas flow)

Operation and facility-specific process variables


Product XY

General quality criteria (layer thickness, homogeneity)

Specific influence of layer thickness on the product properties

Before identifying the risks for a specific step in the life cycle of a particular product, the general risks for the relevant systems, facilities, and processes should be considered at a higher level. Figure 10.B-3 provides an example of how a systematic procedure can be established for identifying and handling risks for a fluid bed coating process in the processing of product XY in a coater. A qualification procedure, a coating system, or the coating process itself may hide potential risks independently of the product to be processed. This type of risk evaluation can therefore provide results that form a useful basis for specific considerations.

2 Prerequisite

In order for a risk management project to succeed, certain prerequisites have to be fulfilled that are already familiar from normal project work. Risk management activities are often performed by interdisciplinary teams specifically designated for this task (for more information, see chapter 5.2 Project team). The teams formed to carry out risk management activities should include experts from all areas involved, as well as people who already have some experience of risk management processes and associated methods.

Figure 10.B-4 Roles and responsibilities

Roles and responsibilities

Who makes the resources available?

E.g. Management with personnel responsibility from development, marketing authorisation, or production.

Who defines the competence fields?

E.g. Staff with operational and/or regulatory responsibility with a broad range of knowledge; requires a broader overview across system and organisational boundaries

Who possesses the necessary knowledge and experience for which field?

E.g. Experts with very detailed knowledge:

  • Development experts for particular formulations
  • Production managers in manufacturing
  • Experts in pharmacology, pharmacokinetics, and biometrics
  • Auditors

Who moderates the team and provides guidance on risk management matters?

E.g. Experts in the systematic processing of procedures, e.g. from the area of quality management

Who makes decisions on the acceptance of particular risks and on the measures to be implemented?

E.g. Heads of development, manufacturing, quality management; in general, the contract giver, who provides the resources, can also make the corresponding decisions.

Who realises and monitors the consistent implementation?

E.g. Head of manufacturing

The following is a list of important aspects that should be observed or clarified during the preparation phase:

  • Definition of risk fields
  • Description of the boundaries and interfaces for the system, process, technical facility or product group under consideration
  • Clear description of problems or questions on the possible risks
  • Definition of acceptance criteria
  • Selection of method(s)
  • Roles/responsibilities (see figure 10.B-4)

3 Knowledge and experience

The most important prerequisite for a meaningful risk evaluation is familiarity with the circumstances and the environment. Often, the knowledge or experience may not be sufficiently documented, and it may be necessary to include experienced staff from the operational area as experts in the team. Furthermore, you need to carefully check whether similar activities and risks have already been identified and evaluated in a similar area. Sometimes, a literature search can also provide important insights and ideas. A systematic risk evaluation of product characteristics and their synthesis and manufacturing processes, performed by R&D, provides important information that should always be incorporated in the development of production processes and equipment design.

In addition, information that enables definitive statements on the possible risks is also very helpful, e.g.

  • Information on the process capability (out-of-specification (OOS) results, other deviations, Cpk values)
  • Critical material properties, stability data
  • Complaints (internal and external)
  • Critical process parameters
  • Audit results

4 Elements of risk management

The ICH Q9 Guide provides a systematic list of the steps that must be carried out in risk management (see figure 10.B-5). Here, less emphasis is placed on the requirement for each individual step in the process to be formally documented. Instead, it is necessary to establish how risks can be systematically identified, evaluated, and controlled in their causal relationships. The ICH Q9 Guide provides a very detailed description of the individual steps in risk management (see chapter E.8 ICH Q9: Quality Risk Management). The process itself follows a logical and systematic approach. Communication must be possible at all points in the process so that the affected functions accept the residual risk at an early stage, or so that they can contribute new and important insights to an ongoing discussion. The risk management process is continual: each additional insight and experience should be rapidly incorporated in the process in order to contribute to the best possible and most efficient solution.

Figure 10.B-5 The quality risk management process according to ICH Q9

5 Implementation of a risk management process

This chapter describes the most important elements for implementing a quality risk management process in a company. In particular, the interaction with an existing quality management system (QMS) presents interesting possibilities. Regulations contained in a QM system already fulfil the aims of compliance with external bodies of rules and secure the quality of the products and processes. In this context, the QM regulations should already include measures that reduce and even prevent the risk of unacceptable product quality. The measures are often described without the reason behind them being explained. In general, explaining the reason is also not within the scope of a regulation. In order to establish an effective QM system, it is useful to view measures as consequences of a risk assessment (see chapter 10.C Risk management and quality management system).

The areas in which a systematic RM should be implemented, and to what extent, depend on the corresponding risk potential. A comprehensive overview of potential areas of application is provided in Annex 1 of the ICH Guide Q9 (see chapter E.8 ICH Q9: Quality Risk Management).

5.1 Commitment of management

If the company decides to go ahead with the implementation of a risk management system, a project group should be formed to develop a company-specific strategy and compile methods and instruments, with the overall objective of efficiency. The decision to implement a risk management system must be consistently supported by the management. All the required resources must be made available for the realisation.

5.2 Project team

The project team should be composed to reflect all functions that could have a decisive influence on quality or compliance.

An example team might have the following members:

  • Experts from technical functions
    • Development
    • Clinical research
    • Marketing authorisation
    • Production
    • Distribution
  • Persons responsible for quality management
  • Experts with an overview of external regulations
  • Project management

5.3 Analysis of current status

Strategies for risk-based procedures may already exist within the company. It is necessary to check whether risk assessments already exist, e.g. in the areas of development, clinical research, or manufacturing, or as a part of facility qualification, or process or computer validation procedures. Risk systems may already be in place to cover financial, economic (e.g. for market launch), environmental, or safety-relevant aspects. These systems should also be reviewed to check, for example, whether process descriptions can be used. Similarly, it is necessary to check whether potential communication interfaces to an RM system may exist. All these approaches should be systematically integrated into the overall process.

5.4 Standardisation of methods

A range of application-specific standards for recording and evaluating the risks makes it easier to compare similar processes and utilise available synergies. At the same time, the regulations for the use of methods should also offer sufficient freedom to adapt the work required according to the risk, so that technical content, rather than formal aspects, predominates. The primary purpose of standards is to provide support for the responsible staff. It is therefore useful to provide instructions and forms for the application of the methods.

5.5 Training

Staff with responsibility for the quality of products and processes should develop an awareness of risks in their day-to-day behaviour, and should be in a position to identify and deal with risks. Acceptance can be considerably facilitated by explaining that implementing a risk management system does not mean a major, resource-intensive roll-out of complex requirements, but rather that methodical handling steers the focus of everyday work towards a few major aspects. Before the official implementation of a risk management process, some form of risk-based approach will almost certainly already have been identified, and questions of quality assurance, together with risk-relevant aspects, will have been discussed. These existing approaches should be covered as part of a training course and supported with appropriate examples.

The implementation of sustainable risk management requires that all involved staff have a sense of "risk awareness". This takes time to develop, and requires repeated training courses, supported by case-specific coaching.

The following additional aspects should also be covered in training courses:

  • Why and how does risk management offer support?
  • How should a team be put together?
  • Recording anomalies, insights, and decisions

The methods used in RM should be described briefly, as well as their strengths and weaknesses and typical applications. It is important to explain that the risk management system is intended for use from a practical perspective, and is not merely a bureaucratic procedure.


The commitment of management is vital for the implementation of a risk management system. The effective implementation of this type of system relies to a great extent on acceptance by the staff responsible. This can be achieved by respecting existing approaches and integrating them into an RM system. Careful analyses, which must always include the operational levels, are an essential requirement. Regulations developed for an RM system must be viewed as effective support and not as an additional burden. The primary aim of risk management is to focus the limited resources on the most important and critical aspects.