|Managing risk across an organization is now a critical skill |
that should be fully integrated with other business functions
such as finance, strategy, internal control, procurement,
continuity planning, HR and compliance.
Co-Founder, Coda Corp USA
In this article, we will take a closer look at what is becoming perhaps the most useful tool in the belt of today’s quality professionals: risk management.
Risk management is the new face of lean quality assurance. It is a critical planning and assessment tool that serves both consumer-centric and production activities.
This blog has been designed for readers whose organizations haven’t yet formally adopted this practice. The installment includes an overview of the terminology, objectives and processes involved in strengthening the existing quality systems with those designed to manage the risks inherent to product development, routine manufacturing and monitoring.
We hope that the information presented will inspire the reader to engage local leadership and promote the development of an effective risk management process that begins with the design stage of the product lifecycle and continues all the way through monitoring of routine production.
Prior to discussing the topic at hand, we felt it useful to orient the reader by providing context to the terminology that is integral to the concept. Here at Coda, we believe that the first step on the road to process development is precision in language. Toward that end, we would like to focus on the meaning of the following terms within the context of risk management:
What is Risk Management?
Risk management is a process that allows us to systematically consider risk while making decisions. In almost every facility, considering potential risk is already a part of the natural decision-making process. Formal risk management programs document this organically- occurring process by building a process of well-defined steps which, when taken in sequence, support better decision making by contributing to a greater insight into risk and the impact associated to the realization of risk modes.
Risk management programs should include documented elements such as identification and assessment of risk, mitigation or elimination of identified and assessed risk, and timely communication of identified risk.
This article is related to the Whitepaper: GAMP®5 - A Risk-based Approach to Compliant GxP Computerized Systems.To get the full details, please download your free copy.
The federal guidelines on modern Quality Systems have made it very clear that there is an expectation that this practice be formalized and documented to ensure that it is:
- Performed in a consistent manner
- Documented and ready to be inspected
- Consumer - centric
It means that that process must be capable of cumulatively increasing the strength of the existing quality systems, which in the end, results in higher quality product, offering minimal or no risk to any patient. To truly understand this difference, we should always associate the word "risk" with the word "quality."
This assumption is predicated on the fact that a strong quality system and robust data set will lead to:
- Increased knowledge
- Lower uncertainty
- Fewer variables and
- Continual Improvement
- The risks considered
- The roles of those assessing the risk factors
- The outcome of the assessment; made directly relevant to the risks considered and the mitigation steps taken
- An explanation of the decision made, including decisions that led to no action
When Do We Manage Risk?
Risk management programs and tools can be developed for each product or process and each decision type, in all phases of the product lifecycle, from development through change management.
It can be usefully applied integrated with existing quality systems for facility systems management, materials management, production, laboratory controls, packaging and labeling as well as regulatory activities.
The extent of the risk management processes defined should be commensurate with the level of risk associated with the decision, and the level of complexity of the product/process.
An example of when integrating Risk Management tools into existing Quality Systems can be useful:
How Do We Manage Risk?
Step 1: Identify the Risk (Risk Analysis)
Managing risk begins with conducting risk analysis. Risk analysis is a systematic proactive identification of the specific sources of harm (hazards) and to estimate the risk, related to the situation at hand, with the ultimate objective of mitigating or eliminating the risk. The first step in the process is the analysis of potential risks:
- What can go wrong? (man, method, machine)
- What is the likelihood (probability) it would go wrong?
- What are the consequences if something does go wrong?
Although consequences will vary by production phase, decision type and/or product line, typical examples of consequences of realized failure modes that are essentially consumer-centric, may look like this:
When the risk identification component of the program is being developed, the following should always be considered:
- How will failure mode information and potential risk be used by the decision makers? (Who will the decision makers be, and what will the program need to provide them?)
- How will risk management decisions impact future options for risk management? (How do we ensure that the process repeats itself?)
- How will identified risk be documented? (What will the outcome of this step look like?)
- The level of scientific knowledge of the processes involved in the product lifecycle that would be required to identify (and assess and mitigate (see steps 2 and 3) risk (the level of scientific understanding of how manufacturing process factors affect product quality)
- The sources of data within the company that could provide the necessary technical information (e.g., process validation/process capability, continuing verification/process stability)
Step 2: Risk Assessment and Evaluation
Once a list of identified risks has been completed, the program should require identification of team resources, providing a method of selecting team members with the appropriate expertise to fully execute the upcoming assessment. This step of the process should also require the clear identification of a team leader.
Once a list of potential root causes of potential risks (failure modes) has been generated, and an appropriate team assembled, the next step is the assemblage of background information and data on the failure mode. This information should include:
- Conditions that would cause the failure and the likelihood of their occurrence (probability)
- Harm that would be caused by the failure mode (impact to human health) (severity)
This step requires that the team assess and evaluate each identified risk of failure, in context with the impact statements.
Risk evaluation compares the estimated risk against given risk criteria using a quantitative or qualitative scale to determine the significance of the risk. Once the significance is determined, risks can be prioritized in accordance with the qualitative scale.
Once risks are prioritized, mitigation plans and deliverables can be developed with regard to priority; that is, risk factors, together with significance of impact, can be quantitatively prioritized so that the largest risk factors can be dealt with first.
This entire process should be documented.
The document in which this information is presented and assembled is generally referred to as a “Failure Mode and Effects Analysis” (FMEA) document. The FMEA ,in simple terms, is a matrix document that by product or process, indexes all identified potential failure modes, supplemented with quantified or qualified impact statements. FMEAs should be formalized, reviewed, approved, and controlled.
The FMEA should be considered and treated as a living document. Theoretically integrated with other quality systems all driving toward continual improvement, it should diminish in size as time moves forward. If used appropriately, it will continue to be revised after its initial production and then will be fed by all of the existing monitoring systems, including CAPAs, change control, complaints, product and manufacturing failures.
Some examples of using the FMEA in an integrated fashion moving toward continual improvement:
Hopefully, as you begin to see how risk management integrates with other quality systems, it will make the value of the tool easier to see. It is critical to note, when developing any quality system, that each must produce output that is used as input to another system. Together, they should systematically pay information forward, funneling the knowledge routinely gained over time into each other--- allowing each system to achieve some measure of improvement, based on knowledge gained during execution of another system.
Step 3: Controlling and Mitigating Identified and Assessed Risk
Once risks have been identified, assessed, prioritized and documented, it is time to develop action plans designed to reduce, mitigate or hopefully eliminate identified risks.
Remember, this is why we began the process. Unless we develop meaningful action plans, and execute them, we wasted our time with steps 1 and 2. Each action taken has the same objectives:
- Reduce risk (reduce the probability of occurrence)
- Mitigate risk (reduce the severity of harm)
- ELIMINATE risk
- What it would take to mitigate or reduce each of the identified risks (failure modes)?
- Are there options for mitigation and control?
- Will there be an impact on future options if we implement these options?
- Is the risk acceptable (the quantified or qualified characterization of the likelihood + the severity of the consequence)?
Once this decision-making process is completed, formal plans should be developed to implement all mitigation, reduction or elimination plans.
The most commonly overlooked element in this process is documentation justifying the actual decision-making progress. It is not enough to document the risk and decisions made; we have to produce documentation that explains how the decision was reached, who was involved and why they feel this is an appropriate path.
This is especially critical when the decision is to accept risk.
Step 4: Communicating Risk
Risk communication is the exchange or sharing of information about risk and risk management between the decision maker and other stakeholders. The information can relate to the existence, nature, form, probability, severity, acceptability, treatment, detectability or other aspects of risks to quality. The communication among stakeholders concerning identified risk, assessed risk and risk mitigation decisions can be achieved through existing channels, as long as it achieved.
While for the purposes of this blog, we chose to represent these actions in a step-wise fashion, it is important to note that at times, it may make sense to execute steps three and four concurrently. That is, to communicate known risk as soon as possible, which is partially accomplished upon issuance of the initial FMEA.
The most critical component of risk communication is the realization that everyone involved in the production, testing and distribution of the product must be made aware of all known risks.
Step 5: Monitoring Risk
Like many of the components of quality systems, risk management processes are meant to be dynamic and iterative; they are not designed to be executed only once. Each quality system is meant to interact with every other, on a routine basis. They are meant to strengthen the original controls required by the cGMPs, by not only assuring control, but also by promoting improvement.
Quality risk management processes, when integrated with other existing quality systems, should contribute to the overall knowledge base, providing the benefit knowledge to all other quality systems, including future risk management decision cycles. This integration of the risk management process with all other quality monitoring systems will enhance the overall knowledge base and promote continuous improvement.
The Integrated Process
The following illustration provides a view of the steps while allowing visualization of the living nature of the process.
Summarizing this topic is perhaps best done with a simple list of takeaways:
- The identification, evaluation and reduction/mitigation of risk should ultimately be considered a consumer safety activity.
- Technical experts should manage and execute the risk management process.
- Risk management is a dynamic, iterative, interactive component of the quality systems.
- The extent of the risk reduction/mitigation plans should be commensurate with the level of risk associated with the decision.
- As is the case with all technical decision making processes, risk management activities should be data driven, justifiable, well documented and verifiable.
- FMEAs are living documents; if they are part of a well-designed system, they will diminish in size overtime.
- The choice to accept risk is viable, if justifiable.
- Choosing to not communicate risk is choosing to not manage risk.
© Coda Corp USA 2011. All rights reserved.
COO, Coda Corp USA
Gina Guido-Redden co-founded and directs Coda Corp USA, a quality systems consulting company. Ms. Guido-Redden holds an MsChE and is a certified Quality Auditor and Master Black Belt and has been involved with Title 21 regulatory affairs and quality leadership for over 20 years, providing services in the areas of remedial navigation; crisis management; global change leadership; quality system development; risk mitigation; Lean Six Sigma project management; and executive mentoring.
Ms. Guido-Redden is also a charter member and partner of The Life Science Link, a professional consortium dedicated to the growth and development of the life science industry in the western New York area and she serves as a management coach and mentor at the Women's Business Center of Canisius College in Buffalo, NY.
Ms. Guido-Redden can be reached by phone at 716.638.4180 or by email at GGuidoRedden@CodaCorpUSA.com.