Guest Column | November 29, 2021

How To Enable Your Quality Risk Management Lifecycle

By Tiffany Baker, Danica Brown, and Amanda McFarland; ValSource, Inc.


The topics covered in this article represent some of the common risk management pain points and mechanisms to overcome these challenges, focusing on the foundation of quality risk management (QRM). This includes using consistent terminology, determining risk strategy, implementing QRM, and the advantages of early implementation. In another article, we will focus on risk execution and how we can best get information from our subject matter experts in a virtual world.

The Foundation — Getting Started

One of the biggest challenges when developing a risk management program is identifying which risk assessments are needed in your risk management system. Identifying these risk assessments is commonly achieved through evaluating critical processes across the facility or critical equipment that is needed to enable organizational success. Once you have identified the risk assessments that need to be executed, the next hurdle is identifying which risk assessments require routine updates — this is where having a strong risk foundation is instrumental. A critical part of the risk foundation is how risk assessments are classified. Two elements are considered when you classify a risk assessment: the spectrum of formality and the nature of the risk assessment.

The spectrum of formality is commonly associated with the risk management tool or the structured approach taken to complete an assessment. As per ICH Q9 Quality Risk Management,1 “the level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk.” This principle allows each organization to select the risk tool that most appropriately meets the needs of the risk assessment objectives. In years past, organizations almost exclusively relied upon Failure Modes and Effects Analysis (FMEA) to execute all risk assessments across their organizations. This “FMEA for everything” approach has slowly taken a back seat as less formal risk assessments, such as Preliminary Risk Assessment (PRA) and Risk Estimation Model (REM), have become more widely used.2

The second part of classifying risk assessments is the nature of the risk assessment, which outlines the purpose of the risk management activity. There are two ways to categorize the nature of a risk assessment. The appropriate categorization can be determined by asking, “Am I performing this assessment to understand the system, the product, or the process, or am I evaluating a condition to make a decision?” A life cycle assessment (LCA) is the best choice when you want to understand a process, product, or system. LCAs are dynamic/living risk assessments and cover a process from cradle to grave. LCAs give a big picture view of the system’s health and are subject to the risk review portion of the risk management life cycle. A gate-to-gate assessment can be used if you are interested in making a decision about a system, for example, whether to implement a design change. Gate-to-gate assessments that support a decision are commonly called ad hoc or static risk assessments. These smaller assessments are inputs into the risk review portion of the QRM life cycle; however, they are not themselves periodically reviewed.

Life cycle assessments and gate-to-gate assessments are connected through the risk management life cycle. Consider Figure 1, which shows that the life cycle assessment from cradle to grave represents the full life cycle of a system. This assessment evaluates the process risks of a particular system, and through this formal assessment we would expect detailed analysis of the hazards and harms that impact the system or process. However, the inputs to the risk assessment may change over time: changes in facility conditions, deviation rates, reject rates, or regulatory conditions may impact the living risk assessment. To account for changes or improvements to the process, the LCA needs to be updated with the decision-focused risk assessments represented in the cloud in Figure 1. It is both the original life cycle assessment and all the events occurring to that process, product, or system that give us a full picture of system health.

When considering how these two types of assessments come together, think about the life cycle assessment as an establishment of your state of control. This is the baseline assessment and reflects how the system, product, or process is performing at its onset. The gate-to-gate assessments are the ways in which you demonstrate that you're maintaining a state of control, for example, maintaining a state with minimal numbers of deviations or minimal numbers of rejects. The connection between life cycle assessments and gate-to-gate assessments can also facilitate continual improvement. Once you have classified your risk assessments, it is time to consider the strategy you will take to make them most effective.

The Strategy – Creating Structure For Your QRM Portfolio

Regulations like EU GMP Annex 1: Manufacture of Sterile Products3 tell us what and where to use quality risk management principles. Firms are expected to use QRM in making decisions about processes, equipment, facilities, and manufacturing activities. In thinking about what is needed to develop a strategy for our QRM practice, you’ll see that you need to tackle when and how to use risk management.

Early implementation of a QRM strategy can reap substantial long-term benefits. By intentionally implementing a defined QRM approach at the beginning of a life cycle, you can avoid headaches and save costs associated with future corrections to patchwork, inadequate risk management practices. This is aligned with quality by design principles, as from the outset we are contemplating how various decisions may impact quality. We can assemble the appropriate expertise to proactively identify and address potential issues, from decisions on project viability to what interventions should be included in process simulations and whether gaps exist in an external contamination control strategy. Assessments can also become supporting documents to articulate relevant deciding factors and drive consistency in decision-making. A risk assessment has a beginning, middle, and end. In the beginning, scope and methodology are determined in advance for the assessment at hand. In the middle, the work of performing the risk assessment is done, and risk levels are assigned based on the predefined methodology. At the end, the outcomes of the risk assessment are summarized, along with their implications or identified mitigations.

As you begin gathering inputs, you need to gain knowledge on current controls, pull relevant data, and identify intended controls in cases where a future state is under assessment. There are some common challenges to gathering QRM inputs early in a life cycle, such as lack of clarity, ongoing changes to the planned future state, limited physical access to a space or piece of equipment, and evolving deadlines for decision-making. How do you take the available information and develop a portfolio of risk documentation that meets the requirements of Annex 1?

Option 1: One by One

You could choose to create an individual, discrete assessment for each risk question that emerges. With the one-by-one approach, the best tool is selected, the appropriate team assembled, and a scope set in order to answer the question at hand. This approach will yield a QRM portfolio that has a one-to-one relationship between risk questions or topics and assessments, giving you the ability to check off the list of needed assessments. Some difficulties may be encountered with this strategy. You will be creating scattered sources of knowledge, potentially assessing the same thing multiple times, and creating a cumbersome QRM portfolio to maintain through its life cycle. A summary of these strengths and difficulties is shown in Table 1.

Option 2: Master Assessment

Conversely, you could choose to answer all risk questions within a single master risk assessment. This will provide a centralized source of organizational knowledge and avoid potential discrepancies in how assessments are performed. It will also streamline the risk review process considerably, as it will be the only assessment to review. Lastly, there will be just one methodology on which to train participants and facilitators.

However, crafting criteria that incorporate all QRM needs is a challenge to be considered carefully. To be meaningful, criteria should be more detailed than their functional descriptions. For instance, the interpretation of “unlikely” will differ between users or across risk topics. In drafting likelihood criteria, for example, criteria can specify what each level would mean across different topics that will be assessed. It may also be difficult to identify a single tool that meets all input needs. And even with this master risk assessment, you will have life cycle challenges. Documenting one-off risk-based decision-making in the same document as “health-of-system” risks creating challenges in how to appropriately scope the risk review without rehashing past decisions that were made to support one-time events. See Table 2 for a summary of this approach.

Option 3: Strategic Grouping

The final strategic choice we will explore is to combine risk questions and topics wherever possible, generating as few documents as is practical and keeping similar risk topics together (for example, for a manufacturing process used across multiple products). This approach provides flexibility in the tool selected to examine a risk topic, and you are not creating as dispersed a knowledge base as in the scenario with separate assessments for every topic. Management of the QRM life cycle is also easier. Based on the risk topic and type of decision or strategy it supports, risk review can be planned and executed accordingly. To achieve this strategy, knowledge and understanding are still required. Furthermore, you must decide how to divide up assessments: Should this be done by inputs needed to complete an assessment? By outputs of an assessment or what kinds of decisions will be made based on it? By when information is available to inform it? Thought should be given to find the right size and appropriate scope for these assessments. Table 3 summarizes the strengths and difficulties of this approach.


Carefully considering the ways in which your organization defines the nature of risk assessments will enable tracking of risk assessments and robust risk review processes, and will provide a direct view of the state of control of the processes under assessment. Equally critical is the strategy that an organization takes in developing and maintaining a portfolio of risk assessments. The strategy selected (i.e., one-by-one, master assessment, or strategic grouping) will be dependent upon the needs of the organization.


  1. ICH Harmonized Tripartite Guideline, Quality Risk Management Q9, 9 November 2005
  2. Understanding the Concept of Formality In Quality Risk Management, Institute of Validation Technology, Kevin O’Donnell, Deidre Tobin, Stephanie Butler, Ghada Haddad, and Donal Kelleher, 20 July 2020
  3. Volume 4, EU Guidelines to Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use. Annex 1, Manufacture of Sterile Medicinal Products, 25 November 2008

About The Authors:

Tiffany Baker is a quality risk management (QRM) and microbiology senior consultant with ValSource, Inc. She specializes in development and implementation of innovative approaches to QRM, QRM program design, creation of risk-focused culture, and development of risk-based approaches to support contamination control strategies. Baker is an active member of the PDA, a faculty member for PDA’s Training Research Institute, and an instructor for PDA courses on QRM. She is also the co-lead for the PDA Task Force on remote audits and inspections. Baker was a coauthor on ISPE’s Baseline Guide Volume 5 - Commissioning and Qualification. She has a B.S. in microbiology and chemistry from the University of Rhode Island and an MBA from Providence College. She can be reached at

Danica Brown is a consultant with ValSource, Inc., and is an ASQ Certified Quality Engineer. She has expertise in the development and deployment of customized solutions to quality risk management (QRM), including QRM program design, development of risk-based approaches, and integration of QRM within quality systems. Her expertise also spans various quality functions in the pharmaceutical, biopharmaceutical, and medical device industries, including quality strategy and process improvements, deviations/investigations, and design verification and validation. She has a B.S. in biochemistry from Simmons College, earned her Lean Six Sigma Green Belt from the Johnson & Johnson Supply Chain Academy, and is an active member of the PDA. Brown can be reached at

Amanda McFarland is a quality risk management and microbiology senior consultant with ValSource, Inc. She specializes in the creation and implementation of risk management programs and developing risk-based strategies for use in clinical and commercial settings. McFarland is an active member of the Parenteral Drug Association (PDA), a faculty member for PDA’s Training Research Institute, and an instructor for the PDA course on quality risk management implementation. She has a B.S. in entomology and an M.S. in mycology, both from the University of Florida. Amanda can be contacted at