Guest Column | January 20, 2022

Plot A Successful Course: Critical Risk Assessments With CDMOs

By Amanda McFarland, ValSource, Inc.


As a consultant, I am routinely engaged by clients to facilitate complex microbial and viral risk assessments. By nature, these are critical risk assessments that have direct implications for patient safety and product quality. When these risk assessments are performed by a biopharma company, and it has direct oversight of the manufacturing operations and facility, the risk management process proceeds as expected. Risks are identified, root causes of pain points are discussed, and risk control measures are brainstormed and implemented. In these cases, the organization comes together to explore and solve problems. I have often noticed that during initial sessions, sharing of information is tentative and measured but, over time, the risk team develops a rapport that is unified by a shared culture, patient safety, and product quality.

What happens when a biopharma company entrusts another group of individuals to manufacture its product? Is the only common ground that which is founded by audits, deviations, and quality agreements?

In the instances where I have been engaged with biopharma companies and their CDMOs, the landscape of risk management looks nothing like those where direct oversight is the operating paradigm.

Find Common Ground When Assessing Risks

When a biopharma company and its CDMO come to the table for a risk assessment, there are a set of challenges related to differing cultures and risk perceptions, but the goal of the assessment is the same – to evaluate the risk using the risk management process. Typically, these risk assessments include nearly two times the recommended number of subject matter experts (SMEs) due to participation of duplicate personnel from each organization (two people from quality, two from manufacturing, two from microbiology, etc.).

During risk initiation, the teams explain the manufacturing process and detail the facility design and management structure. While the scope of the risk assessment is established and the risk question is drafted, the team works well together, is engaged, and they actively listen to one another. A hurdle that commonly presents itself during initial conversations is related to agreement on risk ranking criteria. When using likelihood and severity, the likelihood ranking criteria are generally straightforward and are based on number of failures/deviation rates or a set of measurable elements. The challenge can be determining the severity criteria, which highlights the differences in risk perception from each organization. Considering that the relationship between the biopharma company and its CDMO is founded in a business transaction, failures are often viewed as business or financial impacts. While this is a critical element to consider, the intent of a quality risk management processes is to evaluate risks from a patient perspective. Establishing the impact of failures from a patient perspective with both parties will ensure there is a common goal relating back to the safety, integrity, purity, and quality of the product. Building the risk assessment with this as a joint mission will enable the teams to view risks from the same perspective.

Facilitate Trust

With risk ranking criteria defined and agreed upon, the risk management process progresses to “hazard identification,” the portion of the risk assessment where the team’s job is to brainstorm sources of harm. For microbial and viral assessments, sources of harm often include failures related to personnel, equipment, raw materials, process, facility, and utilities. Preventing the failures from occurring links back to the prevention and detection controls in place.

For microbial and viral risk assessments, this list of controls is lengthy. To document the current practices, the facilitator is commonly reliant upon the SMEs to provide detailed descriptions of how gowning occurs, the aseptic technique training, equipment cleaning, etc. The most effective means of sharing this information would be for the CDMO to share the governing standard operating procedures (SOPs) with the risk team. When SOPs are not shared, the risk assessment process is delayed while discussions about “current controls” and “anticipated future state” are merged and indistinguishable. Determining the “truth of record” becomes an art form. The facilitator must find ways of asking questions that are open ended enough to allow for dialogue and questions that are “closed” enough without being accusatory.

The risk assessment cadence is often driven by the level of trust between the biopharma company and the CDMO during the risk assessment. For example, when there is a low level of trust, the assessments can progress very slowly and data is not shared readily. When the teams have a mature level of trust, the assessments are smoother and there is less “back and forth” in understanding the current operating structure. Despite the speed of the risk assessment, through the process the two parties learn more about the critical portions of the process and understand one another’s perspective more clearly. The detriment is often to the reputation of the quality risk management (QRM) process — teams can walk away from the assessment with a negative opinion of the risk management process and associate it with disagreement, confusion, and repetition. However, the QRM process is what assists us in a structured way to dissect a difference of opinion and to examine complex processes from a common foundation. By implementing some of the tips listed below, you can preserve your business relationships with your CDMOs, as well as your perspective on effective quality risk management processes.

  1. Establish up front (and remind each other often) that the ultimate goal of the partnership is for the betterment of the patients. Keep this reminder visible and at the foundation of the relationship.
  2. Acknowledge that both parties have different risk thresholds. Find the intersection between the two perspectives and use that as your guide in decision-making.
  3. During quality agreement negotiations, develop a list of risk assessments in which both parties will participate. Define risk communication mechanisms in the quality agreement.
  4. Have a candid discussion about how documents will be shared and the level of transparency expected by both parties.
  5. Ensure that leaders from both parties are aware of joint risk assessments. Invite them to the kickoff session to participate in foundational conversations about the risk assessment objective.

About The Author:

Amanda McFarland is a quality risk management and microbiology senior consultant with ValSource, Inc. She specializes in the creation and implementation of risk management programs and developing risk-based strategies for use in clinical and commercial settings. McFarland is an active member of the Parenteral Drug Association (PDA), a faculty member for PDA’s Training Research Institute, and an instructor for the PDA course on quality risk management implementation. She has a B.S. in entomology and an M.S. in mycology, both from the University of Florida. Amanda can be contacted at