Risk assessment exercises seem pretty simple. Make a list of everything that could go wrong. Quantify those risks, by assigning
scores. Then decide if you need to do more to prevent the high-risk events from happening. Tedious, but not complicated.
The recent CMC Strategy Forum on quality risk management, however, revealed the challenges involved. For example, how do you
deal with the subjectivity of scoring? And how do you score a potential harm based on risk to patients, especially when you're
analyzing upstream steps, where almost any risk would be mitigated before the product reached the patient? Group dynamics
also can present challenges. You have to ensure that all voices are heard, and that the group really prioritizes risks, rather
than just ranking everything high. That means finding a skilled facilitator, or training one.
None of the challenges is insurmountable, of course, and the discussion at the Forum revealed many ways to handle them. But
then one must consider the substantial resources involved. The process requires many hours of meeting time from expert staff,
and someone has to manage it all. Many large companies are creating new risk management positions and even departments.
Given the size of the task, I start to wonder whether it is truly necessary or worthwhile. Clearly, some sort of risk management
is essential to ensure product safety and efficacy. But many would say that the industry has always done quality risk management,
without calling it that. It was how one justified specifications.
So if quality risk management is not really new, the question becomes, Is it necessary, or beneficial, to formalize the process?
That's hard to say. Proponents cite various benefits. For example, the process documents institutional knowledge, as well
as upper management's awareness of risks. It gets staff from different departments to talk to each other. You also may be
able to use the data in regulatory filings for site and process changes.
All that is nice, but the real value of formalizing risk management will be if it improves product quality. Yet most companies,
I think, would assert that their drug product quality is already excellent; manufacturing processes are robust, and quality
control measures ensure that work-in-process or final product that doesn't meet specifications is rejected.
Assuming that's true, "improving quality" really translates to two things: a) minimizing waste by reducing deviations, lot
rejections, and investigations, and b) averting a major—but so far unforseen—quality disasater that could harm patients. The
latter, I have to assume, is the core goal of risk management.
To truly achieve the goal of preventing disasters, risk assessment exercises will have to identify risks that previously had
not been considered or taken seriously. Because as several people pointed out during the Forum, if these discussions only
identify "the usual suspects," the process will not add much value.
So if companies are going to take the time and effort to implement a new risk management program, they should focus on the
dialogue—that conversation among experts and across departments that so many say doesn't otherwise happen, or happen often
enough. And they should make sure that in those discussions, people really question their assumptions, and don't take a a
"been there, done that" attitude.
Otherwise, risk assessments will devolve into an exercise to please regulators, or just a paperwork drill, as many people
say sometimes happened with process validation. In that case, we might as well continue doing things the old way.
Laura Bush is the editor in chiefof BioPharm International, firstname.lastname@example.org