INTEGRATING RISK ASSESSMENT IN BUSINESS ACTIVITIES
Broadly adopting risk-based decision-making involves more than overlaying risk assessment and mitigation planning in particular
areas, such as manufacturing and quality. It requires weaving a set of methods into the more encompassing methodologies related
to the organization's work, such as cGMP.
Risk assessment should be integrated with large-scale change-management programs as well. For example, life-sciences companies
cannot afford non-robust and unreliable processes. The risks are simply too great: costly rejected lots, launch delays, supply
interruption, noncompliance issues, and time-consuming investigations. At the same time, FDA is calling on companies to continually
strive to improve processes and to take a science- and risk-based approach to decisions related to product quality. By integrating
risk assessment with programs designed to fully characterize, remediate, or control processes, the project team can proactively
identify and distinguish high-impact risk mitigation actions from low-impact actions and make high-value decisions as they
seek to control variability in the process in advance.
Similarly, transformational cost-reduction programs that are designed to reduce waste and non-value-added work should incorporate
risk assessment to make higher-value decisions about what can be improved, eliminated, or scaled back. Technology transfer
projects, which by their nature involve significant change, offer another opportunity to assess and respond to risks. In addition
to integrating risk assessment with change-management programs, a business leader may want to seek an independent risk review,
engaging external experts to help develop an objective understanding of risks the business faces.
Proper risk assessment should not only identify and quantify a set of risks, but should also proceed to mitigation planning.
The combination affords an understanding of impact as well as potential cost of mitigation. The organization then has the
ability to justify investments in mitigation and to compare them with other investments.
Overall, a comprehensive integration of risk assessment and mitigation planning across an organization can change the way
many activities are conducted, including:
Business planning—the review of a company's investment portfolio generally includes investment reviews, cost reviews, and other considerations.
Risk assessment should be a part of the analysis. In the end, a single portfolio of activities should be created so that
risk-focused activities can be compared side-by-side with business opportunities.
Major initiatives—integrating risk assessment into major business initiatives can shift the focus from short-term objectives to long-standing
concerns, thereby enabling their resolution.
Outsourcing initiation and review—outsourcing represents both a large opportunity and substantial risk. Developing an understanding of the risks and forming
management plans to mitigate those risks are crucial to achieving the goals of outsourcing.
Business reviews—business reviews tend to focus on past performance, cost drivers, product characteristics, and a few other key metrics. Inclusion
of risks in these periodic or one-time reviews can produce a different and valuable perspective.
Mock audits—when planning for an FDA audit, a company can not only identify regulatory risks, but also make the exercise far more productive
by drawing in other parts of the business and developing a view of potential impacts throughout the enterprise. Developing
approaches to resolve concerns and following up with a business plan that captures related risks, their potential resolution,
and potential costs can be greatly beneficial before a live audit.