A True Assessment of Risk

If risk assessments only identify "the usual suspects," the process will not add much value.
Aug 31, 2009


Laura Bush
Risk assessment exercises seem pretty simple. Make a list of everything that could go wrong. Quantify those risks, by assigning scores. Then decide if you need to do more to prevent the high-risk events from happening. Tedious, but not complicated.

The recent CMC Strategy Forum on quality risk management, however, revealed the challenges involved. For example, how do you deal with the subjectivity of scoring? And how do you score a potential harm based on risk to patients, especially when you're analyzing upstream steps, where almost any risk would be mitigated before the product reached the patient? Group dynamics also can present challenges. You have to ensure that all voices are heard, and that the group really prioritizes risks, rather than just ranking everything high. That means finding a skilled facilitator, or training one.

None of the challenges is insurmountable, of course, and the discussion at the Forum revealed many ways to handle them. But then one must consider the substantial resources involved. The process requires many hours of meeting time from expert staff, and someone has to manage it all. Many large companies are creating new risk management positions and even departments.

Given the size of the task, I start to wonder whether it is truly necessary or worthwhile. Clearly, some sort of risk management is essential to ensure product safety and efficacy. But many would say that the industry has always done quality risk management, without calling it that. It was how one justified specifications.

So if quality risk management is not really new, the question becomes, Is it necessary, or beneficial, to formalize the process?

That's hard to say. Proponents cite various benefits. For example, the process documents institutional knowledge, as well as upper management's awareness of risks. It gets staff from different departments to talk to each other. You also may be able to use the data in regulatory filings for site and process changes.

All that is nice, but the real value of formalizing risk management will be if it improves product quality. Yet most companies, I think, would assert that their drug product quality is already excellent; manufacturing processes are robust, and quality control measures ensure that work-in-process or final product that doesn't meet specifications is rejected.

Assuming that's true, "improving quality" really translates to two things: a) minimizing waste by reducing deviations, lot rejections, and investigations, and b) averting a major—but so far unforseen—quality disasater that could harm patients. The latter, I have to assume, is the core goal of risk management.

To truly achieve the goal of preventing disasters, risk assessment exercises will have to identify risks that previously had not been considered or taken seriously. Because as several people pointed out during the Forum, if these discussions only identify "the usual suspects," the process will not add much value.

So if companies are going to take the time and effort to implement a new risk management program, they should focus on the dialogue—that conversation among experts and across departments that so many say doesn't otherwise happen, or happen often enough. And they should make sure that in those discussions, people really question their assumptions, and don't take a a "been there, done that" attitude.

Otherwise, risk assessments will devolve into an exercise to please regulators, or just a paperwork drill, as many people say sometimes happened with process validation. In that case, we might as well continue doing things the old way.

Laura Bush is the editor in chiefof BioPharm International,