Process Outweighs Experience with Risk Management

December 1, 2016

BioPharm International

Volume 29, Issue 12

Page Number: 51–53

A consistent approach in assessing risk is an important aspect of successful quality management.

When a biopharmaceutical company seeks to achieve quality outcomes, applying a risk-management approach is always one of its core objectives. After all, the purpose of launching a corrective action and preventive action (CAPA) or conducting change management is to eliminate or mitigate the potential risks posed by any given situation.

When such actions are taken--or not taken--on quality issues, they are often challenged by employees who are reluctant to embrace the changes they bring, and this may postpone time to market. Those actions, or lack thereof, can also be challenged--during audits by customers or FDA. A vulnerable area quite common in biopharma is the use of due process during the phase gated design process. Reviews are required at the closure of each phase and the quality of the outputs is at risk due to lack of process (critical thinking). These stumbling blocks can serve as one of the biggest obstacles to the integration of risk management into an existing quality system. Without a formal, standardized risk-based process, it can be difficult to defend actions taken based on poor quality decisions (1). Smart organizations will work to establish a consistent risk-based approach with methodologies to create objective risk metrics as thresholds for evidence-based decision making (2).

When implementing a risk-based approach, many organizations mistakenly view it as a grandiose, high-caliber, or massive undertaking. The reality is that risk should be handled on an individual level. Risk management must be viewed, implemented, and managed as a continuous process by individuals within an organization. To be effective, risk management needs to become an integral part of the critical thinking process. The National Council for Excellence in Critical Thinking defines critical thinking as “the intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing, and/or evaluating information gathered from, or generated by, observation, experience, reflection, reasoning, or communication, as a guide to belief and action” (3).

The Hidden Dangers of Groupthink

One of the obstacles to critical thinking is groupthink, which often happens in managed projects, as is the case in life sciences. So, it becomes imperative to produce successful thinking process outcomes based on factual, empirical, and analytical data. Groupthink is a term that was coined by social psychologist Irving Janis. It is defined as a psycological phenomenon that occurs when a group makes faulty decisions because group pressures lead to a deterioration of “mental efficiency, reality testing, and moral judgment” (4). A group is especially vulnerable to groupthink when the group is comprised of members who are similar in background, insulated from outside opinions, and when there are no clear rules for decision making.

Groupthink occurs when a group values harmony and coherence more than accurate analysis and critical evaluation. To overcome groupthink, a team must first decide what the objective is relative to the outcome. They need to determine what they are trying to accomplish. For example, they need to break down an issue, investigating for root cause, and choose among alternatives based on good decision making. In closing the process cycle, they need a plan that is well thought out from a process-analysis perspective that will identify critical areas/steps to minimize or eliminate risk, and not rely on their experience. Rather, use experience inside of the critical thinking process.

Using a regulatory perspective, there are many review points during the design, testing, and manufacture of products (e.g., assay development and testing, synthesis of product using various precursor-based ingredients). This is especially true when a project is instigated in the design aspect of a new assay and subsequent polymer synthesis/production. Cross-functional teams provide ad-hoc expertise during the reviews to determine actions, steps, or change control in a recyclical direction, based on data and status regarding a given outcome in the preliminary design phase or the verification and validation phases of a new or variant product. The quality of such outcomes is based on the rigor of due process in a critical thinking orientation.

When putting a plan together, it is important to consider where risk from error could occur. In a systematic approach, risk is conceived in the earliest stages of the design of the processes; as part of the methods and outcomes that make up the products, tests, and activities, or during any other aspect of product or concept ideation. One of the riskiest elements of groupthink is unintentionally introducing a myriad of human factors that put the outcome at risk. By its very nature, groupthink introduces risks because it does not use a fact-based decision making process approach.

The concepts of critical thinking and decision making go hand-in-hand. A lack of critical thinking skills can manifest in a number of ways including poor decisions, dangerous mistakes, inaction when action should be taken, costly errors, inaccurate inferences, and assumptions. Experienced controlled deliberation can cause a group to violently agree on a perspective while not using common process for critical thinking in order to stay on the same page. The fallout from poor due process in groupthink are poor consensus, high frustration, breakdown of respect, and a loss of high-quality outcomes. This will then put an outcome at risk.

Overleveraging Experience

The challenge is that a risk based approach using experience is not sufficient enough to supplant proper process. An inherent risk of groupthink is knowing how and when to inject the inference of experience in factual data. In the critical thinking process, one must first gather the facts before they infer. For instance, an experienced person may look at a situation and if X has occurred then Y must have happened. This simple inference can be dangerous but so can very complicated experience-based conditions. The more technical the nature of the issue, the greater the risk relative to the inference from experience.

The decision making process involves five steps to be effective: 

  • Clearly define and review the purpose of a decision.

  • Identify and analyze decision criteria according to the requirements and objectives of the situation.

  • In developing alternatives, subsequently characterize each one according to a given criteria. 

  • Identify and assess specific risks that may affect the success of a chosen alternative.

  • Complete a well-thought-out decision or recommendation balancing performance (criteria) and risks (potential problems).

The process itself must be a previously thought-out condition under which these steps can provide certain outcomes. For example, in issue clarification one would typically be dealing with global-oriented concerns such as quality. When speaking of the company, one would typically talk about the fact that quality is sub-par, they can’t deal with their customers in an effective way, and they are constantly wrangling with suppliers. The first thing that needs to be addressed is what does sub-par quality mean? It needs to be broken down and defined. If at that point key issues can be uncovered, then each one should be individually addressed. One issue may be that the company cannot retain quality people. Another one may be that the company does not get timely results, that could help to predict what is happening. Each one of those issues has a root cause and risks associated with them, which also need to be broken down.


In ISO 9000:2015, Quality Management Systems-Fundamentals and Vocabulary, risk is defined as the “effect of uncertainty” and explained as a “deviation from the expected” (which could be positive or negative) (5). ISO 9000 further describes risk as being related to potential events, and that it is typically expressed as a result of the likelihood and consequence of such an event.

The integration of risk is the inherent loss of application that does not happen within the critical thinking processes. If one were to conduct an issue clarification for a concern, perform root cause analysis, complete a risk-based decision, or perform a plan analysis, risk must be considered within each process. One of the most important factors in decision making is critical thinking and the context of the process or procedure in which it is used. In terms of improving quality, critical thinking includes the following four activities:

  • Issue characterization and refinement based on risk (e.g., timing, urgency, and impact)

  • Root cause analysis for verifiable cause(s) and validation of action(s) to be implemented

  • Risk-based decision making, which is criteria-driven and based on the sound objective(s) to be implemented

  • Risk analysis of (project) planning to identify critical areas of concern with risk factors identified in order to plan the right type of actions to eliminate, avoid, contain, and mitigate risk/consequences.

In order to decide what the next steps are, one must first determine urgency, timing, and impact--all three are risk based. When evaluating urgency, timing, and trend/impact, members of the organization would prioritize the inherent risks of each one of those issues before going to the next step of assigning an action such as developing a plan, making a decision, and conducting a root cause analysis.

Instead of solving problems and using CAPA, rather, the standard ISO 9001: 2015 now says to evaluate and plan for risk and opportunity analysis. The reason the terms risk and opportunity analysis are used distinctively is so one can eliminate, avoid, or minimize consequences as well as create opportunities by facilitating or exploiting conditions for improvement concerning risk (6).

The team should evaluate risk before they commit themselves to any outcome. Before the team makes a decision among alternatives, they should evaluate the risk of those alternatives before a decision is made. For example, there may be multiple alternatives, or a binary decision to choose from using key developed criteria. The top critical criteria become limit driven, which means there is some kind of limiting factor, such as the company does not have the budget to support those alternatives. If any of them drop because they don’t meet the limit criteria, then the options left are the preferential (weighted) criteria that distinguish which choices are still viable. To then choose a viable alternative, evaluate the level and types of risk at stake. At that point, they may have several that fall out when the risks are thought through. When risk has been incorporated, controlled measures can be developed to eliminate or deal with risk if it occurs. The success rate becomes significant regarding a choice to take action in developing a plan where risk is eliminated or contained accordingly.


1. ISO, ISO 9001; 2015, A.4 Concept-Risk-based Thinking (ISO,Geneva, 2015).
2. ISO, ISO 9001; 2015, QMP6-Evidence-Based Decision Making (ISO, Geneva, 2015).
3. Foundation for Critical Thinking, “Defining Critical Thinking,”, accessed Nov. 7, 2016.
4. J.L. Irving, Victims of Groupthink, (Houghton Mifflin, New York, 1972).
5. ISO, ISO 9000:2015, 0.3.3 Quality Management Systems--Risk-Based Thinking (ISO, Geneva, 2015).
6. ISO, ISO 9001:2015, 6.1 Actions to Address Risks and Opportunities (ISO, Geneva, 2015).

About the Author

Walt Murray, ICLA, CSSMBB, president and CEO of ARC Experts and strategic partner for MasterControl Quality & Compliance Consulting, is a globally recognized compliance and risk consultant.

Article Details

BioPharm International
Vol. 29, No. 12
Pages: 51–53


When referring to this article, please cite as W. Murray, “Process Outweighs Experience with Risk Management," BioPharm International 29 (12) 2016.