Procedure For Quality Risk Management


Title: Procedure For Quality Risk Management

Department: Quality Assurance


This SOP defines the approach to Quality Risk Management (QRM) of a GMP site which may be used to facilitate the process and to aid personnel performing the assessment.


Applicable to any process at a GMP site that requires a Risk Management approach. The applicability of QRM methodology and the corresponding level of documentation may vary depending on the individual circumstance. Circumstances to which QRM may be applied in conjunction with existing SOPs include but are not limited to:

Identification and evaluation of the potential quality and compliance impact of product and product or process deviation, including the impact across multiple and divergent markets.

Evaluation and determination of the scope of internal and external quality assessments such as quality concern investigation system, complaints handling, out-of-specification investigation, quality control testing, etc.

Evaluation of design of facilities, equipment, materials of construction, utilities, and Preventative Maintenance (PM) programs.

Determination of the scope and extent of commissioning, qualification, and validation activities for facilities, equipment, and production processes.


  • Manager-Quality Assurance
  • Manager-Quality Control
  • Manager-Production Formulation
  • Manager-Ware House


  • Department Head



QRM processes will broadly follow a process model comprising:

| Risk Assessment | Risk Control | Communication | Risk Review |
|---|---|---|---|
| Risk Identification | Risk Reduction | Documentation and Communication of the Outcome/result to stakeholders | Review Events |
| Risk Analysis | Risk Acceptance | | |
| Risk Evaluation | | | |



Risk will be multi-dimensional and a shared understanding will be a prerequisite for the success of any risk management process. The initiation phase of the QRM process involves understanding the risk events by defining and agreeing on the context, the scope, and the tolerability criteria for the quality assessment, together with any underlying assumptions.

Initiation of the QRM process will involve all the stakeholders. All the relevant information will be assembled and shared, any gaps will be identified, and analysis tools will be selected.

The scope of the quality risk assessment will be clearly defined both in business and technical terms. The scope will clearly establish the boundaries of the process, system, project, or activity being assessed and any inherent assumptions that will be made. It will consider possible interactions outside the boundary and their potential impacts.

The risk assessment process evaluates the tolerability of the identified risks against some defined criteria to determine whether any mitigating actions are required. A common approach to establishing criteria will be to divide risks into five categories:

A very high-risk band where adverse risks will be intolerable whatever benefit the activity might bring and risk reduction measures will be essential, whatever the cost.

A high-risk band where the risk will not be generally acceptable unless there were very significant benefits and where reduction measures will be expected as the norm.

A medium-risk band where costs and benefits will be taken into account and opportunities will be balanced against potential adverse consequences.

A low-risk band where positive or negative risks will be small and where potential benefits can only be justified at minimum cost.

A very low-risk band where positive or negative risks will be negligible or so small that no risk treatment measures will be necessary.

A team comprising individuals with the education, training, and experience relevant to the issue or situation under evaluation will undertake the risk assessment process.

Each risk assessment will be reviewed by appropriate department heads. The Quality Assurance Manager will review and approve all compliance-related risk assessments.


For traceability purposes, a reference number will be assigned to each risk assessment by quality assurance personnel.

A risk assessment conducted for deviation, complaint, or out-of-specification investigations will not need a template to follow due to their adherence to the investigation. An entry in the risk register will also not be required.

A risk assessment conducted for calibration interval; supplier assessment and external supplier audit frequency; engineering and validation projects will not need a reference number. Hence, an entry in the risk register will also not be required.

All initiated risk assessments using the tool “Risk Ranking and Filtering- Method 2” will be logged into the risk register. The hard copy register will be located in the risk assessment and quality investigation folder kept in the QA office.

The format of the risk assessment reference number must be kept as RISK/YY/XXX, where YY refers to the last two digits of the year in which the assessment is carried out and XXX refers to the next sequential integer, starting from 001.

The person initiating a risk assessment must consult QA personnel, take a risk number, and enter the required details on the risk register.

All completed risk assessments using the method-2 risk tool will be located with the quality assurance team. The hard copy risk assessment with a wet signature will be kept in the Risk assessment and quality investigation folder.

All supplier-related risk assessments will be kept in individual supplier folders.

Completed risk assessments for calibration intervals, engineering, and validation projects should be kept in respective department folders.


The risk assessment will be a process of identifying the hazards and evaluating the potential consequences of those hazards. It will be critically dependent on the people with the right knowledge being involved.


Risk identification will consist of the systematic use of information. Risks to be considered include, but will not be limited to:

  • Patient safety
  • Product non-conformance
  • Fitness for use
  • Specification and Product Registration
  • Adulteration

Information used to identify risk will include historical data, theoretical analysis, informed opinions, and the concerns of those impacted by the decision.

The risk assessment process must also seek to identify opportunities to improve processes. The decision to accept an opportunity will be generally based on an analysis of the costs, benefits, and values.


During risk analysis, the likelihood (probability) that the identified risk will occur or recur will be estimated. It also can consider the ability to detect that the issues occurred or recurred.


Risk evaluation will consist of determining the consequences of the issue to be addressed and comparing the identified and analyzed risk against pre-defined acceptance criteria. A qualitative or quantitative process will be used to assign the probability and severity of a risk. Risk evaluation must consider the strength of the information used to complete the three phases of the risk assessment.

The completed risk assessment will result in an overall risk value expressed as either:

A quantitative estimate of risk, expressed numerically, such as a probability scale from 0 to 1.

A qualitative description of a range of risks, using qualitative descriptors such as “High”, “Medium”, or “Low”. The qualitative descriptors will be defined, with as many details as possible.


There will be many tools and techniques that can be used to help identify risks from hazards and assess the risks. No single tool or technique will meet all requirements. The following table lists the risk assessment tools used at the site, with descriptions and possible areas of application. Adaptation or combination of these methods and other statistical tools may be applicable for specific events or circumstances.

| Risk Tools/Methodology | Descriptions | Area of applications on site | References |
|---|---|---|---|
| Risk Ranking and Filtering – Method 1 | A quick method to compare and rank risks, typically involving evaluation of unique risk events (deviation/complaints/OOS) by weighting each risk dimension (severity, probability, and detectability) associated with the event. | Quality concern investigation such as deviation handling, product complaint investigation, Out of Specification investigation. | These methods should be designed to apply quickly in repetitive quality events as such. |
| Risk Ranking and Filtering – Method 2 | A descriptive method to compare and rank risks, typically involving evaluation of multiple diverse quantitative and qualitative factors for each risk, weighting factors, and risk scores. | Manufacturing and regulatory change management; rework management; establishing external supplier quality audit frequency. | Entry to the risk register for Method 2 should be necessary. |
| Failure Mode Effect Analysis (FMEA) | Evaluates potential failure modes for processes, and the likely effects on outcomes and/or product performance. Once failure modes are known, risk reduction can be used to eliminate, reduce or control potential failures. Relies upon product or process understanding. The output should be a relative risk score for each failure mode. | Change of critical instruments calibration intervals; evaluation of equipment and facilities; quality risk management for a supplier; preventive maintenance; process; cleaning. | Entry to the risk register will not be necessary. |



The tools that may be used to document and assess risk will be many and varied; an appropriate tool will be used for the individual circumstances. These tools will be described in brief in the table below. The formal risk assessment steps and methodologies will be described in the appropriate format.

Risk control describes the actions taken to deal with the identified quality risks and the acceptance of any residual quality risks.


Risk Reduction focuses on processes for mitigation or avoidance of quality risk when the risk exceeds an acceptable level. Risk reduction includes:

  • Actions taken to mitigate the severity and probability of risks.
  • Processes or methods that improve the ability to detect risk.

Implementation of risk reduction measures may introduce new risks into the system or increase the significance of other existing risks. Therefore, the risk assessment must be repeated to identify and evaluate any possible change in the risk profile.


Risk acceptance will be a decision to accept risk. The risk acceptance decision may be:

  • A decision to accept known, residual risk.
  • A decision to accept residual risks, which will be partially assessed, based on limited information.
  • A combination of these circumstances.

An optimal QRM strategy will be designed to reduce risk to an agreed-upon acceptable level. This acceptable level will depend on many parameters, will be decided on a case-by-case basis, and will be managed through identified mitigation tasks.



The result of the QRM process must be communicated to the relevant stakeholders, including management and those operating the process or system who may be affected by those results. This requires that each step of the risk management process be documented at an appropriate level. The purpose of the output from the risk management process will be:

  • To share and communicate information about the risks and how they will be controlled.
  • To obtain the appropriate approval of the decisions taken.
  • To provide a record of the risks that enables decisions to be reviewed and the process to be audited.
  • To facilitate ongoing monitoring and review and to sustain the process.

The output from the risk assessment must specify a risk owner. Database and all identified corrective actions will be implemented in full and the risk will be managed.


  • QRM will be an iterative process that must be sustained throughout the life cycle of the product. A risk assessment only documents the current situation. The nature of quality risks may change with time. Improved knowledge may result in a different view of the risks and may lead to a challenge of the original assumptions.
  • The risk assessment document will be routed for approval to all impacted system owners and Quality Assurance. The documentation package will contain all documented aspects of the QRM process.
  • Implementation of the notification system cannot proceed until all approvals have been obtained. The risk assessment process will be repeated any time a change is introduced that impacts the practice.


  • SOP – Standard Operating Procedure
  • QA – Quality Assurance
  • FT – Format
  • QRM – Quality Risk Management


  • Nil.