The immediate thought of risk would haunt us and the reply would be a straight forward NO, since it is a great risk climbing a mountain. They both reached the highest point on earth, the Mount Everest 8848 meters above the sea level. When they achieved the rare feat, had they not thought about the risk involved in it? The greatest risk of survival! They would have planned meticulously the risks involved like extreme cold weather, low freezing temperature, climbing conditions and they would have combated with the study of the season, trials, dress, availability of Oxygen bottles and would have mitigated the risk and achieved the results. For the fact, it is not that climbing mount Everest is the only risk. In day-to-day life, we encounter many risk and risk mitigation like, oxygen masks in an aeroplane, stepney in a car, helmet in a two-wheeler and so on.
Risk management process in Pharmaceuticals
Likewise, the risk associated to quality in Pharmaceuticals is clearly covered under Quality Risk Management in ICH-Q9 Guidance. An effective quality risk management approach will ensure the high quality of the drug product to the patient by providing a proactive means to identify and control potential quality issues during development and manufacturing. It can be applied to different aspects of pharmaceutical quality throughout its entire lifecycle.
The common mistake is that decisions are taken by assumption & emotion and not by data. Few decisions are made in isolation without consultation and discussion. QRM plugs the gaps of those.
Risk is the probability and severity of harm.
Overview of a typical quality risk management process

Step1-Initiating Quality Risk Management QRM process.
Define the problem and/or risk question, get background information and/or data on the potential hazard, harm or human health impact relevant to the risk assessment, identify a leader and critical resources. Specify a timeline, deliverables, and appropriate level of decision making for the risk management process.
Step-2 – Risk Assessment
Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.
Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.
Risk evaluation compares the identified and analysed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions.
Step 3- Risk control
Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk.
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level. Risk reduction might include actions taken to mitigate the severity and probability of harm. Processes that improve the detectability of hazards and quality risks might also be used as part of a risk control strategy. The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks. Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process.
Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified. For some types of harms, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied and that quality risk is reduced to a specified (acceptable) level. This (specified) acceptable level will depend on many parameters and should be decided on a case-by-case basis.
Step-4 Risk communication
Risk communication is the sharing of information about risk and risk management between the decision makers and others. Parties can communicate at any stage of the risk management process. The output/result of the quality risk management process should be appropriately communicated and documented.
Step-5 Risk review
Risk management should be an ongoing part of the quality management process. A mechanism to review or monitor events should be implemented.
QRM Tools
1. Basic Risk Management Facilitation Methods.
Some of the simple techniques that are commonly used to structure risk management by organizing data and facilitating decision making are:
-Flowcharts
-Check Sheets
-Process Mapping
-Cause and Effect Diagrams (also called an Ishikawa diagram or fish bone diagram)
2.Failure Mode Effects Analysis (FMEA).
The FMEA can be traced back to the US military standard from the 1940s which describes Procedures for Performing a Failure Mode, Effects and Criticality Analysis (FMECA). In 1963 NASA developed Failure Mode and Effects Analysis (FMEA) for the Apollo mission.
FMEA provides for an evaluation of potential failure modes for processes and their likely effect on outcomes and/or product performance. Once failure modes are established, risk reduction can be used to eliminate, contain, reduce, or control the potential failures. FMEA relies on product and process understanding. FMEA methodically breaks down the analysis of complex processes into manageable steps. It is a powerful tool for summarizing the important modes of failure, factors causing these failures, and the likely effects of these failures.
Once each failure mode is identified, the data is analysed, and three factors are quantified:
Severity (S): How significant is the impact of the effect on the patient?
Probability (P): How likely is the cause of the failure mode to occur?
Detection (D): How likely will the current system detect the failure mode if it occurs, or when the cause is present?
Each of the three factors is scored on a 1 (Best) to 3 (Worst) scale. The combined impact of these three factors is the Risk Priority Number (RPN). This is the calculation of risk of a particular failure mode and is determined by the following calculation: RPN = S x P x D.
Potential Areas of Use(s)
FMEA can be used to prioritize risks and monitor the effectiveness of risk control activities. FMEA can be applied to equipment and facilities and might be used to analyze a manufacturing operation and its effect on product or process. It identifies elements/operations within the system that render it vulnerable. The output/results of FMEA can be used as a basis for design or further analysis or to guide resource deployment.
Example:
Observed deviation-Low air velocity in a Grade A cabinet protecting a vial filling machine used for aseptic processing.
Failure mode-Ingress of contaminated air from Grade B area leading to contamination of vials.
3.Failure Mode, Effects, and Criticality Analysis (FMECA)
Failure mode effects and criticality analysis (FMECA) is an extended version of FMEA that incorporates criticality analysis into the whole process. FMEA might be extended to incorporate an investigation of the degree of severity of the consequences, their respective probabilities of occurrence, and their detectability, thereby becoming a Failure Mode, Effects, and Criticality Analysis. In order for such an analysis to be performed, the product or process specifications should be established. FMECA can identify places where additional preventive actions might be appropriate to minimize risks.
Potential Areas of Use(s)
FMECA application in the pharmaceutical industry should mostly be utilized for failures and risks associated with manufacturing processes; however, it is not limited to this application. The output of an FMECA is a relative risk “score” for each failure mode, which is used to rank the modes on a relative risk basis.
4.Fault Tree Analysis (FTA)
The FTA is a systematic top-down method which starts from an assumption of a system failure followed by identification of the modes of system or component behavior that has contributed to this failure.

5.Hazard Analysis and Critical Control Points (HACCP)
HACCP is a systematic approach to the identification, evaluation, and control of hazards based on the following seven principles
Principle 1: Conduct a hazard analysis.
Principle 2: Determine the critical control points (CCPs).
Principle 3: Establish critical limits.
Principle 4: Establish monitoring procedures.
Principle 5: Establish corrective actions.
Principle 6: Establish verification procedures.
Principle 7: Establish record-keeping and documentation procedures.
6.Hazard Operability Analysis (HAZOP)
A Hazard and Operability Study systematically investigates each element in a process. The goal is to find potential situations that would cause that element to pose a hazard or limit the operability of the process as a whole. There are four basic steps to the process.
-Forming a HAZOP team.
-Identifying the elements of the system.
-Considering possible variations in operating parameters.
-Identifying any hazards or failure points.
7.Preliminary Hazard Analysis (PHA).
-PHA prerequisites.
-Hazard identification.
-Consequence and frequency estimation.
-Risk ranking and follow-up actions.
8.Risk Ranking and Filtering
Risk ranking and filtering is a tool for comparing and ranking risks. Risk ranking of complex systems typically involves evaluation of multiple diverse quantitative and qualitative factors for each risk. The tool involves breaking down a basic risk question into as many components as needed to capture factors involved in the risk. USFDA uses this tool to schedule inspection/audit.
9.Supporting Statistical Tools
Applications of QRM
-Part of Integrated Quality Management-Documentation, Training, Quality defects, auditing/inspection, Periodic Product quality review, change management / change control, continual improvement.
-Part of Regulatory Operations- Inspection and assessment activities.
-Part of Development.
-For Facilities, Equipment and Utilities- Design of facility/equipment, Hygiene aspects in facilities, Qualification of facility/equipment/utilities, Cleaning of equipment and environmental control, Calibration/preventive maintenance, Computer systems and computer-controlled equipment.
-Part of Materials Management- Assessment and evaluation of suppliers and contract manufacturers, starting material, Use of materials, Storage, logistics and distribution conditions.
-Part of Production- Validation, In-process sampling & testing, Production planning.
-Part of Laboratory Control and Stability Studies- Out of specification results, Retest period/expiration date.
-Part of Packaging and Labelling- Design of packages, Selection of container closure system, Label controls.