Risk management – it does not have to be complicated

October 18th, 2011 by

At a course I was recently teaching at the University of California, Berkeley on Biotech Pharmaceutical Quality and Compliance, the topic of how to implement the ICH Q9 was brought up.  One attendee indicated that his company had tried to implement it and had run into trouble.  They had set up a Quality Risk Management (QRM) department and it just appeared that all they had done was create another function that had to review all work, SOP’s and reports.  It was like a further level of QA.  Processes were operating even slower than normal and it appeared the amount of work had mushroomed.  He indicated that in the presentation, I made it seem so easy.  he posed the question:

Where had we gone wrong? And was it to late to get back on the right path?

In reality, I find many companies that implement QRM do make it too complicated.  It should not be a separate department but rather the tools should be incorporated into your everyday processes so that simply there is just a further step in your pre-existing processes.  These processes could be change control, investigations, CAPA, complaints, environmental monitoring, testing schedules, raw materials programs, vendor qualification.  You get the picture.  Put it where it adds value.

I am reminded of one of the first times I heard an FDA’er articulate on QRM.  A few years ago (quite a few actually) I was at a conference where an FDA’er was describing Quality Risk Management (QRM) and their expectations.  It was a few months after the ICH Q9 was issued.  the speaker described agency expectations and since I knew him very well (having had lunch and a few beers socially), I approached him and indicated that I thought what he was describing was already in place in most progressive companies.

He replied:

You are right, it is.

I continued:

So what is different now?

He replied:

The agency just wants it to become second nature and get it integrated formally into your processes and, of course, document decisions and assumptions.

That was one of the most valuable set of comments I have received on the topic.

So I recommend that when making QRM mainstream, you need to do the following:

  1. Learn the tools and examples of where it can fit in.  There are many webinars out there offering the know how.  Tungsten Shield does offer some good ones on this and other topics.
  2. Examine all your business processes and incorporate QRM steps into the process that exists.  Try one first and slowly roll out across the other processes.  Change Control is an excellent one to start on.
  3. Examine after a period of time to see what works and what does not.  With QRM you have begun continuous improvement so expect changes over time as your skill increases and you find out how the company likes to operate.
  4. Remember to document all your decisions and most importantly assumptions.  Be prepared to go back if your assumptions are found to be wrong or new information  surfaces.
  5. Do not fall into the trap of setting up a QRM department or you will be mired in bureaucracy.

And, most importantly, enjoy what you are doing.

Leave a Reply

Your email address will not be published. Required fields are marked *